fix: Don't allow UIAA stages to be completed if no flow includes them

feat: Add a notice about email to the first-run banner
chore: Update admin command docs
2026-05-26 20:49:55 +00:00 · 2026-03-30 13:17:16 -04:00 · 2026-03-30 16:02:43 +00:00 · 2026-03-30 11:50:02 -04:00 · 2026-03-30 11:45:10 -04:00 · 2026-03-30 11:43:15 -04:00
49 changed files with 2833 additions and 1512 deletions
@@ -72,6 +72,12 @@ dependencies = [
 "alloc-no-stdlib",
 ]
 [[package]]
 name = "allocator-api2"
 version = "0.2.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
 [[package]]
 name = "android_system_properties"
 version = "0.1.5"
@@ -104,6 +110,15 @@ version = "1.0.102"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c"
 [[package]]
 name = "ar_archive_writer"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7eb93bbb63b9c227414f6eb3a0adfddca591a8ce1e9b60661bb08969b87e340b"
 dependencies = [
 "object",
 ]
 [[package]]
 name = "arbitrary"
 version = "1.4.2"
@@ -811,6 +826,16 @@ dependencies = [
 "num-traits",
 ]
 [[package]]
 name = "chumsky"
 version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8eebd66744a15ded14960ab4ccdbfb51ad3b81f51f3f04a80adac98c985396c9"
 dependencies = [
 "hashbrown 0.14.5",
 "stacker",
 ]
 [[package]]
 name = "clang-sys"
 version = "1.8.1"
@@ -948,6 +973,7 @@ dependencies = [
 "conduwuit_service",
 "const-str",
 "futures",
 "lettre",
 "log",
 "ruma",
 "serde-saphyr",
@@ -977,6 +1003,7 @@ dependencies = [
 "hyper",
 "ipaddress",
 "itertools 0.14.0",
 "lettre",
 "log",
 "rand 0.10.0",
 "reqwest",
@@ -1024,6 +1051,7 @@ dependencies = [
 "http-body-util",
 "ipaddress",
 "itertools 0.14.0",
 "lettre",
 "libc",
 "libloading 0.9.0",
 "lock_api",
@@ -1134,15 +1162,18 @@ dependencies = [
 "const-str",
 "either",
 "futures",
 "governor",
 "hickory-resolver",
 "http",
 "image",
 "ipaddress",
 "itertools 0.14.0",
 "ldap3",
 "lettre",
 "log",
 "loole",
 "lru-cache",
 "nonzero_ext",
 "rand 0.10.0",
 "recaptcha-verify",
 "regex",
@@ -1747,6 +1778,22 @@ dependencies = [
 "serde",
 ]
 [[package]]
 name = "email-encoding"
 version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9298e6504d9b9e780ed3f7dfd43a61be8cd0e09eb07f7706a945b0072b6670b6"
 dependencies = [
 "base64 0.22.1",
 "memchr",
 ]
 [[package]]
 name = "email_address"
 version = "0.2.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e079f19b08ca6239f47f8ba8509c11cf3ea30095831f7fed61441475edd8c449"
 [[package]]
 name = "encoding_rs"
 version = "0.8.35"
@@ -1949,6 +1996,12 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 [[package]]
 name = "foldhash"
 version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -2065,6 +2118,12 @@ version = "0.3.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "037711b3d59c33004d3856fbdc83b99d4ff37a24768fa1be9ce3538a1cde4393"
 [[package]]
 name = "futures-timer"
 version = "3.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f288b0a4f20f9a56b5d1da57e2227c661b7b16168e2f72365f57b63326e29b24"
 [[package]]
 name = "futures-util"
 version = "0.3.32"
@@ -2155,6 +2214,25 @@ version = "0.3.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
 [[package]]
 name = "governor"
 version = "0.10.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9efcab3c1958580ff1f25a2a41be1668f7603d849bb63af523b208a3cc1223b8"
 dependencies = [
 "cfg-if",
 "futures-sink",
 "futures-timer",
 "futures-util",
 "hashbrown 0.16.1",
 "nonzero_ext",
 "parking_lot",
 "portable-atomic",
 "smallvec",
 "spinning_top",
 "web-time",
 ]
 [[package]]
 name = "h2"
 version = "0.4.13"
@@ -2219,13 +2297,23 @@ version = "0.1.2+12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "647deb1583b14d160f85f3ff626f20b6edd366e3852c9843b06077388f794cb6"
 [[package]]
 name = "hashbrown"
 version = "0.14.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1"
 dependencies = [
 "ahash",
 "allocator-api2",
 ]
 [[package]]
 name = "hashbrown"
 version = "0.15.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 dependencies = [
- "foldhash",
+ "foldhash 0.1.5",
 ]
 [[package]]
@@ -2233,6 +2321,11 @@ name = "hashbrown"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 dependencies = [
 "allocator-api2",
 "equivalent",
 "foldhash 0.2.0",
 ]
 [[package]]
 name = "hdrhistogram"
@@ -2891,6 +2984,37 @@ version = "0.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7a79a3332a6609480d7d0c9eab957bca6b455b91bb84e66d19f5ff66294b85b8"
 [[package]]
 name = "lettre"
 version = "0.11.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9e13e10e8818f8b2a60f52cb127041d388b89f3a96a62be9ceaffa22262fef7f"
 dependencies = [
 "async-trait",
 "base64 0.22.1",
 "chumsky",
 "email-encoding",
 "email_address",
 "fastrand",
 "futures-io",
 "futures-util",
 "hostname",
 "httpdate",
 "idna",
 "mime",
 "nom 8.0.0",
 "percent-encoding",
 "quoted_printable",
 "rustls",
 "rustls-native-certs",
 "serde",
 "socket2 0.6.3",
 "tokio",
 "tokio-rustls",
 "tracing",
 "url",
 ]
 [[package]]
 name = "libc"
 version = "0.2.183"
@@ -3273,6 +3397,12 @@ version = "0.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e9e591e719385e6ebaeb5ce5d3887f7d5676fceca6411d1925ccc95745f3d6f7"
 [[package]]
 name = "nonzero_ext"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "38bf9645c8b145698bb0b18a4637dcacbc421ea49bef2317e4fd8065a387cf21"
 [[package]]
 name = "noop_proc_macro"
 version = "0.3.0"
@@ -4015,6 +4145,16 @@ dependencies = [
 "prost",
 ]
 [[package]]
 name = "psm"
 version = "0.1.30"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3852766467df634d74f0b2d7819bf8dc483a0eb2e3b0f50f756f9cfe8b0d18d8"
 dependencies = [
 "ar_archive_writer",
 "cc",
 ]
 [[package]]
 name = "pulldown-cmark"
 version = "0.13.1"
@@ -4119,6 +4259,12 @@ dependencies = [
 "proc-macro2",
 ]
 [[package]]
 name = "quoted_printable"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "640c9bd8497b02465aeef5375144c26062e0dcd5939dfcbb0f5db76cb8c17c73"
 [[package]]
 name = "r-efi"
 version = "5.3.0"
@@ -5247,6 +5393,15 @@ dependencies = [
 "windows-sys 0.61.2",
 ]
 [[package]]
 name = "spinning_top"
 version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d96d2d1d716fb500937168cc09353ffdc7a012be8475ac7308e1bdf0e3923300"
 dependencies = [
 "lock_api",
 ]
 [[package]]
 name = "spki"
 version = "0.7.3"
@@ -5263,6 +5418,19 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
 [[package]]
 name = "stacker"
 version = "0.1.23"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "08d74a23609d509411d10e2176dc2a4346e3b4aea2e7b1869f19fdedbc71c013"
 dependencies = [
 "cc",
 "cfg-if",
 "libc",
 "psm",
 "windows-sys 0.59.0",
 ]
 [[package]]
 name = "strict"
 version = "0.2.0"
@@ -6398,6 +6566,15 @@ dependencies = [
 "windows-targets 0.52.6",
 ]
 [[package]]
 name = "windows-sys"
 version = "0.59.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
 dependencies = [
 "windows-targets 0.52.6",
 ]
 [[package]]
 name = "windows-sys"
 version = "0.60.2"
@@ -559,6 +559,19 @@ version = "1.0.1"
 [workspace.dependencies.askama]
 version = "0.15.0"
 [workspace.dependencies.lettre]
 version = "0.11.19"
 default-features = false
 features = ["smtp-transport", "pool", "hostname", "builder", "rustls", "aws-lc-rs", "rustls-native-certs", "tokio1", "tokio1-rustls", "tracing", "serde"]
 [workspace.dependencies.governor]
 version = "0.10.4"
 default-features = false
 features = ["std"]
 [workspace.dependencies.nonzero_ext]
 version = "0.3.0"
 #
 # Patches
 #
@@ -919,7 +932,6 @@ fn_to_numeric_cast_any = "warn"
 format_push_string = "warn"
 get_unwrap = "warn"
 impl_trait_in_params = "warn"
 let_underscore_untyped = "warn"
 lossy_float_literal = "warn"
 mem_forget = "warn"
 missing_assert_message = "warn"
@@ -0,0 +1 @@
 Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger
@@ -2037,3 +2037,41 @@
 # web->synapseHTTPAntispam->authorization
 #
 #secret =
 #[global.smtp]
 # A `smtp://`` URI which will be used to connect to a mail server.
 # Uncommenting the [global.smtp] group and setting this option enables
 # features which depend on the ability to send email,
 # such as self-service password resets.
 #
 # For most modern mail servers, format the URI like this:
 # 	`smtps://username:password@hostname:port`
 # Note that you will need to URL-encode the username and password. If your
 # username _is_ your email address, you will need to replace the `@` with
 # `%40`.
 #
 # For a guide on the accepted URI syntax, consult Lettre's documentation:
 # https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
 #
 #connection_uri =
 # The outgoing address which will be used for sending emails.
 #
 # For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
 #
 # ...or if you don't want to read the RFC, for some reason:
 # - `Name <address@domain.org>` to specify a sender name
 # - `address@domain.org` to not use a name
 #
 #sender =
 # Whether to require that users provide an email address when they
 # register.
 #
 #require_email_for_registration = false
 # Whether to require that users who register with a registration token
 # provide an email address.
 #
 #require_email_for_token_registration = false
@@ -130,6 +130,10 @@ Trim memory usage
 List database files
 ## `!admin debug send-test-email`
 Send a test email to the invoking admin's email address
 ## `!admin debug tester`
 Developer test stubs
@@ -12,6 +12,24 @@ Create a new user
 Reset user password
 ## `!admin users issue-password-reset-link`
 Issue a self-service password reset link for a user
 ## `!admin users get-email`
 Get a user's associated email address
 ## `!admin users get-user-by-email`
 Get the user with the given email address
 ## `!admin users change-email`
 Update or remove a user's email address.
 If `email` is not supplied, the user's existing address will be removed.
 ## `!admin users deactivate`
 Deactivate a user
@@ -80,6 +80,7 @@ conduwuit-macros.workspace = true
 conduwuit-service.workspace = true
 const-str.workspace = true
 futures.workspace = true
 lettre.workspace = true
 log.workspace = true
 ruma.workspace = true
 serde_json.workspace = true
@@ -19,6 +19,7 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt, TryStreamExt};
 use lettre::message::Mailbox;
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, EventId, OwnedEventId, OwnedRoomId,
 	OwnedRoomOrAliasId, OwnedServerName, RoomId, RoomVersionId,
@@ -876,3 +877,31 @@ pub(super) async fn trim_memory(&self) -> Result {
 	writeln!(self, "done").await
 }
 #[admin_command]
 pub(super) async fn send_test_email(&self) -> Result {
 	self.bail_restricted()?;
 	let mailer = self.services.mailer.expect_mailer()?;
 	let Some(sender) = self.sender else {
 		return Err!("No sender user provided in context");
 	};
 	let Some(email) = self
 		.services
 		.threepid
 		.get_email_for_localpart(sender.localpart())
 		.await
 	else {
 		return Err!("{} has no associated email address", sender);
 	};
 	mailer
 		.send(Mailbox::new(None, email.clone()), service::mailer::messages::Test)
 		.await?;
 	self.write_str(&format!("Test email successfully sent to {email}"))
 		.await?;
 	Ok(())
 }
@@ -225,6 +225,9 @@ pub enum DebugCommand {
 		level: Option<i32>,
 	},
 	/// Send a test email to the invoking admin's email address
 	SendTestEmail,
 	/// Developer test stubs
 	#[command(subcommand)]
 	#[allow(non_snake_case)]
@@ -11,6 +11,7 @@ use conduwuit::{
 	warn,
 };
 use futures::{FutureExt, StreamExt};
 use lettre::Address;
 use ruma::{
 	OwnedEventId, OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, UserId,
 	events::{
@@ -1094,3 +1095,106 @@ pub(super) async fn enable_login(&self, user_id: String) -> Result {
 	self.write_str(&format!("{user_id} can now log in.")).await
 }
 #[admin_command]
 pub(super) async fn get_email(&self, user_id: String) -> Result {
 	self.bail_restricted()?;
 	let user_id = parse_local_user_id(self.services, &user_id)?;
 	match self
 		.services
 		.threepid
 		.get_email_for_localpart(user_id.localpart())
 		.await
 	{
 		| Some(email) =>
 			self.write_str(&format!("{user_id} has the associated email address {email}."))
 				.await,
 		| None =>
 			self.write_str(&format!("{user_id} has no associated email address."))
 				.await,
 	}
 }
 #[admin_command]
 pub(super) async fn get_user_by_email(&self, email: String) -> Result {
 	self.bail_restricted()?;
 	let Ok(email) = Address::try_from(email) else {
 		return Err!("Invalid email address.");
 	};
 	match self.services.threepid.get_localpart_for_email(&email).await {
 		| Some(localpart) => {
 			let user_id = OwnedUserId::parse(format!(
 				"@{localpart}:{}",
 				self.services.globals.server_name()
 			))
 			.unwrap();
 			self.write_str(&format!("{email} belongs to {user_id}."))
 				.await
 		},
 		| None =>
 			self.write_str(&format!("No user has {email} as their email address."))
 				.await,
 	}
 }
 #[admin_command]
 pub(super) async fn change_email(&self, user_id: String, email: Option<String>) -> Result {
 	self.bail_restricted()?;
 	let user_id = parse_local_user_id(self.services, &user_id)?;
 	let Ok(new_email) = email.map(Address::try_from).transpose() else {
 		return Err!("Invalid email address.");
 	};
 	if self.services.mailer.mailer().is_none() {
 		warn!("SMTP has not been configured on this server, emails cannot be sent.");
 	}
 	let current_email = self
 		.services
 		.threepid
 		.get_email_for_localpart(user_id.localpart())
 		.await;
 	match (current_email, new_email) {
 		| (None, None) =>
 			self.write_str(&format!(
 				"{user_id} already had no associated email. No changes have been made."
 			))
 			.await,
 		| (current_email, Some(new_email)) => {
 			self.services
 				.threepid
 				.associate_localpart_email(user_id.localpart(), &new_email)
 				.await?;
 			if let Some(current_email) = current_email {
 				self.write_str(&format!(
 					"The associated email of {user_id} has been changed from {current_email} to \
 					 {new_email}."
 				))
 				.await
 			} else {
 				self.write_str(&format!(
 					"{user_id} has been associated with the email {new_email}."
 				))
 				.await
 			}
 		},
 		| (Some(current_email), None) => {
 			self.services
 				.threepid
 				.disassociate_localpart_email(user_id.localpart())
 				.await;
 			self.write_str(&format!(
 				"The associated email of {user_id} has been removed (it was {current_email})."
 			))
 			.await
 		},
 	}
 }
@@ -35,6 +35,24 @@ pub enum UserCommand {
 		username: String,
 	},
 	/// Get a user's associated email address.
 	GetEmail {
 		user_id: String,
 	},
 	/// Get the user with the given email address.
 	GetUserByEmail {
 		email: String,
 	},
 	/// Update or remove a user's email address.
 	///
 	/// If `email` is not supplied, the user's existing address will be removed.
 	ChangeEmail {
 		user_id: String,
 		email: Option<String>,
 	},
 	/// Deactivate a user
 	///
 	/// User will be removed from all rooms by default.
@@ -85,6 +85,7 @@ http-body-util.workspace = true
 hyper.workspace = true
 ipaddress.workspace = true
 itertools.workspace = true
 lettre.workspace = true
 log.workspace = true
 rand.workspace = true
 reqwest.workspace = true
@@ -1,980 +0,0 @@
 use std::fmt::Write;
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Error, Event, Result, debug_info, err, error, info,
 	matrix::pdu::PduBuilder,
 	utils::{self, ReadyExt, stream::BroadbandExt},
 	warn,
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use register::RegistrationKind;
 use ruma::{
 	OwnedRoomId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
 			deactivate, get_3pids, get_username_availability,
 			register::{self, LoginType},
 			request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
 			whoami,
 		},
 		uiaa::{AuthFlow, AuthType, UiaaInfo},
 	},
 	events::{
 		GlobalAccountDataEventType, StateEventType,
 		room::{
 			member::{MembershipState, RoomMemberEventContent},
 			message::RoomMessageEventContent,
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 	push,
 };
 use super::{DEVICE_ID_LENGTH, SESSION_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 const RANDOM_USER_ID_LENGTH: usize = 10;
 /// # `GET /_matrix/client/v3/register/available`
 ///
 /// Checks if a username is valid and available on this server.
 ///
 /// Conditions for returning true:
 /// - The user id is not historical
 /// - The server name of the user id matches this server
 /// - No user or appservice on this server already claimed this username
 ///
 /// Note: This will not reserve the username, so the username might become
 /// invalid when trying to register
 #[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
 pub(crate) async fn get_register_available_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
 	let is_matrix_appservice_irc = body.appservice_info.as_ref().is_some_and(|appservice| {
 		appservice.registration.id == "irc"
 			|| appservice.registration.id.contains("matrix-appservice-irc")
 			|| appservice.registration.id.contains("matrix_appservice_irc")
 	});
 	if services
 		.globals
 		.forbidden_usernames()
 		.is_match(&body.username)
 	{
 		return Err!(Request(Forbidden("Username is forbidden")));
 	}
 	// don't force the username lowercase if it's from matrix-appservice-irc
 	let body_username = if is_matrix_appservice_irc {
 		body.username.clone()
 	} else {
 		body.username.to_lowercase()
 	};
 	// Validate user id
 	let user_id =
 		match UserId::parse_with_server_name(&body_username, services.globals.server_name()) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					// unless the username is from the broken matrix appservice IRC bridge, we
 					// should follow synapse's behaviour on not allowing things like spaces
 					// and UTF-8 characters in usernames
 					if !is_matrix_appservice_irc {
 						return Err!(Request(InvalidUsername(debug_warn!(
 							"Username {body_username} contains disallowed characters or spaces: \
 							 {e}"
 						))));
 					}
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {body_username} is not valid: {e}"
 				))));
 			},
 		};
 	// Check if username is creative enough
 	if services.users.exists(&user_id).await {
 		return Err!(Request(UserInUse("User ID is not available.")));
 	}
 	if let Some(ref info) = body.appservice_info {
 		if !info.is_user_match(&user_id) {
 			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
 		}
 	}
 	if services.appservice.is_exclusive_user_id(&user_id).await {
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	Ok(get_username_availability::v3::Response { available: true })
 }
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
 ///
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
 ///
 /// - Only works if registration is enabled
 /// - If type is guest: ignores all parameters except
 ///   initial_device_display_name
 /// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
 /// - If type is not guest and no username is given: Always fails after UIAA
 ///   check
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and
 ///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
 	let allow_registration =
 		services.config.allow_registration || services.firstrun.is_first_run();
 	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					user = %username,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (Some(username), _) => {
 				info!(
 					%is_guest,
 					user = %username,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (_, Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (None, _) => {
 				info!(
 					%is_guest,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 		}
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	if is_guest && !services.config.allow_guest_registration {
 		info!(
 			"Guest registration disabled, rejecting guest registration attempt, initial device \
 			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
 	}
 	// forbid guests from registering if there is not a real admin user yet. give
 	// generic user error.
 	if is_guest && services.users.count().await < 2 {
 		warn!(
 			"Guest account attempted to register before a real admin user has been registered, \
 			 rejecting registration. Guest's initial device name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	let user_id = match (body.username.as_ref(), is_guest) {
 		| (Some(username), false) => {
 			// workaround for https://github.com/matrix-org/matrix-appservice-irc/issues/1780 due to inactivity of fixing the issue
 			let is_matrix_appservice_irc =
 				body.appservice_info.as_ref().is_some_and(|appservice| {
 					appservice.registration.id == "irc"
 						|| appservice.registration.id.contains("matrix-appservice-irc")
 						|| appservice.registration.id.contains("matrix_appservice_irc")
 				});
 			if services.globals.forbidden_usernames().is_match(username)
 				&& !emergency_mode_enabled
 			{
 				return Err!(Request(Forbidden("Username is forbidden")));
 			}
 			// don't force the username lowercase if it's from matrix-appservice-irc
 			let body_username = if is_matrix_appservice_irc {
 				username.clone()
 			} else {
 				username.to_lowercase()
 			};
 			let proposed_user_id = match UserId::parse_with_server_name(
 				&body_username,
 				services.globals.server_name(),
 			) {
 				| Ok(user_id) => {
 					if let Err(e) = user_id.validate_strict() {
 						// unless the username is from the broken matrix appservice IRC bridge, or
 						// we are in emergency mode, we should follow synapse's behaviour on
 						// not allowing things like spaces and UTF-8 characters in usernames
 						if !is_matrix_appservice_irc && !emergency_mode_enabled {
 							return Err!(Request(InvalidUsername(debug_warn!(
 								"Username {body_username} contains disallowed characters or \
 								 spaces: {e}"
 							))));
 						}
 					}
 					// Don't allow registration with user IDs that aren't local
 					if !services.globals.user_is_local(&user_id) {
 						return Err!(Request(InvalidUsername(
 							"Username {body_username} is not local to this server"
 						)));
 					}
 					user_id
 				},
 				| Err(e) => {
 					return Err!(Request(InvalidUsername(debug_warn!(
 						"Username {body_username} is not valid: {e}"
 					))));
 				},
 			};
 			if services.users.exists(&proposed_user_id).await {
 				return Err!(Request(UserInUse("User ID is not available.")));
 			}
 			proposed_user_id
 		},
 		| _ => loop {
 			let proposed_user_id = UserId::parse_with_server_name(
 				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
 				services.globals.server_name(),
 			)
 			.unwrap();
 			if !services.users.exists(&proposed_user_id).await {
 				break proposed_user_id;
 			}
 		},
 	};
 	if body.body.login_type == Some(LoginType::ApplicationService) {
 		match body.appservice_info {
 			| Some(ref info) =>
 				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
 					return Err!(Request(Exclusive(
 						"Username is not in an appservice namespace."
 					)));
 				},
 			| _ => {
 				return Err!(Request(MissingToken("Missing appservice token.")));
 			},
 		}
 	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
 	{
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	// UIAA
 	let mut uiaainfo = UiaaInfo {
 		flows: Vec::new(),
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	let skip_auth = body.appservice_info.is_some() || is_guest;
 	// Populate required UIAA flows
 	if services.firstrun.is_first_run() {
 		// Registration token forced while in first-run mode
 		uiaainfo.flows.push(AuthFlow {
 			stages: vec![AuthType::RegistrationToken],
 		});
 	} else {
 		if services
 			.registration_tokens
 			.iterate_tokens()
 			.next()
 			.await
 			.is_some()
 		{
 			// Registration token required
 			uiaainfo.flows.push(AuthFlow {
 				stages: vec![AuthType::RegistrationToken],
 			});
 		}
 		if services.config.recaptcha_private_site_key.is_some() {
 			if let Some(pubkey) = &services.config.recaptcha_site_key {
 				// ReCaptcha required
 				uiaainfo
 					.flows
 					.push(AuthFlow { stages: vec![AuthType::ReCaptcha] });
 				uiaainfo.params = serde_json::value::to_raw_value(&serde_json::json!({
 					"m.login.recaptcha": {
 						"public_key": pubkey,
 					},
 				}))
 				.expect("Failed to serialize recaptcha params");
 			}
 		}
 		if uiaainfo.flows.is_empty() && !skip_auth {
 			// Registration isn't _disabled_, but there's no captcha configured and no
 			// registration tokens currently set. Bail out by default unless open
 			// registration was explicitly enabled.
 			if !services
 				.config
 				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
 			{
 				return Err!(Request(Forbidden(
 					"This server is not accepting registrations at this time."
 				)));
 			}
 			// We have open registration enabled (😧), provide a dummy stage
 			uiaainfo = UiaaInfo {
 				flows: vec![AuthFlow { stages: vec![AuthType::Dummy] }],
 				completed: Vec::new(),
 				params: Box::default(),
 				session: None,
 				auth_error: None,
 			};
 		}
 	}
 	if !skip_auth {
 		match &body.auth {
 			| Some(auth) => {
 				let (worked, uiaainfo) = services
 					.uiaa
 					.try_auth(
 						&UserId::parse_with_server_name("", services.globals.server_name())
 							.unwrap(),
 						"".into(),
 						auth,
 						&uiaainfo,
 					)
 					.await?;
 				if !worked {
 					return Err(Error::Uiaa(uiaainfo));
 				}
 				// Success!
 			},
 			| _ => match body.json_body {
 				| Some(ref json) => {
 					uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 					services.uiaa.create(
 						&UserId::parse_with_server_name("", services.globals.server_name())
 							.unwrap(),
 						"".into(),
 						&uiaainfo,
 						json,
 					);
 					return Err(Error::Uiaa(uiaainfo));
 				},
 				| _ => {
 					return Err!(Request(NotJson("JSON body is not valid")));
 				},
 			},
 		}
 	}
 	let password = if is_guest { None } else { body.password.as_deref() };
 	// Create user
 	services.users.create(&user_id, password, None).await?;
 	// Default to pretty displayname
 	let mut displayname = user_id.localpart().to_owned();
 	// If `new_user_displayname_suffix` is set, registration will push whatever
 	// content is set to the user's display name with a space before it
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
 		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}
 	services
 		.users
 		.set_displayname(&user_id, Some(displayname.clone()));
 	// Initial account data
 	services
 		.account_data
 		.update(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
 			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
 			})?,
 		)
 		.await?;
 	// Generate new device id if the user didn't specify one
 	let no_device = body.inhibit_login
 		|| body
 			.appservice_info
 			.as_ref()
 			.is_some_and(|aps| aps.registration.device_management);
 	let (token, device) = if !no_device {
 		// Don't create a device for inhibited logins
 		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
 		// Generate new token for the device
 		let new_token = utils::random_string(TOKEN_LENGTH);
 		// Create device for this account
 		services
 			.users
 			.create_device(
 				&user_id,
 				&device_id,
 				&new_token,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
 			.await?;
 		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
 		(None, None)
 	};
 	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
 			let notice = format!(
 				"New user \"{user_id}\" registered on this server from IP {client} and device \
 				 display name \"{device_display_name}\""
 			);
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		} else {
 			let notice = format!("New user \"{user_id}\" registered on this server.");
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		}
 	}
 	// log in conduit admin channel if a guest registered
 	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
 		debug_info!("New guest user \"{user_id}\" registered on this server.");
 		if !device_display_name.is_empty() {
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
 					))
 					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
 					))
 					.await;
 			}
 		}
 	}
 	if !is_guest {
 		// Make the first user to register an administrator and disable first-run mode.
 		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
 		// If the registering user was not the first and we're suspending users on
 		// register, suspend them.
 		if !was_first_user && services.config.suspend_on_register {
 			// Note that we can still do auto joins for suspended users
 			services
 				.users
 				.suspend_account(&user_id, &services.globals.server_user)
 				.await;
 			// And send an @room notice to the admin room, to prompt admins to review the
 			// new user and ideally unsuspend them if deemed appropriate.
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.send_loud_message(RoomMessageEventContent::text_plain(format!(
 						"User {user_id} has been suspended as they are not the first user on \
 						 this server. Please review and unsuspend them if appropriate."
 					)))
 					.await
 					.ok();
 			}
 		}
 	}
 	if body.appservice_info.is_none()
 		&& !services.server.config.auto_join_rooms.is_empty()
 		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
 	{
 		for room in &services.server.config.auto_join_rooms {
 			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
 				error!(
 					"Failed to resolve room alias to room ID when attempting to auto join \
 					 {room}, skipping"
 				);
 				continue;
 			};
 			if !services
 				.rooms
 				.state_cache
 				.server_in_room(services.globals.server_name(), &room_id)
 				.await
 			{
 				warn!(
 					"Skipping room {room} to automatically join as we have never joined before."
 				);
 				continue;
 			}
 			if let Some(room_server_name) = room.server_name() {
 				match join_room_by_id_helper(
 					&services,
 					&user_id,
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
 					&body.appservice_info,
 				)
 				.boxed()
 				.await
 				{
 					| Err(e) => {
 						// don't return this error so we don't fail registrations
 						error!(
 							"Failed to automatically join room {room} for user {user_id}: {e}"
 						);
 					},
 					| _ => {
 						info!("Automatically joined room {room} for user {user_id}");
 					},
 				}
 			}
 		}
 	}
 	Ok(register::v3::Response {
 		access_token: token,
 		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
 	})
 }
 /// # `POST /_matrix/client/r0/account/password`
 ///
 /// Changes the password of this account.
 ///
 /// - Requires UIAA to verify user password
 /// - Changes the password of the sender user
 /// - The password hash is calculated using argon2 with 32 character salt, the
 ///   plain password is
 /// not saved
 ///
 /// If logout_devices is true it does the following for each device except the
 /// sender device:
 /// - Invalidates access token
 /// - Deletes device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets to-device events
 /// - Triggers device list updates
 #[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
 pub(crate) async fn change_password_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	// Authentication for this endpoint was made optional, but we need
 	// authentication currently
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, body.sender_device(), &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("JSON body is not valid")));
 			},
 		},
 	}
 	services
 		.users
 		.set_password(sender_user, Some(&body.new_password))
 		.await?;
 	if body.logout_devices {
 		// Logout all devices except the current one
 		services
 			.users
 			.all_device_ids(sender_user)
 			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(sender_user, id))
 			.await;
 		// Remove all pushers except the ones associated with this session
 		services
 			.pusher
 			.get_pushkeys(sender_user)
 			.map(ToOwned::to_owned)
 			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
 					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(sender_user, &pushkey).await;
 			})
 			.await;
 	}
 	info!("User {sender_user} changed their password.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} changed their password."))
 			.await;
 	}
 	Ok(change_password::v3::Response {})
 }
 /// # `GET /_matrix/client/v3/account/whoami`
 ///
 /// Get `user_id` of the sender user.
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
 	let is_guest = services
 		.users
 		.is_deactivated(body.sender_user())
 		.await
 		.map_err(|_| {
 			err!(Request(Forbidden("Application service has not registered this user.")))
 		})? && body.appservice_info.is_none();
 	Ok(whoami::v3::Response {
 		user_id: body.sender_user().to_owned(),
 		device_id: body.sender_device.clone(),
 		is_guest,
 	})
 }
 /// # `POST /_matrix/client/r0/account/deactivate`
 ///
 /// Deactivate sender user account.
 ///
 /// - Leaves all rooms and rejects all invitations
 /// - Invalidates all access tokens
 /// - Deletes all device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets all to-device events
 /// - Triggers device list updates
 /// - Removes ability to log in again
 #[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
 pub(crate) async fn deactivate_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<deactivate::v3::Request>,
 ) -> Result<deactivate::v3::Response> {
 	// Authentication for this endpoint was made optional, but we need
 	// authentication currently
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, body.sender_device(), auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, body.sender_device(), &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("JSON body is not valid")));
 			},
 		},
 	}
 	// Remove profile pictures and display name
 	let all_joined_rooms: Vec<OwnedRoomId> = services
 		.rooms
 		.state_cache
 		.rooms_joined(sender_user)
 		.map(Into::into)
 		.collect()
 		.await;
 	full_user_deactivate(&services, sender_user, &all_joined_rooms)
 		.boxed()
 		.await?;
 	info!("User {sender_user} deactivated their account.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} deactivated their account."))
 			.await;
 	}
 	Ok(deactivate::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
 	})
 }
 /// # `GET _matrix/client/v3/account/3pid`
 ///
 /// Get a list of third party identifiers associated with this account.
 ///
 /// - Currently always returns empty list
 pub(crate) async fn third_party_route(
 	body: Ruma<get_3pids::v3::Request>,
 ) -> Result<get_3pids::v3::Response> {
 	let _sender_user = body.sender_user.as_ref().expect("user is authenticated");
 	Ok(get_3pids::v3::Response::new(Vec::new()))
 }
 /// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an email
 /// address to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_email_route(
 	_body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
 	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
 }
 /// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an phone
 /// number to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_msisdn_route(
 	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
 ) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
 	Err!(Request(ThreepidDenied("Third party identifiers are not implemented")))
 }
 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
 ///
 /// Checks if the provided registration token is valid at the time of checking.
 pub(crate) async fn check_registration_token_validity(
 	State(services): State<crate::State>,
 	body: Ruma<check_registration_token_validity::v1::Request>,
 ) -> Result<check_registration_token_validity::v1::Response> {
 	// TODO: ratelimit this pretty heavily
 	let valid = services
 		.registration_tokens
 		.validate_token(body.token.clone())
 		.await
 		.is_some();
 	Ok(check_registration_token_validity::v1::Response { valid })
 }
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
 /// - Removing display name
 /// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
 	services: &Services,
 	user_id: &UserId,
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
 	services
 		.users
 		.all_profile_keys(user_id)
 		.ready_for_each(|(profile_key, _)| {
 			services.users.set_profile_key(user_id, &profile_key, None);
 		})
 		.await;
 	// TODO: Rescind all user invites
 	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
 			.room_state_get_content::<RoomPowerLevelsEventContent>(
 				room_id,
 				&StateEventType::RoomPowerLevels,
 				"",
 			)
 			.await
 			.ok();
 		let user_can_demote_self =
 			room_power_levels
 				.as_ref()
 				.is_some_and(|power_levels_content| {
 					RoomPowerLevels::from(power_levels_content.clone())
 						.user_can_change_user_power_level(user_id, user_id)
 				}) || services
 				.rooms
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
 				.is_ok_and(|event| event.sender() == user_id);
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
 			power_levels_content.users.remove(user_id);
 			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}
 		// Leave the room
 		pdu_queue.push((
 			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
 				avatar_url: None,
 				blurhash: None,
 				membership: MembershipState::Leave,
 				displayname: None,
 				join_authorized_via_users_server: None,
 				reason: None,
 				is_direct: None,
 				third_party_invite: None,
 				redact_events: None,
 			}),
 			room_id,
 		));
 		// TODO: Redact all messages sent by the user in the room
 	}
 	super::update_all_rooms(services, pdu_queue, user_id).await;
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
 	Ok(())
 }
@@ -0,0 +1,426 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Event, Result, err, info,
 	pdu::PduBuilder,
 	utils::{ReadyExt, stream::BroadbandExt},
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use ruma::{
 	OwnedRoomId, OwnedUserId, UserId,
 	api::client::{
 		account::{
 			ThirdPartyIdRemovalStatus, change_password, check_registration_token_validity,
 			deactivate, get_username_availability, request_password_change_token_via_email,
 			whoami,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
 	events::{
 		StateEventType,
 		room::{
 			member::{MembershipState, RoomMemberEventContent},
 			power_levels::{RoomPowerLevels, RoomPowerLevelsEventContent},
 		},
 	},
 };
 use service::{mailer::messages, uiaa::Identity};
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 pub(crate) mod register;
 pub(crate) mod threepid;
 /// # `GET /_matrix/client/v3/register/available`
 ///
 /// Checks if a username is valid and available on this server.
 ///
 /// Conditions for returning true:
 /// - The user id is not historical
 /// - The server name of the user id matches this server
 /// - No user or appservice on this server already claimed this username
 ///
 /// Note: This will not reserve the username, so the username might become
 /// invalid when trying to register
 #[tracing::instrument(skip_all, fields(%client), name = "register_available", level = "info")]
 pub(crate) async fn get_register_available_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<get_username_availability::v3::Request>,
 ) -> Result<get_username_availability::v3::Response> {
 	// Validate user id
 	let user_id =
 		match UserId::parse_with_server_name(&body.username, services.globals.server_name()) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					return Err!(Request(InvalidUsername(debug_warn!(
 						"Username {} contains disallowed characters or spaces: {e}",
 						body.username
 					))));
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {} is not valid: {e}",
 					body.username
 				))));
 			},
 		};
 	// Check if username is creative enough
 	if services.users.exists(&user_id).await {
 		return Err!(Request(UserInUse("User ID is not available.")));
 	}
 	if let Some(ref info) = body.appservice_info {
 		if !info.is_user_match(&user_id) {
 			return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
 		}
 	}
 	if services.appservice.is_exclusive_user_id(&user_id).await {
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	Ok(get_username_availability::v3::Response { available: true })
 }
 /// # `POST /_matrix/client/r0/account/password`
 ///
 /// Changes the password of this account.
 ///
 /// - Requires UIAA to verify user password
 /// - Changes the password of the sender user
 /// - The password hash is calculated using argon2 with 32 character salt, the
 ///   plain password is
 /// not saved
 ///
 /// If logout_devices is true it does the following for each device except the
 /// sender device:
 /// - Invalidates access token
 /// - Deletes device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets to-device events
 /// - Triggers device list updates
 #[tracing::instrument(skip_all, fields(%client), name = "change_password", level = "info")]
 pub(crate) async fn change_password_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<change_password::v3::Request>,
 ) -> Result<change_password::v3::Response> {
 	let identity = if let Some(ref user_id) = body.sender_user {
 		// A signed-in user is trying to change their password, prompt them for their
 		// existing one
 		services
 			.uiaa
 			.authenticate(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::Password])],
 				Box::default(),
 				Some(Identity::from_user_id(user_id)),
 			)
 			.await?
 	} else {
 		// A signed-out user is trying to reset their password, prompt them for email
 		// confirmation. Note that we do not _send_ an email here, their client should
 		// have already hit `/account/password/requestToken` to send the email. We
 		// just validate it.
 		services
 			.uiaa
 			.authenticate(
 				&body.auth,
 				vec![AuthFlow::new(vec![AuthType::EmailIdentity])],
 				Box::default(),
 				None,
 			)
 			.await?
 	};
 	let sender_user = OwnedUserId::parse(format!(
 		"@{}:{}",
 		identity.localpart.expect("localpart should be known"),
 		services.globals.server_name()
 	))
 	.expect("user ID should be valid");
 	services
 		.users
 		.set_password(&sender_user, Some(&body.new_password))
 		.await?;
 	if body.logout_devices {
 		// Logout all devices except the current one
 		services
 			.users
 			.all_device_ids(&sender_user)
 			.ready_filter(|id| *id != body.sender_device())
 			.for_each(|id| services.users.remove_device(&sender_user, id))
 			.await;
 		// Remove all pushers except the ones associated with this session
 		services
 			.pusher
 			.get_pushkeys(&sender_user)
 			.map(ToOwned::to_owned)
 			.broad_filter_map(async |pushkey| {
 				services
 					.pusher
 					.get_pusher_device(&pushkey)
 					.await
 					.ok()
 					.filter(|pusher_device| pusher_device != body.sender_device())
 					.is_some()
 					.then_some(pushkey)
 			})
 			.for_each(async |pushkey| {
 				services.pusher.delete_pusher(&sender_user, &pushkey).await;
 			})
 			.await;
 	}
 	info!("User {} changed their password.", &sender_user);
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {} changed their password.", &sender_user))
 			.await;
 	}
 	Ok(change_password::v3::Response {})
 }
 /// # `POST /_matrix/client/v3/account/password/email/requestToken`
 ///
 /// Requests a validation email for the purpose of resetting a user's password.
 pub(crate) async fn request_password_change_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_password_change_token_via_email::v3::Request>,
 ) -> Result<request_password_change_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	let Some(localpart) = services.threepid.get_localpart_for_email(&email).await else {
 		return Err!(Request(ThreepidNotFound(
 			"No account is associated with this email address"
 		)));
 	};
 	let user_id =
 		OwnedUserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
 	let display_name = services.users.displayname(&user_id).await.ok();
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(display_name.clone(), email),
 			|verification_link| messages::PasswordReset {
 				display_name: display_name.as_deref(),
 				user_id: &user_id,
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_password_change_token_via_email::v3::Response::new(session))
 }
 /// # `GET /_matrix/client/v3/account/whoami`
 ///
 /// Get `user_id` of the sender user.
 ///
 /// Note: Also works for Application Services
 pub(crate) async fn whoami_route(
 	State(services): State<crate::State>,
 	body: Ruma<whoami::v3::Request>,
 ) -> Result<whoami::v3::Response> {
 	let is_guest = services
 		.users
 		.is_deactivated(body.sender_user())
 		.await
 		.map_err(|_| {
 			err!(Request(Forbidden("Application service has not registered this user.")))
 		})? && body.appservice_info.is_none();
 	Ok(whoami::v3::Response {
 		user_id: body.sender_user().to_owned(),
 		device_id: body.sender_device.clone(),
 		is_guest,
 	})
 }
 /// # `POST /_matrix/client/r0/account/deactivate`
 ///
 /// Deactivate sender user account.
 ///
 /// - Leaves all rooms and rejects all invitations
 /// - Invalidates all access tokens
 /// - Deletes all device metadata (device id, device display name, last seen ip,
 ///   last seen ts)
 /// - Forgets all to-device events
 /// - Triggers device list updates
 /// - Removes ability to log in again
 #[tracing::instrument(skip_all, fields(%client), name = "deactivate", level = "info")]
 pub(crate) async fn deactivate_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<deactivate::v3::Request>,
 ) -> Result<deactivate::v3::Response> {
 	// Authentication for this endpoint is technically optional,
 	// but we require the user to be logged in
 	let sender_user = body
 		.sender_user
 		.as_ref()
 		.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
 	// Prompt the user to confirm with their password using UIAA
 	let _ = services
 		.uiaa
 		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 	// Remove profile pictures and display name
 	let all_joined_rooms: Vec<OwnedRoomId> = services
 		.rooms
 		.state_cache
 		.rooms_joined(sender_user)
 		.map(Into::into)
 		.collect()
 		.await;
 	full_user_deactivate(&services, sender_user, &all_joined_rooms)
 		.boxed()
 		.await?;
 	info!("User {sender_user} deactivated their account.");
 	if services.server.config.admin_room_notices {
 		services
 			.admin
 			.notice(&format!("User {sender_user} deactivated their account."))
 			.await;
 	}
 	Ok(deactivate::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
 	})
 }
 /// # `GET /_matrix/client/v1/register/m.login.registration_token/validity`
 ///
 /// Checks if the provided registration token is valid at the time of checking.
 pub(crate) async fn check_registration_token_validity(
 	State(services): State<crate::State>,
 	body: Ruma<check_registration_token_validity::v1::Request>,
 ) -> Result<check_registration_token_validity::v1::Response> {
 	// TODO: ratelimit this pretty heavily
 	let valid = services
 		.registration_tokens
 		.validate_token(body.token.clone())
 		.await
 		.is_some();
 	Ok(check_registration_token_validity::v1::Response { valid })
 }
 /// Runs through all the deactivation steps:
 ///
 /// - Mark as deactivated
 /// - Removing display name
 /// - Removing avatar URL and blurhash
 /// - Removing all profile data
 /// - Leaving all rooms (and forgets all of them)
 pub async fn full_user_deactivate(
 	services: &Services,
 	user_id: &UserId,
 	all_joined_rooms: &[OwnedRoomId],
 ) -> Result<()> {
 	services.users.deactivate_account(user_id).await.ok();
 	if services.globals.user_is_local(user_id) {
 		let _ = services
 			.threepid
 			.disassociate_localpart_email(user_id.localpart())
 			.await;
 	}
 	services
 		.users
 		.all_profile_keys(user_id)
 		.ready_for_each(|(profile_key, _)| {
 			services.users.set_profile_key(user_id, &profile_key, None);
 		})
 		.await;
 	// TODO: Rescind all user invites
 	let mut pdu_queue: Vec<(PduBuilder, &OwnedRoomId)> = Vec::new();
 	for room_id in all_joined_rooms {
 		let room_power_levels = services
 			.rooms
 			.state_accessor
 			.room_state_get_content::<RoomPowerLevelsEventContent>(
 				room_id,
 				&StateEventType::RoomPowerLevels,
 				"",
 			)
 			.await
 			.ok();
 		let user_can_demote_self =
 			room_power_levels
 				.as_ref()
 				.is_some_and(|power_levels_content| {
 					RoomPowerLevels::from(power_levels_content.clone())
 						.user_can_change_user_power_level(user_id, user_id)
 				}) || services
 				.rooms
 				.state_accessor
 				.room_state_get(room_id, &StateEventType::RoomCreate, "")
 				.await
 				.is_ok_and(|event| event.sender() == user_id);
 		if user_can_demote_self {
 			let mut power_levels_content = room_power_levels.unwrap_or_default();
 			power_levels_content.users.remove(user_id);
 			let pl_evt = PduBuilder::state(String::new(), &power_levels_content);
 			pdu_queue.push((pl_evt, room_id));
 		}
 		// Leave the room
 		pdu_queue.push((
 			PduBuilder::state(user_id.to_string(), &RoomMemberEventContent {
 				avatar_url: None,
 				blurhash: None,
 				membership: MembershipState::Leave,
 				displayname: None,
 				join_authorized_via_users_server: None,
 				reason: None,
 				is_direct: None,
 				third_party_invite: None,
 				redact_events: None,
 			}),
 			room_id,
 		));
 		// TODO: Redact all messages sent by the user in the room
 	}
 	super::update_all_rooms(services, pdu_queue, user_id).await;
 	for room_id in all_joined_rooms {
 		services.rooms.state_cache.forget(room_id, user_id);
 	}
 	Ok(())
 }
@@ -0,0 +1,601 @@
 use std::{collections::HashMap, fmt::Write};
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Result, debug_info, error, info,
 	utils::{self},
 	warn,
 };
 use conduwuit_service::Services;
 use futures::{FutureExt, StreamExt};
 use lettre::{Address, message::Mailbox};
 use register::RegistrationKind;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
 		account::{
 			register::{self, LoginType},
 			request_registration_token_via_email,
 		},
 		uiaa::{AuthFlow, AuthType},
 	},
 	events::{GlobalAccountDataEventType, room::message::RoomMessageEventContent},
 	push,
 };
 use serde_json::value::RawValue;
 use service::mailer::messages;
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH, join_room_by_id_helper};
 use crate::Ruma;
 const RANDOM_USER_ID_LENGTH: usize = 10;
 /// # `POST /_matrix/client/v3/register`
 ///
 /// Register an account on this homeserver.
 ///
 /// You can use [`GET
 /// /_matrix/client/v3/register/available`](fn.get_register_available_route.
 /// html) to check if the user id is valid and available.
 ///
 /// - Only works if registration is enabled
 /// - If type is guest: ignores all parameters except
 ///   initial_device_display_name
 /// - If sender is not appservice: Requires UIAA (but we only use a dummy stage)
 /// - If type is not guest and no username is given: Always fails after UIAA
 ///   check
 /// - Creates a new account and populates it with default account data
 /// - If `inhibit_login` is false: Creates a device and returns device id and
 ///   access_token
 #[allow(clippy::doc_markdown)]
 #[tracing::instrument(skip_all, fields(%client), name = "register", level = "info")]
 pub(crate) async fn register_route(
 	State(services): State<crate::State>,
 	InsecureClientIp(client): InsecureClientIp,
 	body: Ruma<register::v3::Request>,
 ) -> Result<register::v3::Response> {
 	let is_guest = body.kind == RegistrationKind::Guest;
 	let emergency_mode_enabled = services.config.emergency_password.is_some();
 	// Allow registration if it's enabled in the config file or if this is the first
 	// run (so the first user account can be created)
 	let allow_registration =
 		services.config.allow_registration || services.firstrun.is_first_run();
 	if !allow_registration && body.appservice_info.is_none() {
 		match (body.username.as_ref(), body.initial_device_display_name.as_ref()) {
 			| (Some(username), Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					user = %username,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (Some(username), _) => {
 				info!(
 					%is_guest,
 					user = %username,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (_, Some(device_display_name)) => {
 				info!(
 					%is_guest,
 					device_name = %device_display_name,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 			| (None, _) => {
 				info!(
 					%is_guest,
 					"Rejecting registration attempt as registration is disabled"
 				);
 			},
 		}
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	if is_guest && !services.config.allow_guest_registration {
 		info!(
 			"Guest registration disabled, rejecting guest registration attempt, initial device \
 			 name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(GuestAccessForbidden("Guest registration is disabled.")));
 	}
 	// forbid guests from registering if there is not a real admin user yet. give
 	// generic user error.
 	if is_guest && services.firstrun.is_first_run() {
 		warn!(
 			"Guest account attempted to register before a real admin user has been registered, \
 			 rejecting registration. Guest's initial device name: \"{}\"",
 			body.initial_device_display_name.as_deref().unwrap_or("")
 		);
 		return Err!(Request(Forbidden(
 			"This server is not accepting registrations at this time."
 		)));
 	}
 	// Appeservices and guests get to skip auth
 	let skip_auth = body.appservice_info.is_some() || is_guest;
 	let identity = if skip_auth {
 		// Appservices and guests have no identity
 		None
 	} else {
 		// Perform UIAA to determine the user's identity
 		let (flows, params) = create_registration_uiaa_session(&services).await?;
 		Some(
 			services
 				.uiaa
 				.authenticate(&body.auth, flows, params, None)
 				.await?,
 		)
 	};
 	// If the user didn't supply a username but did supply an email, use
 	// the email's user as their initial localpart to avoid falling back to
 	// a randomly generated localpart
 	let supplied_username = body.username.clone().or_else(|| {
 		if let Some(identity) = &identity
 			&& let Some(email) = &identity.email
 		{
 			Some(email.user().to_owned())
 		} else {
 			None
 		}
 	});
 	let user_id = determine_registration_user_id(
 		&services,
 		supplied_username,
 		is_guest,
 		emergency_mode_enabled,
 	)
 	.await?;
 	if body.body.login_type == Some(LoginType::ApplicationService) {
 		// For appservice logins, make sure that the user ID is in the appservice's
 		// namespace
 		match body.appservice_info {
 			| Some(ref info) =>
 				if !info.is_user_match(&user_id) && !emergency_mode_enabled {
 					return Err!(Request(Exclusive(
 						"Username is not in an appservice namespace."
 					)));
 				},
 			| _ => {
 				return Err!(Request(MissingToken("Missing appservice token.")));
 			},
 		}
 	} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
 	{
 		// For non-appservice logins, ban user IDs which are in an appservice's
 		// namespace (unless emergency mode is enabled)
 		return Err!(Request(Exclusive("Username is reserved by an appservice.")));
 	}
 	let password = if is_guest { None } else { body.password.as_deref() };
 	// Create user
 	services.users.create(&user_id, password, None).await?;
 	// Set an initial display name
 	let mut displayname = user_id.localpart().to_owned();
 	// Apply the new user displayname suffix, if it's set
 	if !services.globals.new_user_displayname_suffix().is_empty()
 		&& body.appservice_info.is_none()
 	{
 		write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
 	}
 	services
 		.users
 		.set_displayname(&user_id, Some(displayname.clone()));
 	// Initial account data
 	services
 		.account_data
 		.update(
 			None,
 			&user_id,
 			GlobalAccountDataEventType::PushRules.to_string().into(),
 			&serde_json::to_value(ruma::events::push_rules::PushRulesEvent {
 				content: ruma::events::push_rules::PushRulesEventContent {
 					global: push::Ruleset::server_default(&user_id),
 				},
 			})?,
 		)
 		.await?;
 	// Generate new device id if the user didn't specify one
 	let no_device = body.inhibit_login
 		|| body
 			.appservice_info
 			.as_ref()
 			.is_some_and(|aps| aps.registration.device_management);
 	let (token, device) = if !no_device {
 		// Don't create a device for inhibited logins
 		let device_id = if is_guest { None } else { body.device_id.clone() }
 			.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
 		// Generate new token for the device
 		let new_token = utils::random_string(TOKEN_LENGTH);
 		// Create device for this account
 		services
 			.users
 			.create_device(
 				&user_id,
 				&device_id,
 				&new_token,
 				body.initial_device_display_name.clone(),
 				Some(client.to_string()),
 			)
 			.await?;
 		debug_info!(%user_id, %device_id, "User account was created");
 		(Some(new_token), Some(device_id))
 	} else {
 		(None, None)
 	};
 	// If the user registered with an email, associate it with their account.
 	if let Some(identity) = identity
 		&& let Some(email) = identity.email
 	{
 		// This may fail if the email is already in use, but we already check for that
 		// in `/requestToken`, so ignoring the error is acceptable here in the rare case
 		// that an email is sniped by another user between the `/requestToken` request
 		// and the `/register` request.
 		let _ = services
 			.threepid
 			.associate_localpart_email(user_id.localpart(), &email)
 			.await;
 	}
 	let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
 	// log in conduit admin channel if a non-guest user registered
 	if body.appservice_info.is_none() && !is_guest {
 		if !device_display_name.is_empty() {
 			let notice = format!(
 				"New user \"{user_id}\" registered on this server from IP {client} and device \
 				 display name \"{device_display_name}\""
 			);
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		} else {
 			let notice = format!("New user \"{user_id}\" registered on this server.");
 			info!("{notice}");
 			if services.server.config.admin_room_notices {
 				services.admin.notice(&notice).await;
 			}
 		}
 	}
 	// log in conduit admin channel if a guest registered
 	if body.appservice_info.is_none() && is_guest && services.config.log_guest_registrations {
 		debug_info!("New guest user \"{user_id}\" registered on this server.");
 		if !device_display_name.is_empty() {
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with device display name \
 						 \"{device_display_name}\" registered on this server from IP {client}"
 					))
 					.await;
 			}
 		} else {
 			#[allow(clippy::collapsible_else_if)]
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.notice(&format!(
 						"Guest user \"{user_id}\" with no device display name registered on \
 						 this server from IP {client}",
 					))
 					.await;
 			}
 		}
 	}
 	if !is_guest {
 		// Make the first user to register an administrator and disable first-run mode.
 		let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
 		// If the registering user was not the first and we're suspending users on
 		// register, suspend them.
 		if !was_first_user && services.config.suspend_on_register {
 			// Note that we can still do auto joins for suspended users
 			services
 				.users
 				.suspend_account(&user_id, &services.globals.server_user)
 				.await;
 			// And send an @room notice to the admin room, to prompt admins to review the
 			// new user and ideally unsuspend them if deemed appropriate.
 			if services.server.config.admin_room_notices {
 				services
 					.admin
 					.send_loud_message(RoomMessageEventContent::text_plain(format!(
 						"User {user_id} has been suspended as they are not the first user on \
 						 this server. Please review and unsuspend them if appropriate."
 					)))
 					.await
 					.ok();
 			}
 		}
 	}
 	if body.appservice_info.is_none()
 		&& !services.server.config.auto_join_rooms.is_empty()
 		&& (services.config.allow_guests_auto_join_rooms || !is_guest)
 	{
 		for room in &services.server.config.auto_join_rooms {
 			let Ok(room_id) = services.rooms.alias.resolve(room).await else {
 				error!(
 					"Failed to resolve room alias to room ID when attempting to auto join \
 					 {room}, skipping"
 				);
 				continue;
 			};
 			if !services
 				.rooms
 				.state_cache
 				.server_in_room(services.globals.server_name(), &room_id)
 				.await
 			{
 				warn!(
 					"Skipping room {room} to automatically join as we have never joined before."
 				);
 				continue;
 			}
 			if let Some(room_server_name) = room.server_name() {
 				match join_room_by_id_helper(
 					&services,
 					&user_id,
 					&room_id,
 					Some("Automatically joining this room upon registration".to_owned()),
 					&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
 					&body.appservice_info,
 				)
 				.boxed()
 				.await
 				{
 					| Err(e) => {
 						// don't return this error so we don't fail registrations
 						error!(
 							"Failed to automatically join room {room} for user {user_id}: {e}"
 						);
 					},
 					| _ => {
 						info!("Automatically joined room {room} for user {user_id}");
 					},
 				}
 			}
 		}
 	}
 	Ok(register::v3::Response {
 		access_token: token,
 		user_id,
 		device_id: device,
 		refresh_token: None,
 		expires_in: None,
 	})
 }
 /// Determine which flows and parameters should be presented when
 /// registering a new account.
 async fn create_registration_uiaa_session(
 	services: &Services,
 ) -> Result<(Vec<AuthFlow>, Box<RawValue>)> {
 	let mut params = HashMap::<String, serde_json::Value>::new();
 	let flows = if services.firstrun.is_first_run() {
 		// Registration token forced while in first-run mode
 		vec![AuthFlow::new(vec![AuthType::RegistrationToken])]
 	} else {
 		let mut flows = vec![];
 		if services
 			.registration_tokens
 			.iterate_tokens()
 			.next()
 			.await
 			.is_some()
 		{
 			// Trusted registration flow with a token is available
 			let mut token_flow = AuthFlow::new(vec![AuthType::RegistrationToken]);
 			if let Some(smtp) = &services.config.smtp
 				&& smtp.require_email_for_token_registration
 			{
 				// Email is required for token registrations
 				token_flow.stages.push(AuthType::EmailIdentity);
 			}
 			flows.push(token_flow);
 		}
 		let mut untrusted_flow = AuthFlow::default();
 		if services.config.recaptcha_private_site_key.is_some() {
 			if let Some(pubkey) = &services.config.recaptcha_site_key {
 				// ReCaptcha is configured for untrusted registrations
 				untrusted_flow.stages.push(AuthType::ReCaptcha);
 				params.insert(
 					AuthType::ReCaptcha.as_str().to_owned(),
 					serde_json::json!({
 						"public_key": pubkey,
 					}),
 				);
 			}
 		}
 		if let Some(smtp) = &services.config.smtp
 			&& smtp.require_email_for_registration
 		{
 			// Email is required for untrusted registrations
 			untrusted_flow.stages.push(AuthType::EmailIdentity);
 		}
 		if !untrusted_flow.stages.is_empty() {
 			flows.push(untrusted_flow);
 		}
 		if flows.is_empty() {
 			// No flows are configured. Bail out by default
 			// unless open registration was explicitly enabled.
 			if !services
 				.config
 				.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
 			{
 				return Err!(Request(Forbidden(
 					"This server is not accepting registrations at this time."
 				)));
 			}
 			// We have open registration enabled (😧), provide a dummy flow
 			flows.push(AuthFlow::new(vec![AuthType::Dummy]));
 		}
 		flows
 	};
 	let params = serde_json::value::to_raw_value(&params).expect("params should be valid JSON");
 	Ok((flows, params))
 }
 async fn determine_registration_user_id(
 	services: &Services,
 	supplied_username: Option<String>,
 	is_guest: bool,
 	emergency_mode_enabled: bool,
 ) -> Result<OwnedUserId> {
 	if let Some(supplied_username) = supplied_username
 		&& !is_guest
 	{
 		// The user gets to pick their username. Do some validation to make sure it's
 		// acceptable.
 		// Don't allow registration with forbidden usernames.
 		if services
 			.globals
 			.forbidden_usernames()
 			.is_match(&supplied_username)
 			&& !emergency_mode_enabled
 		{
 			return Err!(Request(Forbidden("Username is forbidden")));
 		}
 		// Create and validate the user ID
 		let user_id = match UserId::parse_with_server_name(
 			&supplied_username,
 			services.globals.server_name(),
 		) {
 			| Ok(user_id) => {
 				if let Err(e) = user_id.validate_strict() {
 					// Unless we are in emergency mode, we should follow synapse's behaviour on
 					// not allowing things like spaces and UTF-8 characters in usernames
 					if !emergency_mode_enabled {
 						return Err!(Request(InvalidUsername(debug_warn!(
 							"Username {supplied_username} contains disallowed characters or \
 							 spaces: {e}"
 						))));
 					}
 				}
 				// Don't allow registration with user IDs that aren't local
 				if !services.globals.user_is_local(&user_id) {
 					return Err!(Request(InvalidUsername(
 						"Username {supplied_username} is not local to this server"
 					)));
 				}
 				user_id
 			},
 			| Err(e) => {
 				return Err!(Request(InvalidUsername(debug_warn!(
 					"Username {supplied_username} is not valid: {e}"
 				))));
 			},
 		};
 		if services.users.exists(&user_id).await {
 			return Err!(Request(UserInUse("User ID is not available.")));
 		}
 		Ok(user_id)
 	} else {
 		// The user is a guest or didn't specify a username. Generate a username for
 		// them.
 		loop {
 			let user_id = UserId::parse_with_server_name(
 				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
 				services.globals.server_name(),
 			)
 			.unwrap();
 			if !services.users.exists(&user_id).await {
 				break Ok(user_id);
 			}
 		}
 	}
 }
 /// # `POST /_matrix/client/v3/register/email/requestToken`
 ///
 /// Requests a validation email for the purpose of registering a new account.
 pub(crate) async fn request_registration_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_registration_token_via_email::v3::Request>,
 ) -> Result<request_registration_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	if services
 		.threepid
 		.get_localpart_for_email(&email)
 		.await
 		.is_some()
 	{
 		return Err!(Request(ThreepidInUse("This email address is already in use.")));
 	}
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(None, email),
 			|verification_link| messages::NewAccount {
 				server_name: services.config.server_name.as_ref(),
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_registration_token_via_email::v3::Response::new(session))
 }
@@ -0,0 +1,153 @@
 use std::time::SystemTime;
 use axum::extract::State;
 use conduwuit::{Err, Result, err};
 use lettre::{Address, message::Mailbox};
 use ruma::{
 	MilliSecondsSinceUnixEpoch,
 	api::client::account::{
 		ThirdPartyIdRemovalStatus, add_3pid, delete_3pid, get_3pids,
 		request_3pid_management_token_via_email, request_3pid_management_token_via_msisdn,
 	},
 	thirdparty::{Medium, ThirdPartyIdentifierInit},
 };
 use service::{mailer::messages, uiaa::Identity};
 use crate::Ruma;
 /// # `GET _matrix/client/v3/account/3pid`
 ///
 /// Get a list of third party identifiers associated with this account.
 pub(crate) async fn third_party_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_3pids::v3::Request>,
 ) -> Result<get_3pids::v3::Response> {
 	let sender_user = body.sender_user();
 	let mut threepids = vec![];
 	if let Some(email) = services
 		.threepid
 		.get_email_for_localpart(sender_user.localpart())
 		.await
 	{
 		threepids.push(
 			ThirdPartyIdentifierInit {
 				address: email.to_string(),
 				medium: Medium::Email,
 				// We don't currently track these, and they aren't used for much
 				validated_at: MilliSecondsSinceUnixEpoch::now(),
 				added_at: MilliSecondsSinceUnixEpoch::from_system_time(SystemTime::UNIX_EPOCH)
 					.unwrap(),
 			}
 			.into(),
 		);
 	}
 	Ok(get_3pids::v3::Response::new(threepids))
 }
 /// # `POST /_matrix/client/v3/account/3pid/email/requestToken`
 ///
 /// Requests a validation email for the purpose of changing an account's email.
 pub(crate) async fn request_3pid_management_token_via_email_route(
 	State(services): State<crate::State>,
 	body: Ruma<request_3pid_management_token_via_email::v3::Request>,
 ) -> Result<request_3pid_management_token_via_email::v3::Response> {
 	let Ok(email) = Address::try_from(body.email.clone()) else {
 		return Err!(Request(InvalidParam("Invalid email address.")));
 	};
 	if services
 		.threepid
 		.get_localpart_for_email(&email)
 		.await
 		.is_some()
 	{
 		return Err!(Request(ThreepidInUse("This email address is already in use.")));
 	}
 	let session = services
 		.threepid
 		.send_validation_email(
 			Mailbox::new(None, email),
 			|verification_link| messages::ChangeEmail {
 				server_name: services.config.server_name.as_str(),
 				user_id: body.sender_user.as_deref(),
 				verification_link,
 			},
 			&body.client_secret,
 			body.send_attempt.try_into().unwrap(),
 		)
 		.await?;
 	Ok(request_3pid_management_token_via_email::v3::Response::new(session))
 }
 /// # `POST /_matrix/client/v3/account/3pid/msisdn/requestToken`
 ///
 /// "This API should be used to request validation tokens when adding an email
 /// address to an account"
 ///
 /// - 403 signals that The homeserver does not allow the third party identifier
 ///   as a contact option.
 pub(crate) async fn request_3pid_management_token_via_msisdn_route(
 	_body: Ruma<request_3pid_management_token_via_msisdn::v3::Request>,
 ) -> Result<request_3pid_management_token_via_msisdn::v3::Response> {
 	Err!(Request(ThreepidMediumNotSupported(
 		"MSISDN third-party identifiers are not supported."
 	)))
 }
 /// # `POST /_matrix/client/v3/account/3pid/add`
 pub(crate) async fn add_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<add_3pid::v3::Request>,
 ) -> Result<add_3pid::v3::Response> {
 	let sender_user = body.sender_user();
 	// Require password auth to add an email
 	let _ = services
 		.uiaa
 		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
 		.await?;
 	let email = services
 		.threepid
 		.consume_valid_session(&body.sid, &body.client_secret)
 		.await
 		.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
 	services
 		.threepid
 		.associate_localpart_email(sender_user.localpart(), &email)
 		.await?;
 	Ok(add_3pid::v3::Response::new())
 }
 /// # `POST /_matrix/client/v3/account/3pid/delete`
 pub(crate) async fn delete_3pid_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_3pid::v3::Request>,
 ) -> Result<delete_3pid::v3::Response> {
 	let sender_user = body.sender_user();
 	if body.medium != Medium::Email {
 		return Ok(delete_3pid::v3::Response {
 			id_server_unbind_result: ThirdPartyIdRemovalStatus::NoSupport,
 		});
 	}
 	if services
 		.threepid
 		.disassociate_localpart_email(sender_user.localpart())
 		.await
 		.is_none()
 	{
 		return Err!(Request(ThreepidNotFound("Your account has no associated email.")));
 	}
 	Ok(delete_3pid::v3::Response {
 		id_server_unbind_result: ThirdPartyIdRemovalStatus::Success,
 	})
 }
@@ -30,8 +30,10 @@ pub(crate) async fn get_capabilities_route(
 		default: services.server.config.default_room_version.clone(),
 	};
-	// we do not implement 3PID stuff
+	// Only allow 3pid changes if SMTP is configured
-	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability { enabled: false };
+	capabilities.thirdparty_id_changes = ThirdPartyIdChangesCapability {
 		enabled: services.mailer.mailer().is_some(),
 	};
 	capabilities.get_login_token = GetLoginTokenCapability {
 		enabled: services.server.config.login_via_existing_session,
@@ -51,7 +53,7 @@ pub(crate) async fn get_capabilities_route(
 		.await
 	{
 		// Advertise suspension API
-		capabilities.set("uk.timedout.msc4323", json!({"suspend":true, "lock": false}))?;
+		capabilities.set("uk.timedout.msc4323", json!({"suspend": true, "lock": false}))?;
 	}
 	Ok(get_capabilities::v3::Response { capabilities })
@@ -1,17 +1,15 @@
 use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
-use conduwuit::{Err, Error, Result, debug, err, utils};
+use conduwuit::{Err, Result, debug, err, utils};
 use futures::StreamExt;
 use ruma::{
 	MilliSecondsSinceUnixEpoch, OwnedDeviceId,
-	api::client::{
+	api::client::device::{
-		device::{self, delete_device, delete_devices, get_device, get_devices, update_device},
+		self, delete_device, delete_devices, get_device, get_devices, update_device,
 		error::ErrorKind,
 		uiaa::{AuthFlow, AuthType, UiaaInfo},
 	},
 };
 use service::uiaa::Identity;
 use super::SESSION_ID_LENGTH;
 use crate::{Ruma, client::DEVICE_ID_LENGTH};
 /// # `GET /_matrix/client/r0/devices`
@@ -123,7 +121,7 @@ pub(crate) async fn delete_device_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_device::v3::Request>,
 ) -> Result<delete_device::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
 	let appservice = body.appservice_info.as_ref();
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -139,41 +137,11 @@ pub(crate) async fn delete_device_route(
 		return Ok(delete_device::v3::Response {});
 	}
-	// UIAA
+	// Prompt the user to confirm with their password using UIAA
-	let mut uiaainfo = UiaaInfo {
+	let _ = services
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
+		.uiaa
-		completed: Vec::new(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		params: Box::default(),
+		.await?;
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err!(Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err!(Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("Not json.")));
 			},
 		},
 	}
 	services
 		.users
@@ -200,7 +168,7 @@ pub(crate) async fn delete_devices_route(
 	State(services): State<crate::State>,
 	body: Ruma<delete_devices::v3::Request>,
 ) -> Result<delete_devices::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
 	let appservice = body.appservice_info.as_ref();
 	if appservice.is_some_and(|appservice| appservice.registration.device_management) {
@@ -215,41 +183,11 @@ pub(crate) async fn delete_devices_route(
 		return Ok(delete_devices::v3::Response {});
 	}
-	// UIAA
+	// Prompt the user to confirm with their password using UIAA
-	let mut uiaainfo = UiaaInfo {
+	let _ = services
-		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
+		.uiaa
-		completed: Vec::new(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		params: Box::default(),
+		.await?;
 		session: None,
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body {
 			| Some(ref json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
 			},
 		},
 	}
 	for device_id in &body.devices {
 		services.users.remove_device(sender_user, device_id).await;
@@ -7,7 +7,6 @@ use axum::extract::State;
 use conduwuit::{
 	Err, Error, Result, debug, debug_warn, err,
 	result::NotFound,
 	utils,
 	utils::{IterStream, stream::WidebandExt},
 };
 use conduwuit_service::{Services, users::parse_master_key};
@@ -22,7 +21,6 @@ use ruma::{
 				upload_signatures::{self},
 				upload_signing_keys,
 			},
 			uiaa::{AuthFlow, AuthType, UiaaInfo},
 		},
 		federation,
 	},
@@ -30,8 +28,8 @@ use ruma::{
 	serde::Raw,
 };
 use serde_json::json;
 use service::uiaa::Identity;
 use super::SESSION_ID_LENGTH;
 use crate::Ruma;
 /// # `POST /_matrix/client/r0/keys/upload`
@@ -174,16 +172,7 @@ pub(crate) async fn upload_signing_keys_route(
 	State(services): State<crate::State>,
 	body: Ruma<upload_signing_keys::v3::Request>,
 ) -> Result<upload_signing_keys::v3::Response> {
-	let (sender_user, sender_device) = body.sender();
+	let sender_user = body.sender_user();
 	// UIAA
 	let mut uiaainfo = UiaaInfo {
 		flows: vec![AuthFlow { stages: vec![AuthType::Password] }],
 		completed: Vec::new(),
 		params: Box::default(),
 		session: None,
 		auth_error: None,
 	};
 	match check_for_new_keys(
 		services,
@@ -207,32 +196,10 @@ pub(crate) async fn upload_signing_keys_route(
 			// Some of the keys weren't found, so we let them upload
 		},
 		| _ => {
-			match &body.auth {
+			let _ = services
-				| Some(auth) => {
+				.uiaa
-					let (worked, uiaainfo) = services
+				.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-						.uiaa
+				.await?;
 						.try_auth(sender_user, sender_device, auth, &uiaainfo)
 						.await?;
 					if !worked {
 						return Err(Error::Uiaa(uiaainfo));
 					}
 					// Success!
 				},
 				| _ => match body.json_body.as_ref() {
 					| Some(json) => {
 						uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 						services
 							.uiaa
 							.create(sender_user, sender_device, &uiaainfo, json);
 						return Err(Error::Uiaa(uiaainfo));
 					},
 					| _ => {
 						return Err(Error::BadRequest(ErrorKind::NotJson, "Not json."));
 					},
 				},
 			}
 		},
 	}
@@ -92,6 +92,3 @@ const DEVICE_ID_LENGTH: usize = 10;
 /// generated user access token length
 const TOKEN_LENGTH: usize = 32;
 /// generated user session ID length
 const SESSION_ID_LENGTH: usize = service::uiaa::SESSION_ID_LENGTH;
@@ -8,8 +8,9 @@ use conduwuit::{
 	warn,
 };
 use conduwuit_core::{debug_error, debug_warn};
-use conduwuit_service::{Services, uiaa::SESSION_ID_LENGTH};
+use conduwuit_service::Services;
 use futures::StreamExt;
 use lettre::Address;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
@@ -26,9 +27,10 @@ use ruma::{
 			},
 			logout, logout_all,
 		},
-		uiaa,
+		uiaa::UserIdentifier,
 	},
 };
 use service::uiaa::Identity;
 use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
 use crate::Ruma;
@@ -80,7 +82,7 @@ pub(crate) async fn password_login(
 			.password_hash(lowercased_user_id)
 			.await
 			.map(|hash| (hash, lowercased_user_id))
-			.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?,
+			.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?,
 	};
 	if hash.is_empty() {
@@ -89,7 +91,7 @@ pub(crate) async fn password_login(
 	hash::verify_password(password, &hash)
 		.inspect_err(|e| debug_error!("{e}"))
-		.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
+		.map_err(|_| err!(Request(Forbidden("Invalid identifier or password."))))?;
 	Ok(user_id.to_owned())
 }
@@ -161,28 +163,38 @@ pub(super) async fn ldap_login(
 pub(crate) async fn handle_login(
 	services: &Services,
-	body: &Ruma<login::v3::Request>,
+	identifier: Option<&UserIdentifier>,
 	identifier: Option<&uiaa::UserIdentifier>,
 	password: &str,
 	user: Option<&String>,
 ) -> Result<OwnedUserId> {
 	debug!("Got password login type");
 	let user_id_or_localpart = match (identifier, user) {
 		| (Some(UserIdentifier::UserIdOrLocalpart(localpart)), _) => localpart,
 		| (Some(UserIdentifier::Email { address }), _) => {
 			let email = Address::try_from(address.to_owned())
 				.map_err(|_| err!(Request(InvalidParam("Email is malformed"))))?;
 			&services
 				.threepid
 				.get_localpart_for_email(&email)
 				.await
 				.ok_or_else(|| err!(Request(Forbidden("Invalid identifier or password"))))?
 		},
 		| (None, Some(user)) => user,
 		| _ => {
 			return Err!(Request(InvalidParam("Identifier type not recognized")));
 		},
 	};
 	let user_id =
-				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+		UserId::parse_with_server_name(user_id_or_localpart, &services.config.server_name)
-					UserId::parse_with_server_name(user_id, &services.config.server_name)
+			.map_err(|_| err!(Request(InvalidUsername("User ID is malformed"))))?;
 				} else if let Some(user) = user {
 					UserId::parse_with_server_name(user, &services.config.server_name)
 				} else {
 					return Err!(Request(Unknown(
 						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
 					)));
 				}
 				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
 	let lowercased_user_id = UserId::parse_with_server_name(
 		user_id.localpart().to_lowercase(),
 		&services.config.server_name,
-	)?;
+	)
 	.unwrap();
 	if !services.globals.user_is_local(&user_id)
 		|| !services.globals.user_is_local(&lowercased_user_id)
@@ -244,7 +256,7 @@ pub(crate) async fn login_route(
 			password,
 			user,
 			..
-		}) => handle_login(&services, &body, identifier.as_ref(), password, user.as_ref()).await?,
+		}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
 		| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
 			debug!("Got token login type");
 			if !services.server.config.login_via_existing_session {
@@ -264,7 +276,7 @@ pub(crate) async fn login_route(
 			};
 			let user_id =
-				if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
+				if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
 					UserId::parse_with_server_name(user_id, &services.config.server_name)
 				} else if let Some(user) = user {
 					UserId::parse_with_server_name(user, &services.config.server_name)
@@ -273,7 +285,7 @@ pub(crate) async fn login_route(
 						debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
 					)));
 				}
-				.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
+				.map_err(|_| err!(Request(InvalidUsername(warn!("User ID is malformed")))))?;
 			if !services.globals.user_is_local(&user_id) {
 				return Err!(Request(Unknown("User ID does not belong to this homeserver")));
@@ -370,45 +382,13 @@ pub(crate) async fn login_token_route(
 		return Err!(Request(Forbidden("Login via an existing session is not enabled")));
 	}
-	// This route SHOULD have UIA
+	let sender_user = body.sender_user();
 	// TODO: How do we make only UIA sessions that have not been used before valid?
 	let (sender_user, sender_device) = body.sender();
-	let mut uiaainfo = uiaa::UiaaInfo {
+	// Prompt the user to confirm with their password using UIAA
-		flows: vec![uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] }],
+	let _ = services
-		completed: Vec::new(),
+		.uiaa
-		params: Box::default(),
+		.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
-		session: None,
+		.await?;
 		auth_error: None,
 	};
 	match &body.auth {
 		| Some(auth) => {
 			let (worked, uiaainfo) = services
 				.uiaa
 				.try_auth(sender_user, sender_device, auth, &uiaainfo)
 				.await?;
 			if !worked {
 				return Err(Error::Uiaa(uiaainfo));
 			}
 			// Success!
 		},
 		| _ => match body.json_body.as_ref() {
 			| Some(json) => {
 				uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
 				services
 					.uiaa
 					.create(sender_user, sender_device, &uiaainfo, json);
 				return Err(Error::Uiaa(uiaainfo));
 			},
 			| _ => {
 				return Err!(Request(NotJson("No JSON body was sent when required.")));
 			},
 		},
 	}
 	let login_token = utils::random_string(TOKEN_LENGTH);
 	let expires_in = services.users.create_login_token(sender_user, &login_token);
@@ -28,7 +28,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
        .ruma_route(&client::appservice_ping)
 		.ruma_route(&client::get_supported_versions_route)
 		.ruma_route(&client::get_register_available_route)
-		.ruma_route(&client::register_route)
+		.ruma_route(&client::register::register_route)
 		.ruma_route(&client::register::request_registration_token_via_email_route)
 		.ruma_route(&client::get_login_types_route)
 		.ruma_route(&client::login_route)
 		.ruma_route(&client::login_token_route)
@@ -36,10 +37,13 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
 		.ruma_route(&client::logout_route)
 		.ruma_route(&client::logout_all_route)
 		.ruma_route(&client::change_password_route)
 		.ruma_route(&client::request_password_change_token_via_email_route)
 		.ruma_route(&client::deactivate_route)
-		.ruma_route(&client::third_party_route)
+		.ruma_route(&client::threepid::third_party_route)
-		.ruma_route(&client::request_3pid_management_token_via_email_route)
+		.ruma_route(&client::threepid::request_3pid_management_token_via_email_route)
-		.ruma_route(&client::request_3pid_management_token_via_msisdn_route)
+		.ruma_route(&client::threepid::request_3pid_management_token_via_msisdn_route)
 		.ruma_route(&client::threepid::add_3pid_route)
 		.ruma_route(&client::threepid::delete_3pid_route)
 		.ruma_route(&client::check_registration_token_validity)
 		.ruma_route(&client::get_capabilities_route)
 		.ruma_route(&client::get_pushrules_all_route)
@@ -2,14 +2,13 @@ use std::{mem, ops::Deref};
 use axum::{body::Body, extract::FromRequest};
 use bytes::{BufMut, Bytes, BytesMut};
-use conduwuit::{Error, Result, debug, debug_warn, err, trace, utils::string::EMPTY};
+use conduwuit::{Error, Result, debug, debug_warn, err, trace};
 use ruma::{
 	CanonicalJsonObject, CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedServerName,
 	OwnedUserId, ServerName, UserId, api::IncomingRequest,
 };
 use service::Services;
-use super::{auth, auth::Auth, request, request::Request};
+use super::{auth, request, request::Request};
 use crate::{State, service::appservice::RegistrationInfo};
 /// Extractor for Ruma request structs
@@ -108,7 +107,7 @@ where
 		}
 		let auth = auth::auth(services, &mut request, json_body.as_ref(), &T::METADATA).await?;
 		Ok(Self {
-			body: make_body::<T>(services, &mut request, json_body.as_mut(), &auth)?,
+			body: make_body::<T>(&mut request, json_body.as_mut())?,
 			origin: auth.origin,
 			sender_user: auth.sender_user,
 			sender_device: auth.sender_device,
@@ -118,16 +117,11 @@ where
 	}
 }
-fn make_body<T>(
+fn make_body<T>(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Result<T>
 	services: &Services,
 	request: &mut Request,
 	json_body: Option<&mut CanonicalJsonValue>,
 	auth: &Auth,
 ) -> Result<T>
 where
 	T: IncomingRequest,
 {
-	let body = take_body(services, request, json_body, auth);
+	let body = take_body(request, json_body);
 	let http_request = into_http_request(request, body);
 	T::try_from_http_request(http_request, &request.path)
 		.map_err(|e| err!(Request(BadJson(debug_warn!("{e}")))))
@@ -151,38 +145,11 @@ fn into_http_request(request: &Request, body: Bytes) -> hyper::Request<Bytes> {
 }
 #[allow(clippy::needless_pass_by_value)]
-fn take_body(
+fn take_body(request: &mut Request, json_body: Option<&mut CanonicalJsonValue>) -> Bytes {
 	services: &Services,
 	request: &mut Request,
 	json_body: Option<&mut CanonicalJsonValue>,
 	auth: &Auth,
 ) -> Bytes {
 	let Some(CanonicalJsonValue::Object(json_body)) = json_body else {
 		return mem::take(&mut request.body);
 	};
 	let user_id = auth.sender_user.clone().unwrap_or_else(|| {
 		let server_name = services.globals.server_name();
 		UserId::parse_with_server_name(EMPTY, server_name).expect("valid user_id")
 	});
 	let uiaa_request = json_body
 		.get("auth")
 		.and_then(CanonicalJsonValue::as_object)
 		.and_then(|auth| auth.get("session"))
 		.and_then(CanonicalJsonValue::as_str)
 		.and_then(|session| {
 			services
 				.uiaa
 				.get_uiaa_request(&user_id, auth.sender_device.as_deref(), session)
 		});
 	if let Some(CanonicalJsonValue::Object(initial_request)) = uiaa_request {
 		for (key, value) in initial_request {
 			json_body.entry(key).or_insert(value);
 		}
 	}
 	let mut buf = BytesMut::new().writer();
 	serde_json::to_writer(&mut buf, &json_body).expect("value serialization can't fail");
 	buf.into_inner().freeze()
@@ -84,6 +84,7 @@ libc.workspace = true
 libloading.workspace = true
 libloading.optional = true
 log.workspace = true
 lettre.workspace = true
 num-traits.workspace = true
 rand.workspace = true
 rand_core = { version = "0.6.4", features = ["getrandom"] }
@@ -16,6 +16,7 @@ use either::{
 };
 use figment::providers::{Env, Format, Toml};
 pub use figment::{Figment, value::Value as FigmentValue};
 use lettre::message::Mailbox;
 use regex::RegexSet;
 use ruma::{
 	OwnedRoomId, OwnedRoomOrAliasId, OwnedServerName, OwnedUserId, RoomVersionId,
@@ -756,6 +757,9 @@ pub struct Config {
 	#[serde(default)]
 	pub well_known: WellKnownConfig,
 	/// display: nested
 	pub smtp: Option<SmtpConfig>,
 	/// Enable OpenTelemetry OTLP tracing export. This replaces the deprecated
 	/// Jaeger exporter. Traces will be sent via OTLP to a collector (such as
 	/// Jaeger) that supports the OpenTelemetry Protocol.
@@ -2440,6 +2444,52 @@ pub struct DraupnirConfig {
 	pub secret: String,
 }
 #[derive(Clone, Debug, Deserialize)]
 #[config_example_generator(
 	filename = "conduwuit-example.toml",
 	section = "global.smtp",
 	optional = "true"
 )]
 pub struct SmtpConfig {
 	/// A `smtp://`` URI which will be used to connect to a mail server.
 	/// Uncommenting the [global.smtp] group and setting this option enables
 	/// features which depend on the ability to send email,
 	/// such as self-service password resets.
 	///
 	/// For most modern mail servers, format the URI like this:
 	/// 	`smtps://username:password@hostname:port`
 	/// Note that you will need to URL-encode the username and password. If your
 	/// username _is_ your email address, you will need to replace the `@` with
 	/// `%40`.
 	///
 	/// For a guide on the accepted URI syntax, consult Lettre's documentation:
 	/// https://docs.rs/lettre/latest/lettre/transport/smtp/struct.AsyncSmtpTransport.html#method.from_url
 	pub connection_uri: String,
 	/// The outgoing address which will be used for sending emails.
 	///
 	/// For a syntax guide, see https://datatracker.ietf.org/doc/html/rfc2822#section-3.4
 	///
 	/// ...or if you don't want to read the RFC, for some reason:
 	/// - `Name <address@domain.org>` to specify a sender name
 	/// - `address@domain.org` to not use a name
 	pub sender: Mailbox,
 	/// Whether to require that users provide an email address when they
 	/// register.
 	///
 	/// default: false
 	#[serde(default)]
 	pub require_email_for_registration: bool,
 	/// Whether to require that users who register with a registration token
 	/// provide an email address.
 	///
 	/// default: false
 	#[serde(default)]
 	pub require_email_for_token_registration: bool,
 }
 const DEPRECATED_KEYS: &[&str] = &[
 	"cache_capacity",
 	"conduit_cache_capacity_modifier",
@@ -415,13 +415,6 @@ impl<'a, 'de: 'a> de::Deserializer<'de> for &'a mut Deserializer<'de> {
 		tracing::instrument(level = "trace", skip_all, fields(?self.buf))
 	)]
 	fn deserialize_any<V: Visitor<'de>>(self, visitor: V) -> Result<V::Value> {
 		debug_assert_eq!(
 			conduwuit::debug::type_name::<V>(),
 			"serde_json::value::de::<impl serde_core::de::Deserialize for \
 			 serde_json::value::Value>::deserialize::ValueVisitor",
 			"deserialize_any: type not expected"
 		);
 		match self.record_peek_byte() {
 			| Some(b'{') => self.deserialize_map(visitor),
 			| Some(b'[') => serde_json::Deserializer::from_slice(self.record_next())
@@ -53,6 +53,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "disabledroomids",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "email_localpart",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "eventid_outlierpdu",
 		cache_disp: CacheDisp::SharedWith("pduid_pdu"),
@@ -100,6 +104,10 @@ pub(super) static MAPS: &[Descriptor] = &[
 		name: "lazyloadedids",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "localpart_email",
 		..descriptor::RANDOM_SMALL
 	},
 	Descriptor {
 		name: "mediaid_file",
 		..descriptor::RANDOM_SMALL
@@ -91,6 +91,7 @@ conduwuit-database.workspace = true
 const-str.workspace = true
 either.workspace = true
 futures.workspace = true
 governor.workspace = true
 hickory-resolver.workspace = true
 http.workspace = true
 image.workspace = true
@@ -102,6 +103,7 @@ ldap3.optional = true
 log.workspace = true
 loole.workspace = true
 lru-cache.workspace = true
 nonzero_ext.workspace = true
 rand.workspace = true
 regex.workspace = true
 reqwest.workspace = true
@@ -123,6 +125,7 @@ blurhash.workspace = true
 blurhash.optional = true
 recaptcha-verify = { version = "0.2.0", default-features = false }
 yansi.workspace = true
 lettre.workspace = true
 [target.'cfg(all(unix, target_os = "linux"))'.dependencies]
 sd-notify.workspace = true
@@ -122,7 +122,7 @@ impl Service {
 	/// if they were not.
 	pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
 		#[derive(Template)]
-		#[template(path = "welcome.md.j2")]
+		#[template(path = "welcome.md")]
 		struct WelcomeMessage<'a> {
 			config: &'a Dep<config::Service>,
 			domain: &'a str,
@@ -228,19 +228,34 @@ impl Service {
 				);
 			},
 		}
 		if self.services.config.suspend_on_register {
 			eprintln!(
 				"{} Accounts created after yours will be suspended, as set in your \
 				 configuration.",
 				"Your account will not be suspended when you register.".green()
 			);
 		}
 		if let Some(smtp) = &self.services.config.smtp {
 			if smtp.require_email_for_registration || smtp.require_email_for_token_registration {
 				eprintln!(
 					"{} Accounts created after yours may be required to provide an email \
 					 address, as set in your configuration.",
 					"You will not be asked for your email address when you register.".yellow(),
 				);
 			}
 			eprintln!(
 				"If you wish to associate an email address with your account, you may do so \
 				 after registration in your client's settings (if supported)."
 			);
 		}
 		eprintln!(
 			"{} https://matrix.org/ecosystem/clients/",
 			"Find a list of Matrix clients here:".bold()
 		);
 		if self.services.config.suspend_on_register {
 			eprintln!(
 				"{} Because you enabled suspend-on-register in your configuration, accounts \
 				 created after yours will be automatically suspended.",
 				"Your account will not be suspended when you register.".green()
 			);
 		}
 		if self
 			.services
 			.config
@@ -0,0 +1,49 @@
 use askama::Template;
 use ruma::UserId;
 pub trait MessageTemplate: Template {
 	fn subject(&self) -> String;
 }
 #[derive(Template)]
 #[template(path = "mail/change_email.txt")]
 pub struct ChangeEmail<'a> {
 	pub server_name: &'a str,
 	pub user_id: Option<&'a UserId>,
 	pub verification_link: String,
 }
 impl MessageTemplate for ChangeEmail<'_> {
 	fn subject(&self) -> String { "Verify your email address".to_owned() }
 }
 #[derive(Template)]
 #[template(path = "mail/new_account.txt")]
 pub struct NewAccount<'a> {
 	pub server_name: &'a str,
 	pub verification_link: String,
 }
 impl MessageTemplate for NewAccount<'_> {
 	fn subject(&self) -> String { "Create your new Matrix account".to_owned() }
 }
 #[derive(Template)]
 #[template(path = "mail/password_reset.txt")]
 pub struct PasswordReset<'a> {
 	pub display_name: Option<&'a str>,
 	pub user_id: &'a UserId,
 	pub verification_link: String,
 }
 impl MessageTemplate for PasswordReset<'_> {
 	fn subject(&self) -> String { format!("Password reset request for {}", &self.user_id) }
 }
 #[derive(Template)]
 #[template(path = "mail/test.txt")]
 pub struct Test;
 impl MessageTemplate for Test {
 	fn subject(&self) -> String { "Test message".to_owned() }
 }
@@ -0,0 +1,109 @@
 use std::sync::Arc;
 use conduwuit::{Err, Result, err, info};
 use lettre::{
 	AsyncSmtpTransport, AsyncTransport, Tokio1Executor,
 	message::{Mailbox, MessageBuilder, header::ContentType},
 };
 use crate::{Args, mailer::messages::MessageTemplate};
 pub mod messages;
 type Transport = AsyncSmtpTransport<Tokio1Executor>;
 type TransportError = lettre::transport::smtp::Error;
 pub struct Service {
 	transport: Option<(Mailbox, Transport)>,
 }
 #[async_trait::async_trait]
 impl crate::Service for Service {
 	fn build(args: Args<'_>) -> Result<Arc<Self>> {
 		let transport = args
 			.server
 			.config
 			.smtp
 			.as_ref()
 			.map(|config| {
 				Ok((config.sender.clone(), Transport::from_url(&config.connection_uri)?.build()))
 			})
 			.transpose()
 			.map_err(|err: TransportError| err!("Failed to set up SMTP transport: {err}"))?;
 		Ok(Arc::new(Self { transport }))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 	async fn worker(self: Arc<Self>) -> Result<()> {
 		if let Some((_, ref transport)) = self.transport {
 			match transport.test_connection().await {
 				| Ok(true) => {
 					info!("SMTP connection test successful");
 					Ok(())
 				},
 				| Ok(false) => {
 					Err!("SMTP connection test failed")
 				},
 				| Err(err) => {
 					Err!("SMTP connection test failed: {err}")
 				},
 			}
 		} else {
 			info!("SMTP is not configured, email functionality will be unavailable");
 			Ok(())
 		}
 	}
 }
 impl Service {
 	/// Returns a mailer which allows email to be sent, if SMTP is configured.
 	#[must_use]
 	pub fn mailer(&self) -> Option<Mailer<'_>> {
 		self.transport
 			.as_ref()
 			.map(|(sender, transport)| Mailer { sender, transport })
 	}
 	pub fn expect_mailer(&self) -> Result<Mailer<'_>> {
 		self.mailer().ok_or_else(|| {
 			err!(Request(FeatureDisabled("This homeserver is not configured to send email.")))
 		})
 	}
 }
 pub struct Mailer<'a> {
 	sender: &'a Mailbox,
 	transport: &'a Transport,
 }
 impl Mailer<'_> {
 	/// Sends an email.
 	pub async fn send<Template: MessageTemplate>(
 		&self,
 		recipient: Mailbox,
 		message: Template,
 	) -> Result<()> {
 		let subject = message.subject();
 		let body = message
 			.render()
 			.map_err(|err| err!("Failed to render message template: {err}"))?;
 		let message = MessageBuilder::new()
 			.from(self.sender.clone())
 			.to(recipient)
 			.subject(subject)
 			.date_now()
 			.header(ContentType::TEXT_PLAIN)
 			.body(body)
 			.expect("should have been able to construct message");
 		self.transport
 			.send(message)
 			.await
 			.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
 		Ok(())
 	}
 }
@@ -21,6 +21,7 @@ pub mod federation;
 pub mod firstrun;
 pub mod globals;
 pub mod key_backups;
 pub mod mailer;
 pub mod media;
 pub mod moderation;
 pub mod password_reset;
@@ -32,6 +33,7 @@ pub mod rooms;
 pub mod sending;
 pub mod server_keys;
 pub mod sync;
 pub mod threepid;
 pub mod transactions;
 pub mod uiaa;
 pub mod users;
@@ -13,8 +13,6 @@ use ruma::OwnedUserId;
 use crate::{Dep, config, firstrun};
 const RANDOM_TOKEN_LENGTH: usize = 16;
 pub struct Service {
 	db: Data,
 	services: Services,
@@ -103,9 +101,11 @@ impl crate::Service for Service {
 }
 impl Service {
 	const RANDOM_TOKEN_LENGTH: usize = 16;
 	/// Generate a random string suitable to be used as a registration token.
 	#[must_use]
-	pub fn generate_token_string() -> String { utils::random_string(RANDOM_TOKEN_LENGTH) }
+	pub fn generate_token_string() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
 	/// Issue a new registration token and save it in the database.
 	pub fn issue_token(
@@ -9,12 +9,12 @@ use tokio::sync::Mutex;
 use crate::{
 	account_data, admin, announcements, antispam, appservice, client, config, emergency,
-	federation, firstrun, globals, key_backups,
+	federation, firstrun, globals, key_backups, mailer,
 	manager::Manager,
 	media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
 	sending, server_keys,
 	service::{self, Args, Map, Service},
-	sync, transactions, uiaa, users,
+	sync, threepid, transactions, uiaa, users,
 };
 pub struct Services {
@@ -28,6 +28,7 @@ pub struct Services {
 	pub key_backups: Arc<key_backups::Service>,
 	pub media: Arc<media::Service>,
 	pub password_reset: Arc<password_reset::Service>,
 	pub mailer: Arc<mailer::Service>,
 	pub presence: Arc<presence::Service>,
 	pub pusher: Arc<pusher::Service>,
 	pub registration_tokens: Arc<registration_tokens::Service>,
@@ -39,6 +40,7 @@ pub struct Services {
 	pub server_keys: Arc<server_keys::Service>,
 	pub sync: Arc<sync::Service>,
 	pub transactions: Arc<transactions::Service>,
 	pub threepid: Arc<threepid::Service>,
 	pub uiaa: Arc<uiaa::Service>,
 	pub users: Arc<users::Service>,
 	pub moderation: Arc<moderation::Service>,
@@ -83,6 +85,7 @@ impl Services {
 			key_backups: build!(key_backups::Service),
 			media: build!(media::Service),
 			password_reset: build!(password_reset::Service),
 			mailer: build!(mailer::Service),
 			presence: build!(presence::Service),
 			pusher: build!(pusher::Service),
 			registration_tokens: build!(registration_tokens::Service),
@@ -112,6 +115,7 @@ impl Services {
 			sending: build!(sending::Service),
 			server_keys: build!(server_keys::Service),
 			sync: build!(sync::Service),
 			threepid: build!(threepid::Service),
 			transactions: build!(transactions::Service),
 			uiaa: build!(uiaa::Service),
 			users: build!(users::Service),
@@ -0,0 +1,3 @@
 {%- block content %}{% endblock %}
 Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈
@@ -0,0 +1,13 @@
 {% extends "_base.txt" %}
 {% block content -%}
 Hello!
 {% if let Some(user_id) = user_id -%}
 Somebody, probably you, tried to associate this email address with the Matrix account {{ user_id }}.
 {%- else -%}
 Somebody, probably you, tried to associate this email address with a Matrix account on {{ server_name }}.
 {%- endif %}
 If that was you, and this is your email address, click this link to proceed:
    {{ verification_link }}
 Otherwise, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -0,0 +1,10 @@
 {% extends "_base.txt" %}
 {% block content -%}
 Hello!
 Somebody, probably you, tried to create a Matrix account on {{ server_name }} using this email address.
 Use the link below to proceed with creating your account:
    {{ verification_link }}
 If you are not trying to create an account, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -0,0 +1,14 @@
 {% extends "_base.txt" %}
 {% block content -%}
 {%- if let Some(display_name) = display_name -%}
 Hello {{ display_name }} ({{ user_id }}),
 {%- else -%}
 Hello {{ user_id }},
 {%- endif %}
 Somebody, probably you, tried to reset your Matrix account's password.
 If you requested for your password to be reset, click this link to proceed:
    {{ verification_link }}
 Otherwise, you can ignore this email. The above link will expire in one hour.
 {%- endblock %}
@@ -0,0 +1,5 @@
 {% extends "_base.txt" %}
 {% block content -%}
 If you're seeing this, SMTP is configured correctly. :3
 {%- endblock %}
@@ -0,0 +1,281 @@
 use std::{borrow::Cow, collections::HashMap, sync::Arc};
 use conduwuit::{Err, Error, Result, result::FlatOk};
 use database::{Deserialized, Map};
 use governor::{DefaultKeyedRateLimiter, Quota, RateLimiter};
 use lettre::{Address, message::Mailbox};
 use nonzero_ext::nonzero;
 use ruma::{
 	ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId, api::client::error::ErrorKind,
 };
 mod session;
 use crate::{
 	Args, Dep, config,
 	mailer::{self, messages::MessageTemplate},
 	threepid::session::{ValidationSessions, ValidationState, ValidationToken},
 };
 pub struct Service {
 	db: Data,
 	services: Services,
 	sessions: tokio::sync::Mutex<ValidationSessions>,
 	send_attempts: std::sync::Mutex<HashMap<(OwnedClientSecret, Address), usize>>,
 	ratelimiter: DefaultKeyedRateLimiter<Address>,
 }
 struct Data {
 	localpart_email: Arc<Map>,
 	email_localpart: Arc<Map>,
 }
 struct Services {
 	config: Dep<config::Service>,
 	mailer: Dep<mailer::Service>,
 }
 impl crate::Service for Service {
 	fn build(args: Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			db: Data {
 				email_localpart: args.db["email_localpart"].clone(),
 				localpart_email: args.db["localpart_email"].clone(),
 			},
 			services: Services {
 				config: args.depend("config"),
 				mailer: args.depend("mailer"),
 			},
 			sessions: tokio::sync::Mutex::default(),
 			send_attempts: std::sync::Mutex::default(),
 			ratelimiter: RateLimiter::keyed(Self::EMAIL_RATELIMIT),
 		}))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
 impl Service {
 	// Each address gets two tickets to send an email, which refill at a rate of one
 	// per ten minutes. This allows two emails to be sent at once without waiting
 	// (in case the first one gets eaten), but requires a wait of at least ten
 	// minutes before sending another.
 	const EMAIL_RATELIMIT: Quota =
 		Quota::per_minute(nonzero!(10_u32)).allow_burst(nonzero!(2_u32));
 	const VALIDATION_URL_PATH: &str = "/_continuwuity/3pid/email/validate";
 	/// Send a validation message to an email address.
 	///
 	/// Returns the validation session ID on success.
 	#[allow(clippy::impl_trait_in_params)]
 	pub async fn send_validation_email<Template: MessageTemplate>(
 		&self,
 		recipient: Mailbox,
 		prepare_body: impl FnOnce(String) -> Template,
 		client_secret: &ClientSecret,
 		send_attempt: usize,
 	) -> Result<OwnedSessionId> {
 		let mailer = self.services.mailer.expect_mailer()?;
 		let mut sessions = self.sessions.lock().await;
 		let session = match sessions.get_session_by_client_secret(client_secret) {
 			// If a validation session already exists for this client secret, we can either
 			// reuse it with a new token or return early because it's already valid.
 			| Some(session) => {
 				match session.validation_state {
 					| ValidationState::Validated => {
 						// If the existing session is already valid, don't send an email.
 						return Ok(session.session_id.clone());
 					},
 					| ValidationState::Pending(ref mut token) => {
 						// Check ratelimiting for the target address.
 						if self.ratelimiter.check_key(&recipient.email).is_err() {
 							return Err(Error::BadRequest(
 								ErrorKind::LimitExceeded { retry_after: None },
 								"You're sending emails too fast, try again in a few minutes.",
 							));
 						}
 						// Check the send attempt for this session.
 						let mut send_attempts = self.send_attempts.lock().unwrap();
 						let last_send_attempt = send_attempts
 							.entry((session.client_secret.clone(), session.email.clone()))
 							.or_default();
 						if send_attempt <= *last_send_attempt {
 							// If the supplied send attempt isn't higher than the last
 							// one, don't send an email.
 							return Ok(session.session_id.clone());
 						}
 						// Save this send attempt.
 						*last_send_attempt = send_attempt;
 						drop(send_attempts);
 						// Create a new token for the existing session.
 						*token = ValidationToken::new_random();
 						session
 					},
 				}
 			},
 			// If no session exists, create a new one.
 			| None => sessions.create_session(recipient.email.clone(), client_secret.to_owned()),
 		};
 		// Clone this so it can outlive the lock we're holding on `sessions`
 		let session_id = session.session_id.clone();
 		let ValidationState::Pending(token) = &session.validation_state else {
 			unreachable!("session should be pending")
 		};
 		let mut validation_url = self
 			.services
 			.config
 			.get_client_domain()
 			.join(Self::VALIDATION_URL_PATH)
 			.unwrap();
 		validation_url
 			.query_pairs_mut()
 			.append_pair("session", session_id.as_str())
 			.append_pair("token", &token.token);
 		// Once the validation URL is built, we don't need any data borrowed from
 		// `sessions` anymore and can release our lock
 		drop(sessions);
 		let message = prepare_body(validation_url.to_string());
 		mailer.send(recipient, message).await?;
 		Ok(session_id)
 	}
 	/// Attempt to mark a validation session as valid using a validation token.
 	pub async fn try_validate_session(
 		&self,
 		session_id: &SessionId,
 		supplied_token: &str,
 	) -> Result<(), Cow<'static, str>> {
 		let mut sessions = self.sessions.lock().await;
 		let Some(session) = sessions.get_session(session_id) else {
 			return Err("Validation session does not exist".into());
 		};
 		session.validation_state = match &session.validation_state {
 			| ValidationState::Validated => {
 				// If the session is already validated, do nothing.
 				return Ok(());
 			},
 			| ValidationState::Pending(token) => {
 				// Otherwise check the token and mark the session as valid.
 				if *token != *supplied_token || !token.is_valid() {
 					return Err("Validation token is invalid or expired, please request a new \
 					            one"
 					.into());
 				}
 				ValidationState::Validated
 			},
 		};
 		Ok(())
 	}
 	/// Consume a validated validation session, removing it from the database
 	/// and returning the newly validated email address.
 	pub async fn consume_valid_session(
 		&self,
 		session_id: &SessionId,
 		client_secret: &ClientSecret,
 	) -> Result<Address, Cow<'static, str>> {
 		let mut sessions = self.sessions.lock().await;
 		let Some(session) = sessions.get_session(session_id) else {
 			return Err("Validation session does not exist".into());
 		};
 		if session.client_secret == client_secret
 			&& matches!(session.validation_state, ValidationState::Validated)
 		{
 			let session = sessions.remove_session(session_id);
 			Ok(session.email)
 		} else {
 			Err("This email address has not been validated. Did you use the link that was sent \
 			     to you?"
 				.into())
 		}
 	}
 	/// Associate a localpart with an email address.
 	pub async fn associate_localpart_email(
 		&self,
 		localpart: &str,
 		email: &Address,
 	) -> Result<()> {
 		match self.get_localpart_for_email(email).await {
 			| Some(existing_localpart) if existing_localpart != localpart => {
 				// Another account is already using the supplied email.
 				Err!(Request(ThreepidInUse("This email address is already in use.")))
 			},
 			| Some(_) => {
 				// The supplied localpart is already associated with the supplied email,
 				// no changes are necessary.
 				Ok(())
 			},
 			| None => {
 				// The supplied email is not already in use.
 				let email: &str = email.as_ref();
 				self.db.localpart_email.insert(localpart, email);
 				self.db.email_localpart.insert(email, localpart);
 				Ok(())
 			},
 		}
 	}
 	/// Given a localpart, remove its corresponding email address.
 	///
 	/// [`Self::get_localpart_for_email`] may be used if only the email is
 	/// known.
 	pub async fn disassociate_localpart_email(&self, localpart: &str) -> Option<Address> {
 		let email = self.get_email_for_localpart(localpart).await?;
 		self.db.localpart_email.remove(localpart);
 		self.db
 			.email_localpart
 			.remove(<Address as AsRef<str>>::as_ref(&email));
 		Some(email)
 	}
 	/// Get the email associated with a localpart, if one exists.
 	pub async fn get_email_for_localpart(&self, localpart: &str) -> Option<Address> {
 		self.db
 			.localpart_email
 			.get(localpart)
 			.await
 			.deserialized::<String>()
 			.ok()
 			.map(TryInto::try_into)
 			.flat_ok()
 	}
 	/// Get the localpart associated with an email, if one exists.
 	pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
 		self.db
 			.email_localpart
 			.get(<Address as AsRef<str>>::as_ref(email))
 			.await
 			.deserialized()
 			.ok()
 	}
 }
@@ -0,0 +1,128 @@
 use std::{
 	collections::HashMap,
 	time::{Duration, SystemTime},
 };
 use conduwuit::utils;
 use lettre::Address;
 use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId};
 #[derive(Default)]
 pub(super) struct ValidationSessions {
 	sessions: HashMap<OwnedSessionId, ValidationSession>,
 	client_secrets: HashMap<OwnedClientSecret, OwnedSessionId>,
 }
 /// A pending or completed email validation session.
 #[derive(Debug)]
 pub(crate) struct ValidationSession {
 	/// The session's ID
 	pub session_id: OwnedSessionId,
 	/// The client's supplied client secret
 	pub client_secret: OwnedClientSecret,
 	/// The email address which is being validated
 	pub email: Address,
 	/// The session's validation state
 	pub validation_state: ValidationState,
 }
 /// The state of an email validation session.
 #[derive(Debug)]
 pub(crate) enum ValidationState {
 	/// The session is waiting for this validation token to be provided
 	Pending(ValidationToken),
 	/// The session has been validated
 	Validated,
 }
 #[derive(Clone, Debug)]
 pub(crate) struct ValidationToken {
 	pub token: String,
 	pub issued_at: SystemTime,
 }
 impl ValidationToken {
 	// one hour
 	const MAX_TOKEN_AGE: Duration = Duration::from_secs(60 * 60);
 	const RANDOM_TOKEN_LENGTH: usize = 16;
 	pub(super) fn new_random() -> Self {
 		Self {
 			token: utils::random_string(Self::RANDOM_TOKEN_LENGTH),
 			issued_at: SystemTime::now(),
 		}
 	}
 	pub(crate) fn is_valid(&self) -> bool {
 		let now = SystemTime::now();
 		now.duration_since(self.issued_at)
 			.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
 	}
 }
 impl PartialEq<str> for ValidationToken {
 	fn eq(&self, other: &str) -> bool { self.token == other }
 }
 impl ValidationSessions {
 	const RANDOM_SID_LENGTH: usize = 16;
 	#[must_use]
 	pub(super) fn generate_session_id() -> OwnedSessionId {
 		OwnedSessionId::parse(utils::random_string(Self::RANDOM_SID_LENGTH)).unwrap()
 	}
 	pub(super) fn create_session(
 		&mut self,
 		email: Address,
 		client_secret: OwnedClientSecret,
 	) -> &mut ValidationSession {
 		let session = ValidationSession {
 			session_id: Self::generate_session_id(),
 			client_secret,
 			email,
 			validation_state: ValidationState::Pending(ValidationToken::new_random()),
 		};
 		self.client_secrets
 			.insert(session.client_secret.clone(), session.session_id.clone());
 		self.sessions
 			.entry(session.session_id.clone())
 			.insert_entry(session)
 			.into_mut()
 	}
 	pub(super) fn get_session(
 		&mut self,
 		session_id: &SessionId,
 	) -> Option<&mut ValidationSession> {
 		self.sessions.get_mut(session_id)
 	}
 	pub(super) fn get_session_by_client_secret(
 		&mut self,
 		client_secret: &ClientSecret,
 	) -> Option<&mut ValidationSession> {
 		let session_id = self.client_secrets.get(client_secret)?;
 		let session = self
 			.sessions
 			.get_mut(session_id)
 			.expect("session should exist with session id");
 		Some(session)
 	}
 	pub(super) fn remove_session(&mut self, session_id: &SessionId) -> ValidationSession {
 		let session = self
 			.sessions
 			.remove(session_id)
 			.expect("session ID should exist");
 		self.client_secrets
 			.remove(&session.client_secret)
 			.expect("session should have an associated client secret");
 		session
 	}
 }
@@ -1,24 +1,29 @@
-use std::{collections::BTreeMap, sync::Arc};
+use std::{
-
+	borrow::Cow,
-use conduwuit::{
+	collections::{HashMap, HashSet, hash_map::Entry},
-	Err, Error, Result, SyncRwLock, err, error, implement, utils,
+	sync::Arc,
 	utils::{hash, string::EMPTY},
 };
-use database::{Deserialized, Json, Map};
+
 use conduwuit::{Err, Error, Result, error, utils, utils::hash};
 use lettre::Address;
 use ruma::{
-	CanonicalJsonValue, DeviceId, OwnedDeviceId, OwnedUserId, UserId,
+	UserId,
 	api::client::{
 		error::{ErrorKind, StandardErrorBody},
-		uiaa::{AuthData, AuthType, Password, UiaaInfo, UserIdentifier},
+		uiaa::{
 			AuthData, AuthFlow, AuthType, EmailIdentity, Password, ReCaptcha, RegistrationToken,
 			ThirdpartyIdCredentials, UiaaInfo, UserIdentifier,
 		},
 	},
 };
 use serde_json::value::RawValue;
 use tokio::sync::Mutex;
-use crate::{Dep, config, globals, registration_tokens, users};
+use crate::{Dep, config, globals, registration_tokens, threepid, users};
 pub struct Service {
 	userdevicesessionid_uiaarequest: SyncRwLock<RequestMap>,
 	db: Data,
 	services: Services,
 	uiaa_sessions: Mutex<HashMap<String, UiaaSession>>,
 }
 struct Services {
@@ -26,205 +31,191 @@ struct Services {
 	users: Dep<users::Service>,
 	config: Dep<config::Service>,
 	registration_tokens: Dep<registration_tokens::Service>,
 	threepid: Dep<threepid::Service>,
 }
 struct Data {
 	userdevicesessionid_uiaainfo: Arc<Map>,
 }
 type RequestMap = BTreeMap<RequestKey, CanonicalJsonValue>;
 type RequestKey = (OwnedUserId, OwnedDeviceId, String);
 pub const SESSION_ID_LENGTH: usize = 32;
 impl crate::Service for Service {
 	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
 		Ok(Arc::new(Self {
 			userdevicesessionid_uiaarequest: SyncRwLock::new(RequestMap::new()),
 			db: Data {
 				userdevicesessionid_uiaainfo: args.db["userdevicesessionid_uiaainfo"].clone(),
 			},
 			services: Services {
 				globals: args.depend::<globals::Service>("globals"),
 				users: args.depend::<users::Service>("users"),
 				config: args.depend::<config::Service>("config"),
 				registration_tokens: args
 					.depend::<registration_tokens::Service>("registration_tokens"),
 				threepid: args.depend::<threepid::Service>("threepid"),
 			},
 			uiaa_sessions: Mutex::new(HashMap::new()),
 		}))
 	}
 	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
 }
-/// Creates a new Uiaa session. Make sure the session token is unique.
+struct UiaaSession {
-#[implement(Service)]
+	info: UiaaInfo,
-pub fn create(
+	identity: Identity,
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	uiaainfo: &UiaaInfo,
 	json_body: &CanonicalJsonValue,
 ) {
 	// TODO: better session error handling (why is uiaainfo.session optional in
 	// ruma?)
 	self.set_uiaa_request(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session should be set"),
 		json_body,
 	);
 	self.update_uiaa_session(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session should be set"),
 		Some(uiaainfo),
 	);
 }
-#[implement(Service)]
+/// Information about the authenticated user's identity.
-#[allow(clippy::useless_let_if_seq)]
+///
-pub async fn try_auth(
+/// A field of this struct will only be Some if the user completed
-	&self,
+/// a stage which provided that information. If multiple stages provide
-	user_id: &UserId,
+/// the same field, authentication will fail if they do not all provide
-	device_id: &DeviceId,
+/// _identical_ values for that field.
-	auth: &AuthData,
+#[derive(Default, Clone)]
-	uiaainfo: &UiaaInfo,
+pub struct Identity {
-) -> Result<(bool, UiaaInfo)> {
+	/// The authenticated user's user ID, if it could be determined.
-	let mut uiaainfo = if let Some(session) = auth.session() {
+	///
-		self.get_uiaa_session(user_id, device_id, session).await?
+	/// This will be Some if:
-	} else {
+	/// - The user completed a m.login.password stage
-		uiaainfo.clone()
+	/// - The user completed a m.login.email.identity stage, and their email has
-	};
+	///   an associated user ID
 	pub localpart: Option<String>,
-	if uiaainfo.session.is_none() {
+	/// The authenticated user's email address, if it could be determined.
-		uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH));
+	///
 	/// This will be Some if:
 	/// - The user completed a m.login.email.identity stage
 	/// - The user completed a m.login.password stage, and their user ID has an
 	///   associated email
 	pub email: Option<Address>,
 }
 macro_rules! identity_update_fn {
 	(fn $method:ident($field:ident : $type:ty)else $error:literal) => {
 		fn $method(&mut self, $field: $type) -> Result<(), StandardErrorBody> {
 			if self.$field.is_none() {
 				self.$field = Some($field);
 				Ok(())
 			} else if self.$field == Some($field) {
 				Ok(())
 			} else {
 				Err(StandardErrorBody {
 					kind: ErrorKind::InvalidParam,
 					message: $error.to_owned(),
 				})
 			}
 		}
 	};
 }
 impl Identity {
 	identity_update_fn!(fn try_set_localpart(localpart: String) else "User ID mismatch");
 	identity_update_fn!(fn try_set_email(email: Address) else "Email mismatch");
 	/// Create an Identity with the localpart of the provided user ID
 	/// and all other fields set to None.
 	#[must_use]
 	pub fn from_user_id(user_id: &UserId) -> Self {
 		Self {
 			localpart: Some(user_id.localpart().to_owned()),
 			..Default::default()
 		}
 	}
 }
 impl Service {
 	const SESSION_ID_LENGTH: usize = 32;
 	/// Perform the full UIAA authentication sequence for a route given its
 	/// authentication data.
 	pub async fn authenticate(
 		&self,
 		auth: &Option<AuthData>,
 		flows: Vec<AuthFlow>,
 		params: Box<RawValue>,
 		identity: Option<Identity>,
 	) -> Result<Identity> {
 		match auth.as_ref() {
 			| None => {
 				let info = self.create_session(flows, params, identity).await;
 				Err(Error::Uiaa(info))
 			},
 			| Some(auth) => {
 				let session: Cow<'_, str> = match auth.session() {
 					| Some(session) => session.into(),
 					| None => {
 						// Clients are allowed to send UIAA requests with an auth dict and no
 						// session if they want to start the UIAA exchange with existing
 						// authentication data. If that happens, we create a new session
 						// here.
 						self.create_session(flows, params, identity)
 							.await
 							.session
 							.unwrap()
 							.into()
 					},
 				};
 				match self.continue_session(auth, &session).await? {
 					| Ok(identity) => Ok(identity),
 					| Err(info) => Err(Error::Uiaa(info)),
 				}
 			},
 		}
 	}
-	match auth {
+	/// A helper to perform UIAA authentication with just a password stage.
-		// Find out what the user completed
+	#[inline]
-		| AuthData::Password(Password {
+	pub async fn authenticate_password(
-			identifier,
+		&self,
-			password,
+		auth: &Option<AuthData>,
-			#[cfg(feature = "element_hacks")]
+		identity: Option<Identity>,
-			user,
+	) -> Result<Identity> {
-			..
+		self.authenticate(
-		}) => {
+			auth,
-			#[cfg(feature = "element_hacks")]
+			vec![AuthFlow::new(vec![AuthType::Password])],
-			let username = if let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier {
+			Box::default(),
-				username
+			identity,
-			} else if let Some(username) = user {
+		)
-				username
+		.await
-			} else {
+	}
 				return Err(Error::BadRequest(
 					ErrorKind::Unrecognized,
 					"Identifier type not recognized.",
 				));
 			};
-			#[cfg(not(feature = "element_hacks"))]
+	/// Create a new UIAA session with a random session ID.
-			let Some(UserIdentifier::UserIdOrLocalpart(username)) = identifier else {
+	///
-				return Err(Error::BadRequest(
+	/// If information about the user's identity is already known, it may be
-					ErrorKind::Unrecognized,
+	/// supplied with the `identity` parameter. Authentication will fail if
-					"Identifier type not recognized.",
+	/// flows provide different values for known identity information.
-				));
+	///
-			};
+	/// Returns the info of the newly created session.
 	async fn create_session(
 		&self,
 		flows: Vec<AuthFlow>,
 		params: Box<RawValue>,
 		identity: Option<Identity>,
 	) -> UiaaInfo {
 		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
-			let user_id_from_username = UserId::parse_with_server_name(
+		let session_id = utils::random_string(Self::SESSION_ID_LENGTH);
-				username.clone(),
+		let mut info = UiaaInfo::new(flows, params);
-				self.services.globals.server_name(),
+		info.session = Some(session_id.clone());
 			)
 			.map_err(|_| Error::BadRequest(ErrorKind::InvalidParam, "User ID is invalid."))?;
-			// Check if the access token being used matches the credentials used for UIAA
+		uiaa_sessions.insert(session_id, UiaaSession {
-			if user_id.localpart() != user_id_from_username.localpart() {
+			info: info.clone(),
-				return Err!(Request(Forbidden("User ID and access token mismatch.")));
+			identity: identity.unwrap_or_default(),
-			}
+		});
 			let user_id = user_id_from_username;
-			// Check if password is correct
+		info
-			let mut password_verified = false;
+	}
-			// First try local password hash verification
+	/// Proceed with UIAA authentication given a client's authorization data.
-			if let Ok(hash) = self.services.users.password_hash(&user_id).await {
+	async fn continue_session(
-				password_verified = hash::verify_password(password, &hash).is_ok();
+		&self,
-			}
+		auth: &AuthData,
 		session: &str,
 	) -> Result<Result<Identity, UiaaInfo>> {
 		// Hold this lock for the entire function to make sure that, if try_auth()
 		// is called concurrently with the same session, only one call will succeed
 		let mut uiaa_sessions = self.uiaa_sessions.lock().await;
-			// If local password verification failed, try LDAP authentication
+		let Entry::Occupied(mut session) = uiaa_sessions.entry(session.to_owned()) else {
-			#[cfg(feature = "ldap")]
+			return Err!(Request(InvalidParam("Invalid session")));
-			if !password_verified && self.services.config.ldap.enable {
+		};
 				// Search for user in LDAP to get their DN
 				if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
 					if let Some((user_dn, _is_admin)) = dns.first() {
 						// Try to authenticate with LDAP
 						password_verified = self
 							.services
 							.users
 							.auth_ldap(user_dn, password)
 							.await
 							.is_ok();
 					}
 				}
 			}
-			if !password_verified {
+		if let &AuthData::FallbackAcknowledgement(_) = auth {
 				uiaainfo.auth_error = Some(StandardErrorBody {
 					kind: ErrorKind::forbidden(),
 					message: "Invalid username or password.".to_owned(),
 				});
 				return Ok((false, uiaainfo));
 			}
 			// Password was correct! Let's add it to `completed`
 			uiaainfo.completed.push(AuthType::Password);
 		},
 		| AuthData::ReCaptcha(r) => {
 			let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
 			else {
 				return Err!(Request(Forbidden("ReCaptcha is not configured.")));
 			};
 			match recaptcha_verify::verify_v3(private_site_key, r.response.as_str(), None).await {
 				| Ok(()) => {
 					uiaainfo.completed.push(AuthType::ReCaptcha);
 				},
 				| Err(e) => {
 					error!("ReCaptcha verification failed: {e:?}");
 					uiaainfo.auth_error = Some(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "ReCaptcha verification failed.".to_owned(),
 					});
 					return Ok((false, uiaainfo));
 				},
 			}
 		},
 		| AuthData::RegistrationToken(t) => {
 			let token = t.token.trim().to_owned();
 			if let Some(valid_token) = self
 				.services
 				.registration_tokens
 				.validate_token(token)
 				.await
 			{
 				self.services
 					.registration_tokens
 					.mark_token_as_used(valid_token);
 				uiaainfo.completed.push(AuthType::RegistrationToken);
 			} else {
 				uiaainfo.auth_error = Some(StandardErrorBody {
 					kind: ErrorKind::forbidden(),
 					message: "Invalid registration token.".to_owned(),
 				});
 				return Ok((false, uiaainfo));
 			}
 		},
 		| AuthData::Dummy(_) => {
 			uiaainfo.completed.push(AuthType::Dummy);
 		},
 		| AuthData::FallbackAcknowledgement(_) => {
 			// The client is checking if authentication has succeeded out-of-band. This is
 			// possible if the client is using "fallback auth" (see spec section
 			// 4.9.1.4), which we don't support (and probably never will, because it's a
@@ -232,109 +223,243 @@ pub async fn try_auth(
 			// Return early to tell the client that no, authentication did not succeed while
 			// it wasn't looking.
-			return Ok((false, uiaainfo));
+			return Ok(Err(session.get().info.clone()));
-		},
+		}
-		| k => error!("type not supported: {:?}", k),
+
-	}
+		let completed = {
-
+			let UiaaSession { info, identity } = session.get_mut();
-	// Check if a flow now succeeds
+
-	let mut completed = false;
+			let auth_type = auth.auth_type().expect("auth type should be set");
-	'flows: for flow in &mut uiaainfo.flows {
+
-		for stage in &flow.stages {
+			let flow_stages: Vec<HashSet<_>> = info
-			if !uiaainfo.completed.contains(stage) {
+				.flows
-				continue 'flows;
+				.iter()
-			}
+				.map(|flow| {
 					flow.stages
 						.iter()
 						.map(AuthType::as_str)
 						.map(ToOwned::to_owned)
 						.collect()
 				})
 				.collect();
 			let mut completed_stages: HashSet<_> = info
 				.completed
 				.iter()
 				.map(AuthType::as_str)
 				.map(ToOwned::to_owned)
 				.collect();
 			// Don't allow stages which aren't in any flows
 			if !flow_stages
 				.iter()
 				.any(|stages| stages.contains(auth_type.as_str()))
 			{
 				return Err!(Request(InvalidParam("No flows include the supplied stage")));
 			}
 			// If the provided stage hasn't already been completed, check it for completion
 			if !completed_stages.contains(auth_type.as_str()) {
 				match self.check_stage(auth, identity.clone()).await {
 					| Ok((completed_stage, updated_identity)) => {
 						info.auth_error = None;
 						completed_stages.insert(completed_stage.to_string());
 						info.completed.push(completed_stage);
 						*identity = updated_identity;
 					},
 					| Err(error) => {
 						info.auth_error = Some(error);
 					},
 				}
 			}
 			// UIAA is completed if all stages in any flow are completed
 			flow_stages
 				.iter()
 				.any(|stages| completed_stages.is_superset(stages))
 		};
 		if completed {
 			// This session is complete, remove it and return success
 			let (_, UiaaSession { identity, .. }) = session.remove_entry();
 			Ok(Ok(identity))
 		} else {
 			// The client needs to try again, return the updated session
 			Ok(Err(session.get().info.clone()))
 		}
 		// We didn't break, so this flow succeeded!
 		completed = true;
 	}
-	if !completed {
+	/// Check if the provided authentication data is valid.
-		self.update_uiaa_session(
+	///
-			user_id,
+	/// Returns the completed stage's type on success and error information on
-			device_id,
+	/// failure.
-			uiaainfo.session.as_ref().expect("session is always set"),
+	async fn check_stage(
-			Some(&uiaainfo),
+		&self,
-		);
+		auth: &AuthData,
 		mut identity: Identity,
 	) -> Result<(AuthType, Identity), StandardErrorBody> {
 		// Note: This function takes ownership of `identity` because mutations to the
 		// identity must not be applied unless checking the stage succeeds. The
 		// updated identity is returned as part of the Ok value, and
 		// `continue_session` handles saving it to `uiaa_sessions`.
 		//
 		// This also means it's fine to mutate `identity` at any point in this function,
 		// because those mutations won't be saved unless the function returns Ok.
-		return Ok((false, uiaainfo));
+		match auth {
-	}
+			| AuthData::Dummy(_) => Ok(AuthType::Dummy),
 			| AuthData::EmailIdentity(EmailIdentity {
 				thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
 				..
 			}) => {
 				match self
 					.services
 					.threepid
 					.consume_valid_session(sid, client_secret)
 					.await
 				{
 					| Ok(email) => {
 						if let Some(localpart) =
 							self.services.threepid.get_localpart_for_email(&email).await
 						{
 							identity.try_set_localpart(localpart)?;
 						}
-	// UIAA was successful! Remove this session and return true
+						identity.try_set_email(email)?;
 	self.update_uiaa_session(
 		user_id,
 		device_id,
 		uiaainfo.session.as_ref().expect("session is always set"),
 		None,
 	);
-	Ok((true, uiaainfo))
+						Ok(AuthType::EmailIdentity)
-}
+					},
 					| Err(message) => Err(StandardErrorBody {
 						kind: ErrorKind::ThreepidAuthFailed,
 						message: message.into_owned(),
 					}),
 				}
 			},
 			#[allow(clippy::useless_let_if_seq)]
 			| AuthData::Password(Password { identifier, password, .. }) => {
 				let user_id_or_localpart = match identifier {
 					| Some(UserIdentifier::UserIdOrLocalpart(username)) => username.to_owned(),
 					| Some(UserIdentifier::Email { address }) => {
 						let Ok(email) = Address::try_from(address.to_owned()) else {
 							return Err(StandardErrorBody {
 								kind: ErrorKind::InvalidParam,
 								message: "Email is malformed".to_owned(),
 							});
 						};
-#[implement(Service)]
+						if let Some(localpart) =
-fn set_uiaa_request(
+							self.services.threepid.get_localpart_for_email(&email).await
-	&self,
+						{
-	user_id: &UserId,
+							identity.try_set_email(email)?;
 	device_id: &DeviceId,
 	session: &str,
 	request: &CanonicalJsonValue,
 ) {
 	let key = (user_id.to_owned(), device_id.to_owned(), session.to_owned());
 	self.userdevicesessionid_uiaarequest
 		.write()
 		.insert(key, request.to_owned());
 }
-#[implement(Service)]
+							localpart
-pub fn get_uiaa_request(
+						} else {
-	&self,
+							return Err(StandardErrorBody {
-	user_id: &UserId,
+								kind: ErrorKind::forbidden(),
-	device_id: Option<&DeviceId>,
+								message: "Invalid identifier or password".to_owned(),
-	session: &str,
+							});
-) -> Option<CanonicalJsonValue> {
+						}
-	let key = (
+					},
-		user_id.to_owned(),
+					| _ =>
-		device_id.unwrap_or_else(|| EMPTY.into()).to_owned(),
+						return Err(StandardErrorBody {
-		session.to_owned(),
+							kind: ErrorKind::Unrecognized,
-	);
+							message: "Identifier type not recognized".to_owned(),
 						}),
 				};
-	self.userdevicesessionid_uiaarequest
+				let Ok(user_id) = UserId::parse_with_server_name(
-		.read()
+					user_id_or_localpart,
-		.get(&key)
+					self.services.globals.server_name(),
-		.cloned()
+				) else {
-}
+					return Err(StandardErrorBody {
 						kind: ErrorKind::InvalidParam,
 						message: "User ID is malformed".to_owned(),
 					});
 				};
-#[implement(Service)]
+				// Check if password is correct
-fn update_uiaa_session(
+				let mut password_verified = false;
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	session: &str,
 	uiaainfo: Option<&UiaaInfo>,
 ) {
 	let key = (user_id, device_id, session);
-	if let Some(uiaainfo) = uiaainfo {
+				// First try local password hash verification
-		self.db
+				if let Ok(hash) = self.services.users.password_hash(&user_id).await {
-			.userdevicesessionid_uiaainfo
+					password_verified = hash::verify_password(password, &hash).is_ok();
-			.put(key, Json(uiaainfo));
+				}
-	} else {
+
-		self.db.userdevicesessionid_uiaainfo.del(key);
+				// If local password verification failed, try LDAP authentication
 				#[cfg(feature = "ldap")]
 				if !password_verified && self.services.config.ldap.enable {
 					// Search for user in LDAP to get their DN
 					if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
 						if let Some((user_dn, _is_admin)) = dns.first() {
 							// Try to authenticate with LDAP
 							password_verified = self
 								.services
 								.users
 								.auth_ldap(user_dn, password)
 								.await
 								.is_ok();
 						}
 					}
 				}
 				if password_verified {
 					identity.try_set_localpart(user_id.localpart().to_owned())?;
 					Ok(AuthType::Password)
 				} else {
 					Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "Invalid identifier or password".to_owned(),
 					})
 				}
 			},
 			| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
 				let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
 				else {
 					return Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "ReCaptcha is not configured".to_owned(),
 					});
 				};
 				match recaptcha_verify::verify_v3(private_site_key, response, None).await {
 					| Ok(()) => Ok(AuthType::ReCaptcha),
 					| Err(e) => {
 						error!("ReCaptcha verification failed: {e:?}");
 						Err(StandardErrorBody {
 							kind: ErrorKind::forbidden(),
 							message: "ReCaptcha verification failed".to_owned(),
 						})
 					},
 				}
 			},
 			| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
 				let token = token.trim().to_owned();
 				if let Some(valid_token) = self
 					.services
 					.registration_tokens
 					.validate_token(token)
 					.await
 				{
 					self.services
 						.registration_tokens
 						.mark_token_as_used(valid_token);
 					Ok(AuthType::RegistrationToken)
 				} else {
 					Err(StandardErrorBody {
 						kind: ErrorKind::forbidden(),
 						message: "Invalid registration token".to_owned(),
 					})
 				}
 			},
 			| _ => Err(StandardErrorBody {
 				kind: ErrorKind::Unrecognized,
 				message: "Unsupported stage type".into(),
 			}),
 		}
 		.map(|auth_type| (auth_type, identity))
 	}
 }
 #[implement(Service)]
 async fn get_uiaa_session(
 	&self,
 	user_id: &UserId,
 	device_id: &DeviceId,
 	session: &str,
 ) -> Result<UiaaInfo> {
 	let key = (user_id, device_id, session);
 	self.db
 		.userdevicesessionid_uiaainfo
 		.qry(&key)
 		.await
 		.deserialized()
 		.map_err(|_| err!(Request(Forbidden("UIAA session does not exist."))))
 }
@@ -90,6 +90,7 @@ pub fn build() -> Router<state::State> {
 				.merge(resources::build())
 				.merge(password_reset::build())
 				.merge(debug::build())
 				.merge(threepid::build())
 				.fallback(async || WebError::NotFound),
 		)
 		.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
@@ -1,17 +1,14 @@
 use askama::Template;
 use axum::{Router, extract::State, response::IntoResponse, routing::get};
 use crate::{WebError, template};
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new()
-		.route("/", get(index_handler))
+		.route("/", get(index))
-		.route("/_continuwuity/", get(index_handler))
+		.route("/_continuwuity/", get(index))
 }
-async fn index_handler(
+async fn index(State(services): State<crate::State>) -> Result<impl IntoResponse, WebError> {
 	State(services): State<crate::State>,
 ) -> Result<impl IntoResponse, WebError> {
 	template! {
 		struct Index<'a> use "index.html.j2" {
 			server_name: &'a str,
@@ -3,6 +3,7 @@ pub(super) mod debug;
 pub(super) mod index;
 pub(super) mod password_reset;
 pub(super) mod resources;
 pub(super) mod threepid;
 #[derive(Debug)]
 pub(crate) struct TemplateContext {
@@ -43,6 +44,8 @@ macro_rules! template {
        #[allow(single_use_lifetimes)]
        impl$(<$lifetime>)? axum::response::IntoResponse for $name$(<$lifetime>)? {
            fn into_response(self) -> axum::response::Response {
                use askama::Template;
                match self.render() {
                    Ok(rendered) => axum::response::Html(rendered).into_response(),
                    Err(err) => $crate::WebError::from(err).into_response()
@@ -1,4 +1,3 @@
 use askama::Template;
 use axum::{
 	Router,
 	extract::{
@@ -20,11 +19,6 @@ use crate::{
 const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
 #[derive(Deserialize)]
 struct PasswordResetQuery {
 	token: String,
 }
 template! {
 	struct PasswordReset<'a> use "password_reset.html.j2" {
 		user_card: UserCard<'a>,
@@ -63,6 +57,11 @@ pub(crate) fn build() -> Router<crate::State> {
 		.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
 }
 #[derive(Deserialize)]
 struct PasswordResetQuery {
 	token: String,
 }
 async fn password_reset_form(
 	services: crate::State,
 	query: PasswordResetQuery,
@@ -0,0 +1,8 @@
 {% extends "_layout.html.j2" %}
 {%- block content -%}
 <div class="panel">
    <h1>Email verification</h1>
    <p>Your email address has been verified. Return to your Matrix client to continue.</p>
 </div>
 {%- endblock content -%}
@@ -0,0 +1,39 @@
 use axum::{
 	Router,
 	extract::{Query, State, rejection::QueryRejection},
 	response::IntoResponse,
 	routing::get,
 };
 use ruma::OwnedSessionId;
 use serde::Deserialize;
 use crate::{WebError, template};
 template! {
 	struct ThreepidValidation use "threepid_validation.html.j2" {}
 }
 pub(crate) fn build() -> Router<crate::State> {
 	Router::new().route("/3pid/email/validate", get(threepid_validation))
 }
 #[derive(Deserialize)]
 struct ThreepidValidationQuery {
 	session: OwnedSessionId,
 	token: String,
 }
 async fn threepid_validation(
 	State(services): State<crate::State>,
 	query: Result<Query<ThreepidValidationQuery>, QueryRejection>,
 ) -> Result<impl IntoResponse, WebError> {
 	let Query(query) = query?;
 	services
 		.threepid
 		.try_validate_session(&query.session, &query.token)
 		.await
 		.map_err(|message| WebError::BadRequest(message.into_owned()))?;
 	Ok(ThreepidValidation::new(&services))
 }
Author	SHA1	Message	Date
Ginger	0177810e2d	fix: Don't allow UIAA stages to be completed if no flow includes them	2026-03-30 13:17:16 -04:00
ginger	a7f51d460e	feat: Add a notice about email to the first-run banner	2026-03-30 16:02:43 +00:00
Ginger	f6ce156acc	chore: Update admin command docs	2026-03-30 11:50:02 -04:00
Ginger	8260856638	fix: Update connection_uri docs	2026-03-30 11:45:10 -04:00
Ginger	a7bdcc9ab9	feat: Supply more informative error message if email is disabled	2026-03-30 11:43:15 -04:00
Ginger	854901d79a	feat: Ratelimit sending threepid validation emails	2026-03-27 12:21:58 -04:00
Ginger	d899c6e17a	fix: Release session lock before sending threepid validation email	2026-03-27 11:49:02 -04:00
Ginger	9a0dd36b8d	refactor: Remove UiaaStatus enum	2026-03-27 10:31:10 -04:00
Ginger	5bdaf478c4	feat: Fall back to email when registering a user who didn't provide a username	2026-03-26 13:42:51 -04:00
Ginger	666adb705c	fix: Don't bail out on email association failures when registering a new user	2026-03-26 10:53:21 -04:00
Ginger	203d55d2f7	refactor: Remove workarounds for matrix-appservice-irc	2026-03-26 10:48:35 -04:00
ginger	7b70cdba75	chore: Update news fragment	2026-03-24 13:37:20 +00:00
Ginger	7ff448b325	chore: Fix typo	2026-03-23 11:01:08 -04:00
Ginger	e8a06f51b7	fix: Remove associated email on account deactivation	2026-03-23 09:58:03 -04:00
Ginger	900d41bcef	chore: News fragment	2026-03-23 09:35:50 -04:00
Ginger	f4cbc3270d	feat: Add support for 3pid management	2026-03-23 09:21:33 -04:00
Ginger	9a623738cd	feat: Add support for registering a new account with an email address	2026-03-22 20:51:14 -04:00
Ginger	3b730233bc	feat: Add support for logging in with an email address	2026-03-22 19:58:14 -04:00
Ginger	f9497606f8	feat: Add support for password resets via email	2026-03-22 19:34:37 -04:00
Ginger	ec52428e06	feat: Add a webpage for threepid validation links	2026-03-22 19:34:13 -04:00
Ginger	4426437130	feat: Store threepid validation sessions in memory instead of the database	2026-03-22 17:42:35 -04:00
Ginger	585f0e1104	feat: Add admin commands for managing users' email addresses	2026-03-22 11:46:26 -04:00
Ginger	23ecec65a9	refactor: Split account routes into multiple files	2026-03-21 21:33:23 -04:00
Ginger	38eb184b4c	feat: Refactor UIAA service, add support for email stage	2026-03-21 21:00:09 -04:00
Ginger	346e58fd62	feat: Implement threepid service	2026-03-21 21:00:09 -04:00
Ginger	cf10a1edaa	feat: Implement mailer service for sending emails	2026-03-21 21:00:09 -04:00
		`@@ -0,0 +1 @@`
							`Added support for associating email addresses with accounts, requiring email addresses for registration, and resetting passwords via email. Contributed by @ginger`
		`@@ -0,0 +1,3 @@`
							`{%- block content %}{% endblock %}`

							`Message sent by Continuwuity {{ env!("CARGO_PKG_VERSION") }}. 🐈`