Add suggested assertations to prevent potentially broken extremities

.forgejo/actions/rust-toolchain/action.yml

@@ -19,20 +19,11 @@ outputs:
   rustc_version:
     description: The rustc version installed
     value: ${{ steps.rustc-version.outputs.version }}
-  rustup_version:
-    description: The rustup version installed
-    value: ${{ steps.rustup-version.outputs.version }}
 
 runs:
   using: composite
   steps:
-    - name: Check if rustup is already installed
-      shell: bash
-      id: rustup-version
-      run: |
-        echo "version=$(rustup --version)" >> $GITHUB_OUTPUT
     - name: Cache rustup toolchains
-      if: steps.rustup-version.outputs.version == ''
       uses: actions/cache@v3
       with:
         path: |
@@ -42,7 +33,6 @@ runs:
         # Requires repo to be cloned if toolchain is not specified
         key: ${{ runner.os }}-rustup-${{ inputs.toolchain || hashFiles('**/rust-toolchain.toml') }}
     - name: Install Rust toolchain
-      if: steps.rustup-version.outputs.version == ''
       shell: bash
       run: |
         if ! command -v rustup &> /dev/null ; then

.forgejo/workflows/release-image.yml

@@ -57,6 +57,7 @@ jobs:
 
   build-image:
     runs-on: dind
+    container: ghcr.io/catthehacker/ubuntu:act-latest
     needs: define-variables
     permissions:
       contents: read
@@ -180,14 +181,14 @@ jobs:
           file: "docker/Dockerfile"
           build-args: |
             GIT_COMMIT_HASH=${{ github.sha }})
-            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }}
+            GIT_COMMIT_HASH_SHORT=${{ env.COMMIT_SHORT_SHA }})
             GIT_REMOTE_URL=${{github.event.repository.html_url }}
             GIT_REMOTE_COMMIT_URL=${{github.event.head_commit.url }}
           platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
           annotations: ${{ steps.meta.outputs.annotations }}
           cache-from: type=gha
-          # cache-to: type=gha,mode=max
+          cache-to: type=gha,mode=max
           sbom: true
           outputs: type=image,"name=${{ needs.define-variables.outputs.images_list }}",push-by-digest=true,name-canonical=true,push=true
         env:
@@ -210,6 +211,7 @@ jobs:
 
   merge:
     runs-on: dind
+    container: ghcr.io/catthehacker/ubuntu:act-latest
     needs: [define-variables, build-image]
     steps:
       - name: Download digests

Cargo.lock

@@ -987,7 +987,6 @@ dependencies = [
  "base64 0.22.1",
  "blurhash",
  "bytes",
- "conduwuit_build_metadata",
  "conduwuit_core",
  "conduwuit_database",
  "const-str",

SECURITY.md

@@ -20,10 +20,10 @@ We may backport fixes to the previous release at our discretion, but we don't gu
 
 We appreciate the efforts of security researchers and the community in identifying and reporting vulnerabilities. To ensure that potential vulnerabilities are addressed properly, please follow these guidelines:
 
-1. **Contact members of the team directly** over E2EE private message.
+1. Contact members of the team over E2EE private message.
    - [@jade:ellis.link](https://matrix.to/#/@jade:ellis.link)
    - [@nex:nexy7574.co.uk](https://matrix.to/#/@nex:nexy7574.co.uk) <!-- ? -->
-2. **Email the security team** at [security@continuwuity.org](mailto:security@continuwuity.org). This is not E2EE, so don't include sensitive details.
+2. **Email the security team** directly at [security@continuwuity.org](mailto:security@continuwuity.org). This is not E2EE, so don't include sensitive details.
 3. **Do not disclose the vulnerability publicly** until it has been addressed
 4. **Provide detailed information** about the vulnerability, including:
    - A clear description of the issue
@@ -48,7 +48,7 @@ When you report a security vulnerability:
 
 When security vulnerabilities are identified:
 
-1. We will develop and test fixes in a private fork
+1. We will develop and test fixes in a private branch
 2. Security updates will be released as soon as possible
 3. Release notes will include information about the vulnerabilities, avoiding details that could facilitate exploitation where possible
 4. Critical security updates may be backported to the previous stable release

conduwuit-example.toml

@@ -119,15 +119,6 @@
 #
 #allow_announcements_check = true
 
-# If enabled, continuwuity will send anonymous analytics data periodically
-# to help improve development. This includes basic server metadata like
-# version, commit hash, and federation status. All requests are signed
-# with the server's federation signing key. Data is sent on startup (with
-# up to 5 minutes jitter) and every 12 hours thereafter (with up to 30
-# minutes jitter) to distribute load.
-#
-#allow_analytics = true
-
 # Set this to any float value to multiply continuwuity's in-memory LRU
 # caches with such as "auth_chain_cache_capacity".
 #

docs/static/announcements.schema.json

@@ -3,7 +3,7 @@
     "$id": "https://continwuity.org/schema/announcements.schema.json",
     "type": "object",
     "properties": {
-      "announcements": {
+      "updates": {
         "type": "array",
         "items": {
           "type": "object",
@@ -16,10 +16,6 @@
             },
             "date": {
               "type": "string"
-            },
-            "mention_room": {
-              "type": "boolean",
-              "description": "Whether to mention the room (@room) when posting this announcement"
             }
           },
           "required": [
@@ -30,6 +26,6 @@
       }
     },
     "required": [
-      "announcements"
+      "updates"
     ]
   }

src/admin/debug/mod.rs

@@ -125,13 +125,13 @@ pub(super) enum DebugCommand {
 		reset: bool,
 	},
 
-	/// - Sign JSON blob
+	/// - Verify json signatures
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.
 	SignJson,
 
-	/// - Verify JSON signatures
+	/// - Verify json signatures
 	///
 	/// This command needs a JSON blob provided in a Markdown code block below
 	/// the command.

src/admin/server/commands.rs

@@ -145,16 +145,6 @@ pub(super) async fn restart(&self, force: bool) -> Result {
 	self.write_str("Restarting server...").await
 }
 
-#[admin_command]
-pub(super) async fn upload_analytics(&self) -> Result {
-	match self.services.analytics.force_upload().await {
-		| Ok(()) => self.write_str("Analytics uploaded successfully.").await,
-		| Err(e) =>
-			self.write_str(&format!("Failed to upload analytics: {e}"))
-				.await,
-	}
-}
-
 #[admin_command]
 pub(super) async fn shutdown(&self) -> Result {
 	warn!("shutdown command");

src/admin/server/mod.rs

@@ -64,7 +64,4 @@ pub(super) enum ServerCommand {
 
 	/// - Shutdown the server
 	Shutdown,
-
-	/// - Upload analytics
-	UploadAnalytics,
 }

src/api/client/membership.rs

@@ -1243,6 +1243,7 @@ async fn join_room_by_id_helper_remote(
 		services.rooms.timeline.get_pdu(event_id).await.ok()
 	};
 
+	debug!("running stateres check on send_join parsed PDU");
 	let auth_check = state_res::event_auth::auth_check(
 		&state_res::RoomVersion::new(&room_version_id)?,
 		&parsed_join_pdu,
@@ -2162,109 +2163,6 @@ async fn knock_room_by_id_helper(
 		}
 	}
 
-	// For knock_restricted rooms, check if the user meets the restricted conditions
-	// If they do, attempt to join instead of knock
-	// This is not mentioned in the spec, but should be allowable (we're allowed to
-	// auto-join invites to knocked rooms)
-	let join_rule = services.rooms.state_accessor.get_join_rules(room_id).await;
-	if let JoinRule::KnockRestricted(restricted) = &join_rule {
-		let restriction_rooms: Vec<_> = restricted
-			.allow
-			.iter()
-			.filter_map(|a| match a {
-				| AllowRule::RoomMembership(r) => Some(&r.room_id),
-				| _ => None,
-			})
-			.collect();
-
-		// Check if the user is in any of the allowed rooms
-		let mut user_meets_restrictions = false;
-		for restriction_room_id in &restriction_rooms {
-			if services
-				.rooms
-				.state_cache
-				.is_joined(sender_user, restriction_room_id)
-				.await
-			{
-				user_meets_restrictions = true;
-				break;
-			}
-		}
-
-		// If the user meets the restrictions, try joining instead
-		if user_meets_restrictions {
-			debug_info!(
-				"{sender_user} meets the restricted criteria in knock_restricted room \
-				 {room_id}, attempting to join instead of knock"
-			);
-			// For this case, we need to drop the state lock and get a new one in
-			// join_room_by_id_helper We need to release the lock here and let
-			// join_room_by_id_helper acquire it again
-			drop(state_lock);
-			match join_room_by_id_helper(
-				services,
-				sender_user,
-				room_id,
-				reason.clone(),
-				servers,
-				None,
-				&None,
-			)
-			.await
-			{
-				| Ok(_) => return Ok(knock_room::v3::Response::new(room_id.to_owned())),
-				| Err(e) => {
-					debug_warn!(
-						"Failed to convert knock to join for {sender_user} in {room_id}: {e:?}"
-					);
-					// Get a new state lock for the remaining knock logic
-					let new_state_lock = services.rooms.state.mutex.lock(room_id).await;
-
-					let server_in_room = services
-						.rooms
-						.state_cache
-						.server_in_room(services.globals.server_name(), room_id)
-						.await;
-
-					let local_knock = server_in_room
-						|| servers.is_empty()
-						|| (servers.len() == 1 && services.globals.server_is_ours(&servers[0]));
-
-					if local_knock {
-						knock_room_helper_local(
-							services,
-							sender_user,
-							room_id,
-							reason,
-							servers,
-							new_state_lock,
-						)
-						.boxed()
-						.await?;
-					} else {
-						knock_room_helper_remote(
-							services,
-							sender_user,
-							room_id,
-							reason,
-							servers,
-							new_state_lock,
-						)
-						.boxed()
-						.await?;
-					}
-
-					return Ok(knock_room::v3::Response::new(room_id.to_owned()));
-				},
-			}
-		}
-	} else if !matches!(join_rule, JoinRule::Knock | JoinRule::KnockRestricted(_)) {
-		debug_warn!(
-			"{sender_user} attempted to knock on room {room_id} but its join rule is \
-			 {join_rule:?}, not knock or knock_restricted"
-		);
-	}
-
 	let server_in_room = services
 		.rooms
 		.state_cache
@@ -2312,12 +2210,6 @@ async fn knock_room_helper_local(
 		return Err!(Request(Forbidden("This room does not support knocking.")));
 	}
 
-	// Verify that this room has a valid knock or knock_restricted join rule
-	let join_rule = services.rooms.state_accessor.get_join_rules(room_id).await;
-	if !matches!(join_rule, JoinRule::Knock | JoinRule::KnockRestricted(_)) {
-		return Err!(Request(Forbidden("This room's join rule does not allow knocking.")));
-	}
-
 	let content = RoomMemberEventContent {
 		displayname: services.users.displayname(sender_user).await.ok(),
 		avatar_url: services.users.avatar_url(sender_user).await.ok(),

src/build_metadata/build.rs

@@ -79,12 +79,12 @@ fn main() {
 
 	// --- Rerun Triggers ---
 	// TODO: The git rerun triggers seem to always run
-	// // Rerun if the git HEAD changes
+	// Rerun if the git HEAD changes
-	// println!("cargo:rerun-if-changed=.git/HEAD");
+	println!("cargo:rerun-if-changed=.git/HEAD");
-	// // Rerun if the ref pointed to by HEAD changes (e.g., new commit on branch)
+	// Rerun if the ref pointed to by HEAD changes (e.g., new commit on branch)
-	// if let Some(ref_path) = run_git_command(&["symbolic-ref", "--quiet", "HEAD"])
+	if let Some(ref_path) = run_git_command(&["symbolic-ref", "--quiet", "HEAD"]) {
-	// { 	println!("cargo:rerun-if-changed=.git/{ref_path}");
+		println!("cargo:rerun-if-changed=.git/{ref_path}");
-	// }
+	}
 
 	println!("cargo:rerun-if-env-changed=GIT_COMMIT_HASH");
 	println!("cargo:rerun-if-env-changed=GIT_COMMIT_HASH_SHORT");

src/core/config/check.rs

@@ -219,15 +219,6 @@ pub fn check(config: &Config) -> Result {
 		));
 	}
 
-	// Check if support contact information is configured
-	if config.well_known.support_email.is_none() && config.well_known.support_mxid.is_none() {
-		warn!(
-			"No support contact information (support_email or support_mxid) is configured in \
-			 the well_known section. Users in the admin room will be automatically listed as \
-			 support contacts in the /.well-known/matrix/support endpoint."
-		);
-	}
-
 	if config
 		.url_preview_domain_contains_allowlist
 		.contains(&"*".to_owned())

src/core/config/mod.rs

@@ -169,18 +169,6 @@ pub struct Config {
 	#[serde(alias = "allow_check_for_updates", default = "true_fn")]
 	pub allow_announcements_check: bool,
 
-	/// If enabled, continuwuity will send anonymous analytics data periodically
-	/// to help improve development. This includes basic server metadata like
-	/// version, build information and federation status. All requests are
-	/// signed with the server's federation signing key.
-	///
-	/// This is also used to warn about potential problems with federation, if
-	/// federation is enabled.
-	///
-	/// default: true
-	#[serde(default = "true_fn")]
-	pub allow_analytics: bool,
-
 	/// Set this to any float value to multiply continuwuity's in-memory LRU
 	/// caches with such as "auth_chain_cache_capacity".
 	///

src/core/matrix/state_res/event_auth.rs

@@ -13,6 +13,7 @@ use ruma::{
 		power_levels::RoomPowerLevelsEventContent,
 		third_party_invite::RoomThirdPartyInviteEventContent,
 	},
+	EventId,
 	int,
 	serde::{Base64, Raw},
 };
@@ -21,7 +22,6 @@ use serde::{
 	de::{Error as _, IgnoredAny},
 };
 use serde_json::{from_str as from_json_str, value::RawValue as RawJsonValue};
-
 use super::{
 	Error, Event, Result, StateEventType, StateKey, TimelineEventType,
 	power_levels::{
@@ -217,8 +217,9 @@ where
 	}
 
 	/*
-	// TODO: In the past this code caused problems federating with synapse, maybe this has been
+	// TODO: In the past this code was commented as it caused problems with Synapse. This is no
-	// resolved already. Needs testing.
+	// longer the case. This needs to be implemented.
+	// See also: https://github.com/ruma/ruma/pull/2064
 	//
 	// 2. Reject if auth_events
 	// a. auth_events cannot have duplicate keys since it's a BTree
@@ -250,11 +251,33 @@ where
 
 	let room_create_event = match room_create_event {
 		| None => {
-			warn!("no m.room.create event in auth chain");
+			error!(
+				create_event = room_create_event.as_ref().map(Event::event_id).unwrap_or(<&EventId>::try_from("$unknown").unwrap()).as_str(),
+				power_levels = power_levels_event.as_ref().map(Event::event_id).unwrap_or(<&EventId>::try_from("$unknown").unwrap()).as_str(),
+				member_event = sender_member_event.as_ref().map(Event::event_id).unwrap_or(<&EventId>::try_from("$unknown").unwrap()).as_str(),
+				"no m.room.create event found for {} ({})!",
+				incoming_event.event_id().as_str(),
+				incoming_event.room_id().as_str()
+			);
 			return Ok(false);
 		},
 		| Some(e) => e,
 	};
+	// just re-check 1.2 to work around a bug
+	let Some(room_id_server_name) = incoming_event.room_id().server_name() else {
+		warn!("room ID has no servername");
+		return Ok(false);
+	};
+
+	if room_id_server_name != room_create_event.sender().server_name() {
+		warn!(
+			"servername of room ID origin ({}) does not match servername of m.room.create \
+			 sender ({})",
+			room_id_server_name,
+			room_create_event.sender().server_name()
+		);
+		return Ok(false);
+	}
 
 	// 3. If event does not have m.room.create in auth_events reject
 	if !incoming_event
@@ -638,7 +661,7 @@ fn valid_membership_change(
 				warn!(?target_user_membership_event_id, "Banned user can't join");
 				false
 			} else if (join_rules == JoinRule::Invite
-                    || room_version.allow_knocking && (join_rules == JoinRule::Knock || matches!(join_rules, JoinRule::KnockRestricted(_))))
+                    || room_version.allow_knocking && join_rules == JoinRule::Knock)
                 // If the join_rule is invite then allow if membership state is invite or join
                     && (target_user_current_membership == MembershipState::Join
                         || target_user_current_membership == MembershipState::Invite)

src/core/matrix/state_res/mod.rs

@@ -609,7 +609,7 @@ where
 		let fetch_state = |ty: &StateEventType, key: &str| {
 			future::ready(auth_state.get(&ty.with_state_key(key)))
 		};
-
+		debug!("running auth check on {:?}", event.event_id());
 		let auth_result =
 			auth_check(room_version, &event, current_third_party.as_ref(), fetch_state).await;
 
@@ -726,8 +726,12 @@ where
 	Fut: Future<Output = Option<E>> + Send,
 	E: Event + Send + Sync,
 {
+	let mut room_id = None;
 	while let Some(sort_ev) = event {
-		debug!(event_id = sort_ev.event_id().as_str(), "mainline");
+		trace!(event_id = sort_ev.event_id().as_str(), "mainline");
+		if room_id.is_none() {
+			room_id = Some(sort_ev.room_id().to_owned());
+		}
 
 		let id = sort_ev.event_id();
 		if let Some(depth) = mainline_map.get(id) {
@@ -746,7 +750,7 @@ where
 			}
 		}
 	}
-	// Did not find a power level event so we default to zero
+	warn!("could not find a power event in the mainline map for {room_id:?}, defaulting to zero depth");
 	Ok(0)
 }
 

src/core/mod.rs

@@ -21,10 +21,7 @@ pub use ::toml;
 pub use ::tracing;
 pub use config::Config;
 pub use error::Error;
-pub use info::{
+pub use info::{rustc_flags_capture, version, version::version};
-	rustc_flags_capture, version,
-	version::{name, version},
-};
 pub use matrix::{Event, EventTypeExt, PduCount, PduEvent, PduId, RoomVersion, pdu, state_res};
 pub use server::Server;
 pub use utils::{ctor, dtor, implement, result, result::Result};

src/main/clap.rs

@@ -15,7 +15,7 @@ use conduwuit_core::{
 #[clap(
 	about,
 	long_about = None,
-	name = conduwuit_core::name(),
+	name = "conduwuit",
 	version = conduwuit_core::version(),
 )]
 pub(crate) struct Args {

src/service/Cargo.toml

@@ -78,7 +78,6 @@ zstd_compression = [
 async-trait.workspace = true
 base64.workspace = true
 bytes.workspace = true
-conduwuit-build-metadata.workspace = true
 conduwuit-core.workspace = true
 conduwuit-database.workspace = true
 const-str.workspace = true

src/service/analytics/mod.rs

@@ -1,245 +0,0 @@
-//! # Analytics service
-//!
-//! This service is responsible for collecting and uploading anonymous server
-//! metadata to help improve continuwuity development.
-//!
-//! All requests are signed with the server's federation signing key for
-//! authentication. This service respects the `allow_analytics` configuration
-//! option and is enabled by default.
-//!
-//! Analytics are sent on startup (with up to 5 minutes jitter) and every 12
-//! hours thereafter (with up to 30 minutes jitter) to distribute load.
-
-use std::{sync::Arc, time::Duration};
-
-use async_trait::async_trait;
-use conduwuit::{
-	Result, Server, debug, err, info,
-	version::{self, user_agent},
-	warn,
-};
-use database::{Deserialized, Map};
-use rand::Rng;
-use ruma::ServerName;
-use serde::{Deserialize, Serialize};
-use tokio::{
-	sync::Notify,
-	time::{MissedTickBehavior, interval},
-};
-
-use crate::{Dep, client, config, federation, globals, server_keys, users};
-
-extern crate conduwuit_build_metadata as build_metadata;
-
-pub struct Service {
-	interval: Duration,
-	jitter: Duration,
-	startup_jitter: Duration,
-	interrupt: Notify,
-	db: Arc<Map>,
-	services: Services,
-}
-
-struct Services {
-	client: Dep<client::Service>,
-	globals: Dep<globals::Service>,
-	server_keys: Dep<server_keys::Service>,
-	federation: Dep<federation::Service>,
-	users: Dep<users::Service>,
-	server: Arc<Server>,
-	config: Dep<config::Service>,
-}
-
-#[derive(Debug, Serialize)]
-struct AnalyticsPayload {
-	server_name: String,
-	version: &'static str,
-	commit_hash: Option<&'static str>,
-	user_count: usize,
-	federation_enabled: bool,
-	room_creation_allowed: bool,
-	public_room_directory_over_federation: bool,
-	build_profile: &'static str,
-	opt_level: &'static str,
-	rustc_version: &'static str,
-	features: Vec<&'static str>,
-	host: &'static str,
-	target: &'static str,
-	// the following can all be derived from the target
-	target_arch: &'static str,
-	target_os: &'static str,
-	target_env: &'static str,
-	target_family: &'static str,
-}
-
-#[derive(Debug, Deserialize)]
-struct AnalyticsResponse {
-	success: bool,
-	message: Option<String>,
-}
-
-const ANALYTICS_URL: &str = "https://analytics.continuwuity.org/api/v1/metrics";
-const ANALYTICS_SERVERNAME: &str = "analytics.continuwuity.org";
-const ANALYTICS_INTERVAL: u64 = 43200; // 12 hours in seconds
-const ANALYTICS_JITTER: u64 = 1800; // 30 minutes in seconds
-const ANALYTICS_STARTUP_JITTER: u64 = 300; // 5 minutes in seconds
-const LAST_ANALYTICS_TIMESTAMP: &[u8; 21] = b"last_analytics_upload";
-
-#[async_trait]
-impl crate::Service for Service {
-	fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
-		let mut rng = rand::thread_rng();
-		let jitter_seconds = rng.gen_range(0..=ANALYTICS_JITTER);
-		let startup_jitter_seconds = rng.gen_range(0..=ANALYTICS_STARTUP_JITTER);
-
-		Ok(Arc::new(Self {
-			interval: Duration::from_secs(ANALYTICS_INTERVAL),
-			jitter: Duration::from_secs(jitter_seconds),
-			startup_jitter: Duration::from_secs(startup_jitter_seconds),
-			interrupt: Notify::new(),
-			db: args.db["global"].clone(),
-			services: Services {
-				globals: args.depend::<globals::Service>("globals"),
-				client: args.depend::<client::Service>("client"),
-				config: args.depend::<config::Service>("config"),
-				server_keys: args.depend::<server_keys::Service>("server_keys"),
-				users: args.depend::<users::Service>("users"),
-				federation: args.depend::<federation::Service>("federation"),
-				server: args.server.clone(),
-			},
-		}))
-	}
-
-	#[tracing::instrument(skip_all, name = "analytics", level = "debug")]
-	async fn worker(self: Arc<Self>) -> Result<()> {
-		if !self.services.server.config.allow_analytics {
-			debug!("Analytics collection is disabled");
-			return Ok(());
-		}
-
-		// Send initial analytics on startup (with shorter jitter)
-		tokio::time::sleep(self.startup_jitter).await;
-		if let Err(e) = self.upload_analytics().await {
-			warn!(%e, "Failed to upload initial analytics");
-		}
-
-		let mut i = interval(self.interval);
-		i.set_missed_tick_behavior(MissedTickBehavior::Delay);
-		i.reset_after(self.interval + self.jitter);
-
-		loop {
-			tokio::select! {
-				() = self.interrupt.notified() => break,
-				_ = i.tick() => {
-					if let Err(e) = self.upload_analytics().await {
-						warn!(%e, "Failed to upload analytics");
-					}
-				}
-			}
-		}
-
-		Ok(())
-	}
-
-	fn interrupt(&self) { self.interrupt.notify_waiters(); }
-
-	fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
-}
-
-impl Service {
-	#[tracing::instrument(skip_all)]
-	async fn upload_analytics(&self) -> Result<()> {
-		let payload = self.collect_metadata().await;
-		let json_payload = serde_json::to_vec(&payload)?;
-
-		// Create HTTP request
-		let request = http::Request::builder()
-			.method("POST")
-			.uri(ANALYTICS_URL)
-			.header("Content-Type", "application/json")
-			.header("User-Agent", user_agent())
-			.body(json_payload)?;
-
-		// Sign the request using federation signing
-		let reqwest_request = self.services.federation.sign_non_federation_request(
-			ServerName::parse(ANALYTICS_SERVERNAME).unwrap(),
-			request,
-		)?;
-		// self.sign_analytics_request(&mut request).await?;
-
-		let response = self
-			.services
-			.client
-			.default
-			.execute(reqwest_request)
-			.await?;
-		let status = response.status();
-		if let Ok(analytics_response) =
-			serde_json::from_str::<AnalyticsResponse>(&response.text().await?)
-		{
-			if analytics_response.success {
-				debug!("Analytics uploaded successfully");
-				self.update_last_upload_timestamp().await;
-			}
-			let msg = analytics_response.message.unwrap_or_default();
-			warn!("Analytics upload warning: {}", msg);
-		} else if status.is_success() {
-			info!("Analytics uploaded successfully (no structured response)");
-			self.update_last_upload_timestamp().await;
-		} else {
-			warn!("Analytics upload failed (no structured response) with status: {}", status);
-		}
-
-		Ok(())
-	}
-
-	async fn collect_metadata(&self) -> AnalyticsPayload {
-		let config = &self.services.config;
-
-		AnalyticsPayload {
-			server_name: self.services.globals.server_name().to_string(),
-			version: version::version(),
-			commit_hash: build_metadata::GIT_COMMIT_HASH,
-			user_count: self.services.users.count().await,
-			federation_enabled: config.allow_federation,
-			room_creation_allowed: config.allow_room_creation,
-			public_room_directory_over_federation: config
-				.allow_public_room_directory_over_federation,
-			build_profile: build_metadata::built::PROFILE,
-			opt_level: build_metadata::built::OPT_LEVEL,
-			rustc_version: build_metadata::built::RUSTC_VERSION,
-			features: build_metadata::built::FEATURES.to_vec(),
-			host: build_metadata::built::HOST,
-			target: build_metadata::built::TARGET,
-			target_arch: build_metadata::built::CFG_TARGET_ARCH,
-			target_os: build_metadata::built::CFG_OS,
-			target_env: build_metadata::built::CFG_ENV,
-			target_family: build_metadata::built::CFG_FAMILY,
-		}
-	}
-
-	async fn update_last_upload_timestamp(&self) {
-		let timestamp = std::time::SystemTime::now()
-			.duration_since(std::time::UNIX_EPOCH)
-			.unwrap_or_default()
-			.as_secs();
-
-		self.db.raw_put(LAST_ANALYTICS_TIMESTAMP, timestamp);
-	}
-
-	pub async fn last_upload_timestamp(&self) -> u64 {
-		self.db
-			.get(LAST_ANALYTICS_TIMESTAMP)
-			.await
-			.deserialized()
-			.unwrap_or(0_u64)
-	}
-
-	pub async fn force_upload(&self) -> Result<()> {
-		if !self.services.config.allow_analytics {
-			return Err(err!(Config("allow_analytics", "Analytics collection is disabled")));
-		}
-
-		self.upload_analytics().await
-	}
-}

src/service/announcements/mod.rs

@@ -20,7 +20,7 @@ use std::{sync::Arc, time::Duration};
 use async_trait::async_trait;
 use conduwuit::{Result, Server, debug, info, warn};
 use database::{Deserialized, Map};
-use ruma::events::{Mentions, room::message::RoomMessageEventContent};
+use ruma::events::room::message::RoomMessageEventContent;
 use serde::Deserialize;
 use tokio::{
 	sync::Notify,
@@ -53,8 +53,6 @@ struct CheckForAnnouncementsResponseEntry {
 	id: u64,
 	date: Option<String>,
 	message: String,
-	#[serde(default, skip_serializing_if = "bool::not")]
-	mention_room: bool,
 }
 
 const CHECK_FOR_ANNOUNCEMENTS_URL: &str =
@@ -141,20 +139,19 @@ impl Service {
 		} else {
 			info!("[announcements] {:#}", announcement.message);
 		}
-		let mut message = RoomMessageEventContent::text_markdown(format!(
-			"### New announcement{}\n\n{}",
-			announcement
-				.date
-				.as_ref()
-				.map_or_else(String::new, |date| format!(" - `{date}`")),
-			announcement.message
-		));
 
-		if announcement.mention_room {
+		self.services
-			message = message.add_mentions(Mentions::with_room_mention());
+			.admin
-		}
+			.send_message(RoomMessageEventContent::text_markdown(format!(
-
+				"### New announcement{}\n\n{}",
-		self.services.admin.send_message(message).await.ok();
+				announcement
+					.date
+					.as_ref()
+					.map_or_else(String::new, |date| format!(" - `{date}`")),
+				announcement.message
+			)))
+			.await
+			.ok();
 	}
 
 	#[inline]

src/service/federation/execute.rs

@@ -107,20 +107,6 @@ fn prepare(&self, dest: &ServerName, mut request: http::Request<Vec<u8>>) -> Res
 	Ok(request)
 }
 
-#[implement(super::Service)]
-pub fn sign_non_federation_request(
-	&self,
-	dest: &ServerName,
-	mut request: http::Request<Vec<u8>>,
-) -> Result<Request> {
-	self.sign_request(&mut request, dest);
-
-	let request = Request::try_from(request)?;
-	self.services.server.check_running()?;
-
-	Ok(request)
-}
-
 #[implement(super::Service)]
 fn validate_url(&self, url: &Url) -> Result<()> {
 	if let Some(url_host) = url.host_str() {

src/service/mod.rs

@@ -9,7 +9,6 @@ pub mod state;
 
 pub mod account_data;
 pub mod admin;
-pub mod analytics;
 pub mod announcements;
 pub mod appservice;
 pub mod client;

src/service/rooms/event_handler/handle_outlier_pdu.rs

@@ -76,7 +76,7 @@ pub(super) async fn handle_outlier_pdu<'a>(
 		// 5. Reject "due to auth events" if can't get all the auth events or some of
 		//    the auth events are also rejected "due to auth events"
 		// NOTE: Step 5 is not applied anymore because it failed too often
-		debug!("Fetching auth events");
+		debug!("Fetching auth events for {}", incoming_pdu.event_id);
 		Box::pin(self.fetch_and_handle_outliers(
 			origin,
 			&incoming_pdu.auth_events,
@@ -88,12 +88,12 @@ pub(super) async fn handle_outlier_pdu<'a>(
 
 	// 6. Reject "due to auth events" if the event doesn't pass auth based on the
 	//    auth events
-	debug!("Checking based on auth events");
+	debug!("Checking {} based on auth events", incoming_pdu.event_id);
 	// Build map of auth events
 	let mut auth_events = HashMap::with_capacity(incoming_pdu.auth_events.len());
 	for id in &incoming_pdu.auth_events {
 		let Ok(auth_event) = self.services.timeline.get_pdu(id).await else {
-			warn!("Could not find auth event {id}");
+			warn!("Could not find auth event {id} for {}", incoming_pdu.event_id);
 			continue;
 		};
 
@@ -119,10 +119,7 @@ pub(super) async fn handle_outlier_pdu<'a>(
 	}
 
 	// The original create event must be in the auth events
-	if !matches!(
+	if !auth_events.contains_key(&(StateEventType::RoomCreate, String::new().into())) {
-		auth_events.get(&(StateEventType::RoomCreate, String::new().into())),
-		Some(_) | None
-	) {
 		return Err!(Request(InvalidParam("Incoming event refers to wrong create event.")));
 	}
 
@@ -131,6 +128,7 @@ pub(super) async fn handle_outlier_pdu<'a>(
 		ready(auth_events.get(&key))
 	};
 
+	debug!("running auth check to handle outlier pdu {:?}", incoming_pdu.event_id);
 	let auth_check = state_res::event_auth::auth_check(
 		&to_room_version(&room_version_id),
 		&incoming_pdu,

src/service/rooms/event_handler/upgrade_outlier_pdu.rs

@@ -1,12 +1,6 @@
 use std::{borrow::Borrow, collections::BTreeMap, iter::once, sync::Arc, time::Instant};
 
-use conduwuit::{
+use conduwuit::{Err, Result, debug, debug_info, err, implement, matrix::{EventTypeExt, PduEvent, StateKey, state_res}, trace, utils::stream::{BroadbandExt, ReadyExt}, warn, info};
-	Err, Result, debug, debug_info, err, implement,
-	matrix::{EventTypeExt, PduEvent, StateKey, state_res},
-	trace,
-	utils::stream::{BroadbandExt, ReadyExt},
-	warn,
-};
 use futures::{FutureExt, StreamExt, future::ready};
 use ruma::{CanonicalJsonValue, RoomId, ServerName, events::StateEventType};
 
@@ -44,7 +38,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		return Err!(Request(InvalidParam("Event has been soft failed")));
 	}
 
-	debug!("Upgrading to timeline pdu");
+	debug!("Upgrading pdu {} from outlier to timeline pdu", incoming_pdu.event_id);
 	let timer = Instant::now();
 	let room_version_id = get_room_version_id(create_event)?;
 
@@ -52,7 +46,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 	//     backwards extremities doing all the checks in this list starting at 1.
 	//     These are not timeline events.
 
-	debug!("Resolving state at event");
+	debug!("Resolving state at event {}", incoming_pdu.event_id);
 	let mut state_at_incoming_event = if incoming_pdu.prev_events.len() == 1 {
 		self.state_at_incoming_degree_one(&incoming_pdu).await?
 	} else {
@@ -70,7 +64,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		state_at_incoming_event.expect("we always set this to some above");
 	let room_version = to_room_version(&room_version_id);
 
-	debug!("Performing auth check");
+	debug!("Performing auth check to upgrade {}", incoming_pdu.event_id);
 	// 11. Check the auth of the event passes based on the state of the event
 	let state_fetch_state = &state_at_incoming_event;
 	let state_fetch = |k: StateEventType, s: StateKey| async move {
@@ -80,6 +74,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		self.services.timeline.get_pdu(event_id).await.ok()
 	};
 
+	debug!("running auth check on {}", incoming_pdu.event_id);
 	let auth_check = state_res::event_auth::auth_check(
 		&room_version,
 		&incoming_pdu,
@@ -93,7 +88,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		return Err!(Request(Forbidden("Event has failed auth check with state at the event.")));
 	}
 
-	debug!("Gathering auth events");
+	debug!("Gathering auth events for {}", incoming_pdu.event_id);
 	let auth_events = self
 		.services
 		.state
@@ -111,6 +106,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 		ready(auth_events.get(&key).cloned())
 	};
 
+	debug!("running auth check on {} with claimed state auth", incoming_pdu.event_id);
 	let auth_check = state_res::event_auth::auth_check(
 		&room_version,
 		&incoming_pdu,
@@ -121,7 +117,7 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 	.map_err(|e| err!(Request(Forbidden("Auth check failed: {e:?}"))))?;
 
 	// Soft fail check before doing state res
-	debug!("Performing soft-fail check");
+	debug!("Performing soft-fail check on {}", incoming_pdu.event_id);
 	let soft_fail = match (auth_check, incoming_pdu.redacts_id(&room_version_id)) {
 		| (false, _) => true,
 		| (true, None) => false,
@@ -218,7 +214,8 @@ pub(super) async fn upgrade_outlier_to_timeline_pdu(
 	// 14. Check if the event passes auth based on the "current state" of the room,
 	//     if not soft fail it
 	if soft_fail {
-		debug!("Soft failing event");
+		info!("Soft failing event {}", incoming_pdu.event_id);
+		assert!(extremities.is_empty(), "soft_fail extremities empty");
 		let extremities = extremities.iter().map(Borrow::borrow);
 
 		self.services

src/service/rooms/timeline/mod.rs

@@ -698,6 +698,20 @@ impl Service {
 			.await
 			.saturating_add(uint!(1));
 
+		if state_key.is_none() {
+			if prev_events.is_empty() {
+				warn!("Timeline event had zero prev_events, something broke.");
+				return Err!(Request(Unknown("Timeline event had zero prev_events.")));
+			}
+			if depth.le(&uint!(2)) {
+				warn!(
+					"Had unsafe depth of {depth} in {room_id} when creating non-state event. \
+					 Bad!"
+				);
+				return Err!(Request(Unknown("Unsafe depth for non-state event.")));
+			}
+		};
+
 		let mut unsigned = unsigned.unwrap_or_default();
 
 		if let Some(state_key) = &state_key {
@@ -757,6 +771,7 @@ impl Service {
 			ready(auth_events.get(&key))
 		};
 
+		debug!("running auth check on new {} event by {} in {}", pdu.kind, pdu.sender, pdu.room_id);
 		let auth_check = state_res::auth_check(
 			&room_version,
 			&pdu,
@@ -961,8 +976,9 @@ impl Service {
 		state_lock: &'a RoomMutexGuard,
 	) -> Result<Option<RawPduId>>
 	where
-		Leaves: Iterator<Item = &'a EventId> + Send + 'a,
+		Leaves: Iterator<Item = &'a EventId> + Send + Clone + 'a,
 	{
+		assert!(new_room_leaves.clone().count() > 0, "extremities are empty");
 		// We append to state before appending the pdu, so we don't have a moment in
 		// time with the pdu without it's state. This is okay because append_pdu can't
 		// fail.
@@ -1142,7 +1158,7 @@ impl Service {
 			.boxed();
 
 		while let Some(ref backfill_server) = servers.next().await {
-			info!("Asking {backfill_server} for backfill");
+			info!("Asking {backfill_server} for backfill in {:?}", room_id.to_owned());
 			let response = self
 				.services
 				.sending
@@ -1170,7 +1186,7 @@ impl Service {
 			}
 		}
 
-		info!("No servers could backfill, but backfill was needed in room {room_id}");
+		warn!("No servers could backfill, but backfill was needed in room {room_id}");
 		Ok(())
 	}
 

src/service/services.rs

@@ -10,8 +10,8 @@ use futures::{Stream, StreamExt, TryStreamExt};
 use tokio::sync::Mutex;
 
 use crate::{
-	account_data, admin, analytics, announcements, appservice, client, config, emergency,
+	account_data, admin, announcements, appservice, client, config, emergency, federation,
-	federation, globals, key_backups,
+	globals, key_backups,
 	manager::Manager,
 	media, moderation, presence, pusher, resolver, rooms, sending, server_keys, service,
 	service::{Args, Map, Service},
@@ -21,7 +21,6 @@ use crate::{
 pub struct Services {
 	pub account_data: Arc<account_data::Service>,
 	pub admin: Arc<admin::Service>,
-	pub analytics: Arc<analytics::Service>,
 	pub appservice: Arc<appservice::Service>,
 	pub config: Arc<config::Service>,
 	pub client: Arc<client::Service>,
@@ -69,7 +68,6 @@ impl Services {
 		Ok(Arc::new(Self {
 			account_data: build!(account_data::Service),
 			admin: build!(admin::Service),
-			analytics: build!(analytics::Service),
 			appservice: build!(appservice::Service),
 			resolver: build!(resolver::Service),
 			client: build!(client::Service),