Bump version to v4.1.18 (#30911)

* Fix insufficient permission checking for public timeline endpoints

Note that this changes unauthenticated access failure code from 401 to 422

* Add more tests for public timelines

* Require user token in `/api/v1/statuses/:id/translate` and `/api/v1/scheduled_statuses`

.browserslistrc

@@ -0,0 +1,7 @@
+[production]
+defaults
+not IE 11
+not dead
+
+[development]
+supports es6-module

.buildpacks

@@ -1,4 +1,3 @@
 https://github.com/heroku/heroku-buildpack-apt
 https://github.com/Scalingo/ffmpeg-buildpack
-https://github.com/Scalingo/nodejs-buildpack
 https://github.com/Scalingo/ruby-buildpack

.circleci/config.yml

@@ -1,250 +0,0 @@
-version: 2
-
-aliases:
-  - &defaults
-    docker:
-      - image: circleci/ruby:2.7-buster-node
-        environment: &ruby_environment
-          BUNDLE_APP_CONFIG: ./.bundle/
-          BUNDLE_PATH: ./vendor/bundle/
-          DB_HOST: localhost
-          DB_USER: root
-          RAILS_ENV: test
-          PARALLEL_TEST_PROCESSORS: 4
-          ALLOW_NOPAM: true
-          CONTINUOUS_INTEGRATION: true
-          DISABLE_SIMPLECOV: true
-          PAM_ENABLED: true
-          PAM_DEFAULT_SERVICE: pam_test
-          PAM_CONTROLLED_SERVICE: pam_test_controlled
-    working_directory: ~/projects/mastodon/
-
-  - &attach_workspace
-    attach_workspace:
-      at: ~/projects/
-
-  - &persist_to_workspace
-    persist_to_workspace:
-      root: ~/projects/
-      paths:
-        - ./mastodon/
-
-  - &restore_ruby_dependencies
-    restore_cache:
-      keys:
-        - v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
-        - v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-
-        - v2-ruby-dependencies-
-
-  - &install_steps
-    steps:
-      - checkout
-      - *attach_workspace
-      - restore_cache:
-          keys:
-            - v1-node-dependencies-{{ checksum "yarn.lock" }}
-            - v1-node-dependencies-
-      - run: yarn install --frozen-lockfile
-      - save_cache:
-          key: v1-node-dependencies-{{ checksum "yarn.lock" }}
-          paths:
-            - ./node_modules/
-      - *persist_to_workspace
-
-  - &install_system_dependencies
-      run:
-        name: Install system dependencies
-        command: |
-          sudo apt-get update
-          sudo apt-get install -y libicu-dev libidn11-dev libprotobuf-dev protobuf-compiler
-          
-          ## TODO: FIX THESE BUSTER DEPENDANCES
-          sudo wget http://ftp.au.debian.org/debian/pool/main/i/icu/libicu57_57.1-6+deb9u3_amd64.deb
-          sudo dpkg -i libicu57_57.1-6+deb9u3_amd64.deb
-          sudo wget http://ftp.au.debian.org/debian/pool/main/p/protobuf/libprotobuf10_3.0.0-9_amd64.deb
-          sudo dpkg -i libprotobuf10_3.0.0-9_amd64.deb
-
-  - &install_ruby_dependencies
-      steps:
-        - *attach_workspace
-        - *install_system_dependencies
-        - run: ruby -e 'puts RUBY_VERSION' | tee /tmp/.ruby-version
-        - *restore_ruby_dependencies
-        - run: bundle config set clean 'true'
-        - run: bundle config set deployment 'true'
-        - run: bundle config set with 'pam_authentication'
-        - run: bundle config set without 'development production'
-        - run: bundle config set frozen 'true'
-        - run: bundle install --jobs 16 --retry 3 && bundle clean
-        - save_cache:
-            key: v2-ruby-dependencies-{{ checksum "/tmp/.ruby-version" }}-{{ checksum "Gemfile.lock" }}
-            paths:
-              - ./.bundle/
-              - ./vendor/bundle/
-        - persist_to_workspace:
-            root: ~/projects/
-            paths:
-                - ./mastodon/.bundle/
-                - ./mastodon/vendor/bundle/
-
-  - &test_steps
-      steps:
-        - *attach_workspace
-        - *install_system_dependencies
-        - run: sudo apt-get install -y ffmpeg
-        - run:
-            name: Prepare Tests
-            command: ./bin/rails parallel:create parallel:load_schema parallel:prepare
-        - run:
-            name: Run Tests
-            command: ./bin/retry bundle exec parallel_test ./spec/ --group-by filesize --type rspec
-
-jobs:
-  install:
-    <<: *defaults
-    <<: *install_steps
-
-  install-ruby2.7:
-    <<: *defaults
-    <<: *install_ruby_dependencies
-
-  install-ruby2.6:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.6-buster-node
-        environment: *ruby_environment
-    <<: *install_ruby_dependencies
-
-  install-ruby2.5:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.5-buster-node
-        environment: *ruby_environment
-    <<: *install_ruby_dependencies
-
-  build:
-    <<: *defaults
-    steps:
-      - *attach_workspace
-      - *install_system_dependencies
-      - run: ./bin/rails assets:precompile
-      - persist_to_workspace:
-          root: ~/projects/
-          paths:
-              - ./mastodon/public/assets
-              - ./mastodon/public/packs-test/
-
-  test-migrations:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.7-buster-node
-        environment: *ruby_environment
-      - image: circleci/postgres:12.2
-        environment:
-          POSTGRES_USER: root
-          POSTGRES_HOST_AUTH_METHOD: trust
-      - image: circleci/redis:5-alpine
-    steps:
-      - *attach_workspace
-      - *install_system_dependencies
-      - run:
-          name: Create database
-          command: ./bin/rails parallel:create
-      - run:
-          name: Run migrations
-          command: ./bin/rails parallel:migrate
-
-  test-ruby2.7:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.7-buster-node
-        environment: *ruby_environment
-      - image: circleci/postgres:12.2
-        environment:
-          POSTGRES_USER: root
-          POSTGRES_HOST_AUTH_METHOD: trust
-      - image: circleci/redis:5-alpine
-    <<: *test_steps
-
-  test-ruby2.6:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.6-buster-node
-        environment: *ruby_environment
-      - image: circleci/postgres:12.2
-        environment:
-          POSTGRES_USER: root
-          POSTGRES_HOST_AUTH_METHOD: trust
-      - image: circleci/redis:5-alpine
-    <<: *test_steps
-
-  test-ruby2.5:
-    <<: *defaults
-    docker:
-      - image: circleci/ruby:2.5-buster-node
-        environment: *ruby_environment
-      - image: circleci/postgres:12.2
-        environment:
-          POSTGRES_USER: root
-          POSTGRES_HOST_AUTH_METHOD: trust
-      - image: circleci/redis:5-alpine
-    <<: *test_steps
-
-  test-webui:
-    <<: *defaults
-    docker:
-      - image: circleci/node:12-buster
-    steps:
-      - *attach_workspace
-      - run: ./bin/retry yarn test:jest
-
-  check-i18n:
-    <<: *defaults
-    steps:
-      - *attach_workspace
-      - *install_system_dependencies
-      - run: bundle exec i18n-tasks check-normalized
-      - run: bundle exec i18n-tasks unused -l en
-      - run: bundle exec i18n-tasks check-consistent-interpolations
-      - run: bundle exec rake repo:check_locales_files
-
-workflows:
-  version: 2
-  build-and-test:
-    jobs:
-      - install
-      - install-ruby2.7:
-          requires:
-            - install
-      - install-ruby2.6:
-          requires:
-            - install
-            - install-ruby2.7
-      - install-ruby2.5:
-          requires:
-            - install
-            - install-ruby2.7
-      - build:
-          requires:
-            - install-ruby2.7
-      - test-migrations:
-          requires:
-            - install-ruby2.7
-      - test-ruby2.7:
-          requires:
-            - install-ruby2.7
-            - build
-      - test-ruby2.6:
-          requires:
-            - install-ruby2.6
-            - build
-      - test-ruby2.5:
-          requires:
-            - install-ruby2.5
-            - build
-      - test-webui:
-          requires:
-            - install
-      - check-i18n:
-          requires:
-            - install-ruby2.7

.codeclimate.yml

@@ -1,4 +1,4 @@
-version: "2"
+version: '2'
 checks:
   argument-count:
     enabled: false
@@ -26,13 +26,14 @@ plugins:
   bundler-audit:
     enabled: true
   eslint:
-    enabled: true
-    channel: eslint-6
+    enabled: false
   rubocop:
-    enabled: true
-    channel: rubocop-0-76
+    enabled: false
   sass-lint:
-    enabled: true
+    enabled: false
 exclude_patterns:
-- spec/
-- vendor/asset
+  - spec/
+  - vendor/asset/
+
+  - app/javascript/mastodon/locales/**/*.json
+  - config/locales/**/*.yml

.dependabot/config.yml

@@ -1,10 +0,0 @@
-version: 1
-
-update_configs:
-  - package_manager: "ruby:bundler"
-    directory: "/"
-    update_schedule: "weekly"
-
-  - package_manager: "javascript"
-    directory: "/"
-    update_schedule: "weekly"

.devcontainer/Dockerfile

@@ -0,0 +1,24 @@
+# [Choice] Ruby version (use -bullseye variants on local arm64/Apple Silicon): 3, 3.1, 3.0, 2, 2.7, 2.6, 3-bullseye, 3.1-bullseye, 3.0-bullseye, 2-bullseye, 2.7-bullseye, 2.6-bullseye, 3-buster, 3.1-buster, 3.0-buster, 2-buster, 2.7-buster, 2.6-buster
+ARG VARIANT=3.1-bullseye
+FROM mcr.microsoft.com/vscode/devcontainers/ruby:${VARIANT}
+
+# Install Rails
+# RUN gem install rails webdrivers
+
+# Default value to allow debug server to serve content over GitHub Codespace's port forwarding service
+# The value is a comma-separated list of allowed domains
+ENV RAILS_DEVELOPMENT_HOSTS=".githubpreview.dev"
+
+# [Choice] Node.js version: lts/*, 18, 16, 14
+ARG NODE_VERSION="lts/*"
+RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"
+
+# [Optional] Uncomment this section to install additional OS packages.
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends libicu-dev libidn11-dev ffmpeg imagemagick libpam-dev
+
+# [Optional] Uncomment this line to install additional gems.
+RUN gem install foreman
+
+# [Optional] Uncomment this line to install global node packages.
+RUN su vscode -c "source /usr/local/share/nvm/nvm.sh && npm install -g yarn" 2>&1

.devcontainer/devcontainer.json

@@ -0,0 +1,33 @@
+{
+  "name": "Mastodon",
+  "dockerComposeFile": "docker-compose.yml",
+  "service": "app",
+  "workspaceFolder": "/mastodon",
+
+  // Set *default* container specific settings.json values on container create.
+  "settings": {},
+
+  // Add the IDs of extensions you want installed when the container is created.
+  "extensions": [
+    "EditorConfig.EditorConfig",
+    "dbaeumer.vscode-eslint",
+    "rebornix.Ruby",
+    "webben.browserslist"
+  ],
+
+  "features": {
+    "ghcr.io/devcontainers/features/sshd:1": {
+      "version": "latest"
+    }
+  },
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // This can be used to network with other containers or the host.
+  "forwardPorts": [3000, 4000],
+
+  // Use 'postCreateCommand' to run commands after the container is created.
+  "postCreateCommand": ".devcontainer/post-create.sh",
+
+  // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+  "remoteUser": "vscode"
+}

.devcontainer/docker-compose.yml

@@ -0,0 +1,90 @@
+version: '3'
+
+services:
+  app:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        # Update 'VARIANT' to pick a version of Ruby: 3, 3.1, 3.0, 2, 2.7, 2.6
+        # Append -bullseye or -buster to pin to an OS version.
+        # Use -bullseye variants on local arm64/Apple Silicon.
+        VARIANT: '3.0-bullseye'
+        # Optional Node.js version to install
+        NODE_VERSION: '16'
+    volumes:
+      - ..:/mastodon:cached
+    environment:
+      RAILS_ENV: development
+      NODE_ENV: development
+
+      REDIS_HOST: redis
+      REDIS_PORT: '6379'
+      DB_HOST: db
+      DB_USER: postgres
+      DB_PASS: postgres
+      DB_PORT: '5432'
+      ES_ENABLED: 'true'
+      ES_HOST: es
+      ES_PORT: '9200'
+      LIBRE_TRANSLATE_ENDPOINT: http://libretranslate:5000
+    # Overrides default command so things don't shut down after the process ends.
+    command: sleep infinity
+    networks:
+      - external_network
+      - internal_network
+    user: vscode
+
+  db:
+    image: postgres:14-alpine
+    restart: unless-stopped
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    environment:
+      POSTGRES_USER: postgres
+      POSTGRES_DB: postgres
+      POSTGRES_PASSWORD: postgres
+      POSTGRES_HOST_AUTH_METHOD: trust
+    networks:
+      - internal_network
+
+  redis:
+    image: redis:6-alpine
+    restart: unless-stopped
+    volumes:
+      - redis-data:/data
+    networks:
+      - internal_network
+
+  es:
+    image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+    restart: unless-stopped
+    environment:
+      ES_JAVA_OPTS: -Xms512m -Xmx512m
+      cluster.name: es-mastodon
+      discovery.type: single-node
+      bootstrap.memory_lock: 'true'
+    volumes:
+      - es-data:/usr/share/elasticsearch/data
+    networks:
+      - internal_network
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+
+  libretranslate:
+    image: libretranslate/libretranslate:v1.2.9
+    restart: unless-stopped
+    networks:
+      - internal_network
+
+volumes:
+  postgres-data:
+  redis-data:
+  es-data:
+
+networks:
+  external_network:
+  internal_network:
+    internal: true

.devcontainer/post-create.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+set -e # Fail the whole script on first error
+
+# Fetch Ruby gem dependencies
+bundle install --path vendor/bundle --with='development test'
+
+# Fetch Javascript dependencies
+yarn install
+
+# Make Gemfile.lock pristine again
+git checkout -- Gemfile.lock
+
+# [re]create, migrate, and seed the test database
+RAILS_ENV=test ./bin/rails db:setup
+
+# Precompile assets for development
+RAILS_ENV=development ./bin/rails assets:precompile
+
+# Precompile assets for test
+RAILS_ENV=test NODE_ENV=tests ./bin/rails assets:precompile

.dockerignore

@@ -1,6 +1,10 @@
 .bundle
 .env
 .env.*
+.git
+.gitattributes
+.gitignore
+.github
 public/system
 public/assets
 public/packs
@@ -11,5 +15,7 @@ vendor/bundle
 *.swp
 *~
 postgres
+postgres14
 redis
 elasticsearch
+chart

.env.nanobox

@@ -1,257 +0,0 @@
-# Service dependencies
-# You may set REDIS_URL instead for more advanced options
-REDIS_HOST=$DATA_REDIS_HOST
-REDIS_PORT=6379
-# REDIS_DB=0
-
-# You may set DATABASE_URL instead for more advanced options
-DB_HOST=$DATA_DB_HOST
-DB_USER=$DATA_DB_USER
-DB_NAME=gonano
-DB_PASS=$DATA_DB_PASS
-DB_PORT=5432
-
-# DATABASE_URL=postgresql://$DATA_DB_USER:$DATA_DB_PASS@$DATA_DB_HOST/gonano
-
-# Optional ElasticSearch configuration
-ES_ENABLED=true
-ES_HOST=$DATA_ELASTIC_HOST
-ES_PORT=9200
-
-BIND=0.0.0.0
-
-# Federation
-# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
-# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
-LOCAL_DOMAIN=${APP_NAME}.nanoapp.io
-
-# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
-
-# Use this only if you need to run mastodon on a different domain than the one used for federation.
-# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
-# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
-# WEB_DOMAIN=mastodon.example.com
-
-# Use this if you want to have several aliases handler@example1.com
-# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
-# be added. Comma separated values
-# ALTERNATE_DOMAINS=example1.com,example2.com
-
-# Application secrets
-# Generate each with the `rake secret` task (`nanobox run bundle exec rake secret`)
-SECRET_KEY_BASE=$SECRET_KEY_BASE
-OTP_SECRET=$OTP_SECRET
-
-# VAPID keys (used for push notifications)
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `rake mastodon:webpush:generate_vapid_key` task (`nanobox run bundle exec rake mastodon:webpush:generate_vapid_key`)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
-VAPID_PRIVATE_KEY=$VAPID_PRIVATE_KEY
-VAPID_PUBLIC_KEY=$VAPID_PUBLIC_KEY
-
-# Registrations
-# Single user mode will disable registrations and redirect frontpage to the first profile
-# SINGLE_USER_MODE=true
-# Prevent registrations with following e-mail domains
-# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
-# Only allow registrations with the following e-mail domains
-# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
-
-# Optionally change default language
-# DEFAULT_LOCALE=de
-
-# E-mail configuration
-# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
-# If you want to use an SMTP server without authentication (e.g local Postfix relay)
-# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
-# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
-SMTP_SERVER=$SMTP_SERVER
-SMTP_PORT=587
-SMTP_LOGIN=$SMTP_LOGIN
-SMTP_PASSWORD=$SMTP_PASSWORD
-SMTP_FROM_ADDRESS=notifications@${APP_NAME}.nanoapp.io
-#SMTP_REPLY_TO=
-#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
-#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
-#SMTP_AUTH_METHOD=plain
-#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
-#SMTP_OPENSSL_VERIFY_MODE=peer
-#SMTP_ENABLE_STARTTLS_AUTO=true
-#SMTP_TLS=true
-
-# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
-# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
-# PAPERCLIP_ROOT_URL=/system
-
-# Optional asset host for multi-server setups
-# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
-# if WEB_DOMAIN is not set. For example, the server may have the
-# following header field:
-# Access-Control-Allow-Origin: https://example.com/
-# CDN_HOST=https://assets.example.com
-
-# S3 (optional)
-# The attachment host must allow cross origin request from WEB_DOMAIN or
-# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
-# following header field:
-# Access-Control-Allow-Origin: https://192.168.1.123:9000/
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=http
-# S3_HOSTNAME=192.168.1.123:9000
-
-# S3 (Minio Config (optional) Please check Minio instance for details)
-# The attachment host must allow cross origin request - see the description
-# above.
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=https
-# S3_HOSTNAME=
-# S3_ENDPOINT=
-# S3_SIGNATURE_VERSION=
-
-# Google Cloud Storage (optional)
-# Use S3 compatible API. Since GCS does not support Multipart Upload,
-# increase the value of S3_MULTIPART_THRESHOLD to disable Multipart Upload.
-# The attachment host must allow cross origin request - see the description
-# above.
-# S3_ENABLED=true
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=https
-# S3_HOSTNAME=storage.googleapis.com
-# S3_ENDPOINT=https://storage.googleapis.com
-# S3_MULTIPART_THRESHOLD=52428801 # 50.megabytes
-
-# Swift (optional)
-# The attachment host must allow cross origin request - see the description
-# above.
-# SWIFT_ENABLED=true
-# SWIFT_USERNAME=
-# For Keystone V3, the value for SWIFT_TENANT should be the project name
-# SWIFT_TENANT=
-# SWIFT_PASSWORD=
-# Some OpenStack V3 providers require PROJECT_ID (optional)
-# SWIFT_PROJECT_ID=
-# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
-# issues with token rate-limiting during high load.
-# SWIFT_AUTH_URL=
-# SWIFT_CONTAINER=
-# SWIFT_OBJECT_URL=
-# SWIFT_REGION=
-# Defaults to 'default'
-# SWIFT_DOMAIN_NAME=
-# Defaults to 60 seconds. Set to 0 to disable
-# SWIFT_CACHE_TTL=
-
-# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
-# S3_ALIAS_HOST=
-
-# Streaming API integration
-# STREAMING_API_BASE_URL=
-
-# Advanced settings
-# If you need to use pgBouncer, you need to disable prepared statements:
-# PREPARED_STATEMENTS=false
-
-# Cluster number setting for streaming API server.
-# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
-# STREAMING_CLUSTER_NUM=1
-
-# Docker mastodon user
-# If you use Docker, you may want to assign UID/GID manually.
-# UID=1000
-# GID=1000
-
-# LDAP authentication (optional)
-# LDAP_ENABLED=true
-# LDAP_HOST=localhost
-# LDAP_PORT=389
-# LDAP_METHOD=simple_tls
-# LDAP_BASE=
-# LDAP_BIND_DN=
-# LDAP_PASSWORD=
-# LDAP_UID=cn
-# LDAP_MAIL=mail
-# LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
-# LDAP_UID_CONVERSION_ENABLED=true
-# LDAP_UID_CONVERSION_SEARCH=., -
-# LDAP_UID_CONVERSION_REPLACE=_
-
-# PAM authentication (optional)
-# PAM authentication uses for the email generation the "email" pam variable
-# and optional as fallback PAM_DEFAULT_SUFFIX
-# The pam environment variable "email" is provided by:
-# https://github.com/devkral/pam_email_extractor
-# PAM_ENABLED=true
-# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
-# PAM_EMAIL_DOMAIN=example.com
-# Name of the pam service (pam "auth" section is evaluated)
-# PAM_DEFAULT_SERVICE=rpam
-# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
-# PAM_CONTROLLED_SERVICE=rpam
-
-# Global OAuth settings (optional) :
-# If you have only one strategy, you may want to enable this
-# OAUTH_REDIRECT_AT_SIGN_IN=true
-
-# Optional CAS authentication (cf. omniauth-cas) :
-# CAS_ENABLED=true
-# CAS_URL=https://sso.myserver.com/
-# CAS_HOST=sso.myserver.com/
-# CAS_PORT=443
-# CAS_SSL=true
-# CAS_VALIDATE_URL=
-# CAS_CALLBACK_URL=
-# CAS_LOGOUT_URL=
-# CAS_LOGIN_URL=
-# CAS_UID_FIELD='user'
-# CAS_CA_PATH=
-# CAS_DISABLE_SSL_VERIFICATION=false
-# CAS_UID_KEY='user'
-# CAS_NAME_KEY='name'
-# CAS_EMAIL_KEY='email'
-# CAS_NICKNAME_KEY='nickname'
-# CAS_FIRST_NAME_KEY='firstname'
-# CAS_LAST_NAME_KEY='lastname'
-# CAS_LOCATION_KEY='location'
-# CAS_IMAGE_KEY='image'
-# CAS_PHONE_KEY='phone'
-
-# Optional SAML authentication (cf. omniauth-saml)
-# SAML_ENABLED=true
-# SAML_ACS_URL=http://localhost:3000/auth/auth/saml/callback
-# SAML_ISSUER=https://example.com
-# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
-# SAML_IDP_CERT=
-# SAML_IDP_CERT_FINGERPRINT=
-# SAML_NAME_IDENTIFIER_FORMAT=
-# SAML_CERT=
-# SAML_PRIVATE_KEY=
-# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
-# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
-# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
-# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
-# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
-# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
-# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
-# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
-
-# Use HTTP proxy for outgoing request (optional)
-# http_proxy=http://gateway.local:8118
-# Access control for hidden service.
-# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true

.env.production.sample

@@ -1,262 +1,77 @@
-# Service dependencies
-# You may set REDIS_URL instead for more advanced options
-# You may also set REDIS_NAMESPACE to share Redis between multiple Mastodon servers
-REDIS_HOST=redis
-REDIS_PORT=6379
-# You may set DATABASE_URL instead for more advanced options
-DB_HOST=db
-DB_USER=postgres
-DB_NAME=postgres
-DB_PASS=
-DB_PORT=5432
-# Optional ElasticSearch configuration
-# You may also set ES_PREFIX to share the same cluster between multiple Mastodon servers (falls back to REDIS_NAMESPACE if not set)
-# ES_ENABLED=true
-# ES_HOST=es
-# ES_PORT=9200
+# This is a sample configuration file. You can generate your configuration
+# with the `rake mastodon:setup` interactive setup wizard, but to customize
+# your setup even further, you'll need to edit it manually. This sample does
+# not demonstrate all available configuration options. Please look at
+# https://docs.joinmastodon.org/admin/config/ for the full documentation.
+
+# Note that this file accepts slightly different syntax depending on whether
+# you are using `docker-compose` or not. In particular, if you use
+# `docker-compose`, the value of each declared variable will be taken verbatim,
+# including surrounding quotes.
+# See: https://github.com/mastodon/mastodon/issues/16895
 
 # Federation
-# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
-# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
 LOCAL_DOMAIN=example.com
 
-# Changing LOCAL_HTTPS in production is no longer supported. (Mastodon will always serve https:// links)
+# Redis
+# -----
+REDIS_HOST=localhost
+REDIS_PORT=6379
 
-# Use this only if you need to run mastodon on a different domain than the one used for federation.
-# You can read more about this option on https://github.com/tootsuite/documentation/blob/master/Running-Mastodon/Serving_a_different_domain.md
-# DO *NOT* USE THIS UNLESS YOU KNOW *EXACTLY* WHAT YOU ARE DOING.
-# WEB_DOMAIN=mastodon.example.com
+# PostgreSQL
+# ----------
+DB_HOST=/var/run/postgresql
+DB_USER=mastodon
+DB_NAME=mastodon_production
+DB_PASS=
+DB_PORT=5432
 
-# Use this if you want to have several aliases handler@example1.com
-# handler@example2.com etc. for the same user. LOCAL_DOMAIN should not
-# be added. Comma separated values
-# ALTERNATE_DOMAINS=example1.com,example2.com
+# Elasticsearch (optional)
+# ------------------------
+ES_ENABLED=true
+ES_HOST=localhost
+ES_PORT=9200
+# Authentication for ES (optional)
+ES_USER=elastic
+ES_PASS=password
 
-# Application secrets
-# Generate each with the `RAILS_ENV=production bundle exec rake secret` task (`docker-compose run --rm web rake secret` if you use docker compose)
+# Secrets
+# -------
+# Make sure to use `rake secret` to generate secrets
+# -------
 SECRET_KEY_BASE=
 OTP_SECRET=
 
-# VAPID keys (used for push notifications
-# You can generate the keys using the following command (first is the private key, second is the public one)
-# You should only generate this once per instance. If you later decide to change it, all push subscription will
-# be invalidated, requiring the users to access the website again to resubscribe.
-#
-# Generate with `RAILS_ENV=production bundle exec rake mastodon:webpush:generate_vapid_key` task (`docker-compose run --rm web rake mastodon:webpush:generate_vapid_key` if you use docker compose)
-#
-# For more information visit https://rossta.net/blog/using-the-web-push-api-with-vapid.html
+# Web Push
+# --------
+# Generate with `rake mastodon:webpush:generate_vapid_key`
+# --------
 VAPID_PRIVATE_KEY=
 VAPID_PUBLIC_KEY=
 
-# Registrations
-# Single user mode will disable registrations and redirect frontpage to the first profile
-# SINGLE_USER_MODE=true
-# Prevent registrations with following e-mail domains
-# EMAIL_DOMAIN_BLACKLIST=example1.com|example2.de|etc
-# Only allow registrations with the following e-mail domains
-# EMAIL_DOMAIN_WHITELIST=example1.com|example2.de|etc
-
-# Optionally change default language
-# DEFAULT_LOCALE=de
-
-# E-mail configuration
-# Note: Mailgun and SparkPost (https://sparkpo.st/smtp) each have good free tiers
-# If you want to use an SMTP server without authentication (e.g local Postfix relay)
-# then set SMTP_AUTH_METHOD and SMTP_OPENSSL_VERIFY_MODE to 'none' and
-# *comment* SMTP_LOGIN and SMTP_PASSWORD (leaving them blank is not enough).
-SMTP_SERVER=smtp.mailgun.org
+# Sending mail
+# ------------
+SMTP_SERVER=
 SMTP_PORT=587
 SMTP_LOGIN=
 SMTP_PASSWORD=
 SMTP_FROM_ADDRESS=notifications@example.com
-#SMTP_REPLY_TO=
-#SMTP_DOMAIN= # defaults to LOCAL_DOMAIN
-#SMTP_DELIVERY_METHOD=smtp # delivery method can also be sendmail
-#SMTP_AUTH_METHOD=plain
-#SMTP_CA_FILE=/etc/ssl/certs/ca-certificates.crt
-#SMTP_OPENSSL_VERIFY_MODE=peer
-#SMTP_ENABLE_STARTTLS_AUTO=true
-#SMTP_TLS=true
 
-# Optional user upload path and URL (images, avatars). Default is :rails_root/public/system. If you set this variable, you are responsible for making your HTTP server (eg. nginx) serve these files.
-# PAPERCLIP_ROOT_PATH=/var/lib/mastodon/public-system
-# PAPERCLIP_ROOT_URL=/system
+# File storage (optional)
+# -----------------------
+S3_ENABLED=true
+S3_BUCKET=files.example.com
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+S3_ALIAS_HOST=files.example.com
 
-# Optional asset host for multi-server setups
-# The asset host must allow cross origin request from WEB_DOMAIN or LOCAL_DOMAIN
-# if WEB_DOMAIN is not set. For example, the server may have the
-# following header field:
-# Access-Control-Allow-Origin: https://example.com/
-# CDN_HOST=https://assets.example.com
-
-# S3 (optional)
-# The attachment host must allow cross origin request from WEB_DOMAIN or
-# LOCAL_DOMAIN if WEB_DOMAIN is not set. For example, the server may have the
-# following header field:
-# Access-Control-Allow-Origin: https://192.168.1.123:9000/
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=http
-# S3_HOSTNAME=192.168.1.123:9000
-
-# S3 (Minio Config (optional) Please check Minio instance for details)
-# The attachment host must allow cross origin request - see the description
-# above.
-# S3_ENABLED=true
-# S3_BUCKET=
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=https
-# S3_HOSTNAME=
-# S3_ENDPOINT=
-# S3_SIGNATURE_VERSION=
-
-# Google Cloud Storage (optional)
-# Use S3 compatible API. Since GCS does not support Multipart Upload,
-# increase the value of S3_MULTIPART_THRESHOLD to disable Multipart Upload.
-# The attachment host must allow cross origin request - see the description
-# above.
-# S3_ENABLED=true
-# AWS_ACCESS_KEY_ID=
-# AWS_SECRET_ACCESS_KEY=
-# S3_REGION=
-# S3_PROTOCOL=https
-# S3_HOSTNAME=storage.googleapis.com
-# S3_ENDPOINT=https://storage.googleapis.com
-# S3_MULTIPART_THRESHOLD=52428801 # 50.megabytes
-
-# Swift (optional)
-# The attachment host must allow cross origin request - see the description
-# above.
-# SWIFT_ENABLED=true
-# SWIFT_USERNAME=
-# For Keystone V3, the value for SWIFT_TENANT should be the project name
-# SWIFT_TENANT=
-# SWIFT_PASSWORD=
-# Some OpenStack V3 providers require PROJECT_ID (optional)
-# SWIFT_PROJECT_ID=
-# Keystone V2 and V3 URLs are supported. Use a V3 URL if possible to avoid
-# issues with token rate-limiting during high load.
-# SWIFT_AUTH_URL=
-# SWIFT_CONTAINER=
-# SWIFT_OBJECT_URL=
-# SWIFT_REGION=
-# Defaults to 'default'
-# SWIFT_DOMAIN_NAME=
-# Defaults to 60 seconds. Set to 0 to disable
-# SWIFT_CACHE_TTL=
-
-# Optional alias for S3 (e.g. to serve files on a custom domain, possibly using Cloudfront or Cloudflare)
-# S3_ALIAS_HOST=
-
-# Streaming API integration
-# STREAMING_API_BASE_URL=
-
-# Advanced settings
-# If you need to use pgBouncer, you need to disable prepared statements:
-# PREPARED_STATEMENTS=false
-
-# Cluster number setting for streaming API server.
-# If you comment out following line, cluster number will be `numOfCpuCores - 1`.
-STREAMING_CLUSTER_NUM=1
-
-# Docker mastodon user
-# If you use Docker, you may want to assign UID/GID manually.
-# UID=1000
-# GID=1000
-
-# LDAP authentication (optional)
-# LDAP_ENABLED=true
-# LDAP_HOST=localhost
-# LDAP_PORT=389
-# LDAP_METHOD=simple_tls
-# LDAP_BASE=
-# LDAP_BIND_DN=
-# LDAP_PASSWORD=
-# LDAP_UID=cn
-# LDAP_MAIL=mail
-# LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(%{mail}=%{email}))
-# LDAP_UID_CONVERSION_ENABLED=true
-# LDAP_UID_CONVERSION_SEARCH=., -
-# LDAP_UID_CONVERSION_REPLACE=_
-
-# PAM authentication (optional)
-# PAM authentication uses for the email generation the "email" pam variable
-# and optional as fallback PAM_DEFAULT_SUFFIX
-# The pam environment variable "email" is provided by:
-# https://github.com/devkral/pam_email_extractor
-# PAM_ENABLED=true
-# Fallback email domain for email address generation (LOCAL_DOMAIN by default)
-# PAM_EMAIL_DOMAIN=example.com
-# Name of the pam service (pam "auth" section is evaluated)
-# PAM_DEFAULT_SERVICE=rpam
-# Name of the pam service used for checking if an user can register (pam "account" section is evaluated) (nil (disabled) by default)
-# PAM_CONTROLLED_SERVICE=rpam
-
-# Global OAuth settings (optional) :
-# If you have only one strategy, you may want to enable this
-# OAUTH_REDIRECT_AT_SIGN_IN=true
-
-# Optional CAS authentication (cf. omniauth-cas) :
-# CAS_ENABLED=true
-# CAS_URL=https://sso.myserver.com/
-# CAS_HOST=sso.myserver.com/
-# CAS_PORT=443
-# CAS_SSL=true
-# CAS_VALIDATE_URL=
-# CAS_CALLBACK_URL=
-# CAS_LOGOUT_URL=
-# CAS_LOGIN_URL=
-# CAS_UID_FIELD='user'
-# CAS_CA_PATH=
-# CAS_DISABLE_SSL_VERIFICATION=false
-# CAS_UID_KEY='user'
-# CAS_NAME_KEY='name'
-# CAS_EMAIL_KEY='email'
-# CAS_NICKNAME_KEY='nickname'
-# CAS_FIRST_NAME_KEY='firstname'
-# CAS_LAST_NAME_KEY='lastname'
-# CAS_LOCATION_KEY='location'
-# CAS_IMAGE_KEY='image'
-# CAS_PHONE_KEY='phone'
-
-# Optional SAML authentication (cf. omniauth-saml)
-# SAML_ENABLED=true
-# SAML_ACS_URL=http://localhost:3000/auth/auth/saml/callback
-# SAML_ISSUER=https://example.com
-# SAML_IDP_SSO_TARGET_URL=https://idp.testshib.org/idp/profile/SAML2/Redirect/SSO
-# SAML_IDP_CERT=
-# SAML_IDP_CERT_FINGERPRINT=
-# SAML_NAME_IDENTIFIER_FORMAT=
-# SAML_CERT=
-# SAML_PRIVATE_KEY=
-# SAML_SECURITY_WANT_ASSERTION_SIGNED=true
-# SAML_SECURITY_WANT_ASSERTION_ENCRYPTED=true
-# SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
-# SAML_ATTRIBUTES_STATEMENTS_UID="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_EMAIL="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
-# SAML_ATTRIBUTES_STATEMENTS_FULL_NAME="urn:oid:2.16.840.1.113730.3.1.241"
-# SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME="urn:oid:2.5.4.42"
-# SAML_ATTRIBUTES_STATEMENTS_LAST_NAME="urn:oid:2.5.4.4"
-# SAML_UID_ATTRIBUTE="urn:oid:0.9.2342.19200300.100.1.1"
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED=
-# SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL=
-
-# Use HTTP proxy for outgoing request (optional)
-# http_proxy=http://gateway.local:8118
-# Access control for hidden service.
-# ALLOW_ACCESS_TO_HIDDEN_SERVICE=true
-
-# Authorized fetch mode (optional)
-# Require remote servers to authentify when fetching toots, see
-# https://docs.joinmastodon.org/admin/config/#authorized_fetch
-# AUTHORIZED_FETCH=true
-
-# Whitelist mode (optional)
-# Only allow federation with whitelisted domains, see
-# https://docs.joinmastodon.org/admin/config/#whitelist_mode
-# WHITELIST_MODE=true
+# IP and session retention
+# -----------------------
+# Make sure to modify the scheduling of ip_cleanup_scheduler in config/sidekiq.yml
+# to be less than daily if you lower IP_RETENTION_PERIOD below two days (172800).
+# -----------------------
+IP_RETENTION_PERIOD=31556952
+SESSION_RETENTION_PERIOD=31556952

.env.vagrant

@@ -1,3 +1,4 @@
 VAGRANT=true
 LOCAL_DOMAIN=mastodon.local
 BIND=0.0.0.0
+DB_HOST=/var/run/postgresql/

.eslintrc.js

@@ -1,6 +1,12 @@
 module.exports = {
   root: true,
 
+  extends: [
+    'eslint:recommended',
+    'plugin:react/recommended',
+    'plugin:jsx-a11y/recommended',
+  ],
+
   env: {
     browser: true,
     node: true,
@@ -12,7 +18,7 @@ module.exports = {
     ATTACHMENT_HOST: false,
   },
 
-  parser: 'babel-eslint',
+  parser: '@babel/eslint-parser',
 
   plugins: [
     'react',
@@ -27,7 +33,7 @@ module.exports = {
       experimentalObjectRestSpread: true,
       jsx: true,
     },
-    ecmaVersion: 2018,
+    ecmaVersion: 2021,
   },
 
   settings: {
@@ -64,8 +70,8 @@ module.exports = {
     eqeqeq: 'error',
     indent: ['warn', 2],
     'jsx-quotes': ['error', 'prefer-single'],
+    'no-case-declarations': 'off',
     'no-catch-shadow': 'error',
-    'no-cond-assign': 'error',
     'no-console': [
       'warn',
       {
@@ -75,13 +81,14 @@ module.exports = {
         ],
       },
     ],
-    'no-fallthrough': 'error',
-    'no-irregular-whitespace': 'error',
-    'no-mixed-spaces-and-tabs': 'warn',
-    'no-nested-ternary': 'warn',
+    'no-empty': 'off',
+    'no-restricted-properties': [
+      'error',
+      { property: 'substring', message: 'Use .slice instead of .substring.' },
+      { property: 'substr', message: 'Use .slice instead of .substr.' },
+    ],
+    'no-self-assign': 'off',
     'no-trailing-spaces': 'warn',
-    'no-undef': 'error',
-    'no-unreachable': 'error',
     'no-unused-expressions': 'error',
     'no-unused-vars': [
       'error',
@@ -91,6 +98,7 @@ module.exports = {
         ignoreRestSiblings: true,
       },
     ],
+    'no-useless-escape': 'off',
     'object-curly-spacing': ['error', 'always'],
     'padded-blocks': [
       'error',
@@ -100,61 +108,47 @@ module.exports = {
     ],
     quotes: ['error', 'single'],
     semi: 'error',
-    strict: 'off',
     'valid-typeof': 'error',
 
     'react/jsx-boolean-value': 'error',
     'react/jsx-closing-bracket-location': ['error', 'line-aligned'],
     'react/jsx-curly-spacing': 'error',
+    'react/display-name': 'off',
     'react/jsx-equals-spacing': 'error',
     'react/jsx-first-prop-new-line': ['error', 'multiline-multiprop'],
     'react/jsx-indent': ['error', 2],
     'react/jsx-no-bind': 'error',
-    'react/jsx-no-duplicate-props': 'error',
-    'react/jsx-no-undef': 'error',
+    'react/jsx-no-target-blank': 'off',
     'react/jsx-tag-spacing': 'error',
-    'react/jsx-uses-react': 'error',
-    'react/jsx-uses-vars': 'error',
     'react/jsx-wrap-multilines': 'error',
-    'react/no-multi-comp': 'off',
-    'react/no-string-refs': 'error',
-    'react/prop-types': 'error',
+    'react/no-deprecated': 'off',
+    'react/no-unknown-property': 'off',
     'react/self-closing-comp': 'error',
 
+    // recommended values found in https://github.com/jsx-eslint/eslint-plugin-jsx-a11y/blob/main/src/index.js
     'jsx-a11y/accessible-emoji': 'warn',
-    'jsx-a11y/alt-text': 'warn',
-    'jsx-a11y/anchor-has-content': 'warn',
-    'jsx-a11y/anchor-is-valid': [
-      'warn',
-      {
-        components: [
-          'Link',
-          'NavLink',
-        ],
-        specialLink: [
-          'to',
-        ],
-        aspect: [
-          'noHref',
-          'invalidHref',
-          'preferButton',
-        ],
-      },
-    ],
-    'jsx-a11y/aria-activedescendant-has-tabindex': 'warn',
-    'jsx-a11y/aria-props': 'warn',
-    'jsx-a11y/aria-proptypes': 'warn',
-    'jsx-a11y/aria-role': 'warn',
-    'jsx-a11y/aria-unsupported-elements': 'warn',
-    'jsx-a11y/heading-has-content': 'warn',
-    'jsx-a11y/html-has-lang': 'warn',
-    'jsx-a11y/iframe-has-title': 'warn',
-    'jsx-a11y/img-redundant-alt': 'warn',
-    'jsx-a11y/interactive-supports-focus': 'warn',
-    'jsx-a11y/label-has-for': 'off',
-    'jsx-a11y/mouse-events-have-key-events': 'warn',
-    'jsx-a11y/no-access-key': 'warn',
-    'jsx-a11y/no-distracting-elements': 'warn',
+    'jsx-a11y/click-events-have-key-events': 'off',
+    'jsx-a11y/label-has-associated-control': 'off',
+    'jsx-a11y/media-has-caption': 'off',
+    'jsx-a11y/no-autofocus': 'off',
+    // recommended rule is:
+    // 'jsx-a11y/no-interactive-element-to-noninteractive-role': [
+    //   'error',
+    //   {
+    //     tr: ['none', 'presentation'],
+    //     canvas: ['img'],
+    //   },
+    // ],
+    'jsx-a11y/no-interactive-element-to-noninteractive-role': 'off',
+    // recommended rule is:
+    // 'jsx-a11y/no-noninteractive-element-interactions': [
+    //   'error',
+    //   {
+    //     body: ['onError', 'onLoad'],
+    //     iframe: ['onError', 'onLoad'],
+    //     img: ['onError', 'onLoad'],
+    //   },
+    // ],
     'jsx-a11y/no-noninteractive-element-interactions': [
       'warn',
       {
@@ -163,8 +157,18 @@ module.exports = {
         ],
       },
     ],
+    // recommended rule is:
+    // 'jsx-a11y/no-noninteractive-tabindex': [
+    //   'error',
+    //   {
+    //     tags: [],
+    //     roles: ['tabpanel'],
+    //     allowExpressionValues: true,
+    //   },
+    // ],
+    'jsx-a11y/no-noninteractive-tabindex': 'off',
     'jsx-a11y/no-onchange': 'warn',
-    'jsx-a11y/no-redundant-roles': 'warn',
+    // recommended is full 'error'
     'jsx-a11y/no-static-element-interactions': [
       'warn',
       {
@@ -173,10 +177,6 @@ module.exports = {
         ],
       },
     ],
-    'jsx-a11y/role-has-required-aria-props': 'warn',
-    'jsx-a11y/role-supports-aria-props': 'off',
-    'jsx-a11y/scope': 'warn',
-    'jsx-a11y/tabindex-no-positive': 'warn',
 
     'import/extensions': [
       'error',
@@ -199,6 +199,11 @@ module.exports = {
     'import/no-unresolved': 'error',
     'import/no-webpack-loader-syntax': 'error',
 
-    'promise/catch-or-return': 'error',
+    'promise/catch-or-return': [
+      'error',
+      {
+        allowFinally: true,
+      },
+    ],
   },
 };

.github/CODEOWNERS

@@ -1,32 +0,0 @@
-# CODEOWNERS for tootsuite/mastodon
-
-# Translators
-# To add translator, copy these lines, replace `fr` with appropriate language code and replace `@żelipapą` with user's GitHub nickname preceded by `@` sign or e-mail address.
-# /app/javascript/mastodon/locales/fr.json @żelipapą
-# /app/views/user_mailer/*.fr.html.erb @żelipapą
-# /app/views/user_mailer/*.fr.text.erb @żelipapą
-# /config/locales/*.fr.yml @żelipapą
-# /config/locales/fr.yml @żelipapą
-
-# Polish
-/app/javascript/mastodon/locales/pl.json @m4sk1n
-/app/views/user_mailer/*.pl.html.erb @m4sk1n
-/app/views/user_mailer/*.pl.text.erb @m4sk1n
-/config/locales/*.pl.yml @m4sk1n
-/config/locales/pl.yml @m4sk1n
-
-# French
-/app/javascript/mastodon/locales/fr.json @aldarone
-/app/javascript/mastodon/locales/whitelist_fr.json @aldarone
-/app/views/user_mailer/*.fr.html.erb @aldarone
-/app/views/user_mailer/*.fr.text.erb @aldarone
-/config/locales/*.fr.yml @aldarone
-/config/locales/fr.yml @aldarone
-
-# Dutch
-/app/javascript/mastodon/locales/nl.json @jeroenpraat
-/app/javascript/mastodon/locales/whitelist_nl.json @jeroenpraat
-/app/views/user_mailer/*.nl.html.erb @jeroenpraat
-/app/views/user_mailer/*.nl.text.erb @jeroenpraat
-/config/locales/*.nl.yml @jeroenpraat
-/config/locales/nl.yml @jeroenpraat

.github/FUNDING.yml

@@ -1,2 +1,3 @@
 patreon: mastodon
 open_collective: mastodon
+custom: https://sponsor.joinmastodon.org

.github/ISSUE_TEMPLATE/1.bug_report.yml

@@ -0,0 +1,56 @@
+name: Bug Report
+description: If something isn't working as expected
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Make sure that you are submitting a new bug that was not previously reported or already fixed.
+
+        Please use a concise and distinct title for the issue.
+  - type: textarea
+    attributes:
+      label: Steps to reproduce the problem
+      description: What were you trying to do?
+      value: |
+        1.
+        2.
+        3.
+        ...
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Expected behaviour
+      description: What should have happened?
+    validations:
+      required: true
+  - type: input
+    attributes:
+      label: Actual behaviour
+      description: What happened?
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Detailed description
+    validations:
+      required: false
+  - type: textarea
+    attributes:
+      label: Specifications
+      description: |
+        What version or commit hash of Mastodon did you find this bug in?
+
+        If a front-end issue, what browser and operating systems were you using?
+      placeholder: |
+        Mastodon 3.5.3 (or Edge)
+        Ruby 2.7.6 (or v3.1.2)
+        Node.js 16.18.0
+
+        Google Chrome 106.0.5249.119
+        Firefox 105.0.3
+
+        etc...
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/2.feature_request.yml

@@ -0,0 +1,22 @@
+name: Feature Request
+description: I have a suggestion
+labels: [suggestion]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Please use a concise and distinct title for the issue.
+
+        Consider: Could it be implemented as a 3rd party app using the REST API instead?
+  - type: textarea
+    attributes:
+      label: Pitch
+      description: Describe your idea for a feature. Make sure it has not already been suggested/implemented/turned down before.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Motivation
+      description: Why do you think this feature is needed? Who would benefit from it?
+    validations:
+      required: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,27 +0,0 @@
----
-name: Bug Report
-about: If something isn't working as expected
-
----
-
-<!-- Make sure that you are submitting a new bug that was not previously reported or already fixed -->
-
-<!-- Please use a concise and distinct title for the issue -->
-
-### Expected behaviour
-
-<!-- What should have happened? -->
-
-### Actual behaviour
-
-<!-- What happened? -->
-
-### Steps to reproduce the problem
-
-<!-- What were you trying to do? -->
-
-### Specifications
-
-<!-- What version or commit hash of Mastodon did you find this bug in? -->
-
-<!-- If a front-end issue, what browser and operating systems were you using? -->

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
-  - name: Mastodon Meta Discussion Board
-    url: https://discourse.joinmastodon.org/
+  - name: GitHub Discussions
+    url: https://github.com/mastodon/mastodon/discussions
     about: Please ask and answer questions here.

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,17 +0,0 @@
----
-name: Feature Request
-about: I have a suggestion
-
----
-
-<!-- Please use a concise and distinct title for the issue -->
-
-<!-- Consider: Could it be implemented as a 3rd party app using the REST API instead? -->
-
-### Pitch
-
-<!-- Describe your idea for a feature. Make sure it has not already been suggested/implemented/turned down before -->
-
-### Motivation
-
-<!-- Why do you think this feature is needed? Who would benefit from it? -->

.github/ISSUE_TEMPLATE/support.md

@@ -1,10 +0,0 @@
----
-name: Support
-about: Ask for help with your deployment
-
----
-
-We primarily use GitHub as a bug and feature tracker. For usage questions, troubleshooting of deployments and other individual technical assistance, please use one of the resources below:
-
-- https://discourse.joinmastodon.org
-- #mastodon on irc.freenode.net

.github/dependabot.yml

@@ -0,0 +1,30 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 99
+    allow:
+      - dependency-type: direct
+
+  - package-ecosystem: bundler
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 99
+    allow:
+      - dependency-type: direct
+
+  - package-ecosystem: github-actions
+    directory: '/'
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 99
+    allow:
+      - dependency-type: direct

.github/stylelint-matcher.json

@@ -0,0 +1,21 @@
+{
+  "problemMatcher": [
+    {
+      "owner": "stylelint",
+      "pattern": [
+        {
+          "regexp": "^([^\\s].*)$",
+          "file": 1
+        },
+        {
+          "regexp": "^\\s+((\\d+):(\\d+))?\\s+(✖|×)\\s+(.*)\\s{2,}(.*)$",
+          "line": 2,
+          "column": 3,
+          "message": 5,
+          "code": 6,
+          "loop": true
+        }
+      ]
+    }
+  ]
+}

.github/workflows/build-container-image.yml

@@ -0,0 +1,92 @@
+on:
+  workflow_call:
+    inputs:
+      platforms:
+        required: true
+        type: string
+      cache:
+        type: boolean
+        default: true
+      use_native_arm64_builder:
+        type: boolean
+      push_to_images:
+        type: string
+      flavor:
+        type: string
+      tags:
+        type: string
+      labels:
+        type: string
+
+jobs:
+  build-image:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: docker/setup-qemu-action@v2
+        if: contains(inputs.platforms, 'linux/arm64') && !inputs.use_native_arm64_builder
+
+      - uses: docker/setup-buildx-action@v2
+        id: buildx
+        if: ${{ !(inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')) }}
+
+      - name: Start a local Docker Builder
+        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
+        run: |
+          docker run --rm -d --name buildkitd -p 1234:1234 --privileged moby/buildkit:latest --addr tcp://0.0.0.0:1234
+
+      - uses: docker/setup-buildx-action@v2
+        id: buildx-native
+        if: inputs.use_native_arm64_builder && contains(inputs.platforms, 'linux/arm64')
+        with:
+          driver: remote
+          endpoint: tcp://localhost:1234
+          platforms: linux/amd64
+          append: |
+            - endpoint: tcp://${{ vars.DOCKER_BUILDER_HETZNER_ARM64_01_HOST }}:13865
+              platforms: linux/arm64
+              name: mastodon-docker-builder-arm64-01
+              driver-opts:
+                - servername=mastodon-docker-builder-arm64-01
+        env:
+          BUILDER_NODE_1_AUTH_TLS_CACERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CACERT }}
+          BUILDER_NODE_1_AUTH_TLS_CERT: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_CERT }}
+          BUILDER_NODE_1_AUTH_TLS_KEY: ${{ secrets.DOCKER_BUILDER_HETZNER_ARM64_01_KEY }}
+
+      - name: Log in to Docker Hub
+        if: contains(inputs.push_to_images, 'tootsuite')
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Log in to the Github Container registry
+        if: contains(inputs.push_to_images, 'ghcr.io')
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: docker/metadata-action@v4
+        id: meta
+        if: ${{ inputs.push_to_images != '' }}
+        with:
+          images: ${{ inputs.push_to_images }}
+          flavor: ${{ inputs.flavor }}
+          tags: ${{ inputs.tags }}
+          labels: ${{ inputs.labels }}
+
+      - uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: ${{ inputs.platforms }}
+          provenance: false
+          builder: ${{ steps.buildx.outputs.name || steps.buildx-native.outputs.name }}
+          push: ${{ inputs.push_to_images != '' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: ${{ inputs.cache && 'type=gha' || '' }}
+          cache-to: ${{ inputs.cache && 'type=gha,mode=max' || '' }}

.github/workflows/build-releases.yml

@@ -0,0 +1,27 @@
+name: Build container release images
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-image:
+    uses: ./.github/workflows/build-container-image.yml
+    with:
+      platforms: linux/amd64,linux/arm64
+      use_native_arm64_builder: true
+      push_to_images: |
+        tootsuite/mastodon
+        ghcr.io/mastodon/mastodon
+      # Do not use cache when building releases, so apt update is always ran and the release always contain the latest packages
+      cache: false
+      flavor: |
+        latest=false
+      tags: |
+        type=pep440,pattern={{raw}}
+        type=pep440,pattern=v{{major}}.{{minor}}
+    secrets: inherit

.github/workflows/check-i18n.yml

@@ -0,0 +1,37 @@
+name: Check i18n
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  RAILS_ENV: test
+
+permissions:
+  contents: read
+
+jobs:
+  check-i18n:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libicu-dev libidn11-dev
+      - name: Set up Ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+      - name: Check locale file normalization
+        run: bundle exec i18n-tasks check-normalized
+      - name: Check for unused strings
+        run: bundle exec i18n-tasks unused
+      - name: Check for wrong string interpolations
+        run: bundle exec i18n-tasks check-consistent-interpolations
+      - name: Check that all required locale files exist
+        run: bundle exec rake repo:check_locales_files

.github/workflows/codeql.yml

@@ -0,0 +1,62 @@
+name: 'CodeQL'
+
+on:
+  push:
+    branches: ['main']
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ['main']
+  schedule:
+    - cron: '22 6 * * 1'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript', 'ruby']
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # queries: security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: '/language:${{matrix.language}}'

.github/workflows/lint-css.yml

@@ -0,0 +1,48 @@
+name: CSS Linting
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - 'stylelint.config.js'
+      - '**/*.css'
+      - '**/*.scss'
+      - '.github/workflows/lint-css.yml'
+      - '.github/stylelint-matcher.json'
+
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - 'stylelint.config.js'
+      - '**/*.css'
+      - '**/*.scss'
+      - '.github/workflows/lint-css.yml'
+      - '.github/stylelint-matcher.json'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+
+      - name: Install all yarn packages
+        run: yarn --frozen-lockfile
+
+      - uses: xt0rted/stylelint-problem-matcher@v1
+
+      - run: echo "::add-matcher::.github/stylelint-matcher.json"
+
+      - name: Stylelint
+        run: yarn test:lint:sass

.github/workflows/lint-js.yml

@@ -0,0 +1,40 @@
+name: JavaScript Linting
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '.eslint*'
+      - '**/*.js'
+      - '.github/workflows/lint-js.yml'
+
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '.eslint*'
+      - '**/*.js'
+      - '.github/workflows/lint-js.yml'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+
+      - name: Install all yarn packages
+        run: yarn --frozen-lockfile
+
+      - name: ESLint
+        run: yarn test:lint:js

.github/workflows/lint-json.yml

@@ -0,0 +1,40 @@
+name: JSON Linting
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '**/*.json'
+      - '.github/workflows/lint-json.yml'
+      - '!app/javascript/mastodon/locales/*.json'
+
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '**/*.json'
+      - '.github/workflows/lint-json.yml'
+      - '!app/javascript/mastodon/locales/*.json'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+
+      - name: Install all yarn packages
+        run: yarn --frozen-lockfile
+
+      - name: Prettier
+        run: yarn prettier --check "**/*.json"

.github/workflows/lint-yml.yml

@@ -0,0 +1,42 @@
+name: YML Linting
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '**/*.yaml'
+      - '**/*.yml'
+      - '.github/workflows/lint-yml.yml'
+      - '!config/locales/*.yml'
+
+  pull_request:
+    paths:
+      - 'package.json'
+      - 'yarn.lock'
+      - '.prettier*'
+      - '**/*.yaml'
+      - '**/*.yml'
+      - '.github/workflows/lint-yml.yml'
+      - '!config/locales/*.yml'
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+
+      - name: Install all yarn packages
+        run: yarn --frozen-lockfile
+
+      - name: Prettier
+        run: yarn prettier --check "**/*.{yml,yaml}"

.github/workflows/rebase-needed.yml

@@ -0,0 +1,17 @@
+name: PR Needs Rebase
+
+on:
+  push:
+  pull_request_target:
+    types: [synchronize]
+
+jobs:
+  label-rebase-needed:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for merge conflicts
+        uses: eps1lon/actions-label-merge-conflict@releases/2.x
+        with:
+          dirtyLabel: 'rebase needed :construction:'
+          repoToken: '${{ secrets.GITHUB_TOKEN }}'
+          commentOnDirty: This pull request has merge conflicts that must be resolved before it can be merged.

.github/workflows/test-image-build.yml

@@ -0,0 +1,15 @@
+name: Test container image build
+on:
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  build-image:
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
+    uses: ./.github/workflows/build-container-image.yml
+    with:
+      platforms: linux/amd64 # Testing only on native platform so it is performant

.github/workflows/test-ruby.yml

@@ -0,0 +1,153 @@
+name: Ruby Testing
+
+on:
+  push:
+    branches-ignore:
+      - 'dependabot/**'
+      - 'renovate/**'
+  pull_request:
+
+env:
+  BUNDLE_CLEAN: true
+  BUNDLE_FROZEN: true
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: true
+      matrix:
+        mode:
+          - production
+          - test
+    env:
+      RAILS_ENV: ${{ matrix.mode }}
+      BUNDLE_WITH: ${{ matrix.mode }}
+      OTP_SECRET: precompile_placeholder
+      SECRET_KEY_BASE: precompile_placeholder
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+        with:
+          cache: yarn
+          node-version-file: '.nvmrc'
+
+      - name: Install native Ruby dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libicu-dev libidn11-dev
+
+      - name: Set up bundler cache
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: .ruby-version
+          bundler-cache: true
+
+      - run: yarn --frozen-lockfile --production
+      - name: Precompile assets
+        # Previously had set this, but it's not supported
+        # export NODE_OPTIONS=--openssl-legacy-provider
+        run: |-
+          ./bin/rails assets:precompile
+
+      - uses: actions/upload-artifact@v3
+        if: matrix.mode == 'test'
+        with:
+          path: |-
+            ./public/assets
+            ./public/packs-test
+          name: ${{ github.sha }}
+          retention-days: 0
+
+  test:
+    runs-on: ubuntu-latest
+
+    needs:
+      - build
+
+    services:
+      postgres:
+        image: postgres:14-alpine
+        env:
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_USER: postgres
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 5432:5432
+
+      redis:
+        image: redis:7-alpine
+        options: >-
+          --health-cmd "redis-cli ping"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+        ports:
+          - 6379:6379
+
+    env:
+      DB_HOST: localhost
+      DB_USER: postgres
+      DB_PASS: postgres
+      DISABLE_SIMPLECOV: true
+      RAILS_ENV: test
+      ALLOW_NOPAM: true
+      PAM_ENABLED: true
+      PAM_DEFAULT_SERVICE: pam_test
+      PAM_CONTROLLED_SERVICE: pam_test_controlled
+      OIDC_ENABLED: true
+      OIDC_SCOPE: read
+      SAML_ENABLED: true
+      CAS_ENABLED: true
+      BUNDLE_WITH: 'pam_authentication test'
+      CI_JOBS: ${{ matrix.ci_job }}/4
+
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version:
+          - '.ruby-version'
+        ci_job:
+          - 1
+          - 2
+          - 3
+          - 4
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/download-artifact@v3
+        with:
+          path: './public'
+          name: ${{ github.sha }}
+
+      - name: Update package index
+        run: sudo apt-get update
+
+      - name: Install native Ruby dependencies
+        run: sudo apt-get install -y libicu-dev libidn11-dev
+
+      - name: Install additional system dependencies
+        run: sudo apt-get install -y ffmpeg imagemagick libpam-dev
+
+      - name: Set up bundler cache
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby-version}}
+          bundler-cache: true
+
+      - name: Load database schema
+        run: './bin/rails db:create db:schema:load db:seed'
+
+      - run: bin/rspec

.gitignore

@@ -17,31 +17,32 @@
 /log/*
 !/log/.keep
 /tmp
-coverage
-public/system
-public/assets
-public/packs
-public/packs-test
+/coverage
+/public/system
+/public/assets
+/public/packs
+/public/packs-test
 .env
 .env.production
 .env.development
-node_modules/
-build/
+/node_modules/
+/build/
 
 # Ignore Vagrant files
 .vagrant/
 
 # Ignore Capistrano customizations
-config/deploy/*
+/config/deploy/*
 
 # Ignore IDE files
 .vscode/
 .idea/
 
 # Ignore postgres + redis + elasticsearch volume optionally created by docker-compose
-postgres
-redis
-elasticsearch
+/postgres
+/postgres14
+/redis
+/elasticsearch
 
 # Ignore Apple files
 .DS_Store
@@ -58,7 +59,7 @@ yarn-error.log
 yarn-debug.log
 
 # Ignore vagrant log files
-ubuntu-xenial-16.04-cloudimg-console.log
+*-cloudimg-console.log
 
 # Ignore Docker option files
 docker-compose.override.yml

.nvmrc

@@ -1 +1 @@
-12
+16

.prettierignore

@@ -0,0 +1,72 @@
+# See https://help.github.com/articles/ignoring-files for more about ignoring files.
+#
+# If you find yourself ignoring temporary files generated by your text editor
+# or operating system, you probably want to add a global ignore instead:
+#   git config --global core.excludesfile '~/.gitignore_global'
+
+# Ignore bundler config and downloaded libraries.
+/.bundle
+/vendor/bundle
+
+# Ignore the default SQLite database.
+/db/*.sqlite3
+/db/*.sqlite3-journal
+
+# Ignore all logfiles and tempfiles.
+.eslintcache
+/log/*
+!/log/.keep
+/tmp
+/coverage
+/public/system
+/public/assets
+/public/packs
+/public/packs-test
+.env
+.env.production
+.env.development
+/node_modules/
+/build/
+
+# Ignore Vagrant files
+.vagrant/
+
+# Ignore Capistrano customizations
+/config/deploy/*
+
+# Ignore IDE files
+.vscode/
+.idea/
+
+# Ignore postgres + redis + elasticsearch volume optionally created by docker-compose
+/postgres
+/postgres14
+/redis
+/elasticsearch
+
+# Ignore Apple files
+.DS_Store
+
+# Ignore vim files
+*~
+*.swp
+
+# Ignore npm debug log
+npm-debug.log
+
+# Ignore yarn log files
+yarn-error.log
+yarn-debug.log
+
+# Ignore vagrant log files
+*-cloudimg-console.log
+
+# Ignore Docker option files
+docker-compose.override.yml
+
+# Ignore emoji map file
+/app/javascript/mastodon/features/emoji/emoji_map.json
+
+# Ignore locale files
+/app/javascript/mastodon/locales
+/config/locales

.prettierrc.js

@@ -0,0 +1,3 @@
+module.exports = {
+  singleQuote: true
+}

.rubocop.yml

@@ -1,20 +1,27 @@
 require:
   - rubocop-rails
+  - rubocop-rspec
+  - rubocop-performance
 
 AllCops:
-  TargetRubyVersion: 2.3
+  TargetRubyVersion: 2.7
+  DisplayCopNames: true
+  DisplayStyleGuide: true
+  ExtraDetails: true
+  UseCache: true
+  CacheRootDirectory: tmp
+  NewCops: enable
   Exclude:
-  - 'spec/**/*'
-  - 'db/**/*'
-  - 'app/views/**/*'
-  - 'config/**/*'
-  - 'bin/*'
-  - 'Rakefile'
-  - 'node_modules/**/*'
-  - 'Vagrantfile'
-  - 'vendor/**/*'
-  - 'lib/json_ld/*'
-  - 'lib/templates/**/*'
+    - db/schema.rb
+    - 'app/views/**/*'
+    - 'config/**/*'
+    - 'bin/*'
+    - 'Rakefile'
+    - 'node_modules/**/*'
+    - 'Vagrantfile'
+    - 'vendor/**/*'
+    - 'lib/json_ld/*'
+    - 'lib/templates/**/*'
 
 Bundler/OrderedGems:
   Enabled: false
@@ -25,72 +32,328 @@ Layout/AccessModifierIndentation:
 Layout/EmptyLineAfterMagicComment:
   Enabled: false
 
+Layout/EmptyLineAfterGuardClause:
+  Enabled: false
+
+Layout/EmptyLineBetweenDefs:
+  AllowAdjacentOneLineDefs: true
+
+Layout/EmptyLinesAroundAttributeAccessor:
+  Enabled: true
+
+Layout/FirstHashElementIndentation:
+  EnforcedStyle: consistent
+
+Layout/HashAlignment:
+  Enabled: false
+
+Layout/SpaceAroundMethodCallOperator:
+  Enabled: true
+
 Layout/SpaceInsideHashLiteralBraces:
   EnforcedStyle: space
 
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
+
+Lint/DuplicateElsifCondition:
+  Enabled: true
+
+Lint/MixedRegexpCaptureTypes:
+  Enabled: true
+
+Lint/RaiseException:
+  Enabled: true
+
+Lint/StructNewOverride:
+  Enabled: true
+
+Lint/UselessAccessModifier:
+  ContextCreatingMethods:
+    - class_methods
+
 Metrics/AbcSize:
-  Max: 100
+  Max: 34 # RuboCop default 17
+  Exclude:
+    - 'lib/**/*cli*.rb'
+    - db/*migrate/**/*
+    - lib/paperclip/color_extractor.rb
+    - app/workers/scheduler/follow_recommendations_scheduler.rb
+    - app/services/activitypub/fetch*_service.rb
+    - lib/paperclip/**/*
+  CountRepeatedAttributes: false
+  AllowedMethods:
+    - update_media_attachments!
+    - account_link_to
+    - attempt_oembed
+    - build_crutches
+    - calculate_scores
+    - cc
+    - dump_actor!
+    - filter_from_home?
+    - hydrate
+    - import_bookmarks!
+    - import_relationships!
+    - initialize
+    - link_to_mention
+    - log_target
+    - matches_time_window?
+    - parse_metadata
+    - perform_statuses_search!
+    - privatize_media_attachments!
+    - process_update
+    - publish_media_attachments!
+    - remotable_attachment
+    - render_initial_state
+    - render_with_cache
+    - searchable_by
+    - self.cached_filters_for
+    - set_fetchable_attributes!
+    - signed_request_actor
+    - statuses_to_delete
+    - update_poll!
 
 Metrics/BlockLength:
-  Max: 35
+  Max: 55
   Exclude:
-    - 'lib/tasks/**/*'
+    - 'lib/mastodon/*_cli.rb'
+  CountComments: false
+  CountAsOne: [array, heredoc]
+  AllowedMethods:
+    - task
+    - namespace
+    - class_methods
+    - included
 
 Metrics/BlockNesting:
   Max: 3
+  Exclude:
+    - 'lib/mastodon/*_cli.rb'
 
 Metrics/ClassLength:
   CountComments: false
-  Max: 300
+  Max: 500
+  CountAsOne: [array, heredoc]
+  Exclude:
+    - 'lib/mastodon/*_cli.rb'
 
 Metrics/CyclomaticComplexity:
-  Max: 25
+  Max: 12
+  Exclude:
+    - lib/mastodon/*cli*.rb
+    - db/*migrate/**/*
+  AllowedMethods:
+    - attempt_oembed
+    - blocked?
+    - build_crutches
+    - calculate_scores
+    - cc
+    - discover_endpoint!
+    - filter_from_home?
+    - hydrate
+    - klass
+    - link_to_mention
+    - log_target
+    - matches_time_window?
+    - patch_for_forwarding!
+    - preprocess_attributes!
+    - process_update
+    - remotable_attachment
+    - scan_text!
+    - self.cached_filters_for
+    - set_fetchable_attributes!
+    - setup_redis_env_url
+    - update_media_attachments!
 
-Metrics/LineLength:
+Layout/LineLength:
+  Max: 140 # RuboCop default 120
+  AllowHeredoc: true
   AllowURI: true
-  Enabled: false
+  IgnoreCopDirectives: true
+  AllowedPatterns:
+    # Allow comments to be long lines
+    - !ruby/regexp / \# .*$/
+    - !ruby/regexp /^\# .*$/
+  Exclude:
+    - lib/**/*cli*.rb
+    - db/*migrate/**/*
+    - db/seeds/**/*
 
 Metrics/MethodLength:
   CountComments: false
-  Max: 55
+  CountAsOne: [array, heredoc]
+  Max: 25 # RuboCop default 10
+  Exclude:
+    - 'lib/mastodon/*_cli.rb'
+  AllowedMethods:
+    - account_link_to
+    - attempt_oembed
+    - body_with_limit
+    - build_crutches
+    - cached_filters_for
+    - calculate_scores
+    - check_webfinger!
+    - clean_feeds!
+    - collection_items
+    - collection_presenter
+    - copy_account_notes!
+    - deduplicate_accounts!
+    - deduplicate_conversations!
+    - deduplicate_local_accounts!
+    - deduplicate_statuses!
+    - deduplicate_tags!
+    - deduplicate_users!
+    - discover_endpoint!
+    - extract_extra_uris_with_indices
+    - extract_hashtags_with_indices
+    - extract_mentions_or_lists_with_indices
+    - filter_from_home?
+    - from_elasticsearch
+    - handle_explicit_update!
+    - handle_mark_as_sensitive!
+    - hsl_to_rgb
+    - import_bookmarks!
+    - import_domain_blocks!
+    - import_relationships!
+    - ldap_options
+    - matches_time_window?
+    - outbox_presenter
+    - pam_get_user
+    - parallelize_with_progress
+    - parse_and_transform
+    - patch_for_forwarding!
+    - populate_home
+    - post_process_style
+    - preload_cache_collection_target_statuses
+    - privatize_media_attachments!
+    - provides_callback_for
+    - publish_media_attachments!
+    - relevant_account_timestamp
+    - remotable_attachment
+    - rgb_to_hsl
+    - rss_status_content_format
+    - set_fetchable_attributes!
+    - setup_redis_env_url
+    - signed_request_actor
+    - to_preview_card_attributes
+    - upgrade_storage_filesystem
+    - upgrade_storage_s3
+    - user_settings_params
+    - hydrate
+    - cc
+    - self_destruct
 
 Metrics/ModuleLength:
   CountComments: false
   Max: 200
+  CountAsOne: [array, heredoc]
 
 Metrics/ParameterLists:
-  Max: 5
-  CountKeywordArgs: true
+  Max: 5 # RuboCop default 5
+  CountKeywordArgs: true # RuboCop default true
+  MaxOptionalParameters: 3 # RuboCop default 3
+  Exclude:
+    - app/models/concerns/account_interactions.rb
+    - app/services/activitypub/fetch_remote_account_service.rb
+    - app/services/activitypub/fetch_remote_actor_service.rb
 
 Metrics/PerceivedComplexity:
-  Max: 20
+  Max: 16 # RuboCop default 8
+  AllowedMethods:
+    - attempt_oembed
+    - build_crutches
+    - calculate_scores
+    - deduplicate_users!
+    - discover_endpoint!
+    - filter_from_home?
+    - hydrate
+    - patch_for_forwarding!
+    - process_update
+    - remove_orphans
+    - update_media_attachments!
 
 Naming/MemoizedInstanceVariableName:
   Enabled: false
 
+Naming/MethodParameterName:
+  Enabled: true
+
 Rails:
   Enabled: true
 
+Rails/ApplicationController:
+  Enabled: false
+  Exclude:
+    - 'app/controllers/well_known/**/*.rb'
+
+Rails/BelongsTo:
+  Enabled: false
+
+Rails/ContentTag:
+  Enabled: false
+
 Rails/EnumHash:
   Enabled: false
 
-Rails/HasAndBelongsToMany:
-  Enabled: false
-
-Rails/SkipsModelValidations:
-  Enabled: false
-
-Rails/HttpStatus:
-  Enabled: false
-
 Rails/Exit:
   Exclude:
     - 'lib/mastodon/*'
     - 'lib/cli.rb'
 
+Rails/FilePath:
+  Enabled: false
+
+Rails/HasAndBelongsToMany:
+  Enabled: false
+
+Rails/HasManyOrHasOneDependent:
+  Enabled: false
+
 Rails/HelperInstanceVariable:
   Enabled: false
 
+Rails/HttpStatus:
+  Enabled: false
+
+Rails/IndexBy:
+  Enabled: false
+
+Rails/InverseOf:
+  Enabled: false
+
+Rails/LexicallyScopedActionFilter:
+  Enabled: false
+
+Rails/OutputSafety:
+  Enabled: true
+
+Rails/RakeEnvironment:
+  Enabled: false
+
+Rails/RedundantForeignKey:
+  Enabled: false
+
+Rails/SkipsModelValidations:
+  Enabled: false
+
+Rails/UniqueValidationWithoutIndex:
+  Enabled: false
+
+Style/AccessorGrouping:
+  Enabled: true
+
+Style/AccessModifierDeclarations:
+  Enabled: false
+
+Style/ArrayCoercion:
+  Enabled: true
+
+Style/BisectedAttrAccessor:
+  Enabled: true
+
+Style/CaseLikeIf:
+  Enabled: false
+
 Style/ClassAndModuleChildren:
   Enabled: false
 
@@ -105,6 +368,15 @@ Style/Documentation:
 Style/DoubleNegation:
   Enabled: true
 
+Style/ExpandPathArguments:
+  Enabled: false
+
+Style/ExponentialNotation:
+  Enabled: true
+
+Style/FormatString:
+  Enabled: false
+
 Style/FormatStringToken:
   Enabled: false
 
@@ -114,9 +386,37 @@ Style/FrozenStringLiteralComment:
 Style/GuardClause:
   Enabled: false
 
+Style/HashAsLastArrayItem:
+  Enabled: false
+
+Style/HashEachMethods:
+  Enabled: true
+
+Style/HashLikeCase:
+  Enabled: true
+
+Style/HashTransformKeys:
+  Enabled: true
+
+Style/HashTransformValues:
+  Enabled: false
+
+Style/HashSyntax:
+  Enabled: true
+  EnforcedStyle: ruby19_no_mixed_keys
+
+Style/IfUnlessModifier:
+  Enabled: false
+
+Style/InverseMethods:
+  Enabled: false
+
 Style/Lambda:
   Enabled: false
 
+Style/MutableConstant:
+  Enabled: false
+
 Style/PercentLiteralDelimiters:
   PreferredDelimiters:
     '%i': '()'
@@ -125,9 +425,36 @@ Style/PercentLiteralDelimiters:
 Style/PerlBackrefs:
   AutoCorrect: false
 
+Style/RedundantFetchBlock:
+  Enabled: true
+
+Style/RedundantFileExtensionInRequire:
+  Enabled: true
+
+Style/RedundantRegexpCharacterClass:
+  Enabled: false
+
+Style/RedundantRegexpEscape:
+  Enabled: false
+
+Style/RedundantReturn:
+  Enabled: true
+
+Style/RedundantBegin:
+  Enabled: false
+
 Style/RegexpLiteral:
   Enabled: false
 
+Style/RescueStandardError:
+  Enabled: true
+
+Style/SignalException:
+  Enabled: false
+
+Style/SlicingWithRange:
+  Enabled: true
+
 Style/SymbolArray:
   Enabled: false
 
@@ -136,3 +463,17 @@ Style/TrailingCommaInArrayLiteral:
 
 Style/TrailingCommaInHashLiteral:
   EnforcedStyleForMultiline: 'comma'
+
+Style/UnpackFirst:
+  Enabled: false
+
+RSpec/ScatteredSetup:
+  Enabled: false
+RSpec/ImplicitExpect:
+  Enabled: false
+RSpec/NamedSubject:
+  Enabled: false
+RSpec/DescribeClass:
+  Enabled: false
+RSpec/LetSetup:
+  Enabled: false

.ruby-gemset

@@ -0,0 +1 @@
+mastodon

.ruby-version

@@ -1 +1 @@
-2.6.6
+3.0.6

.sass-lint.yml

@@ -1,37 +0,0 @@
-# Linter Documentation:
-# https://github.com/sasstools/sass-lint/tree/v1.13.1/docs/options
-
-files:
-  include: app/javascript/styles/**/*.scss
-  ignore:
-    - app/javascript/styles/mastodon/reset.scss
-
-rules:
-  # Disallows
-  no-color-literals: 0
-  no-css-comments: 0
-  no-duplicate-properties: 0
-  no-ids: 0
-  no-important: 0
-  no-mergeable-selectors: 0
-  no-misspelled-properties: 0
-  no-qualifying-elements: 0
-  no-transition-all: 0
-  no-vendor-prefixes: 0
-
-  # Nesting
-  force-element-nesting: 0
-  force-attribute-nesting: 0
-  force-pseudo-nesting: 0
-
-  # Name Formats
-  class-name-format: 0
-  leading-zero: 0
-
-  # Style Guide
-  attribute-quotes: 0
-  hex-length: 0
-  indentation: 0
-  nesting-depth: 0
-  property-sort-order: 0
-  quotes: 0

Aptfile

@@ -1,29 +1,4 @@
 ffmpeg
-libicu[0-9][0-9]
-libicu-dev
-libidn11
-libidn11-dev
 libpq-dev
-libprotobuf-dev
-libssl-dev
 libxdamage1
 libxfixes3
-protobuf-compiler
-zlib1g-dev
-libcairo2
-libcroco3
-libdatrie1
-libgdk-pixbuf2.0-0
-libgraphite2-3
-libharfbuzz0b
-libpango-1.0-0
-libpangocairo-1.0-0
-libpangoft2-1.0-0
-libpixman-1-0
-librsvg2-2
-libthai-data
-libthai0
-libvpx5
-libxcb-render0
-libxcb-shm0
-libxrender1

CODE_OF_CONDUCT.md

@@ -40,7 +40,7 @@ Project maintainers who do not follow or enforce the Code of Conduct in good fai
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [https://contributor-covenant.org/version/1/4][version]
 
-[homepage]: http://contributor-covenant.org
-[version]: http://contributor-covenant.org/version/1/4/
+[homepage]: https://contributor-covenant.org
+[version]: https://contributor-covenant.org/version/1/4/

CONTRIBUTING.md

@@ -14,7 +14,7 @@ If your contributions are accepted into Mastodon, you can request to be paid thr
 
 ## Bug reports
 
-Bug reports and feature suggestions must use descriptive and concise titles and be submitted to [GitHub Issues](https://github.com/tootsuite/mastodon/issues). Please use the search function to make sure that you are not submitting duplicates, and that a similar report or request has not already been resolved or rejected.
+Bug reports and feature suggestions must use descriptive and concise titles and be submitted to [GitHub Issues](https://github.com/mastodon/mastodon/issues). Please use the search function to make sure that you are not submitting duplicates, and that a similar report or request has not already been resolved or rejected.
 
 ## Translations
 
@@ -24,9 +24,17 @@ You can submit translations via [Crowdin](https://crowdin.com/project/mastodon).
 
 ## Pull requests
 
-Please use clean, concise titles for your pull requests. We use commit squashing, so the final commit in the master branch will carry the title of the pull request.
+**Please use clean, concise titles for your pull requests.** Unless the pull request is about refactoring code, updating dependencies or other internal tasks, assume that the person reading the pull request title is not a programmer or Mastodon developer, but instead a Mastodon user or server administrator, and **try to describe your change or fix from their perspective**. We use commit squashing, so the final commit in the main branch will carry the title of the pull request, and commits from the main branch are fed into the changelog. The changelog is separated into [keepachangelog.com categories](https://keepachangelog.com/en/1.0.0/), and while that spec does not prescribe how the entries ought to be named, for easier sorting, start your pull request titles using one of the verbs "Add", "Change", "Deprecate", "Remove", or "Fix" (present tense).
 
-The smaller the set of changes in the pull request is, the quicker it can be reviewed and merged. Splitting tasks into multiple smaller pull requests is often preferable.
+Example:
+
+|Not ideal|Better|
+|---|----|
+|Fixed NoMethodError in RemovalWorker|Fix nil error when removing statuses caused by race condition|
+
+It is not always possible to phrase every change in such a manner, but it is desired.
+
+**The smaller the set of changes in the pull request is, the quicker it can be reviewed and merged.** Splitting tasks into multiple smaller pull requests is often preferable.
 
 **Pull requests that do not pass automated checks may not be reviewed**. In particular, you need to keep in mind:
 
@@ -34,6 +42,8 @@ The smaller the set of changes in the pull request is, the quicker it can be rev
 - Code style rules (rubocop, eslint)
 - Normalization of locale files (i18n-tasks)
 
+**Note**: You may need to log in and authorise the GitHub account your fork of this repository belongs to with CircleCI to enable some of the automated checks to run.
+
 ## Documentation
 
-The [Mastodon documentation](https://docs.joinmastodon.org) is a statically generated site. You can [submit merge requests to mastodon/docs](https://source.joinmastodon.org/mastodon/docs).
+The [Mastodon documentation](https://docs.joinmastodon.org) is a statically generated site. You can [submit merge requests to mastodon/documentation](https://github.com/mastodon/documentation).

Dockerfile

@@ -1,139 +1,100 @@
-FROM ubuntu:18.04 as build-dep
+# syntax=docker/dockerfile:1.4
+# This needs to be bullseye-slim because the Ruby image is built on bullseye-slim
+ARG NODE_VERSION="16.18.1-bullseye-slim"
 
-# Use bash for the shell
-SHELL ["bash", "-c"]
+FROM ghcr.io/moritzheiber/ruby-jemalloc:3.0.6-slim as ruby
+FROM node:${NODE_VERSION} as build
 
-# Install Node v12 (LTS)
-ENV NODE_VER="12.16.1"
-RUN	ARCH= && \
-    dpkgArch="$(dpkg --print-architecture)" && \
-  case "${dpkgArch##*-}" in \
-    amd64) ARCH='x64';; \
-    ppc64el) ARCH='ppc64le';; \
-    s390x) ARCH='s390x';; \
-    arm64) ARCH='arm64';; \
-    armhf) ARCH='armv7l';; \
-    i386) ARCH='x86';; \
-    *) echo "unsupported architecture"; exit 1 ;; \
-  esac && \
-    echo "Etc/UTC" > /etc/localtime && \
-	apt update && \
-	apt -y install wget python && \
-	cd ~ && \
-	wget https://nodejs.org/download/release/v$NODE_VER/node-v$NODE_VER-linux-$ARCH.tar.gz && \
-	tar xf node-v$NODE_VER-linux-$ARCH.tar.gz && \
-	rm node-v$NODE_VER-linux-$ARCH.tar.gz && \
-	mv node-v$NODE_VER-linux-$ARCH /opt/node
+COPY --link --from=ruby /opt/ruby /opt/ruby
 
-# Install jemalloc
-ENV JE_VER="5.2.1"
-RUN apt update && \
-	apt -y install make autoconf gcc g++ && \
-	cd ~ && \
-	wget https://github.com/jemalloc/jemalloc/archive/$JE_VER.tar.gz && \
-	tar xf $JE_VER.tar.gz && \
-	cd jemalloc-$JE_VER && \
-	./autogen.sh && \
-	./configure --prefix=/opt/jemalloc && \
-	make -j$(nproc) > /dev/null && \
-	make install_bin install_include install_lib
+ENV DEBIAN_FRONTEND="noninteractive" \
+    PATH="${PATH}:/opt/ruby/bin"
 
-# Install Ruby
-ENV RUBY_VER="2.6.6"
-ENV CPPFLAGS="-I/opt/jemalloc/include"
-ENV LDFLAGS="-L/opt/jemalloc/lib/"
-RUN apt update && \
-	apt -y install build-essential \
-		bison libyaml-dev libgdbm-dev libreadline-dev \
-		libncurses5-dev libffi-dev zlib1g-dev libssl-dev && \
-	cd ~ && \
-	wget https://cache.ruby-lang.org/pub/ruby/${RUBY_VER%.*}/ruby-$RUBY_VER.tar.gz && \
-	tar xf ruby-$RUBY_VER.tar.gz && \
-	cd ruby-$RUBY_VER && \
-	./configure --prefix=/opt/ruby \
-	  --with-jemalloc \
-	  --with-shared \
-	  --disable-install-doc && \
-	ln -s /opt/jemalloc/lib/* /usr/lib/ && \
-	make -j$(nproc) > /dev/null && \
-	make install
-
-ENV PATH="${PATH}:/opt/ruby/bin:/opt/node/bin"
-
-RUN npm install -g yarn && \
-	gem install bundler && \
-	apt update && \
-	apt -y install git libicu-dev libidn11-dev \
-	libpq-dev libprotobuf-dev protobuf-compiler
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+WORKDIR /opt/mastodon
 COPY Gemfile* package.json yarn.lock /opt/mastodon/
 
-RUN cd /opt/mastodon && \
-  bundle config set deployment 'true' && \
-  bundle config set without 'development test' && \
-	bundle install -j$(nproc) && \
-	yarn install --pure-lockfile
+# hadolint ignore=DL3008
+RUN apt-get update && \
+    apt-get -yq dist-upgrade && \
+    apt-get install -y --no-install-recommends build-essential \
+        ca-certificates \
+        git \
+        libicu-dev \
+        libidn11-dev \
+        libpq-dev \
+        libjemalloc-dev \
+        zlib1g-dev \
+        libgdbm-dev \
+        libgmp-dev \
+        libssl-dev \
+        libyaml-0-2 \
+        ca-certificates \
+        libreadline8 \
+        python3 \
+        shared-mime-info && \
+    bundle config set --local deployment 'true' && \
+    bundle config set --local without 'development test' && \
+    bundle config set silence_root_warning true && \
+    bundle install -j"$(nproc)" && \
+    yarn install --pure-lockfile --network-timeout 600000
 
-FROM ubuntu:18.04
+FROM node:${NODE_VERSION}
 
-# Copy over all the langs needed for runtime
-COPY --from=build-dep /opt/node /opt/node
-COPY --from=build-dep /opt/ruby /opt/ruby
-COPY --from=build-dep /opt/jemalloc /opt/jemalloc
+ARG UID="991"
+ARG GID="991"
 
-# Add more PATHs to the PATH
-ENV PATH="${PATH}:/opt/ruby/bin:/opt/node/bin:/opt/mastodon/bin"
+COPY --link --from=ruby /opt/ruby /opt/ruby
 
-# Create the mastodon user
-ARG UID=991
-ARG GID=991
-RUN apt update && \
-	echo "Etc/UTC" > /etc/localtime && \
-	ln -s /opt/jemalloc/lib/* /usr/lib/ && \
-	apt install -y whois wget && \
-	addgroup --gid $GID mastodon && \
-	useradd -m -u $UID -g $GID -d /opt/mastodon mastodon && \
-	echo "mastodon:`head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24 | mkpasswd -s -m sha-256`" | chpasswd
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-# Install mastodon runtime deps
-RUN apt -y --no-install-recommends install \
-	  libssl1.1 libpq5 imagemagick ffmpeg \
-	  libicu60 libprotobuf10 libidn11 libyaml-0-2 \
-	  file ca-certificates tzdata libreadline7 && \
-	apt -y install gcc && \
-	ln -s /opt/mastodon /mastodon && \
-	gem install bundler && \
-	rm -rf /var/cache && \
-	rm -rf /var/lib/apt/lists/*
+ENV DEBIAN_FRONTEND="noninteractive" \
+    PATH="${PATH}:/opt/ruby/bin:/opt/mastodon/bin"
 
-# Add tini
-ENV TINI_VERSION="0.18.0"
-ENV TINI_SUM="12d20136605531b09a2c2dac02ccee85e1b874eb322ef6baf7561cd93f93c855"
-ADD https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini /tini
-RUN echo "$TINI_SUM tini" | sha256sum -c -
-RUN chmod +x /tini
+# Ignoreing these here since we don't want to pin any versions and the Debian image removes apt-get content after use
+# hadolint ignore=DL3008,DL3009
+RUN apt-get update && \
+    echo "Etc/UTC" > /etc/localtime && \
+    groupadd -g "${GID}" mastodon && \
+    useradd -l -u "$UID" -g "${GID}" -m -d /opt/mastodon mastodon && \
+    apt-get -y --no-install-recommends install whois \
+        wget \
+        procps \
+        libssl1.1 \
+        libpq5 \
+        imagemagick \
+        ffmpeg \
+        libjemalloc2 \
+        libicu67 \
+        libidn11 \
+        libyaml-0-2 \
+        file \
+        ca-certificates \
+        tzdata \
+        libreadline8 \
+        tini && \
+    ln -s /opt/mastodon /mastodon
+
+# Note: no, cleaning here since Debian does this automatically
+# See the file /etc/apt/apt.conf.d/docker-clean within the Docker image's filesystem
 
-# Copy over mastodon source, and dependencies from building, and set permissions
 COPY --chown=mastodon:mastodon . /opt/mastodon
-COPY --from=build-dep --chown=mastodon:mastodon /opt/mastodon /opt/mastodon
+COPY --chown=mastodon:mastodon --from=build /opt/mastodon /opt/mastodon
 
-# Run mastodon services in prod mode
-ENV RAILS_ENV="production"
-ENV NODE_ENV="production"
-
-# Tell rails to serve static files
-ENV RAILS_SERVE_STATIC_FILES="true"
-ENV BIND="0.0.0.0"
+ENV RAILS_ENV="production" \
+    NODE_ENV="production" \
+    RAILS_SERVE_STATIC_FILES="true" \
+    BIND="0.0.0.0"
 
 # Set the run user
 USER mastodon
+WORKDIR /opt/mastodon
 
 # Precompile assets
-RUN cd ~ && \
-	OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
-	yarn cache clean
+RUN OTP_SECRET=precompile_placeholder SECRET_KEY_BASE=precompile_placeholder rails assets:precompile && \
+    yarn cache clean
 
 # Set the work dir and the container entry point
-WORKDIR /opt/mastodon
-ENTRYPOINT ["/tini", "--"]
+ENTRYPOINT ["/usr/bin/tini", "--"]
 EXPOSE 3000 4000

FEDERATION.md

@@ -0,0 +1,30 @@
+## ActivityPub federation in Mastodon
+
+Mastodon largely follows the ActivityPub server-to-server specification but it makes uses of some non-standard extensions, some of which are required for interacting with Mastodon at all.
+
+Supported vocabulary: https://docs.joinmastodon.org/spec/activitypub/
+
+### Required extensions
+
+#### Webfinger
+
+In Mastodon, users are identified by a `username` and `domain` pair (e.g., `Gargron@mastodon.social`).
+This is used both for discovery and for unambiguously mentioning users across the fediverse. Furthermore, this is part of Mastodon's database design from its very beginnings.
+
+As a result, Mastodon requires that each ActivityPub actor uniquely maps back to an `acct:` URI that can be resolved via WebFinger.
+
+More information and examples are available at: https://docs.joinmastodon.org/spec/webfinger/
+
+#### HTTP Signatures
+
+In order to authenticate activities, Mastodon relies on HTTP Signatures, signing every `POST` and `GET` request to other ActivityPub implementations on behalf of the user authoring an activity (for `POST` requests) or an actor representing the Mastodon server itself (for most `GET` requests).
+
+Mastodon requires all `POST` requests to be signed, and MAY require `GET` requests to be signed, depending on the configuration of the Mastodon server.
+
+More information on HTTP Signatures, as well as examples, can be found here: https://docs.joinmastodon.org/spec/security/#http
+
+### Optional extensions
+
+- Linked-Data Signatures: https://docs.joinmastodon.org/spec/security/#ld
+- Bearcaps: https://docs.joinmastodon.org/spec/bearcaps/
+- Followers collection synchronization: https://git.activitypub.dev/ActivityPubDev/Fediverse-Enhancement-Proposals/src/branch/main/feps/fep-8fcf.md

Gemfile

@@ -1,116 +1,116 @@
 # frozen_string_literal: true
 
 source 'https://rubygems.org'
-ruby '>= 2.5.0', '< 3.0.0'
+ruby '>= 2.7.0', '< 3.1.0'
 
-gem 'pkg-config', '~> 1.4'
+gem 'pkg-config', '~> 1.5'
+gem 'rexml', '~> 3.2'
 
-gem 'puma', '~> 4.3'
-gem 'rails', '~> 5.2.4.2'
+gem 'puma', '~> 5.6'
+gem 'rails', '~> 6.1.7'
 gem 'sprockets', '~> 3.7.2'
-gem 'thor', '~> 0.20'
-gem 'rack', '~> 2.2.2'
-
-gem 'thwait', '~> 0.1.0'
-gem 'e2mmap', '~> 0.1.0'
+gem 'thor', '~> 1.2'
+gem 'rack', '~> 2.2.6'
 
 gem 'hamlit-rails', '~> 0.2'
-gem 'pg', '~> 1.2'
-gem 'makara', '~> 0.4'
-gem 'pghero', '~> 2.4'
-gem 'dotenv-rails', '~> 2.7'
+gem 'pg', '~> 1.4'
+gem 'makara', '~> 0.5'
+gem 'pghero'
+gem 'dotenv-rails', '~> 2.8'
 
-gem 'aws-sdk-s3', '~> 1.61', require: false
-gem 'fog-core', '<= 2.1.0'
+gem 'aws-sdk-s3', '~> 1.119', require: false
+gem 'fog-core', '<= 2.4.0'
 gem 'fog-openstack', '~> 0.3', require: false
-gem 'paperclip', '~> 6.0'
-gem 'paperclip-av-transcoder', '~> 0.6'
-gem 'streamio-ffmpeg', '~> 3.0'
+gem 'kt-paperclip', '~> 7.1'
 gem 'blurhash', '~> 0.1'
 
 gem 'active_model_serializers', '~> 0.10'
-gem 'addressable', '~> 2.7'
-gem 'bootsnap', '~> 1.4', require: false
+gem 'addressable', '~> 2.8'
+gem 'bootsnap', '~> 1.16.0', require: false
 gem 'browser'
 gem 'charlock_holmes', '~> 0.7.7'
-gem 'iso-639'
-gem 'chewy', '~> 5.1'
-gem 'cld3', '~> 3.3.0'
-gem 'devise', '~> 4.7'
-gem 'devise-two-factor', '~> 3.1'
+gem 'chewy', '~> 7.2'
+gem 'devise', '~> 4.8'
+gem 'devise-two-factor', '~> 4.0'
 
 group :pam_authentication, optional: true do
   gem 'devise_pam_authenticatable2', '~> 9.2'
 end
 
-gem 'net-ldap', '~> 0.16'
-gem 'omniauth-cas', '~> 1.1'
+gem 'net-ldap', '~> 0.17'
+gem 'omniauth-cas', '~> 2.0'
 gem 'omniauth-saml', '~> 1.10'
+gem 'gitlab-omniauth-openid-connect', '~>0.10.1', require: 'omniauth_openid_connect'
 gem 'omniauth', '~> 1.9'
+gem 'omniauth-rails_csrf_protection', '~> 0.1'
 
+gem 'color_diff', '~> 0.1'
 gem 'discard', '~> 1.2'
-gem 'doorkeeper', '~> 5.3'
+gem 'doorkeeper', '~> 5.6'
+gem 'ed25519', '~> 1.3'
 gem 'fast_blank', '~> 1.0'
 gem 'fastimage'
-gem 'goldfinger', '~> 2.1'
 gem 'hiredis', '~> 0.6'
-gem 'redis-namespace', '~> 1.7'
-gem 'health_check', git: 'https://github.com/ianheggie/health_check', ref: '0b799ead604f900ed50685e9b2d469cd2befba5b'
+gem 'redis-namespace', '~> 1.10'
 gem 'htmlentities', '~> 4.3'
-gem 'http', '~> 4.3'
+gem 'http', '~> 5.1'
 gem 'http_accept_language', '~> 2.1'
-gem 'http_parser.rb', '~> 0.6', git: 'https://github.com/tmm1/http_parser.rb', ref: '54b17ba8c7d8d20a16dfc65d1775241833219cf2', submodules: true
-gem 'httplog', '~> 1.4.2'
+gem 'httplog', '~> 1.6.2'
 gem 'idn-ruby', require: 'idn'
-gem 'kaminari', '~> 1.1'
+gem 'kaminari', '~> 1.2'
 gem 'link_header', '~> 0.0'
-gem 'mime-types', '~> 3.3.1', require: 'mime/types/columnar'
-gem 'nilsimsa', git: 'https://github.com/witgo/nilsimsa', ref: 'fd184883048b922b176939f851338d0a4971a532'
-gem 'nokogiri', '~> 1.10'
+gem 'mime-types', '~> 3.4.1', require: 'mime/types/columnar'
+gem 'nokogiri', '~> 1.14'
 gem 'nsa', '~> 0.2'
-gem 'oj', '~> 3.10'
-gem 'ox', '~> 2.13'
+gem 'oj', '~> 3.13'
+gem 'ox', '~> 2.14'
 gem 'parslet'
-gem 'parallel', '~> 1.19'
-gem 'posix-spawn', git: 'https://github.com/rtomayko/posix-spawn', ref: '58465d2e213991f8afb13b984854a49fcdcc980c'
-gem 'pundit', '~> 2.1'
+gem 'posix-spawn'
+gem 'public_suffix', '~> 5.0'
+gem 'pundit', '~> 2.3'
 gem 'premailer-rails'
-gem 'rack-attack', '~> 6.2'
+gem 'rack-attack', '~> 6.6'
 gem 'rack-cors', '~> 1.1', require: 'rack/cors'
-gem 'rails-i18n', '~> 5.1'
+gem 'rails-i18n', '~> 6.0'
 gem 'rails-settings-cached', '~> 0.6'
-gem 'redis', '~> 4.1', require: ['redis', 'redis/connection/hiredis']
+gem 'redcarpet', '~> 3.6'
+gem 'redis', '~> 4.5', require: ['redis', 'redis/connection/hiredis']
 gem 'mario-redis-lock', '~> 1.2', require: 'redis_lock'
-gem 'rqrcode', '~> 1.1'
-gem 'ruby-progressbar', '~> 1.10'
-gem 'sanitize', '~> 5.1'
-gem 'sidekiq', '~> 6.0'
-gem 'sidekiq-scheduler', '~> 3.0'
-gem 'sidekiq-unique-jobs', '~> 6.0'
-gem 'sidekiq-bulk', '~>0.2.0'
-gem 'simple-navigation', '~> 4.1'
-gem 'simple_form', '~> 5.0'
-gem 'sprockets-rails', '~> 3.2', require: 'sprockets/railtie'
-gem 'stoplight', '~> 2.2.0'
-gem 'strong_migrations', '~> 0.6'
-gem 'tty-command', '~> 0.9', require: false
-gem 'tty-prompt', '~> 0.21', require: false
-gem 'twitter-text', '~> 1.14'
-gem 'tzinfo-data', '~> 1.2019'
-gem 'webpacker', '~> 4.2'
-gem 'webpush'
+gem 'rqrcode', '~> 2.1'
+gem 'ruby-progressbar', '~> 1.11'
+gem 'sanitize', '~> 6.0'
+gem 'scenic', '~> 1.7'
+gem 'sidekiq', '~> 6.5'
+gem 'sidekiq-scheduler', '~> 4.0'
+gem 'sidekiq-unique-jobs', '~> 7.1'
+gem 'sidekiq-bulk', '~> 0.2.0'
+gem 'simple-navigation', '~> 4.4'
+gem 'simple_form', '~> 5.2'
+gem 'sprockets-rails', '~> 3.4', require: 'sprockets/railtie'
+gem 'stoplight', '~> 3.0.1'
+gem 'strong_migrations', '~> 0.7'
+gem 'tty-prompt', '~> 0.23', require: false
+gem 'twitter-text', '~> 3.1.0'
+gem 'tzinfo-data', '~> 1.2022'
+gem 'webpacker', '~> 5.4'
+gem 'webpush', github: 'ClearlyClaire/webpush', ref: 'f14a4d52e201128b1b00245d11b6de80d6cfdcd9'
+gem 'webauthn', '~> 2.5'
 
 gem 'json-ld'
-gem 'json-ld-preloaded', '~> 3.1'
-gem 'rdf-normalize', '~> 0.4'
+gem 'json-ld-preloaded', '~> 3.2'
+gem 'rdf-normalize', '~> 0.5'
 
 group :development, :test do
-  gem 'fabrication', '~> 2.21'
+  gem 'fabrication', '~> 2.30'
   gem 'fuubar', '~> 2.5'
-  gem 'i18n-tasks', '~> 0.9', require: false
-  gem 'pry-byebug', '~> 3.8'
+  gem 'i18n-tasks', '~> 1.0', require: false
+  gem 'pry-byebug', '~> 3.10'
   gem 'pry-rails', '~> 0.3'
-  gem 'rspec-rails', '~> 4.0'
+  gem 'rspec-rails', '~> 5.1'
+  gem 'rubocop-performance', require: false
+  gem 'rubocop-rails', require: false
+  gem 'rubocop-rspec', require: false
+  gem 'rubocop', require: false
 end
 
 group :production, :test do
@@ -118,43 +118,44 @@ group :production, :test do
 end
 
 group :test do
-  gem 'capybara', '~> 3.31'
+  gem 'capybara', '~> 3.38'
   gem 'climate_control', '~> 0.2'
-  gem 'faker', '~> 2.11'
-  gem 'microformats', '~> 4.2'
+  gem 'faker', '~> 3.1'
+  gem 'json-schema', '~> 3.0'
+  gem 'rack-test', '~> 2.0'  
   gem 'rails-controller-testing', '~> 1.0'
-  gem 'rspec-sidekiq', '~> 3.0'
-  gem 'simplecov', '~> 0.18', require: false
-  gem 'webmock', '~> 3.8'
-  gem 'parallel_tests', '~> 2.32'
+  gem 'rspec_junit_formatter', '~> 0.6'
+  gem 'rspec-sidekiq', '~> 3.1'
+  gem 'simplecov', '~> 0.22', require: false
+  gem 'webmock', '~> 3.18'
 end
 
 group :development do
-  gem 'active_record_query_trace', '~> 1.7'
-  gem 'annotate', '~> 3.0'
-  gem 'better_errors', '~> 2.6'
-  gem 'binding_of_caller', '~> 0.7'
-  gem 'bullet', '~> 6.1'
-  gem 'letter_opener', '~> 1.7'
-  gem 'letter_opener_web', '~> 1.4'
+  gem 'active_record_query_trace', '~> 1.8'
+  gem 'annotate', '~> 3.2'
+  gem 'better_errors', '~> 2.9'
+  gem 'binding_of_caller', '~> 1.0'
+  gem 'bullet', '~> 7.0'
+  gem 'letter_opener', '~> 1.8'
+  gem 'letter_opener_web', '~> 2.0'
   gem 'memory_profiler'
-  gem 'rubocop', '~> 0.79', require: false
-  gem 'rubocop-rails', '~> 2.4', require: false
-  gem 'brakeman', '~> 4.8', require: false
-  gem 'bundler-audit', '~> 0.6', require: false
+  gem 'brakeman', '~> 5.4', require: false
+  gem 'bundler-audit', '~> 0.9', require: false
 
-  gem 'capistrano', '~> 3.12'
-  gem 'capistrano-rails', '~> 1.4'
-  gem 'capistrano-rbenv', '~> 2.1'
+  gem 'capistrano', '~> 3.17'
+  gem 'capistrano-rails', '~> 1.6'
+  gem 'capistrano-rbenv', '~> 2.2'
   gem 'capistrano-yarn', '~> 2.0'
 
   gem 'stackprof'
 end
 
 group :production do
-  gem 'lograge', '~> 0.11'
-  gem 'redis-rails', '~> 5.0'
+  gem 'lograge', '~> 0.12'
 end
 
 gem 'concurrent-ruby', require: false
 gem 'connection_pool', require: false
+gem 'xorcist', '~> 1.1'
+gem 'cocoon', '~> 1.2'
+gem 'mail', '~> 2.8'

Procfile

@@ -1,4 +1,4 @@
-web: if [ "$RUN_STREAMING" != "true" ]; then BIND=0.0.0.0 bundle exec puma -C config/puma.rb; else BIND=0.0.0.0 node ./streaming; fi
+web: bin/heroku-web
 worker: bundle exec sidekiq
 
 # For the streaming API, you need a separate app that shares Postgres and Redis:

Procfile.dev

@@ -1,4 +1,4 @@
-web: env PORT=3000 bundle exec puma -C config/puma.rb
-sidekiq: env PORT=3000 bundle exec sidekiq
+web: env PORT=3000 RAILS_ENV=development bundle exec puma -C config/puma.rb
+sidekiq: env PORT=3000 RAILS_ENV=development bundle exec sidekiq
 stream: env PORT=4000 yarn run start
 webpack: ./bin/webpack-dev-server --listen-host 0.0.0.0

README.md

@@ -1,19 +1,20 @@
-![Mastodon](https://i.imgur.com/NhZc40l.png)
-========
+<h1><picture>
+  <source media="(prefers-color-scheme: dark)" srcset="./lib/assets/wordmark.dark.png?raw=true">
+  <source media="(prefers-color-scheme: light)" srcset="./lib/assets/wordmark.light.png?raw=true">
+  <img alt="Mastodon" src="./lib/assets/wordmark.light.png?raw=true" height="34">
+</picture></h1>
 
-[![GitHub release](https://img.shields.io/github/release/tootsuite/mastodon.svg)][releases]
-[![Build Status](https://img.shields.io/circleci/project/github/tootsuite/mastodon.svg)][circleci]
-[![Code Climate](https://img.shields.io/codeclimate/maintainability/tootsuite/mastodon.svg)][code_climate]
+[![GitHub release](https://img.shields.io/github/release/mastodon/mastodon.svg)][releases]
+[![Build Status](https://img.shields.io/circleci/project/github/mastodon/mastodon.svg)][circleci]
+[![Code Climate](https://img.shields.io/codeclimate/maintainability/mastodon/mastodon.svg)][code_climate]
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/mastodon/localized.svg)][crowdin]
-[![Docker Pulls](https://img.shields.io/docker/pulls/tootsuite/mastodon.svg)][docker]
 
-[releases]: https://github.com/tootsuite/mastodon/releases
-[circleci]: https://circleci.com/gh/tootsuite/mastodon
-[code_climate]: https://codeclimate.com/github/tootsuite/mastodon
+[releases]: https://github.com/mastodon/mastodon/releases
+[circleci]: https://circleci.com/gh/mastodon/mastodon
+[code_climate]: https://codeclimate.com/github/mastodon/mastodon
 [crowdin]: https://crowdin.com/project/mastodon
-[docker]: https://hub.docker.com/r/tootsuite/mastodon/
 
-Mastodon is a **free, open-source social network server** based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub)!
+Mastodon is a **free, open-source social network server** based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub!)
 
 Click below to **learn more** in a video:
 
@@ -28,65 +29,72 @@ Click below to **learn more** in a video:
 - [View sponsors](https://joinmastodon.org/sponsors)
 - [Blog](https://blog.joinmastodon.org)
 - [Documentation](https://docs.joinmastodon.org)
-- [Browse Mastodon servers](https://joinmastodon.org/#getting-started)
+- [Official Docker image](https://github.com/mastodon/mastodon/pkgs/container/mastodon)
+- [Browse Mastodon servers](https://joinmastodon.org/communities)
 - [Browse Mastodon apps](https://joinmastodon.org/apps)
 
 [patreon]: https://www.patreon.com/mastodon
 
 ## Features
 
-<img src="https://docs.joinmastodon.org/elephant.svg" align="right" width="30%" />
+<img src="/app/javascript/images/elephant_ui_working.svg?raw=true" align="right" width="30%" />
 
-**No vendor lock-in: Fully interoperable with any conforming platform**
+### No vendor lock-in: Fully interoperable with any conforming platform
 
-It doesn't have to be Mastodon, whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
+It doesn't have to be Mastodon; whatever implements ActivityPub is part of the social network! [Learn more](https://blog.joinmastodon.org/2018/06/why-activitypub-is-the-future/)
 
-**Real-time, chronological timeline updates**
+### Real-time, chronological timeline updates
 
-See the updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
+Updates of people you're following appear in real-time in the UI via WebSockets. There's a firehose view as well!
 
-**Media attachments like images and short videos**
+### Media attachments like images and short videos
 
-Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos are looped - like vines!
+Upload and view images and WebM/MP4 videos attached to the updates. Videos with no audio track are treated like GIFs; normal videos loop continuously!
 
-**Safety and moderation tools**
+### Safety and moderation tools
 
-Private posts, locked accounts, phrase filtering, muting, blocking and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
+Mastodon includes private posts, locked accounts, phrase filtering, muting, blocking and all sorts of other features, along with a reporting and moderation system. [Learn more](https://blog.joinmastodon.org/2018/07/cage-the-mastodon/)
 
-**OAuth2 and a straightforward REST API**
+### OAuth2 and a straightforward REST API
 
-Mastodon acts as an OAuth2 provider so 3rd party apps can use the REST and Streaming APIs, resulting in a rich app ecosystem with a lot of choices!
+Mastodon acts as an OAuth2 provider, so 3rd party apps can use the REST and Streaming APIs. This results in a rich app ecosystem with a lot of choices!
 
 ## Deployment
 
-**Tech stack:**
+### Tech stack:
 
 - **Ruby on Rails** powers the REST API and other web pages
 - **React.js** and Redux are used for the dynamic parts of the interface
 - **Node.js** powers the streaming API
 
-**Requirements:**
+### Requirements:
 
 - **PostgreSQL** 9.5+
 - **Redis** 4+
-- **Ruby** 2.5+
-- **Node.js** 10.13+
+- **Ruby** 2.7+
+- **Node.js** 14+
 
-The repository includes deployment configurations for **Docker and docker-compose**, but also a few specific platforms like **Heroku**, **Scalingo**, and **Nanobox**. The [**stand-alone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
+The repository includes deployment configurations for **Docker and docker-compose** as well as specific platforms like **Heroku**, **Scalingo**, and **Nanobox**. For Helm charts, reference the [mastodon/chart repository](https://github.com/mastodon/chart). The [**standalone** installation guide](https://docs.joinmastodon.org/admin/install/) is available in the documentation.
 
-A **Vagrant** configuration is included for development purposes.
+A **Vagrant** configuration is included for development purposes. To use it, complete following steps:
+
+- Install Vagrant and Virtualbox
+- Install the `vagrant-hostsupdater` plugin: `vagrant plugin install vagrant-hostsupdater`
+- Run `vagrant up`
+- Run `vagrant ssh -c "cd /vagrant && foreman start"`
+- Open `http://mastodon.local` in your browser
 
 ## Contributing
 
 Mastodon is **free, open-source software** licensed under **AGPLv3**.
 
-You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository, or submit translations using Weblate. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
+You can open issues for bugs you've found or features you think are missing. You can also submit pull requests to this repository or submit translations using Crowdin. To get started, take a look at [CONTRIBUTING.md](CONTRIBUTING.md). If your contributions are accepted into Mastodon, you can request to be paid through [our OpenCollective](https://opencollective.com/mastodon).
 
-**IRC channel**: #mastodon on irc.freenode.net
+**IRC channel**: #mastodon on irc.libera.chat
 
 ## License
 
-Copyright (C) 2016-2020 Eugen Rochko & other Mastodon contributors (see [AUTHORS.md](AUTHORS.md))
+Copyright (C) 2016-2022 Eugen Rochko & other Mastodon contributors (see [AUTHORS.md](AUTHORS.md))
 
 This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
 

SECURITY.md

@@ -0,0 +1,17 @@
+# Security Policy
+
+If you believe you've identified a security vulnerability in Mastodon (a bug that allows something to happen that shouldn't be possible), you can reach us at <security@joinmastodon.org>.
+
+You should *not* report such issues on GitHub or in other public spaces to give us time to publish a fix for the issue without exposing Mastodon's users to increased risk.
+
+## Scope
+
+A "vulnerability in Mastodon" is a vulnerability in the code distributed through our main source code repository on GitHub. Vulnerabilities that are specific to a given installation (e.g. misconfiguration) should be reported to the owner of that installation and not us.
+
+## Supported Versions
+
+| Version | Supported        |
+| ------- | ---------------- |
+| 4.2.x   | Yes              |
+| 4.1.x   | Yes              |
+| < 4.1   | No               |

Vagrantfile

@@ -3,16 +3,14 @@
 
 ENV["PORT"] ||= "3000"
 
-$provision = <<SCRIPT
-
-cd /vagrant # This is where the host folder/repo is mounted
+$provisionA = <<SCRIPT
 
 # Add the yarn repo + yarn repo keys
 curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
 sudo apt-add-repository 'deb https://dl.yarnpkg.com/debian/ stable main'
 
 # Add repo for NodeJS
-curl -sL https://deb.nodesource.com/setup_10.x | sudo bash -
+curl -sL https://deb.nodesource.com/setup_16.x | sudo bash -
 
 # Add firewall rule to redirect 80 to PORT and save
 sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port #{ENV["PORT"]}
@@ -33,65 +31,74 @@ sudo apt-get install \
   redis-tools \
   postgresql \
   postgresql-contrib \
-  protobuf-compiler \
-  yarn \
   libicu-dev \
   libidn11-dev \
+  libreadline6-dev \
+  autoconf \
+  bison \
+  build-essential \
+  ffmpeg \
+  file \
+  gcc \
+  libffi-dev \
+  libgdbm-dev \
+  libjemalloc-dev \
+  libncurses5-dev \
   libprotobuf-dev \
-  libreadline-dev \
-  libpam0g-dev \
+  libssl-dev \
+  libyaml-dev \
+  pkg-config \
+  protobuf-compiler \
+  zlib1g-dev \
   -y
 
 # Install rvm
-read RUBY_VERSION < .ruby-version
+sudo apt-add-repository -y ppa:rael-gc/rvm
+sudo apt-get install rvm -y
 
-gpg_command="gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3 7D2BAF1CF37B13E2069D6956105BD0E739499BDB"
-$($gpg_command)
-if [ $? -ne 0 ];then
-  echo "GPG command failed, This prevented RVM from installing."
-  echo "Retrying once..." && $($gpg_command)
-  if [ $? -ne 0 ];then
-    echo "GPG failed for the second time, please ensure network connectivity."
-    echo "Exiting..." && exit 1
-  fi
-fi
+sudo usermod -a -G rvm $USER
 
-curl -sSL https://raw.githubusercontent.com/rvm/rvm/stable/binscripts/rvm-installer | bash -s stable --ruby=$RUBY_VERSION
-source /home/vagrant/.rvm/scripts/rvm
+SCRIPT
+
+$provisionB = <<SCRIPT
+
+source "/etc/profile.d/rvm.sh"
 
 # Install Ruby
-rvm reinstall ruby-$RUBY_VERSION --disable-binary
+read RUBY_VERSION < /vagrant/.ruby-version
+rvm install ruby-$RUBY_VERSION --disable-binary
 
 # Configure database
 sudo -u postgres createuser -U postgres vagrant -s
 sudo -u postgres createdb -U postgres mastodon_development
 
-# Install gems and node modules
+cd /vagrant # This is where the host folder/repo is mounted
+
+# Install gems
 gem install bundler foreman
 bundle install
+
+# Install node modules
+sudo corepack enable
+yarn set version classic
 yarn install
 
 # Build Mastodon
+export RAILS_ENV=development 
 export $(cat ".env.vagrant" | xargs)
 bundle exec rails db:setup
 
 # Configure automatic loading of environment variable
+echo 'export RAILS_ENV=development' >> ~/.bash_profile
 echo 'export $(cat "/vagrant/.env.vagrant" | xargs)' >> ~/.bash_profile
 
 SCRIPT
 
-$start = <<SCRIPT
-
-echo 'To start server'
-echo '  $ vagrant ssh -c "cd /vagrant && foreman start"'
-
-SCRIPT
-
 VAGRANTFILE_API_VERSION = "2"
 
 Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
 
-  config.vm.box = "ubuntu/bionic64"
+  config.vm.box = "ubuntu/focal64"
 
   config.vm.provider :virtualbox do |vb|
     vb.name = "mastodon"
@@ -108,7 +115,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
     # Use "virtio" network interfaces for better performance.
     vb.customize ["modifyvm", :id, "--nictype1", "virtio"]
     vb.customize ["modifyvm", :id, "--nictype2", "virtio"]
-
   end
 
   # This uses the vagrant-hostsupdater plugin, and lets you
@@ -126,7 +132,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   end
 
   if config.vm.networks.any? { |type, options| type == :private_network }
-    config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'vers=3', 'tcp', 'actimeo=1']
+    config.vm.synced_folder ".", "/vagrant", type: "nfs", mount_options: ['rw', 'actimeo=1']
   else
     config.vm.synced_folder ".", "/vagrant"
   end
@@ -137,9 +143,12 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
   config.vm.network :forwarded_port, guest: 8080, host: 8080
 
   # Full provisioning script, only runs on first 'vagrant up' or with 'vagrant provision'
-  config.vm.provision :shell, inline: $provision, privileged: false
+  config.vm.provision :shell, inline: $provisionA, privileged: false, reset: true
+  config.vm.provision :shell, inline: $provisionB, privileged: false
 
-  # Start up script, runs on every 'vagrant up'
-  config.vm.provision :shell, inline: $start, run: 'always', privileged: false
+  config.vm.post_up_message = <<MESSAGE
+To start server
+  $ vagrant ssh -c "cd /vagrant && foreman start"
+MESSAGE
 
 end

app.json

@@ -1,8 +1,8 @@
 {
   "name": "Mastodon",
   "description": "A GNU Social-compatible microblogging server",
-  "repository": "https://github.com/tootsuite/mastodon",
-  "logo": "https://github.com/tootsuite.png",
+  "repository": "https://github.com/mastodon/mastodon",
+  "logo": "https://github.com/mastodon.png",
   "env": {
     "HEROKU": {
       "description": "Leave this as true",
@@ -79,8 +79,13 @@
       "description": "SMTP server certificate verification mode. Defaults is 'peer'.",
       "required": false
     },
+    "SMTP_ENABLE_STARTTLS": {
+      "description": "Enable STARTTLS? Default is 'auto'.",
+      "value": "auto",
+      "required": false
+    },
     "SMTP_ENABLE_STARTTLS_AUTO": {
-      "description": "Enable STARTTLS if SMTP server supports it? Default is true.",
+      "description": "Enable STARTTLS if SMTP server supports it? Deprecated by SMTP_ENABLE_STARTTLS.",
       "required": false
     }
   },
@@ -88,9 +93,6 @@
     {
       "url": "https://github.com/heroku/heroku-buildpack-apt"
     },
-    {
-      "url": "heroku/nodejs"
-    },
     {
       "url": "heroku/ruby"
     }
@@ -98,8 +100,5 @@
   "scripts": {
     "postdeploy": "bundle exec rails db:migrate && bundle exec rails db:seed"
   },
-  "addons": [
-    "heroku-postgresql",
-    "heroku-redis"
-  ]
+  "addons": ["heroku-postgresql", "heroku-redis"]
 }

app/chewy/accounts_index.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 class AccountsIndex < Chewy::Index
-  settings index: { refresh_interval: '5m' }, analysis: {
+  include DatetimeClampingConcern
+
+  settings index: { refresh_interval: '30s' }, analysis: {
     analyzer: {
       content: {
         tokenizer: 'whitespace',
@@ -23,21 +25,21 @@ class AccountsIndex < Chewy::Index
     },
   }
 
-  define_type ::Account.searchable.includes(:account_stat), delete_if: ->(account) { account.destroyed? || !account.searchable? } do
-    root date_detection: false do
-      field :id, type: 'long'
+  index_scope ::Account.searchable.includes(:account_stat)
 
-      field :display_name, type: 'text', analyzer: 'content' do
-        field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
-      end
+  root date_detection: false do
+    field :id, type: 'long'
 
-      field :acct, type: 'text', analyzer: 'content', value: ->(account) { [account.username, account.domain].compact.join('@') } do
-        field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
-      end
-
-      field :following_count, type: 'long', value: ->(account) { account.following.local.count }
-      field :followers_count, type: 'long', value: ->(account) { account.followers.local.count }
-      field :last_status_at, type: 'date', value: ->(account) { account.last_status_at || account.created_at }
+    field :display_name, type: 'text', analyzer: 'content' do
+      field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
     end
+
+    field :acct, type: 'text', analyzer: 'content', value: ->(account) { [account.username, account.domain].compact.join('@') } do
+      field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
+    end
+
+    field :following_count, type: 'long', value: ->(account) { account.following_count }
+    field :followers_count, type: 'long', value: ->(account) { account.followers_count }
+    field :last_status_at, type: 'date', value: ->(account) { clamp_date(account.last_status_at || account.created_at) }
   end
 end

app/chewy/concerns/datetime_clamping_concern.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module DatetimeClampingConcern
+  extend ActiveSupport::Concern
+
+  MIN_ISO8601_DATETIME = '0000-01-01T00:00:00Z'.to_datetime.freeze
+  MAX_ISO8601_DATETIME = '9999-12-31T23:59:59Z'.to_datetime.freeze
+
+  class_methods do
+    def clamp_date(datetime)
+      datetime.clamp(MIN_ISO8601_DATETIME, MAX_ISO8601_DATETIME)
+    end
+  end
+end

app/chewy/statuses_index.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 class StatusesIndex < Chewy::Index
-  settings index: { refresh_interval: '15m' }, analysis: {
+  include FormattingHelper
+
+  settings index: { refresh_interval: '30s' }, analysis: {
     filter: {
       english_stop: {
         type: 'stop',
@@ -31,36 +33,43 @@ class StatusesIndex < Chewy::Index
     },
   }
 
-  define_type ::Status.unscoped.kept.without_reblogs.includes(:media_attachments), delete_if: ->(status) { status.searchable_by.empty? } do
-    crutch :mentions do |collection|
-      data = ::Mention.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
-      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  # We do not use delete_if option here because it would call a method that we
+  # expect to be called with crutches without crutches, causing n+1 queries
+  index_scope ::Status.unscoped.kept.without_reblogs.includes(:media_attachments, :preloadable_poll)
+
+  crutch :mentions do |collection|
+    data = ::Mention.where(status_id: collection.map(&:id)).where(account: Account.local, silent: false).pluck(:status_id, :account_id)
+    data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  end
+
+  crutch :favourites do |collection|
+    data = ::Favourite.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
+    data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  end
+
+  crutch :reblogs do |collection|
+    data = ::Status.where(reblog_of_id: collection.map(&:id)).where(account: Account.local).pluck(:reblog_of_id, :account_id)
+    data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  end
+
+  crutch :bookmarks do |collection|
+    data = ::Bookmark.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
+    data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  end
+
+  crutch :votes do |collection|
+    data = ::PollVote.joins(:poll).where(poll: { status_id: collection.map(&:id) }).where(account: Account.local).pluck(:status_id, :account_id)
+    data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
+  end
+
+  root date_detection: false do
+    field :id, type: 'long'
+    field :account_id, type: 'long'
+
+    field :text, type: 'text', value: ->(status) { status.searchable_text } do
+      field :stemmed, type: 'text', analyzer: 'content'
     end
 
-    crutch :favourites do |collection|
-      data = ::Favourite.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
-      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
-    end
-
-    crutch :reblogs do |collection|
-      data = ::Status.where(reblog_of_id: collection.map(&:id)).where(account: Account.local).pluck(:reblog_of_id, :account_id)
-      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
-    end
-
-    crutch :bookmarks do |collection|
-      data = ::Bookmark.where(status_id: collection.map(&:id)).where(account: Account.local).pluck(:status_id, :account_id)
-      data.each.with_object({}) { |(id, name), result| (result[id] ||= []).push(name) }
-    end
-
-    root date_detection: false do
-      field :id, type: 'long'
-      field :account_id, type: 'long'
-
-      field :text, type: 'text', value: ->(status) { [status.spoiler_text, Formatter.instance.plaintext(status)].concat(status.media_attachments.map(&:description)).concat(status.preloadable_poll ? status.preloadable_poll.options : []).join("\n\n") } do
-        field :stemmed, type: 'text', analyzer: 'content'
-      end
-
-      field :searchable_by, type: 'long', value: ->(status, crutches) { status.searchable_by(crutches) }
-    end
+    field :searchable_by, type: 'long', value: ->(status, crutches) { status.searchable_by(crutches) }
   end
 end

app/chewy/tags_index.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 class TagsIndex < Chewy::Index
-  settings index: { refresh_interval: '15m' }, analysis: {
+  include DatetimeClampingConcern
+
+  settings index: { refresh_interval: '30s' }, analysis: {
     analyzer: {
       content: {
         tokenizer: 'keyword',
@@ -23,15 +25,19 @@ class TagsIndex < Chewy::Index
     },
   }
 
-  define_type ::Tag.listable, delete_if: ->(tag) { tag.destroyed? || !tag.listable? } do
-    root date_detection: false do
-      field :name, type: 'text', analyzer: 'content' do
-        field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
-      end
+  index_scope ::Tag.listable
 
-      field :reviewed, type: 'boolean', value: ->(tag) { tag.reviewed? }
-      field :usage, type: 'long', value: ->(tag) { tag.history.reduce(0) { |total, day| total + day[:accounts].to_i } }
-      field :last_status_at, type: 'date', value: ->(tag) { tag.last_status_at || tag.created_at }
+  crutch :time_period do
+    7.days.ago.to_date..0.days.ago.to_date
+  end
+
+  root date_detection: false do
+    field :name, type: 'text', analyzer: 'content' do
+      field :edge_ngram, type: 'text', analyzer: 'edge_ngram', search_analyzer: 'content'
     end
+
+    field :reviewed, type: 'boolean', value: ->(tag) { tag.reviewed? }
+    field :usage, type: 'long', value: ->(tag, crutches) { tag.history.aggregate(crutches.time_period).accounts }
+    field :last_status_at, type: 'date', value: ->(tag) { clamp_date(tag.last_status_at || tag.created_at) }
   end
 end

app/controllers/about_controller.rb

@@ -1,64 +1,19 @@
 # frozen_string_literal: true
 
 class AboutController < ApplicationController
-  layout 'public'
+  include WebAppControllerConcern
+
+  skip_before_action :require_functional!
 
-  before_action :require_open_federation!, only: [:show, :more]
-  before_action :set_body_classes, only: :show
   before_action :set_instance_presenter
-  before_action :set_expires_in, only: [:show, :more, :terms]
 
-  skip_before_action :require_functional!, only: [:more, :terms]
-
-  def show; end
-
-  def more
-    flash.now[:notice] = I18n.t('about.instance_actor_flash') if params[:instance_actor]
-
-    toc_generator = TOCGenerator.new(@instance_presenter.site_extended_description)
-
-    @contents          = toc_generator.html
-    @table_of_contents = toc_generator.toc
-    @blocks            = DomainBlock.with_user_facing_limitations.by_severity if display_blocks?
+  def show
+    expires_in 0, public: true unless user_signed_in?
   end
 
-  def terms; end
-
-  helper_method :display_blocks?
-  helper_method :display_blocks_rationale?
-  helper_method :public_fetch_mode?
-  helper_method :new_user
-
   private
 
-  def require_open_federation!
-    not_found if whitelist_mode?
-  end
-
-  def display_blocks?
-    Setting.show_domain_blocks == 'all' || (Setting.show_domain_blocks == 'users' && user_signed_in?)
-  end
-
-  def display_blocks_rationale?
-    Setting.show_domain_blocks_rationale == 'all' || (Setting.show_domain_blocks_rationale == 'users' && user_signed_in?)
-  end
-
-  def new_user
-    User.new.tap do |user|
-      user.build_account
-      user.build_invite_request
-    end
-  end
-
   def set_instance_presenter
     @instance_presenter = InstancePresenter.new
   end
-
-  def set_body_classes
-    @hide_navbar = true
-  end
-
-  def set_expires_in
-    expires_in 0, public: true
-  end
 end

app/controllers/account_follow_controller.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-class AccountFollowController < ApplicationController
-  include AccountControllerConcern
-
-  before_action :authenticate_user!
-
-  def create
-    FollowService.new.call(current_user.account, @account, with_rate_limit: true)
-    redirect_to account_path(@account)
-  end
-end

app/controllers/account_unfollow_controller.rb

@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-
-class AccountUnfollowController < ApplicationController
-  include AccountControllerConcern
-
-  before_action :authenticate_user!
-
-  def create
-    UnfollowService.new.call(current_user.account, @account)
-    redirect_to account_path(@account)
-  end
-end

app/controllers/accounts_controller.rb

@@ -1,67 +1,43 @@
 # frozen_string_literal: true
 
 class AccountsController < ApplicationController
-  PAGE_SIZE = 20
+  PAGE_SIZE     = 20
+  PAGE_SIZE_MAX = 200
 
   include AccountControllerConcern
   include SignatureAuthentication
 
+  before_action :require_account_signature!, if: -> { request.format == :json && authorized_fetch_mode? }
   before_action :set_cache_headers
-  before_action :set_body_classes
 
   skip_around_action :set_locale, if: -> { [:json, :rss].include?(request.format&.to_sym) }
-  skip_before_action :require_functional!
+  skip_before_action :require_functional!, unless: :whitelist_mode?
 
   def show
     respond_to do |format|
       format.html do
         expires_in 0, public: true unless user_signed_in?
 
-        @pinned_statuses   = []
-        @endorsed_accounts = @account.endorsed_accounts.to_a.sample(4)
-        @featured_hashtags = @account.featured_tags.order(statuses_count: :desc)
-
-        if current_account && @account.blocking?(current_account)
-          @statuses = []
-          return
-        end
-
-        @pinned_statuses = cache_collection(@account.pinned_statuses, Status) if show_pinned_statuses?
-        @statuses        = filtered_status_page(params)
-        @statuses        = cache_collection(@statuses, Status)
-        @rss_url         = rss_url
-
-        unless @statuses.empty?
-          @older_url = older_url if @statuses.last.id > filtered_statuses.last.id
-          @newer_url = newer_url if @statuses.first.id < filtered_statuses.first.id
-        end
+        @rss_url = rss_url
       end
 
       format.rss do
         expires_in 1.minute, public: true
 
-        @statuses = filtered_statuses.without_reblogs.without_replies.limit(PAGE_SIZE)
+        limit     = params[:limit].present? ? [params[:limit].to_i, PAGE_SIZE_MAX].min : PAGE_SIZE
+        @statuses = filtered_statuses.without_reblogs.limit(limit)
         @statuses = cache_collection(@statuses, Status)
-        render xml: RSS::AccountSerializer.render(@account, @statuses, params[:tag])
       end
 
       format.json do
         expires_in 3.minutes, public: !(authorized_fetch_mode? && signed_request_account.present?)
-        render_with_cache json: @account, content_type: 'application/activity+json', serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter, fields: restrict_fields_to
+        render_with_cache json: @account, content_type: 'application/activity+json', serializer: ActivityPub::ActorSerializer, adapter: ActivityPub::Adapter
       end
     end
   end
 
   private
 
-  def set_body_classes
-    @body_classes = 'with-modals'
-  end
-
-  def show_pinned_statuses?
-    [replies_requested?, media_requested?, tag_requested?, params[:max_id].present?, params[:min_id].present?].none?
-  end
-
   def filtered_statuses
     default_statuses.tap do |statuses|
       statuses.merge!(hashtag_scope)    if tag_requested?
@@ -75,11 +51,7 @@ class AccountsController < ApplicationController
   end
 
   def only_media_scope
-    Status.where(id: account_media_status_ids)
-  end
-
-  def account_media_status_ids
-    @account.media_attachments.attached.reorder(nil).select(:status_id).distinct
+    Status.joins(:media_attachments).merge(@account.media_attachments.reorder(nil)).group(:id)
   end
 
   def no_replies_scope
@@ -100,6 +72,10 @@ class AccountsController < ApplicationController
     params[:username]
   end
 
+  def skip_temporary_suspension_response?
+    request.format == :json
+  end
+
   def rss_url
     if tag_requested?
       short_account_tag_url(@account, params[:tag], format: 'rss')
@@ -108,51 +84,28 @@ class AccountsController < ApplicationController
     end
   end
 
-  def older_url
-    pagination_url(max_id: @statuses.last.id)
-  end
-
-  def newer_url
-    pagination_url(min_id: @statuses.first.id)
-  end
-
-  def pagination_url(max_id: nil, min_id: nil)
-    if tag_requested?
-      short_account_tag_url(@account, params[:tag], max_id: max_id, min_id: min_id)
-    elsif media_requested?
-      short_account_media_url(@account, max_id: max_id, min_id: min_id)
-    elsif replies_requested?
-      short_account_with_replies_url(@account, max_id: max_id, min_id: min_id)
-    else
-      short_account_url(@account, max_id: max_id, min_id: min_id)
-    end
-  end
-
   def media_requested?
-    request.path.ends_with?('/media') && !tag_requested?
+    request.path.split('.').first.end_with?('/media') && !tag_requested?
   end
 
   def replies_requested?
-    request.path.ends_with?('/with_replies') && !tag_requested?
+    request.path.split('.').first.end_with?('/with_replies') && !tag_requested?
   end
 
   def tag_requested?
-    request.path.split('.').first.ends_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
+    request.path.split('.').first.end_with?(Addressable::URI.parse("/tagged/#{params[:tag]}").normalize)
   end
 
-  def filtered_status_page(params)
-    if params[:min_id].present?
-      filtered_statuses.paginate_by_min_id(PAGE_SIZE, params[:min_id]).reverse
-    else
-      filtered_statuses.paginate_by_max_id(PAGE_SIZE, params[:max_id], params[:since_id]).to_a
-    end
+  def cached_filtered_status_page
+    cache_collection_paginated_by_id(
+      filtered_statuses,
+      Status,
+      PAGE_SIZE,
+      params_slice(:max_id, :min_id, :since_id)
+    )
   end
 
-  def restrict_fields_to
-    if signed_request_account.present? || public_fetch_mode?
-      # Return all fields
-    else
-      %i(id type preferred_username inbox public_key endpoints)
-    end
+  def params_slice(*keys)
+    params.slice(*keys).permit(*keys)
   end
 end

app/controllers/activitypub/base_controller.rb

@@ -2,10 +2,16 @@
 
 class ActivityPub::BaseController < Api::BaseController
   skip_before_action :require_authenticated_user!
+  skip_before_action :require_not_suspended!
+  skip_around_action :set_locale
 
   private
 
   def set_cache_headers
     response.headers['Vary'] = 'Signature' if authorized_fetch_mode?
   end
+
+  def skip_temporary_suspension_response?
+    false
+  end
 end

app/controllers/activitypub/claims_controller.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class ActivityPub::ClaimsController < ActivityPub::BaseController
+  include SignatureVerification
+  include AccountOwnedConcern
+
+  skip_before_action :authenticate_user!
+
+  before_action :require_account_signature!
+  before_action :set_claim_result
+
+  def create
+    render json: @claim_result, serializer: ActivityPub::OneTimeKeySerializer
+  end
+
+  private
+
+  def set_claim_result
+    @claim_result = ::Keys::ClaimService.new.call(@account.id, params[:id])
+  end
+end

app/controllers/activitypub/collections_controller.rb

@@ -4,49 +4,71 @@ class ActivityPub::CollectionsController < ActivityPub::BaseController
   include SignatureVerification
   include AccountOwnedConcern
 
-  before_action :require_signature!, if: :authorized_fetch_mode?
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
+  before_action :set_items
   before_action :set_size
-  before_action :set_statuses
+  before_action :set_type
   before_action :set_cache_headers
 
   def show
     expires_in 3.minutes, public: public_fetch_mode?
-    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter, skip_activities: true
+    render_with_cache json: collection_presenter, content_type: 'application/activity+json', serializer: ActivityPub::CollectionSerializer, adapter: ActivityPub::Adapter
   end
 
   private
 
-  def set_statuses
-    @statuses = scope_for_collection
-    @statuses = cache_collection(@statuses, Status)
+  def set_items
+    case params[:id]
+    when 'featured'
+      @items = for_signed_account { cache_collection(@account.pinned_statuses, Status) }
+      @items = @items.map { |item| item.distributable? ? item : ActivityPub::TagManager.instance.uri_for(item) }
+    when 'tags'
+      @items = for_signed_account { @account.featured_tags }
+    when 'devices'
+      @items = @account.devices
+    else
+      not_found
+    end
   end
 
   def set_size
     case params[:id]
-    when 'featured'
-      @account.pinned_statuses.count
+    when 'featured', 'devices', 'tags'
+      @size = @items.size
     else
-      raise ActiveRecord::RecordNotFound
+      not_found
     end
   end
 
-  def scope_for_collection
+  def set_type
     case params[:id]
     when 'featured'
-      return Status.none if @account.blocking?(signed_request_account)
-
-      @account.pinned_statuses
+      @type = :ordered
+    when 'devices', 'tags'
+      @type = :unordered
     else
-      raise ActiveRecord::RecordNotFound
+      not_found
     end
   end
 
   def collection_presenter
     ActivityPub::CollectionPresenter.new(
       id: account_collection_url(@account, params[:id]),
-      type: :ordered,
+      type: @type,
       size: @size,
-      items: @statuses
+      items: @items
     )
   end
+
+  def for_signed_account
+    # Because in public fetch mode we cache the response, there would be no
+    # benefit from performing the check below, since a blocked account or domain
+    # would likely be served the cache from the reverse proxy anyway
+
+    if authorized_fetch_mode? && !signed_request_account.nil? && (@account.blocking?(signed_request_account) || (!signed_request_account.domain.nil? && @account.domain_blocking?(signed_request_account.domain)))
+      []
+    else
+      yield
+    end
+  end
 end

app/controllers/activitypub/followers_synchronizations_controller.rb

@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+class ActivityPub::FollowersSynchronizationsController < ActivityPub::BaseController
+  include SignatureVerification
+  include AccountOwnedConcern
+
+  before_action :require_account_signature!
+  before_action :set_items
+  before_action :set_cache_headers
+
+  def show
+    expires_in 0, public: false
+    render json: collection_presenter,
+           serializer: ActivityPub::CollectionSerializer,
+           adapter: ActivityPub::Adapter,
+           content_type: 'application/activity+json'
+  end
+
+  private
+
+  def uri_prefix
+    signed_request_account.uri[Account::URL_PREFIX_RE]
+  end
+
+  def set_items
+    @items = @account.followers.where(Account.arel_table[:uri].matches("#{Account.sanitize_sql_like(uri_prefix)}/%", false, true)).or(@account.followers.where(uri: uri_prefix)).pluck(:uri)
+  end
+
+  def collection_presenter
+    ActivityPub::CollectionPresenter.new(
+      id: account_followers_synchronization_url(@account),
+      type: :ordered,
+      items: @items
+    )
+  end
+end

app/controllers/activitypub/inboxes_controller.rb

@@ -5,25 +5,26 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
   include JsonLdHelper
   include AccountOwnedConcern
 
-  before_action :skip_unknown_actor_delete
-  before_action :require_signature!
+  before_action :skip_unknown_actor_activity
+  before_action :require_actor_signature!
   skip_before_action :authenticate_user!
 
   def create
     upgrade_account
+    process_collection_synchronization
     process_payload
     head 202
   end
 
   private
 
-  def skip_unknown_actor_delete
-    head 202 if unknown_deleted_account?
+  def skip_unknown_actor_activity
+    head 202 if unknown_affected_account?
   end
 
-  def unknown_deleted_account?
+  def unknown_affected_account?
     json = Oj.load(body, mode: :strict)
-    json.is_a?(Hash) && json['type'] == 'Delete' && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.where(uri: json['actor']).exists?
+    json.is_a?(Hash) && %w(Delete Update).include?(json['type']) && json['actor'].present? && json['actor'] == value_or_id(json['object']) && !Account.where(uri: json['actor']).exists?
   rescue Oj::ParseError
     false
   end
@@ -32,6 +33,10 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
     params[:account_username].present?
   end
 
+  def skip_temporary_suspension_response?
+    true
+  end
+
   def body
     return @body if defined?(@body)
 
@@ -44,15 +49,28 @@ class ActivityPub::InboxesController < ActivityPub::BaseController
   end
 
   def upgrade_account
-    if signed_request_account.ostatus?
+    if signed_request_account&.ostatus?
       signed_request_account.update(last_webfingered_at: nil)
       ResolveAccountWorker.perform_async(signed_request_account.acct)
     end
 
-    DeliveryFailureTracker.track_inverse_success!(signed_request_account)
+    DeliveryFailureTracker.reset!(signed_request_actor.inbox_url)
+  end
+
+  def process_collection_synchronization
+    raw_params = request.headers['Collection-Synchronization']
+    return if raw_params.blank? || ENV['DISABLE_FOLLOWERS_SYNCHRONIZATION'] == 'true' || signed_request_account.nil?
+
+    # Re-using the syntax for signature parameters
+    tree   = SignatureParamsParser.new.parse(raw_params)
+    params = SignatureParamsTransformer.new.apply(tree)
+
+    ActivityPub::PrepareFollowersSynchronizationService.new.call(signed_request_account, params)
+  rescue Parslet::ParseFailed
+    Rails.logger.warn 'Error parsing Collection-Synchronization header'
   end
 
   def process_payload
-    ActivityPub::ProcessingWorker.perform_async(signed_request_account.id, body, @account&.id)
+    ActivityPub::ProcessingWorker.perform_async(signed_request_actor.id, body, @account&.id, signed_request_actor.class.name)
   end
 end

app/controllers/activitypub/outboxes_controller.rb

@@ -6,12 +6,16 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   include SignatureVerification
   include AccountOwnedConcern
 
-  before_action :require_signature!, if: :authorized_fetch_mode?
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
   before_action :set_statuses
   before_action :set_cache_headers
 
   def show
-    expires_in(page_requested? ? 0 : 3.minutes, public: public_fetch_mode?)
+    if page_requested?
+      expires_in(1.minute, public: public_fetch_mode? && signed_request_account.nil?)
+    else
+      expires_in(3.minutes, public: public_fetch_mode?)
+    end
     render json: outbox_presenter, serializer: ActivityPub::OutboxSerializer, adapter: ActivityPub::Adapter, content_type: 'application/activity+json'
   end
 
@@ -20,45 +24,64 @@ class ActivityPub::OutboxesController < ActivityPub::BaseController
   def outbox_presenter
     if page_requested?
       ActivityPub::CollectionPresenter.new(
-        id: account_outbox_url(@account, page_params),
+        id: outbox_url(**page_params),
         type: :ordered,
-        part_of: account_outbox_url(@account),
+        part_of: outbox_url,
         prev: prev_page,
         next: next_page,
         items: @statuses
       )
     else
       ActivityPub::CollectionPresenter.new(
-        id: account_outbox_url(@account),
+        id: outbox_url,
         type: :ordered,
         size: @account.statuses_count,
-        first: account_outbox_url(@account, page: true),
-        last: account_outbox_url(@account, page: true, min_id: 0)
+        first: outbox_url(page: true),
+        last: outbox_url(page: true, min_id: 0)
       )
     end
   end
 
+  def outbox_url(**kwargs)
+    if params[:account_username].present?
+      account_outbox_url(@account, **kwargs)
+    else
+      instance_actor_outbox_url(**kwargs)
+    end
+  end
+
   def next_page
-    account_outbox_url(@account, page: true, max_id: @statuses.last.id) if @statuses.size == LIMIT
+    outbox_url(page: true, max_id: @statuses.last.id) if @statuses.size == LIMIT
   end
 
   def prev_page
-    account_outbox_url(@account, page: true, min_id: @statuses.first.id) unless @statuses.empty?
+    outbox_url(page: true, min_id: @statuses.first.id) unless @statuses.empty?
   end
 
   def set_statuses
     return unless page_requested?
 
-    @statuses = @account.statuses.permitted_for(@account, signed_request_account)
-    @statuses = params[:min_id].present? ? @statuses.paginate_by_min_id(LIMIT, params[:min_id]).reverse : @statuses.paginate_by_max_id(LIMIT, params[:max_id])
-    @statuses = cache_collection(@statuses, Status)
+    @statuses = cache_collection_paginated_by_id(
+      AccountStatusesFilter.new(@account, signed_request_account).results,
+      Status,
+      LIMIT,
+      params_slice(:max_id, :min_id, :since_id)
+    )
   end
 
   def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
   end
 
   def page_params
     { page: true, max_id: params[:max_id], min_id: params[:min_id] }.compact
   end
+
+  def set_account
+    @account = params[:account_username].present? ? Account.find_local!(username_param) : Account.representative
+  end
+
+  def set_cache_headers
+    response.headers['Vary'] = 'Signature' if authorized_fetch_mode? || page_requested?
+  end
 end

app/controllers/activitypub/replies_controller.rb

@@ -1,13 +1,13 @@
 # frozen_string_literal: true
 
 class ActivityPub::RepliesController < ActivityPub::BaseController
-  include SignatureAuthentication
+  include SignatureVerification
   include Authorization
   include AccountOwnedConcern
 
   DESCENDANTS_LIMIT = 60
 
-  before_action :require_signature!, if: :authorized_fetch_mode?
+  before_action :require_account_signature!, if: :authorized_fetch_mode?
   before_action :set_status
   before_action :set_cache_headers
   before_action :set_replies
@@ -19,15 +19,19 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
 
   private
 
+  def pundit_user
+    signed_request_account
+  end
+
   def set_status
     @status = @account.statuses.find(params[:status_id])
     authorize @status, :show?
   rescue Mastodon::NotPermittedError
-    raise ActiveRecord::RecordNotFound
+    not_found
   end
 
   def set_replies
-    @replies = page_params[:only_other_accounts] ? Status.where.not(account_id: @account.id) : @account.statuses
+    @replies = only_other_accounts? ? Status.where.not(account_id: @account.id).joins(:account).merge(Account.without_suspended) : @account.statuses
     @replies = @replies.where(in_reply_to_id: @status.id, visibility: [:public, :unlisted])
     @replies = @replies.paginate_by_min_id(DESCENDANTS_LIMIT, params[:min_id])
   end
@@ -38,7 +42,7 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
       type: :unordered,
       part_of: account_status_replies_url(@account, @status),
       next: next_page,
-      items: @replies.map { |status| status.local ? status : status.uri }
+      items: @replies.map { |status| status.local? ? status : status.uri }
     )
 
     return page if page_requested?
@@ -51,18 +55,37 @@ class ActivityPub::RepliesController < ActivityPub::BaseController
   end
 
   def page_requested?
-    params[:page] == 'true'
+    truthy_param?(:page)
+  end
+
+  def only_other_accounts?
+    truthy_param?(:only_other_accounts)
   end
 
   def next_page
-    only_other_accounts = !(@replies&.last&.account_id == @account.id && @replies.size == DESCENDANTS_LIMIT)
-    account_status_replies_url(
-      @account,
-      @status,
-      page: true,
-      min_id: only_other_accounts && !page_params[:only_other_accounts] ? nil : @replies&.last&.id,
-      only_other_accounts: only_other_accounts
-    )
+    if only_other_accounts?
+      # Only consider remote accounts
+      return nil if @replies.size < DESCENDANTS_LIMIT
+
+      account_status_replies_url(
+        @account,
+        @status,
+        page: true,
+        min_id: @replies&.last&.id,
+        only_other_accounts: true
+      )
+    else
+      # For now, we're serving only self-replies, but next page might be other accounts
+      next_only_other_accounts = @replies&.last&.account_id != @account.id || @replies.size < DESCENDANTS_LIMIT
+
+      account_status_replies_url(
+        @account,
+        @status,
+        page: true,
+        min_id: next_only_other_accounts ? nil : @replies&.last&.id,
+        only_other_accounts: next_only_other_accounts
+      )
+    end
   end
 
   def page_params

app/controllers/admin/account_actions_controller.rb

@@ -5,11 +5,15 @@ module Admin
     before_action :set_account
 
     def new
+      authorize @account, :show?
+
       @account_action  = Admin::AccountAction.new(type: params[:type], report_id: params[:report_id], send_email_notification: true, include_statuses: true)
       @warning_presets = AccountWarningPreset.all
     end
 
     def create
+      authorize @account, :show?
+
       account_action                 = Admin::AccountAction.new(resource_params)
       account_action.target_account  = @account
       account_action.current_account = current_account
@@ -17,7 +21,7 @@ module Admin
       account_action.save!
 
       if account_action.with_report?
-        redirect_to admin_reports_path
+        redirect_to admin_reports_path, notice: I18n.t('admin.reports.processed_msg', id: resource_params[:report_id])
       else
         redirect_to admin_account_path(@account.id)
       end

app/controllers/admin/account_moderation_notes_controller.rb

@@ -14,7 +14,7 @@ module Admin
       else
         @account          = @account_moderation_note.target_account
         @moderation_notes = @account.targeted_moderation_notes.latest
-        @warnings         = @account.targeted_account_warnings.latest.custom
+        @warnings         = @account.strikes.custom.latest
 
         render template: 'admin/accounts/show'
       end

app/controllers/admin/accounts_controller.rb

@@ -2,61 +2,96 @@
 
 module Admin
   class AccountsController < BaseController
-    before_action :set_account, only: [:show, :redownload, :remove_avatar, :remove_header, :enable, :unsilence, :unsuspend, :memorialize, :approve, :reject]
+    before_action :set_account, except: [:index, :batch]
     before_action :require_remote_account!, only: [:redownload]
     before_action :require_local_account!, only: [:enable, :memorialize, :approve, :reject]
 
     def index
       authorize :account, :index?
+
       @accounts = filtered_accounts.page(params[:page])
+      @form     = Form::AccountBatch.new
+    end
+
+    def batch
+      authorize :account, :index?
+
+      @form = Form::AccountBatch.new(form_account_batch_params)
+      @form.current_account = current_account
+      @form.action = action_from_button
+      @form.select_all_matching = params[:select_all_matching]
+      @form.query = filtered_accounts
+      @form.save
+    rescue ActionController::ParameterMissing
+      flash[:alert] = I18n.t('admin.accounts.no_account_selected')
+    ensure
+      redirect_to admin_accounts_path(filter_params)
     end
 
     def show
       authorize @account, :show?
 
+      @deletion_request        = @account.deletion_request
       @account_moderation_note = current_account.account_moderation_notes.new(target_account: @account)
       @moderation_notes        = @account.targeted_moderation_notes.latest
-      @warnings                = @account.targeted_account_warnings.latest.custom
+      @warnings                = @account.strikes.includes(:target_account, :account, :appeal).latest
+      @domain_block            = DomainBlock.rule_for(@account.domain)
     end
 
     def memorialize
       authorize @account, :memorialize?
       @account.memorialize!
       log_action :memorialize, @account
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.memorialized_msg', username: @account.acct)
     end
 
     def enable
       authorize @account.user, :enable?
       @account.user.enable!
       log_action :enable, @account.user
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.enabled_msg', username: @account.acct)
     end
 
     def approve
       authorize @account.user, :approve?
       @account.user.approve!
-      redirect_to admin_pending_accounts_path
+      log_action :approve, @account.user
+      redirect_to admin_accounts_path(status: 'pending'), notice: I18n.t('admin.accounts.approved_msg', username: @account.acct)
     end
 
     def reject
       authorize @account.user, :reject?
-      SuspendAccountService.new.call(@account, reserve_email: false, reserve_username: false)
-      redirect_to admin_pending_accounts_path
+      DeleteAccountService.new.call(@account, reserve_email: false, reserve_username: false)
+      log_action :reject, @account.user
+      redirect_to admin_accounts_path(status: 'pending'), notice: I18n.t('admin.accounts.rejected_msg', username: @account.acct)
+    end
+
+    def destroy
+      authorize @account, :destroy?
+      Admin::AccountDeletionWorker.perform_async(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.destroyed_msg', username: @account.acct)
+    end
+
+    def unsensitive
+      authorize @account, :unsensitive?
+      @account.unsensitize!
+      log_action :unsensitive, @account
+      redirect_to admin_account_path(@account.id)
     end
 
     def unsilence
       authorize @account, :unsilence?
       @account.unsilence!
       log_action :unsilence, @account
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.unsilenced_msg', username: @account.acct)
     end
 
     def unsuspend
       authorize @account, :unsuspend?
       @account.unsuspend!
+      Admin::UnsuspensionWorker.perform_async(@account.id)
       log_action :unsuspend, @account
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.unsuspended_msg', username: @account.acct)
     end
 
     def redownload
@@ -65,7 +100,7 @@ module Admin
       @account.update!(last_webfingered_at: nil)
       ResolveAccountService.new.call(@account)
 
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.redownloaded_msg', username: @account.acct)
     end
 
     def remove_avatar
@@ -76,7 +111,7 @@ module Admin
 
       log_action :remove_avatar, @account.user
 
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.removed_avatar_msg', username: @account.acct)
     end
 
     def remove_header
@@ -87,7 +122,17 @@ module Admin
 
       log_action :remove_header, @account.user
 
-      redirect_to admin_account_path(@account.id)
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.removed_header_msg', username: @account.acct)
+    end
+
+    def unblock_email
+      authorize @account, :unblock_email?
+
+      CanonicalEmailBlock.where(reference_account: @account).delete_all
+
+      log_action :unblock_email, @account
+
+      redirect_to admin_account_path(@account.id), notice: I18n.t('admin.accounts.unblocked_email_msg', username: @account.acct)
     end
 
     private
@@ -105,11 +150,25 @@ module Admin
     end
 
     def filtered_accounts
-      AccountFilter.new(filter_params).results
+      AccountFilter.new(filter_params.with_defaults(order: 'recent')).results
     end
 
     def filter_params
-      params.slice(*AccountFilter::KEYS).permit(*AccountFilter::KEYS)
+      params.slice(:page, *AccountFilter::KEYS).permit(:page, *AccountFilter::KEYS)
+    end
+
+    def form_account_batch_params
+      params.require(:form_account_batch).permit(:action, account_ids: [])
+    end
+
+    def action_from_button
+      if params[:suspend]
+        'suspend'
+      elsif params[:approve]
+        'approve'
+      elsif params[:reject]
+        'reject'
+      end
     end
   end
 end

app/controllers/admin/action_logs_controller.rb

@@ -4,7 +4,10 @@ module Admin
   class ActionLogsController < BaseController
     before_action :set_action_logs
 
-    def index; end
+    def index
+      authorize :audit_log, :index?
+      @auditable_accounts = Account.where(id: Admin::ActionLog.reorder(nil).select('distinct account_id')).select(:id, :username)
+    end
 
     private
 

app/controllers/admin/announcements_controller.rb

@@ -71,7 +71,7 @@ class Admin::AnnouncementsController < Admin::BaseController
   private
 
   def set_announcements
-    @announcements = AnnouncementFilter.new(filter_params).results.page(params[:page])
+    @announcements = AnnouncementFilter.new(filter_params).results.reverse_chronological.page(params[:page])
   end
 
   def set_announcement

app/controllers/admin/base_controller.rb

@@ -7,8 +7,8 @@ module Admin
 
     layout 'admin'
 
-    before_action :require_staff!
     before_action :set_body_classes
+    after_action :verify_authorized
 
     private
 

app/controllers/admin/confirmations_controller.rb

@@ -17,7 +17,7 @@ module Admin
 
       @user.resend_confirmation_instructions
 
-      log_action :confirm, @user
+      log_action :resend, @user
 
       flash[:notice] = I18n.t('admin.accounts.resend_confirmation.success')
       redirect_to admin_accounts_path

app/controllers/admin/custom_emojis_controller.rb

@@ -29,10 +29,14 @@ module Admin
     end
 
     def batch
+      authorize :custom_emoji, :index?
+
       @form = Form::CustomEmojiBatch.new(form_custom_emoji_batch_params.merge(current_account: current_account, action: action_from_button))
       @form.save
     rescue ActionController::ParameterMissing
-      flash[:alert] = I18n.t('admin.accounts.no_account_selected')
+      flash[:alert] = I18n.t('admin.custom_emojis.no_emoji_selected')
+    rescue Mastodon::NotPermittedError
+      flash[:alert] = I18n.t('admin.custom_emojis.not_permitted')
     ensure
       redirect_to admin_custom_emojis_path(filter_params)
     end

app/controllers/admin/dashboard_controller.rb

@@ -1,55 +1,28 @@
 # frozen_string_literal: true
-require 'sidekiq/api'
 
 module Admin
   class DashboardController < BaseController
+    include Redisable
+
     def index
-      @users_count           = User.count
+      authorize :dashboard, :index?
+
+      @system_checks         = Admin::SystemCheck.perform(current_user)
+      @time_period           = (29.days.ago.to_date...Time.now.utc.to_date)
       @pending_users_count   = User.pending.count
-      @registrations_week    = Redis.current.get("activity:accounts:local:#{current_week}") || 0
-      @logins_week           = Redis.current.pfcount("activity:logins:#{current_week}")
-      @interactions_week     = Redis.current.get("activity:interactions:#{current_week}") || 0
-      @relay_enabled         = Relay.enabled.exists?
-      @single_user_mode      = Rails.configuration.x.single_user_mode
-      @registrations_enabled = Setting.registrations_mode != 'none'
-      @deletions_enabled     = Setting.open_deletion
-      @invites_enabled       = Setting.min_invite_role == 'user'
-      @search_enabled        = Chewy.enabled?
-      @version               = Mastodon::Version.to_s
-      @database_version      = ActiveRecord::Base.connection.execute('SELECT VERSION()').first['version'].match(/\A(?:PostgreSQL |)([^\s]+).*\z/)[1]
-      @redis_version         = redis_info['redis_version']
-      @reports_count         = Report.unresolved.count
-      @queue_backlog         = Sidekiq::Stats.new.enqueued
-      @recent_users          = User.confirmed.recent.includes(:account).limit(8)
-      @database_size         = ActiveRecord::Base.connection.execute('SELECT pg_database_size(current_database())').first['pg_database_size']
-      @redis_size            = redis_info['used_memory']
-      @ldap_enabled          = ENV['LDAP_ENABLED'] == 'true'
-      @cas_enabled           = ENV['CAS_ENABLED'] == 'true'
-      @saml_enabled          = ENV['SAML_ENABLED'] == 'true'
-      @pam_enabled           = ENV['PAM_ENABLED'] == 'true'
-      @hidden_service        = ENV['ALLOW_ACCESS_TO_HIDDEN_SERVICE'] == 'true'
-      @trending_hashtags     = TrendingTags.get(10, filtered: false)
+      @pending_reports_count = Report.unresolved.count
       @pending_tags_count    = Tag.pending_review.count
-      @authorized_fetch      = authorized_fetch_mode?
-      @whitelist_enabled     = whitelist_mode?
-      @profile_directory     = Setting.profile_directory
-      @timeline_preview      = Setting.timeline_preview
-      @spam_check_enabled    = Setting.spam_check_enabled
-      @trends_enabled        = Setting.trends
+      @pending_appeals_count = Appeal.pending.count
     end
 
     private
 
-    def current_week
-      @current_week ||= Time.now.utc.to_date.cweek
-    end
-
     def redis_info
       @redis_info ||= begin
-        if Redis.current.is_a?(Redis::Namespace)
-          Redis.current.redis.info
+        if redis.is_a?(Redis::Namespace)
+          redis.redis.info
         else
-          Redis.current.info
+          redis.info
         end
       end
     end

app/controllers/admin/disputes/appeals_controller.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+class Admin::Disputes::AppealsController < Admin::BaseController
+  before_action :set_appeal, except: :index
+
+  def index
+    authorize :appeal, :index?
+
+    @appeals = filtered_appeals.page(params[:page])
+  end
+
+  def approve
+    authorize @appeal, :approve?
+    log_action :approve, @appeal
+    ApproveAppealService.new.call(@appeal, current_account)
+    redirect_to disputes_strike_path(@appeal.strike)
+  end
+
+  def reject
+    authorize @appeal, :approve?
+    log_action :reject, @appeal
+    @appeal.reject!(current_account)
+    UserMailer.appeal_rejected(@appeal.account.user, @appeal)
+    redirect_to disputes_strike_path(@appeal.strike)
+  end
+
+  private
+
+  def filtered_appeals
+    Admin::AppealFilter.new(filter_params.with_defaults(status: 'pending')).results.includes(strike: :account)
+  end
+
+  def filter_params
+    params.slice(:page, *Admin::AppealFilter::KEYS).permit(:page, *Admin::AppealFilter::KEYS)
+  end
+
+  def set_appeal
+    @appeal = Appeal.find(params[:id])
+  end
+end

app/controllers/admin/domain_allows_controller.rb

@@ -25,6 +25,8 @@ class Admin::DomainAllowsController < Admin::BaseController
   def destroy
     authorize @domain_allow, :destroy?
     UnallowDomainService.new.call(@domain_allow)
+    log_action :destroy, @domain_allow
+
     redirect_to admin_instances_path, notice: I18n.t('admin.domain_allows.destroyed_msg')
   end
 

app/controllers/admin/domain_blocks_controller.rb

@@ -4,6 +4,18 @@ module Admin
   class DomainBlocksController < BaseController
     before_action :set_domain_block, only: [:show, :destroy, :edit, :update]
 
+    def batch
+      authorize :domain_block, :create?
+      @form = Form::DomainBlockBatch.new(form_domain_block_batch_params.merge(current_account: current_account, action: action_from_button))
+      @form.save
+    rescue ActionController::ParameterMissing
+      flash[:alert] = I18n.t('admin.domain_blocks.no_domain_block_selected')
+    rescue Mastodon::NotPermittedError
+      flash[:alert] = I18n.t('admin.domain_blocks.not_permitted')
+    else
+      redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
+    end
+
     def new
       authorize :domain_block, :create?
       @domain_block = DomainBlock.new(domain: params[:_domain])
@@ -22,13 +34,14 @@ module Admin
       if existing_domain_block.present? && !@domain_block.stricter_than?(existing_domain_block)
         @domain_block.save
         flash.now[:alert] = I18n.t('admin.domain_blocks.existing_domain_block_html', name: existing_domain_block.domain, unblock_url: admin_domain_block_path(existing_domain_block)).html_safe # rubocop:disable Rails/OutputSafety
-        @domain_block.errors[:domain].clear
+        @domain_block.errors.delete(:domain)
         render :new
       else
-        if existing_domain_block.present?
+        if existing_domain_block.present? && existing_domain_block.domain == TagManager.instance.normalize_domain(@domain_block.domain.strip)
           @domain_block = existing_domain_block
           @domain_block.update(resource_params)
         end
+
         if @domain_block.save
           DomainBlockWorker.perform_async(@domain_block.id)
           log_action :create, @domain_block
@@ -40,25 +53,17 @@ module Admin
     end
 
     def update
-      authorize :domain_block, :create?
+      authorize :domain_block, :update?
 
-      @domain_block.update(update_params)
-
-      severity_changed = @domain_block.severity_changed?
-
-      if @domain_block.save
-        DomainBlockWorker.perform_async(@domain_block.id, severity_changed)
-        log_action :create, @domain_block
+      if @domain_block.update(update_params)
+        DomainBlockWorker.perform_async(@domain_block.id, @domain_block.severity_previously_changed?)
+        log_action :update, @domain_block
         redirect_to admin_instances_path(limited: '1'), notice: I18n.t('admin.domain_blocks.created_msg')
       else
         render :edit
       end
     end
 
-    def show
-      authorize @domain_block, :show?
-    end
-
     def destroy
       authorize @domain_block, :destroy?
       UnblockDomainService.new.call(@domain_block)
@@ -73,11 +78,21 @@ module Admin
     end
 
     def update_params
-      params.require(:domain_block).permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment)
+      params.require(:domain_block).permit(:severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
     end
 
     def resource_params
-      params.require(:domain_block).permit(:domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment)
+      params.require(:domain_block).permit(:domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate)
+    end
+
+    def form_domain_block_batch_params
+      params.require(:form_domain_block_batch).permit(domain_blocks_attributes: [:enabled, :domain, :severity, :reject_media, :reject_reports, :private_comment, :public_comment, :obfuscate])
+    end
+
+    def action_from_button
+      if params[:save]
+        'save'
+      end
     end
   end
 end

app/controllers/admin/email_domain_blocks_controller.rb

@@ -6,7 +6,22 @@ module Admin
 
     def index
       authorize :email_domain_block, :index?
+
       @email_domain_blocks = EmailDomainBlock.where(parent_id: nil).includes(:children).order(id: :desc).page(params[:page])
+      @form                = Form::EmailDomainBlockBatch.new
+    end
+
+    def batch
+      authorize :email_domain_block, :index?
+
+      @form = Form::EmailDomainBlockBatch.new(form_email_domain_block_batch_params.merge(current_account: current_account, action: action_from_button))
+      @form.save
+    rescue ActionController::ParameterMissing
+      flash[:alert] = I18n.t('admin.email_domain_blocks.no_email_domain_block_selected')
+    rescue Mastodon::NotPermittedError
+      flash[:alert] = I18n.t('admin.email_domain_blocks.not_permitted')
+    ensure
+      redirect_to admin_email_domain_blocks_path
     end
 
     def new
@@ -19,41 +34,27 @@ module Admin
 
       @email_domain_block = EmailDomainBlock.new(resource_params)
 
-      if @email_domain_block.save
-        log_action :create, @email_domain_block
+      if action_from_button == 'save'
+        EmailDomainBlock.transaction do
+          @email_domain_block.save!
+          log_action :create, @email_domain_block
 
-        if @email_domain_block.with_dns_records?
-          hostnames = []
-          ips       = []
+          (@email_domain_block.other_domains || []).uniq.each do |domain|
+            next if EmailDomainBlock.where(domain: domain).exists?
 
-          Resolv::DNS.open do |dns|
-            dns.timeouts = 1
-
-            hostnames = dns.getresources(@email_domain_block.domain, Resolv::DNS::Resource::IN::MX).to_a.map { |e| e.exchange.to_s }
-
-            ([@email_domain_block.domain] + hostnames).uniq.each do |hostname|
-              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::A).to_a.map { |e| e.address.to_s })
-              ips.concat(dns.getresources(hostname, Resolv::DNS::Resource::IN::AAAA).to_a.map { |e| e.address.to_s })
-            end
-          end
-
-          (hostnames + ips).each do |hostname|
-            another_email_domain_block = EmailDomainBlock.new(domain: hostname, parent: @email_domain_block)
-            log_action :create, another_email_domain_block if another_email_domain_block.save
+            other_email_domain_block = EmailDomainBlock.create!(domain: domain, parent: @email_domain_block)
+            log_action :create, other_email_domain_block
           end
         end
 
         redirect_to admin_email_domain_blocks_path, notice: I18n.t('admin.email_domain_blocks.created_msg')
       else
+        set_resolved_records
         render :new
       end
-    end
-
-    def destroy
-      authorize @email_domain_block, :destroy?
-      @email_domain_block.destroy!
-      log_action :destroy, @email_domain_block
-      redirect_to admin_email_domain_blocks_path, notice: I18n.t('admin.email_domain_blocks.destroyed_msg')
+    rescue ActiveRecord::RecordInvalid
+      set_resolved_records
+      render :new
     end
 
     private
@@ -62,8 +63,27 @@ module Admin
       @email_domain_block = EmailDomainBlock.find(params[:id])
     end
 
+    def set_resolved_records
+      Resolv::DNS.open do |dns|
+        dns.timeouts = 5
+        @resolved_records = dns.getresources(@email_domain_block.domain, Resolv::DNS::Resource::IN::MX).to_a
+      end
+    end
+
     def resource_params
-      params.require(:email_domain_block).permit(:domain, :with_dns_records)
+      params.require(:email_domain_block).permit(:domain, other_domains: [])
+    end
+
+    def form_email_domain_block_batch_params
+      params.require(:form_email_domain_block_batch).permit(email_domain_block_ids: [])
+    end
+
+    def action_from_button
+      if params[:delete]
+        'delete'
+      elsif params[:save]
+        'save'
+      end
     end
   end
 end

app/controllers/admin/export_domain_allows_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'csv'
+
+module Admin
+  class ExportDomainAllowsController < BaseController
+    include AdminExportControllerConcern
+
+    before_action :set_dummy_import!, only: [:new]
+
+    def new
+      authorize :domain_allow, :create?
+    end
+
+    def export
+      authorize :instance, :index?
+      send_export_file
+    end
+
+    def import
+      authorize :domain_allow, :create?
+      begin
+        @import = Admin::Import.new(import_params)
+        return render :new unless @import.validate
+
+        @import.csv_rows.each do |row|
+          domain = row['#domain'].strip
+          next if DomainAllow.allowed?(domain)
+
+          domain_allow = DomainAllow.new(domain: domain)
+          log_action :create, domain_allow if domain_allow.save
+        end
+        flash[:notice] = I18n.t('admin.domain_allows.created_msg')
+      rescue ActionController::ParameterMissing
+        flash[:error] = I18n.t('admin.export_domain_allows.no_file')
+      end
+      redirect_to admin_instances_path
+    end
+
+    private
+
+    def export_filename
+      'domain_allows.csv'
+    end
+
+    def export_headers
+      %w(#domain)
+    end
+
+    def export_data
+      CSV.generate(headers: export_headers, write_headers: true) do |content|
+        DomainAllow.allowed_domains.each do |instance|
+          content << [instance.domain]
+        end
+      end
+    end
+  end
+end

app/controllers/admin/export_domain_blocks_controller.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require 'csv'
+
+module Admin
+  class ExportDomainBlocksController < BaseController
+    include AdminExportControllerConcern
+
+    before_action :set_dummy_import!, only: [:new]
+
+    def new
+      authorize :domain_block, :create?
+    end
+
+    def export
+      authorize :instance, :index?
+      send_export_file
+    end
+
+    def import
+      authorize :domain_block, :create?
+
+      @import = Admin::Import.new(import_params)
+      return render :new unless @import.validate
+
+      @global_private_comment = I18n.t('admin.export_domain_blocks.import.private_comment_template', source: @import.data_file_name, date: I18n.l(Time.now.utc))
+
+      @form = Form::DomainBlockBatch.new
+      @domain_blocks = @import.csv_rows.filter_map do |row|
+        domain = row['#domain'].strip
+        next if DomainBlock.rule_for(domain).present?
+
+        domain_block = DomainBlock.new(domain: domain,
+                                       severity: row.fetch('#severity', :suspend),
+                                       reject_media: row.fetch('#reject_media', false),
+                                       reject_reports: row.fetch('#reject_reports', false),
+                                       private_comment: @global_private_comment,
+                                       public_comment: row['#public_comment'],
+                                       obfuscate: row.fetch('#obfuscate', false))
+
+        if domain_block.invalid?
+          flash.now[:alert] = I18n.t('admin.export_domain_blocks.invalid_domain_block', error: domain_block.errors.full_messages.join(', '))
+          next
+        end
+
+        domain_block
+      rescue ArgumentError => e
+        flash.now[:alert] = I18n.t('admin.export_domain_blocks.invalid_domain_block', error: e.message)
+        next
+      end
+
+      @warning_domains = Instance.where(domain: @domain_blocks.map(&:domain)).where('EXISTS (SELECT 1 FROM follows JOIN accounts ON follows.account_id = accounts.id OR follows.target_account_id = accounts.id WHERE accounts.domain = instances.domain)').pluck(:domain)
+    rescue ActionController::ParameterMissing
+      flash.now[:alert] = I18n.t('admin.export_domain_blocks.no_file')
+      set_dummy_import!
+      render :new
+    end
+
+    private
+
+    def export_filename
+      'domain_blocks.csv'
+    end
+
+    def export_headers
+      %w(#domain #severity #reject_media #reject_reports #public_comment #obfuscate)
+    end
+
+    def export_data
+      CSV.generate(headers: export_headers, write_headers: true) do |content|
+        DomainBlock.with_limitations.each do |instance|
+          content << [instance.domain, instance.severity, instance.reject_media, instance.reject_reports, instance.public_comment, instance.obfuscate]
+        end
+      end
+    end
+  end
+end

app/controllers/admin/follow_recommendations_controller.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Admin
+  class FollowRecommendationsController < BaseController
+    before_action :set_language
+
+    def show
+      authorize :follow_recommendation, :show?
+
+      @form     = Form::AccountBatch.new
+      @accounts = filtered_follow_recommendations
+    end
+
+    def update
+      authorize :follow_recommendation, :show?
+
+      @form = Form::AccountBatch.new(form_account_batch_params.merge(current_account: current_account, action: action_from_button))
+      @form.save
+    rescue ActionController::ParameterMissing
+      # Do nothing
+    ensure
+      redirect_to admin_follow_recommendations_path(filter_params)
+    end
+
+    private
+
+    def set_language
+      @language = follow_recommendation_filter.language
+    end
+
+    def filtered_follow_recommendations
+      follow_recommendation_filter.results
+    end
+
+    def follow_recommendation_filter
+      @follow_recommendation_filter ||= FollowRecommendationFilter.new(filter_params)
+    end
+
+    def form_account_batch_params
+      params.require(:form_account_batch).permit(:action, account_ids: [])
+    end
+
+    def filter_params
+      params.slice(*FollowRecommendationFilter::KEYS).permit(*FollowRecommendationFilter::KEYS)
+    end
+
+    def action_from_button
+      if params[:suppress]
+        'suppress_follow_recommendation'
+      elsif params[:unsuppress]
+        'unsuppress_follow_recommendation'
+      end
+    end
+  end
+end

app/controllers/admin/instances_controller.rb

@@ -2,48 +2,65 @@
 
 module Admin
   class InstancesController < BaseController
-    before_action :set_domain_block, only: :show
-    before_action :set_domain_allow, only: :show
-    before_action :set_instance, only: :show
+    before_action :set_instances, only: :index
+    before_action :set_instance, except: :index
 
     def index
       authorize :instance, :index?
-
-      @instances = ordered_instances
+      preload_delivery_failures!
     end
 
     def show
       authorize :instance, :show?
+      @time_period = (6.days.ago.to_date...Time.now.utc.to_date)
+    end
 
-      @following_count = Follow.where(account: Account.where(domain: params[:id])).count
-      @followers_count = Follow.where(target_account: Account.where(domain: params[:id])).count
-      @reports_count   = Report.where(target_account: Account.where(domain: params[:id])).count
-      @blocks_count    = Block.where(target_account: Account.where(domain: params[:id])).count
-      @available       = DeliveryFailureTracker.available?(Account.select(:shared_inbox_url).where(domain: params[:id]).first&.shared_inbox_url)
-      @media_storage   = MediaAttachment.where(account: Account.where(domain: params[:id])).sum(:file_file_size)
-      @private_comment = @domain_block&.private_comment
-      @public_comment  = @domain_block&.public_comment
+    def destroy
+      authorize :instance, :destroy?
+      Admin::DomainPurgeWorker.perform_async(@instance.domain)
+      log_action :destroy, @instance
+      redirect_to admin_instances_path, notice: I18n.t('admin.instances.destroyed_msg', domain: @instance.domain)
+    end
+
+    def clear_delivery_errors
+      authorize :delivery, :clear_delivery_errors?
+      @instance.delivery_failure_tracker.clear_failures!
+      redirect_to admin_instance_path(@instance.domain)
+    end
+
+    def restart_delivery
+      authorize :delivery, :restart_delivery?
+
+      if @instance.unavailable?
+        @instance.delivery_failure_tracker.track_success!
+        log_action :destroy, @instance.unavailable_domain
+      end
+
+      redirect_to admin_instance_path(@instance.domain)
+    end
+
+    def stop_delivery
+      authorize :delivery, :stop_delivery?
+      unavailable_domain = UnavailableDomain.create!(domain: @instance.domain)
+      log_action :create, unavailable_domain
+      redirect_to admin_instance_path(@instance.domain)
     end
 
     private
 
-    def set_domain_block
-      @domain_block = DomainBlock.rule_for(params[:id])
-    end
-
-    def set_domain_allow
-      @domain_allow = DomainAllow.rule_for(params[:id])
-    end
-
     def set_instance
-      resource   = Account.by_domain_accounts.find_by(domain: params[:id])
-      resource ||= @domain_block
-      resource ||= @domain_allow
+      @instance = Instance.find(TagManager.instance.normalize_domain(params[:id]&.strip))
+    end
 
-      if resource
-        @instance = Instance.new(resource)
-      else
-        not_found
+    def set_instances
+      @instances = filtered_instances.page(params[:page])
+    end
+
+    def preload_delivery_failures!
+      warning_domains_map = DeliveryFailureTracker.warning_domains_map(@instances.map(&:domain))
+
+      @instances.each do |instance|
+        instance.failure_days = warning_domains_map[instance.domain]
       end
     end
 
@@ -51,16 +68,6 @@ module Admin
       InstanceFilter.new(whitelist_mode? ? { allowed: true } : filter_params).results
     end
 
-    def paginated_instances
-      filtered_instances.page(params[:page])
-    end
-
-    helper_method :paginated_instances
-
-    def ordered_instances
-      paginated_instances.map { |resource| Instance.new(resource) }
-    end
-
     def filter_params
       params.slice(*InstanceFilter::KEYS).permit(*InstanceFilter::KEYS)
     end

app/controllers/admin/ip_blocks_controller.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module Admin
+  class IpBlocksController < BaseController
+    def index
+      authorize :ip_block, :index?
+
+      @ip_blocks = IpBlock.order(ip: :asc).page(params[:page])
+      @form      = Form::IpBlockBatch.new
+    end
+
+    def new
+      authorize :ip_block, :create?
+
+      @ip_block = IpBlock.new(ip: '', severity: :no_access, expires_in: 1.year)
+    end
+
+    def create
+      authorize :ip_block, :create?
+
+      @ip_block = IpBlock.new(resource_params)
+
+      if @ip_block.save
+        log_action :create, @ip_block
+        redirect_to admin_ip_blocks_path, notice: I18n.t('admin.ip_blocks.created_msg')
+      else
+        render :new
+      end
+    end
+
+    def batch
+      authorize :ip_block, :index?
+
+      @form = Form::IpBlockBatch.new(form_ip_block_batch_params.merge(current_account: current_account, action: action_from_button))
+      @form.save
+    rescue ActionController::ParameterMissing
+      flash[:alert] = I18n.t('admin.ip_blocks.no_ip_block_selected')
+    rescue Mastodon::NotPermittedError
+      flash[:alert] = I18n.t('admin.custom_emojis.not_permitted')
+    ensure
+      redirect_to admin_ip_blocks_path
+    end
+
+    private
+
+    def resource_params
+      params.require(:ip_block).permit(:ip, :severity, :comment, :expires_in)
+    end
+
+    def action_from_button
+      'delete' if params[:delete]
+    end
+
+    def form_ip_block_batch_params
+      params.require(:form_ip_block_batch).permit(ip_block_ids: [])
+    end
+  end
+end

app/controllers/admin/pending_accounts_controller.rb

@@ -1,52 +0,0 @@
-# frozen_string_literal: true
-
-module Admin
-  class PendingAccountsController < BaseController
-    before_action :set_accounts, only: :index
-
-    def index
-      @form = Form::AccountBatch.new
-    end
-
-    def batch
-      @form = Form::AccountBatch.new(form_account_batch_params.merge(current_account: current_account, action: action_from_button))
-      @form.save
-    rescue ActionController::ParameterMissing
-      flash[:alert] = I18n.t('admin.accounts.no_account_selected')
-    ensure
-      redirect_to admin_pending_accounts_path(current_params)
-    end
-
-    def approve_all
-      Form::AccountBatch.new(current_account: current_account, account_ids: User.pending.pluck(:account_id), action: 'approve').save
-      redirect_to admin_pending_accounts_path(current_params)
-    end
-
-    def reject_all
-      Form::AccountBatch.new(current_account: current_account, account_ids: User.pending.pluck(:account_id), action: 'reject').save
-      redirect_to admin_pending_accounts_path(current_params)
-    end
-
-    private
-
-    def set_accounts
-      @accounts = Account.joins(:user).merge(User.pending.recent).includes(user: :invite_request).page(params[:page])
-    end
-
-    def form_account_batch_params
-      params.require(:form_account_batch).permit(:action, account_ids: [])
-    end
-
-    def action_from_button
-      if params[:approve]
-        'approve'
-      elsif params[:reject]
-        'reject'
-      end
-    end
-
-    def current_params
-      params.slice(:page).permit(:page)
-    end
-  end
-end

app/controllers/admin/relationships_controller.rb

@@ -7,9 +7,10 @@ module Admin
     PER_PAGE = 40
 
     def index
-      authorize :account, :index?
+      authorize @account, :show?
 
-      @accounts = RelationshipFilter.new(@account, filter_params).results.page(params[:page]).per(PER_PAGE)
+      @accounts = RelationshipFilter.new(@account, filter_params).results.includes(:account_stat, user: [:ips, :invite_request]).page(params[:page]).per(PER_PAGE)
+      @form     = Form::AccountBatch.new
     end
 
     private

app/controllers/admin/relays_controller.rb

@@ -3,7 +3,7 @@
 module Admin
   class RelaysController < BaseController
     before_action :set_relay, except: [:index, :new, :create]
-    before_action :require_signatures_enabled!, only: [:new, :create, :enable]
+    before_action :warn_signatures_not_enabled!, only: [:new, :create, :enable]
 
     def index
       authorize :relay, :update?
@@ -56,8 +56,8 @@ module Admin
       params.require(:relay).permit(:inbox_url)
     end
 
-    def require_signatures_enabled!
-      redirect_to admin_relays_path, alert: I18n.t('admin.relays.signatures_not_enabled') if authorized_fetch_mode?
+    def warn_signatures_not_enabled!
+      flash.now[:error] = I18n.t('admin.relays.signatures_not_enabled') if authorized_fetch_mode?
     end
   end
 end

app/controllers/admin/report_notes_controller.rb

@@ -14,20 +14,17 @@ module Admin
         if params[:create_and_resolve]
           @report.resolve!(current_account)
           log_action :resolve, @report
-
-          redirect_to admin_reports_path, notice: I18n.t('admin.reports.resolved_msg')
-          return
-        end
-
-        if params[:create_and_unresolve]
+        elsif params[:create_and_unresolve]
           @report.unresolve!
           log_action :reopen, @report
         end
 
-        redirect_to admin_report_path(@report), notice: I18n.t('admin.report_notes.created_msg')
+        redirect_to after_create_redirect_path, notice: I18n.t('admin.report_notes.created_msg')
       else
-        @report_notes = (@report.notes.latest + @report.history + @report.target_account.targeted_account_warnings.latest.custom).sort_by(&:created_at)
-        @form         = Form::StatusBatch.new
+        @report_notes = @report.notes.includes(:account).order(id: :desc)
+        @action_logs  = @report.history.includes(:target)
+        @form         = Admin::StatusBatchAction.new
+        @statuses     = @report.statuses.with_includes
 
         render template: 'admin/reports/show'
       end
@@ -41,6 +38,14 @@ module Admin
 
     private
 
+    def after_create_redirect_path
+      if params[:create_and_resolve]
+        admin_reports_path
+      else
+        admin_report_path(@report)
+      end
+    end
+
     def resource_params
       params.require(:report_note).permit(
         :content,

app/controllers/admin/reported_statuses_controller.rb

@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-module Admin
-  class ReportedStatusesController < BaseController
-    before_action :set_report
-
-    def create
-      authorize :status, :update?
-
-      @form         = Form::StatusBatch.new(form_status_batch_params.merge(current_account: current_account, action: action_from_button))
-      flash[:alert] = I18n.t('admin.statuses.failed_to_execute') unless @form.save
-
-      redirect_to admin_report_path(@report)
-    rescue ActionController::ParameterMissing
-      flash[:alert] = I18n.t('admin.statuses.no_status_selected')
-
-      redirect_to admin_report_path(@report)
-    end
-
-    private
-
-    def status_params
-      params.require(:status).permit(:sensitive)
-    end
-
-    def form_status_batch_params
-      params.require(:form_status_batch).permit(status_ids: [])
-    end
-
-    def action_from_button
-      if params[:nsfw_on]
-        'nsfw_on'
-      elsif params[:nsfw_off]
-        'nsfw_off'
-      elsif params[:delete]
-        'delete'
-      end
-    end
-
-    def set_report
-      @report = Report.find(params[:report_id])
-    end
-  end
-end

app/controllers/admin/reports/actions_controller.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+class Admin::Reports::ActionsController < Admin::BaseController
+  before_action :set_report
+
+  def preview
+    authorize @report, :show?
+    @moderation_action = action_from_button
+  end
+
+  def create
+    authorize @report, :show?
+
+    case action_from_button
+    when 'delete', 'mark_as_sensitive'
+      status_batch_action = Admin::StatusBatchAction.new(
+        type: action_from_button,
+        status_ids: @report.status_ids,
+        current_account: current_account,
+        report_id: @report.id,
+        send_email_notification: !@report.spam?,
+        text: params[:text]
+      )
+
+      status_batch_action.save!
+    when 'silence', 'suspend'
+      account_action = Admin::AccountAction.new(
+        type: action_from_button,
+        report_id: @report.id,
+        target_account: @report.target_account,
+        current_account: current_account,
+        send_email_notification: !@report.spam?,
+        text: params[:text]
+      )
+
+      account_action.save!
+    else
+      return redirect_to admin_report_path(@report), alert: I18n.t('admin.reports.unknown_action_msg', action: action_from_button)
+    end
+
+    redirect_to admin_reports_path, notice: I18n.t('admin.reports.processed_msg', id: @report.id)
+  end
+
+  private
+
+  def set_report
+    @report = Report.find(params[:report_id])
+  end
+
+  def action_from_button
+    if params[:delete]
+      'delete'
+    elsif params[:mark_as_sensitive]
+      'mark_as_sensitive'
+    elsif params[:silence]
+      'silence'
+    elsif params[:suspend]
+      'suspend'
+    elsif params[:moderation_action]
+      params[:moderation_action]
+    end
+  end
+end

app/controllers/admin/reports_controller.rb

@@ -13,8 +13,10 @@ module Admin
       authorize @report, :show?
 
       @report_note  = @report.notes.new
-      @report_notes = (@report.notes.latest + @report.history + @report.target_account.targeted_account_warnings.latest.custom).sort_by(&:created_at)
-      @form         = Form::StatusBatch.new
+      @report_notes = @report.notes.includes(:account).order(id: :desc)
+      @action_logs  = @report.history.includes(:target)
+      @form         = Admin::StatusBatchAction.new
+      @statuses     = @report.statuses.with_includes
     end
 
     def assign_to_self

app/controllers/admin/resets_controller.rb

@@ -6,9 +6,9 @@ module Admin
 
     def create
       authorize @user, :reset_password?
-      @user.send_reset_password_instructions
+      @user.reset_password!
       log_action :reset_password, @user
-      redirect_to admin_accounts_path
+      redirect_to admin_account_path(@user.account_id)
     end
   end
 end

app/controllers/admin/roles_controller.rb

@@ -2,20 +2,66 @@
 
 module Admin
   class RolesController < BaseController
-    before_action :set_user
+    before_action :set_role, except: [:index, :new, :create]
 
-    def promote
-      authorize @user, :promote?
-      @user.promote!
-      log_action :promote, @user
-      redirect_to admin_account_path(@user.account_id)
+    def index
+      authorize :user_role, :index?
+
+      @roles = UserRole.order(position: :desc).page(params[:page])
     end
 
-    def demote
-      authorize @user, :demote?
-      @user.demote!
-      log_action :demote, @user
-      redirect_to admin_account_path(@user.account_id)
+    def new
+      authorize :user_role, :create?
+
+      @role = UserRole.new
+    end
+
+    def create
+      authorize :user_role, :create?
+
+      @role = UserRole.new(resource_params)
+      @role.current_account = current_account
+
+      if @role.save
+        log_action :create, @role
+        redirect_to admin_roles_path
+      else
+        render :new
+      end
+    end
+
+    def edit
+      authorize @role, :update?
+    end
+
+    def update
+      authorize @role, :update?
+
+      @role.current_account = current_account
+
+      if @role.update(resource_params)
+        log_action :update, @role
+        redirect_to admin_roles_path
+      else
+        render :edit
+      end
+    end
+
+    def destroy
+      authorize @role, :destroy?
+      @role.destroy!
+      log_action :destroy, @role
+      redirect_to admin_roles_path
+    end
+
+    private
+
+    def set_role
+      @role = UserRole.find(params[:id])
+    end
+
+    def resource_params
+      params.require(:user_role).permit(:name, :color, :highlighted, :position, permissions_as_keys: [])
     end
   end
 end