From 6d7d722c5d34f69a40c0c64662ab72751c767968 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Fri, 11 Apr 2025 16:12:32 +0400
Subject: [PATCH 01/10] Add inetOrgPerson objectclass to user entries

refs #174
---
 app/jobs/create_ldap_user_job.rb       | 2 +-
 spec/jobs/create_ldap_user_job_spec.rb | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/jobs/create_ldap_user_job.rb b/app/jobs/create_ldap_user_job.rb
index 4eff181..8fbab0c 100644
--- a/app/jobs/create_ldap_user_job.rb
+++ b/app/jobs/create_ldap_user_job.rb
@@ -4,7 +4,7 @@ class CreateLdapUserJob < ApplicationJob
   def perform(username:, domain:, email:, hashed_pw:, confirmed: false)
     dn = "cn=#{username},ou=#{domain},cn=users,dc=kosmos,dc=org"
     attr = {
-      objectclass: ["top", "account", "person", "extensibleObject"],
+      objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
       cn: username,
       sn: username,
       uid: username,
diff --git a/spec/jobs/create_ldap_user_job_spec.rb b/spec/jobs/create_ldap_user_job_spec.rb
index 87a9a44..b86214f 100644
--- a/spec/jobs/create_ldap_user_job_spec.rb
+++ b/spec/jobs/create_ldap_user_job_spec.rb
@@ -32,7 +32,7 @@ RSpec.describe CreateLdapUserJob, type: :job do
     expect(ldap_client_mock).to have_received(:add).with(
       dn: "cn=halfinney,ou=kosmos.org,cn=users,dc=kosmos,dc=org",
       attributes: {
-        objectclass: ["top", "account", "person", "extensibleObject"],
+        objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
         cn: "halfinney",
         sn: "halfinney",
         uid: "halfinney",
@@ -51,7 +51,7 @@ RSpec.describe CreateLdapUserJob, type: :job do
     expect(ldap_client_mock).to have_received(:add).with(
       dn: "cn=halfinney,ou=kosmos.org,cn=users,dc=kosmos,dc=org",
       attributes: {
-        objectclass: ["top", "account", "person", "extensibleObject"],
+        objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
         cn: "halfinney",
         sn: "halfinney",
         uid: "halfinney",

From 9e2210c45b3b6077d29daee6fe3e2cfec3621667 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Wed, 24 Jan 2024 15:56:34 +0300
Subject: [PATCH 02/10] Store avatars as binary instead of base64

---
 app/models/user.rb                         | 13 +++++++----
 app/services/ldap_manager/fetch_avatar.rb  |  6 +++---
 app/services/ldap_manager/update_avatar.rb |  8 +++----
 app/views/settings/_profile.html.erb       |  7 +++---
 spec/features/settings/profile_spec.rb     | 25 +++++++++++++---------
 5 files changed, 35 insertions(+), 24 deletions(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 1886b1f..d73d780 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -159,6 +159,15 @@ class User < ApplicationRecord
     @display_name ||= ldap_entry[:display_name]
   end
 
+  def avatar
+    @avatar ||= LdapManager::FetchAvatar.call(cn: cn)
+  end
+
+  def avatar_base64
+    return nil if avatar.nil?
+    @avatar_base64 ||= Base64.strict_encode64(avatar)
+  end
+
   def nostr_pubkey
     @nostr_pubkey ||= ldap_entry[:nostr_key]
   end
@@ -186,10 +195,6 @@ class User < ApplicationRecord
     ZBase32.encode(Digest::SHA1.digest(cn))
   end
 
-  def avatar
-    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
-  end
-
   def services_enabled
     ldap_entry[:services_enabled] || []
   end
diff --git a/app/services/ldap_manager/fetch_avatar.rb b/app/services/ldap_manager/fetch_avatar.rb
index 11035ae..a838bb8 100644
--- a/app/services/ldap_manager/fetch_avatar.rb
+++ b/app/services/ldap_manager/fetch_avatar.rb
@@ -5,12 +5,12 @@ module LdapManager
     end
 
     def call
-      treebase   = ldap_config["base"]
+      treebase = ldap_config["base"]
       attributes = %w{ jpegPhoto }
-      filter     = Net::LDAP::Filter.eq("cn", @cn)
+      filter = Net::LDAP::Filter.eq("cn", @cn)
 
       entry = client.search(base: treebase, filter: filter, attributes: attributes).first
-      entry.try(:jpegPhoto) ? entry.jpegPhoto.first : nil
+      entry&.jpegPhoto ? entry.jpegPhoto.first : nil
     end
   end
 end
diff --git a/app/services/ldap_manager/update_avatar.rb b/app/services/ldap_manager/update_avatar.rb
index f3c8975..d238303 100644
--- a/app/services/ldap_manager/update_avatar.rb
+++ b/app/services/ldap_manager/update_avatar.rb
@@ -8,20 +8,20 @@ module LdapManager
     end
 
     def call
-      replace_attribute @dn, :jpegPhoto, @img_data
+      result = replace_attribute @dn, :jpegPhoto, @img_data
+      result
     end
 
     private
 
     def process(file)
       processed = ImageProcessing::Vips
-        .resize_to_fill(512, 512)
+        .resize_to_fill(256, 256)
         .source(file)
         .convert("jpeg")
         .saver(strip: true)
         .call
-
-      Base64.strict_encode64 processed.read
+      processed.read
     end
   end
 end
diff --git a/app/views/settings/_profile.html.erb b/app/views/settings/_profile.html.erb
index 4443e25..45ffc37 100644
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -20,7 +20,7 @@
       </button>
     </p>
     <p class="text-sm text-gray-500">
-      Your user address for Chat and Lightning Network.
+      Your account's address on the Internet
     </p>
   </div>
   <%= form_for(@user, url: setting_path(:profile), html: { :method => :put }) do |f| %>
@@ -40,9 +40,10 @@
         Default profile picture
       </p>
       <div class="flex items-center gap-6">
-        <% if current_user.avatar.present? %>
+        <% unless current_user.avatar.nil? %>
         <p class="flex-none">
-          <%= image_tag "data:image/jpeg;base64,#{current_user.avatar}", class: "h-24 w-24 rounded-lg" %>
+          <%= image_tag "data:image/jpeg;base64,#{current_user.avatar_base64}",
+                class: "h-24 w-24 rounded-lg" %>
         </p>
         <% end %>
         <div class="grow">
diff --git a/spec/features/settings/profile_spec.rb b/spec/features/settings/profile_spec.rb
index 55b861e..8797890 100644
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -2,18 +2,22 @@ require 'rails_helper'
 
 RSpec.describe 'Profile settings', type: :feature do
   let(:user) { create :user, cn: "mwahlberg" }
-  let(:avatar_base64) { File.read("#{Rails.root}/spec/fixtures/files/avatar-base64.txt") }
+  let(:avatar_jpeg) { File.binread("#{Rails.root}/spec/fixtures/files/taipei.jpg") }
 
   before do
+    Flipper.enable "avatar_upload"
+
     login_as user, :scope => :user
     allow(user).to receive(:display_name).and_return("Mark")
-    allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
-    allow_any_instance_of(User).to receive(:ldap_entry).and_return({
-      uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
-    })
-    allow_any_instance_of(User).to receive(:avatar).and_return(avatar_base64)
 
-    Flipper.enable "avatar_upload"
+    allow_any_instance_of(User).to receive(:dn)
+      .and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
+    allow_any_instance_of(User).to receive(:ldap_entry)
+      .and_return({
+        uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
+      })
+    allow_any_instance_of(User).to receive(:avatar)
+      .and_return(avatar_jpeg)
   end
 
   feature "Update display name" do
@@ -70,8 +74,8 @@ RSpec.describe 'Profile settings', type: :feature do
     scenario 'works with valid JPG file' do
       file_path = "#{Rails.root}/spec/fixtures/files/taipei.jpg"
 
-      expect_any_instance_of(LdapManager::UpdateAvatar).to receive(:replace_attribute)
-        .with(user.dn, :jpegPhoto, avatar_base64).and_return(true)
+      expect_any_instance_of(LdapManager::UpdateAvatar)
+        .to receive(:replace_attribute).and_return(true)
 
       visit setting_path(:profile)
       attach_file "Avatar", file_path
@@ -86,7 +90,8 @@ RSpec.describe 'Profile settings', type: :feature do
     scenario 'works with valid PNG file' do
       file_path = "#{Rails.root}/spec/fixtures/files/bender.png"
 
-      expect(LdapManager::UpdateAvatar).to receive(:call).and_return(true)
+      expect_any_instance_of(LdapManager::UpdateAvatar)
+        .to receive(:replace_attribute).and_return(true)
 
       visit setting_path(:profile)
       attach_file "Avatar", file_path

From 17ffbde03a83d43bf7356ed565fa686d0314a656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Sun, 11 May 2025 18:43:21 +0400
Subject: [PATCH 03/10] WIP Store avatars as ActiveStorage attachments

Also push to LDAP as jpegPhoto
---
 app/controllers/admin/users_controller.rb  |  2 +-
 app/controllers/settings_controller.rb     |  9 +++--
 app/models/user.rb                         | 37 ++++++++++++++++----
 app/services/ldap_manager/fetch_avatar.rb  |  2 +-
 app/services/ldap_manager/update_avatar.rb | 40 +++++++++++++++-------
 app/views/admin/users/show.html.erb        |  4 +--
 app/views/settings/_profile.html.erb       | 21 +++++-------
 spec/features/settings/profile_spec.rb     |  7 ++--
 8 files changed, 80 insertions(+), 42 deletions(-)

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 82b91da..e73d208 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -22,7 +22,7 @@ class Admin::UsersController < Admin::BaseController
 
     @services_enabled = @user.services_enabled
 
-    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
+    @ldap_avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
   end
 
   # POST /admin/users/:username/invitations
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index e469d66..fc3477b 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -25,7 +25,7 @@ class SettingsController < ApplicationController
   def update
     @user.preferences.merge!(user_params[:preferences] || {})
     @user.display_name = user_params[:display_name]
-    @user.avatar_new   = user_params[:avatar]
+    @user.avatar_new   = user_params[:avatar_new]
     @user.pgp_pubkey   = user_params[:pgp_pubkey]
 
     if @user.save
@@ -34,7 +34,10 @@ class SettingsController < ApplicationController
       end
 
       if @user.avatar_new.present?
-        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
+        @user.avatar.attach(@user.avatar_new)
+        @user.avatar.blob.update(filename: @user.avatar_filename)
+        @user.save!
+        LdapManager::UpdateAvatar.call(user: @user)
       end
 
       if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
@@ -162,7 +165,7 @@ class SettingsController < ApplicationController
 
     def user_params
       params.require(:user).permit(
-        :display_name, :avatar, :pgp_pubkey,
+        :display_name, :avatar_new, :pgp_pubkey,
         preferences: UserPreferences.pref_keys
       )
     end
diff --git a/app/models/user.rb b/app/models/user.rb
index d73d780..2905748 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -4,8 +4,8 @@ class User < ApplicationRecord
   include EmailValidatable
 
   attr_accessor :current_password
-  attr_accessor :avatar_new
   attr_accessor :display_name
+  attr_accessor :avatar_new
   attr_accessor :pgp_pubkey
 
   serialize :preferences, coder: UserPreferences
@@ -27,6 +27,12 @@ class User < ApplicationRecord
 
   has_many :accounts, through: :lndhub_user
 
+  #
+  # Attachments
+  #
+
+  has_one_attached :avatar
+
   #
   # Validations
   #
@@ -159,13 +165,30 @@ class User < ApplicationRecord
     @display_name ||= ldap_entry[:display_name]
   end
 
-  def avatar
-    @avatar ||= LdapManager::FetchAvatar.call(cn: cn)
+  def avatar_base64(size: :medium)
+    return nil unless avatar.attached?
+    variant = avatar_variant(size: size)
+    data = ActiveStorage::Blob.service.download(variant.key)
+    Base64.strict_encode64(data)
   end
 
-  def avatar_base64
-    return nil if avatar.nil?
-    @avatar_base64 ||= Base64.strict_encode64(avatar)
+  def avatar_filename
+    return nil unless avatar.attached?
+    data = ActiveStorage::Blob.service.download(avatar.key)
+    hash = Digest::SHA256.hexdigest(data)
+    ext = avatar.content_type == "image/png" ? "png" : "jpg"
+    "#{hash}.#{ext}"
+  end
+
+  def avatar_variant(size: :medium)
+    dimensions = case size
+                 when :large  then [400, 400]
+                 when :medium then [256, 256]
+                 when :small  then [64, 64]
+                 else [256, 256]
+                 end
+    format = avatar.content_type == "image/png" ? :png : :jpeg
+    avatar.variant(resize_to_fill: dimensions, format: format)
   end
 
   def nostr_pubkey
@@ -232,7 +255,7 @@ class User < ApplicationRecord
       return unless avatar_new.present?
 
       if avatar_new.size > 1.megabyte
-        errors.add(:avatar, "file size is too large")
+        errors.add(:avatar, "must be less than 1MB file size")
       end
 
       acceptable_types = ["image/jpeg", "image/png"]
diff --git a/app/services/ldap_manager/fetch_avatar.rb b/app/services/ldap_manager/fetch_avatar.rb
index a838bb8..982bff2 100644
--- a/app/services/ldap_manager/fetch_avatar.rb
+++ b/app/services/ldap_manager/fetch_avatar.rb
@@ -10,7 +10,7 @@ module LdapManager
       filter = Net::LDAP::Filter.eq("cn", @cn)
 
       entry = client.search(base: treebase, filter: filter, attributes: attributes).first
-      entry&.jpegPhoto ? entry.jpegPhoto.first : nil
+      entry[:jpegPhoto].present? ? entry.jpegPhoto.first : nil
     end
   end
 end
diff --git a/app/services/ldap_manager/update_avatar.rb b/app/services/ldap_manager/update_avatar.rb
index d238303..163af3f 100644
--- a/app/services/ldap_manager/update_avatar.rb
+++ b/app/services/ldap_manager/update_avatar.rb
@@ -2,26 +2,40 @@ require "image_processing/vips"
 
 module LdapManager
   class UpdateAvatar < LdapManagerService
-    def initialize(dn:, file:)
-      @dn = dn
-      @img_data = process(file)
+    def initialize(user:)
+      @user = user
+      @dn = user.dn
     end
 
     def call
-      result = replace_attribute @dn, :jpegPhoto, @img_data
-      result
+      unless @user.avatar.attached?
+        Rails.logger.error { "Cannot store empty jpegPhoto for user #{@user.cn}" }
+        return false
+      end
+
+      img_data = @user.avatar.blob.download
+      jpg_data = process(img_data)
+
+      result = replace_attribute(@dn, :jpegPhoto, jpg_data)
+      result == 0
     end
 
     private
 
-    def process(file)
-      processed = ImageProcessing::Vips
-        .resize_to_fill(256, 256)
-        .source(file)
-        .convert("jpeg")
-        .saver(strip: true)
-        .call
-      processed.read
+    def process(data)
+      @user.avatar.blob.open do |file|
+        processed = ImageProcessing::Vips
+          .source(file)
+          .resize_to_fill(256, 256)
+          .convert("jpeg")
+          .saver(strip: true)
+          .call
+        processed.read
+      end
+    rescue Vips::Error => e
+      Sentry.capture_exception(e) if Setting.sentry_enabled?
+      Rails.logger.error { "Image processing failed for LDAP avatar: #{e.message}" }
+      nil
     end
   end
 end
diff --git a/app/views/admin/users/show.html.erb b/app/views/admin/users/show.html.erb
index 832e930..1007d4a 100644
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -95,8 +95,8 @@
           <tr>
             <th>Avatar</th>
             <td>
-              <% if @avatar.present? %>
-                <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
+              <% if @ldap_avatar.present? %>
+                JPEG size: <%= @ldap_avatar.size %>
               <% else %>
                 &mdash;
               <% end %>
diff --git a/app/views/settings/_profile.html.erb b/app/views/settings/_profile.html.erb
index 45ffc37..7dc0f22 100644
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -33,22 +33,19 @@
 
     <% if Flipper.enabled?(:avatar_upload, current_user) %>
     <label class="block">
-      <p class="font-bold mb-1">
-        Avatar
-      </p>
-      <p class="text-gray-500">
-        Default profile picture
-      </p>
+      <p class="font-bold mb-1">Avatar</p>
+      <p class="text-gray-500">Default profile picture</p>
       <div class="flex items-center gap-6">
-        <% unless current_user.avatar.nil? %>
-        <p class="flex-none">
-          <%= image_tag "data:image/jpeg;base64,#{current_user.avatar_base64}",
-                class: "h-24 w-24 rounded-lg" %>
-        </p>
+        <% if @user.avatar.attached? %>
+          <p class="flex-none">
+            <%= image_tag @user.avatar_variant(size: :medium),
+              class: "h-24 w-24 rounded-lg" %>
+          </p>
         <% end %>
         <div class="grow">
           <p class="mb-2">
-          <%= f.file_field :avatar, class: "" %>
+            <%= f.file_field :avatar_new, accept: "image/jpeg,image/png" %>
+          </p>
           <p class="text-sm text-gray-500">
             JPEG or PNG image, not larger than 1 megabyte
           </p>
diff --git a/spec/features/settings/profile_spec.rb b/spec/features/settings/profile_spec.rb
index 8797890..9375a81 100644
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -16,8 +16,6 @@ RSpec.describe 'Profile settings', type: :feature do
       .and_return({
         uid: user.cn, ou: user.ou, display_name: "Mark", pgp_key: nil
       })
-    allow_any_instance_of(User).to receive(:avatar)
-      .and_return(avatar_jpeg)
   end
 
   feature "Update display name" do
@@ -61,13 +59,16 @@ RSpec.describe 'Profile settings', type: :feature do
     end
 
     scenario "fails with validation error for file size too large" do
+      expect_any_instance_of(LdapManager::UpdateAvatar)
+        .not_to receive(:replace_attribute).and_return(true)
+
       visit setting_path(:profile)
       attach_file "Avatar", "#{Rails.root}/spec/fixtures/files/fsociety-irc.png"
       click_button "Save"
 
       expect(current_url).to eq(setting_url(:profile))
       within ".error-msg" do
-        expect(page).to have_content("file size is too large")
+        expect(page).to have_content("must be less than 1MB")
       end
     end
 

From 512f0ccca1a856c529c34cb05bbc19ddfa783028 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Mon, 12 May 2025 15:04:01 +0400
Subject: [PATCH 04/10] Add controller for rendering avatars on simple URL

---
 app/controllers/avatars_controller.rb | 20 ++++++++++++++++++++
 config/routes.rb                      |  3 +++
 2 files changed, 23 insertions(+)
 create mode 100644 app/controllers/avatars_controller.rb

diff --git a/app/controllers/avatars_controller.rb b/app/controllers/avatars_controller.rb
new file mode 100644
index 0000000..5afde73
--- /dev/null
+++ b/app/controllers/avatars_controller.rb
@@ -0,0 +1,20 @@
+class AvatarsController < ApplicationController
+  def show
+    if user = User.find_by(cn: params[:username])
+      http_status :not_found and return unless user.avatar.attached?
+
+      sha256_hash = params[:hash]
+      format = params[:format].to_sym || :png
+      size = params[:size]&.to_sym || :large
+
+      unless user.avatar_filename == "#{sha256_hash}.#{format}"
+        http_status :not_found and return
+      end
+
+      send_file user.avatar.service.path_for(user.avatar.key),
+        disposition: "inline", type: "image/#{format}"
+    else
+      http_status :not_found and return
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 8344410..759abcc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -15,6 +15,9 @@ Rails.application.routes.draw do
   match 'signup/:step', to: 'signup#steps', as: :signup_steps, via: [:get, :post]
   post 'signup_validate', to: 'signup#validate'
 
+
+  get "users/:username/avatars/:hash", to: "avatars#show", as: :user_avatar
+
   namespace :contributions do
     root to: 'donations#index'
     resources :donations, only: ['index', 'create'] do

From 46b908839da7c190b2a5770b189c4cd8721430cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Mon, 12 May 2025 15:04:56 +0400
Subject: [PATCH 05/10] Add avatar URL to Discourse Connect

Discourse should download and set the avatar if the user doesn't have
one set yet.
---
 app/components/app_catalog/web_app_icon_component.rb | 8 --------
 app/controllers/discourse/sso_controller.rb          | 3 +++
 app/helpers/application_helper.rb                    | 8 ++++++++
 3 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/app/components/app_catalog/web_app_icon_component.rb b/app/components/app_catalog/web_app_icon_component.rb
index 8421d4f..0ce082e 100644
--- a/app/components/app_catalog/web_app_icon_component.rb
+++ b/app/components/app_catalog/web_app_icon_component.rb
@@ -9,13 +9,5 @@ module AppCatalog
         @image_url = image_url_for(web_app.apple_touch_icon)
       end
     end
-
-    def image_url_for(attachment)
-      if Setting.s3_enabled?
-        s3_image_url(attachment)
-      else
-        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
-      end
-    end
   end
 end
diff --git a/app/controllers/discourse/sso_controller.rb b/app/controllers/discourse/sso_controller.rb
index 658f434..ca47e68 100644
--- a/app/controllers/discourse/sso_controller.rb
+++ b/app/controllers/discourse/sso_controller.rb
@@ -8,6 +8,9 @@ class Discourse::SsoController < ApplicationController
     sso.email = current_user.email
     sso.username = current_user.cn
     sso.name = current_user.display_name
+    if current_user.avatar.attached?
+      sso.avatar_url = helpers.image_url_for(current_user.avatar)
+    end
     sso.admin = current_user.is_admin?
     sso.sso_secret = secret
 
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 50959f6..a43b13e 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -14,4 +14,12 @@ module ApplicationHelper
   def badge(text, color)
     tag.span text, class: "inline-flex items-center rounded-full bg-#{color}-100 px-2.5 py-0.5 text-xs font-medium text-#{color}-800"
   end
+
+  def image_url_for(attachment)
+    if Setting.s3_enabled?
+      s3_image_url(attachment)
+    else
+      Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
+    end
+  end
 end

From 51a3652fc83613b92bb03356f71d0a2ebe83ac45 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Mon, 12 May 2025 16:39:53 +0400
Subject: [PATCH 06/10] Fix S3 keys/paths for user avatars

Also fixes the avatars controller to work with all back-ends
---
 app/controllers/avatars_controller.rb  | 18 +++++++++++------
 app/controllers/settings_controller.rb | 27 ++++++++++++++++++++++----
 app/models/user.rb                     |  8 --------
 3 files changed, 35 insertions(+), 18 deletions(-)

diff --git a/app/controllers/avatars_controller.rb b/app/controllers/avatars_controller.rb
index 5afde73..c106384 100644
--- a/app/controllers/avatars_controller.rb
+++ b/app/controllers/avatars_controller.rb
@@ -4,17 +4,23 @@ class AvatarsController < ApplicationController
       http_status :not_found and return unless user.avatar.attached?
 
       sha256_hash = params[:hash]
-      format = params[:format].to_sym || :png
-      size = params[:size]&.to_sym || :large
+      format = params[:format]&.to_sym || :png
+      size = params[:size]&.to_sym || :original
 
-      unless user.avatar_filename == "#{sha256_hash}.#{format}"
+      unless user.avatar.filename.to_s == "#{sha256_hash}.#{format}"
         http_status :not_found and return
       end
 
-      send_file user.avatar.service.path_for(user.avatar.key),
-        disposition: "inline", type: "image/#{format}"
+      blob = if size == :original
+               user.avatar.blob
+             else
+               user.avatar_variant(size: size)&.blob
+             end
+
+      data = blob.download
+      send_data data, type: "image/#{format}", disposition: "inline"
     else
-      http_status :not_found and return
+      http_status :not_found
     end
   end
 end
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index fc3477b..d9e202f 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -34,10 +34,12 @@ class SettingsController < ApplicationController
       end
 
       if @user.avatar_new.present?
-        @user.avatar.attach(@user.avatar_new)
-        @user.avatar.blob.update(filename: @user.avatar_filename)
-        @user.save!
-        LdapManager::UpdateAvatar.call(user: @user)
+        if store_user_avatar
+          LdapManager::UpdateAvatar.call(user: @user)
+        else
+          @validation_errors = @user.errors
+          render :show, status: :unprocessable_entity and return
+        end
       end
 
       if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
@@ -187,4 +189,21 @@ class SettingsController < ApplicationController
       salt = BCrypt::Engine.generate_salt
       BCrypt::Engine.hash_secret(password, salt)
     end
+
+    def store_user_avatar
+      data = @user.avatar_new.tempfile.read
+      @user.avatar_new.tempfile.rewind
+      hash = Digest::SHA256.hexdigest(data)
+      ext = @user.avatar_new.content_type == "image/png" ? "png" : "jpg"
+      filename = "#{hash}.#{ext}"
+
+      if filename == @user.avatar.filename.to_s
+        @user.errors.add(:avatar, "must be a new file/picture")
+        false
+      else
+        key = "users/#{@user.cn}/avatars/#{filename}"
+        @user.avatar.attach io: @user.avatar_new.tempfile, key: key, filename: filename
+        @user.save
+      end
+    end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 2905748..502179d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -172,14 +172,6 @@ class User < ApplicationRecord
     Base64.strict_encode64(data)
   end
 
-  def avatar_filename
-    return nil unless avatar.attached?
-    data = ActiveStorage::Blob.service.download(avatar.key)
-    hash = Digest::SHA256.hexdigest(data)
-    ext = avatar.content_type == "image/png" ? "png" : "jpg"
-    "#{hash}.#{ext}"
-  end
-
   def avatar_variant(size: :medium)
     dimensions = case size
                  when :large  then [400, 400]

From 1884f082ee527d57022dc41e70c2adbe0e1fffec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Mon, 12 May 2025 18:07:10 +0400
Subject: [PATCH 07/10] Add note about variants not working when not generated
 ad-hoc

---
 app/controllers/avatars_controller.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/controllers/avatars_controller.rb b/app/controllers/avatars_controller.rb
index c106384..6519c73 100644
--- a/app/controllers/avatars_controller.rb
+++ b/app/controllers/avatars_controller.rb
@@ -14,6 +14,9 @@ class AvatarsController < ApplicationController
       blob = if size == :original
                user.avatar.blob
              else
+               # TODO Variants use the same custom storage key/path, which
+               # makes blob downloads always fetch the original version instead
+               # of the variant. Needs to be fixed/added in Rails.
                user.avatar_variant(size: size)&.blob
              end
 

From 417e3460746599f2749ed85252c8d8fc0ffe69f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Wed, 14 May 2025 14:42:03 +0400
Subject: [PATCH 08/10] Do not use ActiveStorage variants, process original
 avatar

Variants are currently broken. So we process the original file with the
most common avatar dimensions and stripping metadata, then hash and
upload only that version.
---
 app/controllers/avatars_controller.rb      | 18 +++++------
 app/controllers/settings_controller.rb     | 27 ++++++++++++++---
 app/models/user.rb                         | 35 +++++++++++-----------
 app/services/ldap_manager/update_avatar.rb |  5 ++--
 app/views/settings/_profile.html.erb       |  3 +-
 5 files changed, 53 insertions(+), 35 deletions(-)

diff --git a/app/controllers/avatars_controller.rb b/app/controllers/avatars_controller.rb
index 6519c73..8a7284e 100644
--- a/app/controllers/avatars_controller.rb
+++ b/app/controllers/avatars_controller.rb
@@ -5,22 +5,20 @@ class AvatarsController < ApplicationController
 
       sha256_hash = params[:hash]
       format = params[:format]&.to_sym || :png
-      size = params[:size]&.to_sym || :original
+      # size = params[:size]&.to_sym || :original
 
       unless user.avatar.filename.to_s == "#{sha256_hash}.#{format}"
         http_status :not_found and return
       end
 
-      blob = if size == :original
-               user.avatar.blob
-             else
-               # TODO Variants use the same custom storage key/path, which
-               # makes blob downloads always fetch the original version instead
-               # of the variant. Needs to be fixed/added in Rails.
-               user.avatar_variant(size: size)&.blob
-             end
+      # TODO See note for avatar_variant in user model
+      # blob = if size == :original
+      #          user.avatar.blob
+      #        else
+      #          user.avatar_variant(size: size)&.blob
+      #        end
 
-      data = blob.download
+      data = user.avatar.blob.download
       send_data data, type: "image/#{format}", disposition: "inline"
     else
       http_status :not_found
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index d9e202f..ef03455 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -191,9 +191,14 @@ class SettingsController < ApplicationController
     end
 
     def store_user_avatar
-      data = @user.avatar_new.tempfile.read
-      @user.avatar_new.tempfile.rewind
-      hash = Digest::SHA256.hexdigest(data)
+      io = @user.avatar_new.tempfile
+      img_data = process_avatar(io)
+      tempfile = Tempfile.create
+      tempfile.binmode
+      tempfile.write(img_data)
+      tempfile.rewind
+
+      hash = Digest::SHA256.hexdigest(img_data)
       ext = @user.avatar_new.content_type == "image/png" ? "png" : "jpg"
       filename = "#{hash}.#{ext}"
 
@@ -202,8 +207,22 @@ class SettingsController < ApplicationController
         false
       else
         key = "users/#{@user.cn}/avatars/#{filename}"
-        @user.avatar.attach io: @user.avatar_new.tempfile, key: key, filename: filename
+        @user.avatar.attach io: tempfile, key: key, filename: filename
         @user.save
       end
     end
+
+    def process_avatar(io)
+      processed = ImageProcessing::Vips
+        .source(io)
+        .resize_to_fill(400, 400)
+        .saver(strip: true)
+        .call
+      io.rewind
+      processed.read
+    rescue Vips::Error => e
+      Sentry.capture_exception(e) if Setting.sentry_enabled?
+      Rails.logger.error { "Image processing failed for avatar: #{e.message}" }
+      nil
+    end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 502179d..a0c49b0 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -56,6 +56,7 @@ class User < ApplicationRecord
   validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                      if: -> { defined?(@display_name) }
 
+
   validate :acceptable_avatar
 
   validate :acceptable_pgp_key_format, if: -> { defined?(@pgp_pubkey) && @pgp_pubkey.present? }
@@ -83,6 +84,10 @@ class User < ApplicationRecord
          :timeoutable,
          :rememberable
 
+  #
+  # Methods
+  #
+
   def ldap_before_save
     self.email = Devise::LDAP::Adapter.get_ldap_param(self.cn, "mail").first
     self.ou    = dn.split(',')
@@ -165,23 +170,19 @@ class User < ApplicationRecord
     @display_name ||= ldap_entry[:display_name]
   end
 
-  def avatar_base64(size: :medium)
-    return nil unless avatar.attached?
-    variant = avatar_variant(size: size)
-    data = ActiveStorage::Blob.service.download(variant.key)
-    Base64.strict_encode64(data)
-  end
-
-  def avatar_variant(size: :medium)
-    dimensions = case size
-                 when :large  then [400, 400]
-                 when :medium then [256, 256]
-                 when :small  then [64, 64]
-                 else [256, 256]
-                 end
-    format = avatar.content_type == "image/png" ? :png : :jpeg
-    avatar.variant(resize_to_fill: dimensions, format: format)
-  end
+  # TODO Variant keys are currently broken for some reason
+  # (They use the same key as the main blob, when it should be
+  # "/variants/#{key)"
+  # def avatar_variant(size: :medium)
+  #   dimensions = case size
+  #                when :large  then [400, 400]
+  #                when :medium then [256, 256]
+  #                when :small  then [64, 64]
+  #                else [256, 256]
+  #                end
+  #   format = avatar.content_type == "image/png" ? :png : :jpeg
+  #   avatar.variant(resize_to_fill: dimensions, format: format)
+  # end
 
   def nostr_pubkey
     @nostr_pubkey ||= ldap_entry[:nostr_key]
diff --git a/app/services/ldap_manager/update_avatar.rb b/app/services/ldap_manager/update_avatar.rb
index 163af3f..793409d 100644
--- a/app/services/ldap_manager/update_avatar.rb
+++ b/app/services/ldap_manager/update_avatar.rb
@@ -14,15 +14,16 @@ module LdapManager
       end
 
       img_data = @user.avatar.blob.download
-      jpg_data = process(img_data)
+      jpg_data = process_avatar
 
+      Rails.logger.debug { "Storing new jpegPhoto for user #{@user.cn} in LDAP" }
       result = replace_attribute(@dn, :jpegPhoto, jpg_data)
       result == 0
     end
 
     private
 
-    def process(data)
+    def process_avatar
       @user.avatar.blob.open do |file|
         processed = ImageProcessing::Vips
           .source(file)
diff --git a/app/views/settings/_profile.html.erb b/app/views/settings/_profile.html.erb
index 7dc0f22..50bdf7e 100644
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -38,8 +38,7 @@
       <div class="flex items-center gap-6">
         <% if @user.avatar.attached? %>
           <p class="flex-none">
-            <%= image_tag @user.avatar_variant(size: :medium),
-              class: "h-24 w-24 rounded-lg" %>
+            <%= image_tag image_url_for(@user.avatar), class: "h-24 w-24 rounded-lg" %>
           </p>
         <% end %>
         <div class="grow">

From a098ea43bb821b08e6ed0644bd80f494fa142a1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Wed, 14 May 2025 15:39:50 +0400
Subject: [PATCH 09/10] Add avatar URL to Webfinger when available

---
 app/controllers/webfinger_controller.rb | 14 +++++++++
 app/helpers/application_helper.rb       | 11 +++++--
 spec/requests/webfinger_spec.rb         | 40 +++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 2 deletions(-)

diff --git a/app/controllers/webfinger_controller.rb b/app/controllers/webfinger_controller.rb
index 7b28719..a8e00f7 100644
--- a/app/controllers/webfinger_controller.rb
+++ b/app/controllers/webfinger_controller.rb
@@ -33,6 +33,10 @@ class WebfingerController < WellKnownController
       links: []
     }
 
+    if @user.avatar.attached?
+      jrd[:links] += avatar_link
+    end
+
     if Setting.mastodon_enabled && @user.service_enabled?(:mastodon)
       # https://docs.joinmastodon.org/spec/webfinger/
       jrd[:aliases] += mastodon_aliases
@@ -47,6 +51,16 @@ class WebfingerController < WellKnownController
     jrd
   end
 
+  def avatar_link
+    [
+      {
+        rel: "http://webfinger.net/rel/avatar",
+        type: @user.avatar.content_type,
+        href: helpers.image_url_for(@user.avatar)
+      }
+    ]
+  end
+
   def mastodon_aliases
     [
       "#{Setting.mastodon_public_url}/@#{@user.cn}",
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index a43b13e..c166e06 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -16,8 +16,15 @@ module ApplicationHelper
   end
 
   def image_url_for(attachment)
-    if Setting.s3_enabled?
-      s3_image_url(attachment)
+    return s3_image_url(attachment) if Setting.s3_enabled?
+
+    if attachment.record.is_a?(User) && attachment.name == "avatar"
+      hash, format = attachment.blob.filename.to_s.split(".", 2)
+      user_avatar_url(
+        username: attachment.record.cn,
+        hash: hash,
+        format: format
+      )
     else
       Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
     end
diff --git a/spec/requests/webfinger_spec.rb b/spec/requests/webfinger_spec.rb
index 285c146..a37d3cb 100644
--- a/spec/requests/webfinger_spec.rb
+++ b/spec/requests/webfinger_spec.rb
@@ -18,6 +18,46 @@ RSpec.describe "WebFinger", type: :request do
       })
     end
 
+    describe "Avatar" do
+      context "not available" do
+        it "does not include an avatar link" do
+          get "/.well-known/webfinger?resource=acct%3Atony%40kosmos.org"
+          expect(response).to have_http_status(:ok)
+          res = JSON.parse(response.body)
+
+          link = res["links"].find{|l| l["rel"] == "http://webfinger.net/rel/avatar"}
+          expect(link).to be_nil
+        end
+      end
+
+      context "available" do
+        let(:fixture_path) { Rails.root.join("spec/fixtures/files/taipei.jpg") }
+        let(:img_data) { File.read(fixture_path) }
+        let(:img_hash) { Digest::SHA256.hexdigest(img_data) }
+
+        before do
+          ActiveStorage::Blob.create_and_upload!(
+            io: File.open(fixture_path),
+            filename: "#{img_hash}.jpg",
+            content_type: "image/jpeg"
+          ).tap do |blob|
+            user.avatar.attach(blob)
+          end
+        end
+
+        it "includes a public avatar link" do
+          get "/.well-known/webfinger?resource=acct%3Atony%40kosmos.org"
+          expect(response).to have_http_status(:ok)
+          res = JSON.parse(response.body)
+
+          link = res["links"].find { |l| l["rel"] == "http://webfinger.net/rel/avatar" }
+          expect(link).to be_present
+          expect(link["type"]).to eq("image/jpeg")
+          expect(link["href"]).to match(%r{users/tony/avatars/#{img_hash}.jpg})
+        end
+      end
+    end
+
     describe "Mastodon entries" do
       context "Mastodon available" do
         it "includes the Mastodon aliases and links for the user" do

From 582d339c0afc9c7d7b247ba2610f2ff3a66d00e3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kosmos.org>
Date: Wed, 14 May 2025 18:55:26 +0400
Subject: [PATCH 10/10] Remove feature gate for avatar upload

---
 app/views/settings/_profile.html.erb   | 2 --
 spec/features/settings/profile_spec.rb | 2 --
 2 files changed, 4 deletions(-)

diff --git a/app/views/settings/_profile.html.erb b/app/views/settings/_profile.html.erb
index 50bdf7e..379e34a 100644
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -31,7 +31,6 @@
       <% end %>
     <% end %>
 
-    <% if Flipper.enabled?(:avatar_upload, current_user) %>
     <label class="block">
       <p class="font-bold mb-1">Avatar</p>
       <p class="text-gray-500">Default profile picture</p>
@@ -54,7 +53,6 @@
         </div>
       </div>
     </label>
-    <% end %>
 
     <p class="mt-8 pt-6 border-t border-gray-200 text-right">
       <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
diff --git a/spec/features/settings/profile_spec.rb b/spec/features/settings/profile_spec.rb
index 9375a81..95a4798 100644
--- a/spec/features/settings/profile_spec.rb
+++ b/spec/features/settings/profile_spec.rb
@@ -5,8 +5,6 @@ RSpec.describe 'Profile settings', type: :feature do
   let(:avatar_jpeg) { File.binread("#{Rails.root}/spec/fixtures/files/taipei.jpg") }
 
   before do
-    Flipper.enable "avatar_upload"
-
     login_as user, :scope => :user
     allow(user).to receive(:display_name).and_return("Mark")