From 705bd63b422db1e37cf86754220b32968e3d9705 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Fri, 7 Apr 2023 23:02:11 +0200
Subject: [PATCH 01/47] Add configurable default room bookmarks for new users

---
 app/jobs/xmpp_set_default_bookmarks_job.rb    | 26 +++++++++
 app/models/setting.rb                         |  7 +++
 app/services/ejabberd_api_client.rb           |  7 ++-
 .../settings/services/_ejabberd.html.erb      | 57 ++++++++++++-------
 4 files changed, 77 insertions(+), 20 deletions(-)
 create mode 100644 app/jobs/xmpp_set_default_bookmarks_job.rb

diff --git a/app/jobs/xmpp_set_default_bookmarks_job.rb b/app/jobs/xmpp_set_default_bookmarks_job.rb
new file mode 100644
index 0000000..92cd8a5
--- /dev/null
+++ b/app/jobs/xmpp_set_default_bookmarks_job.rb
@@ -0,0 +1,26 @@
+class XmppSetDefaultBookmarksJob < ApplicationJob
+  queue_as :default
+
+  def perform(user)
+    return unless Setting.xmpp_default_rooms.any?
+    @user = user
+    ejabberd = EjabberdApiClient.new
+    ejabberd.private_set user, storage_content
+  end
+
+  def storage_content
+    bookmarks = ""
+    Setting.xmpp_default_rooms.each do |r|
+      bookmarks << conference_element(
+        jid: r[/<(.+)>/, 1], name: r[/^(.+)\s/, 1], nick: @user.cn,
+        autojoin: Setting.xmpp_autojoin_default_rooms
+      )
+    end
+
+    "<storage xmlns='storage:bookmarks'>#{bookmarks}</storage>"
+  end
+
+  def conference_element(jid:, name:, autojoin: false, nick:)
+    "<conference jid='#{jid}' name='#{name}' autojoin='#{autojoin.to_s}'><nick>#{nick}</nick></conference>"
+  end
+end
diff --git a/app/models/setting.rb b/app/models/setting.rb
index dff6425..4b02225 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -17,6 +17,13 @@ class Setting < RailsSettings::Base
     account accounts donations mail webmaster support
   ]
 
+  #
+  # XMPP
+  #
+
+  field :xmpp_default_rooms, type: :array, default: []
+  field :xmpp_autojoin_default_rooms, type: :boolean, default: false
+
   #
   # Sentry
   #
diff --git a/app/services/ejabberd_api_client.rb b/app/services/ejabberd_api_client.rb
index 7930aa1..b90b499 100644
--- a/app/services/ejabberd_api_client.rb
+++ b/app/services/ejabberd_api_client.rb
@@ -10,7 +10,7 @@ class EjabberdApiClient
     if res.status != 200
       Rails.logger.error "[ejabberd] API request failed:"
       Rails.logger.error res.body
-      #TODO add some kind of exception tracking/notifications
+      #TODO Send custom event to Sentry
     end
   end
 
@@ -21,4 +21,9 @@ class EjabberdApiClient
   def send_message(payload)
     post "send_message", payload
   end
+
+  def private_set(user, content)
+    payload = { user: user.cn, host: user.ou, element: content }
+    post "private_set", payload
+  end
 end
diff --git a/app/views/admin/settings/services/_ejabberd.html.erb b/app/views/admin/settings/services/_ejabberd.html.erb
index 46e3ca6..887c1c1 100644
--- a/app/views/admin/settings/services/_ejabberd.html.erb
+++ b/app/views/admin/settings/services/_ejabberd.html.erb
@@ -7,24 +7,43 @@
     title: "Enable ejabberd integration",
     description: "ejabberd configuration present and features enabled"
   ) %>
-  <% if Setting.ejabberd_enabled? %>
-    <%= render FormElements::FieldsetComponent.new(title: "API URL") do %>
-      <%= f.text_field :ejabberd_api_url,
-        value: Setting.ejabberd_api_url,
-        class: "w-full", disabled: true %>
-    <% end %>
-    <%= render FormElements::FieldsetComponent.new(title: "Admin URL") do %>
-      <%= f.text_field :ejabberd_admin_url,
-        value: Setting.ejabberd_admin_url,
-        class: "w-full", disabled: true %>
-    <% end %>
-    <%= render FormElements::FieldsetComponent.new(
-          title: "Contact roster name",
-          description: "Used when exchanging contacts after signup from invitation"
-        ) do %>
-      <%= f.text_field :ejabberd_buddy_roster,
-        value: Setting.ejabberd_buddy_roster,
-        class: "w-full" %>
-    <% end %>
+<% if Setting.ejabberd_enabled? %>
+  <%= render FormElements::FieldsetComponent.new(title: "API URL") do %>
+    <%= f.text_field :ejabberd_api_url,
+      value: Setting.ejabberd_api_url,
+      class: "w-full", disabled: true %>
+  <% end %>
+  <%= render FormElements::FieldsetComponent.new(title: "Admin URL") do %>
+    <%= f.text_field :ejabberd_admin_url,
+      value: Setting.ejabberd_admin_url,
+      class: "w-full", disabled: true %>
   <% end %>
 </ul>
+<h3 class="mt-8">User default settings</h3>
+<ul role="list">
+  <%= render FormElements::FieldsetComponent.new(
+        title: "Default rooms",
+        description: "Add these default rooms to new users' bookmarks"
+      ) do %>
+    <%= f.text_area :xmpp_default_rooms,
+          value: Setting.xmpp_default_rooms.join("\n"),
+          placeholder: "Welcome <welcome@kosmos.chat>\nKosmos <kosmos@kosmos.chat>",
+          class: "h-24 w-full" %>
+  <% end %>
+  <%= render FormElements::FieldsetToggleComponent.new(
+    form: f,
+    attribute: :xmpp_autojoin_default_rooms,
+    enabled: Setting.xmpp_autojoin_default_rooms?,
+    title: "Auto-join default rooms",
+    description: "Automatically join above default rooms in chat clients"
+  ) %>
+  <%= render FormElements::FieldsetComponent.new(
+        title: "Contact roster name",
+        description: "Used when exchanging contacts after signup from invitation"
+      ) do %>
+    <%= f.text_field :ejabberd_buddy_roster,
+      value: Setting.ejabberd_buddy_roster,
+      class: "w-full" %>
+  <% end %>
+<% end %>
+</ul>

From ad90fcd539d872680e893020b841fe60de919885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 8 Apr 2023 16:37:21 +0200
Subject: [PATCH 02/47] Add specs for xmpp default bookmarks, refactor xmpp job
 usage

---
 app/jobs/xmpp_exchange_contacts_job.rb        | 11 ++--
 app/models/user.rb                            | 13 ++---
 spec/jobs/xmpp_exchange_contacts_job_spec.rb  |  7 ++-
 .../xmpp_set_default_bookmarks_job_spec.rb    | 34 +++++++++++++
 spec/models/user_spec.rb                      | 50 +++++++------------
 5 files changed, 68 insertions(+), 47 deletions(-)
 create mode 100644 spec/jobs/xmpp_set_default_bookmarks_job_spec.rb

diff --git a/app/jobs/xmpp_exchange_contacts_job.rb b/app/jobs/xmpp_exchange_contacts_job.rb
index 50f6fa2..c082e32 100644
--- a/app/jobs/xmpp_exchange_contacts_job.rb
+++ b/app/jobs/xmpp_exchange_contacts_job.rb
@@ -1,18 +1,21 @@
 class XmppExchangeContactsJob < ApplicationJob
   queue_as :default
 
-  def perform(inviter, username, domain)
+  def perform(inviter, invitee)
+    return unless inviter.services_enabled.include?("ejabberd") &&
+                  invitee.services_enabled.include?("ejabberd")
+
     ejabberd = EjabberdApiClient.new
 
     ejabberd.add_rosteritem({
-      "localuser": username, "localhost": domain,
+      "localuser": invitee.cn, "localhost": invitee.ou,
       "user": inviter.cn, "host": inviter.ou,
       "nick": inviter.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
     })
     ejabberd.add_rosteritem({
       "localuser": inviter.cn, "localhost": inviter.ou,
-      "user": username, "host": domain,
-      "nick": username, "group": Setting.ejabberd_buddy_roster, "subs": "both"
+      "user": invitee.cn, "host": invitee.ou,
+      "nick": invitee.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
     })
   end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 94c3b14..937bc9c 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -59,11 +59,10 @@ class User < ApplicationRecord
     enable_service %w[ discourse ejabberd gitea mediawiki ]
 
     #TODO enable in development when we have easy setup of ejabberd etc.
-    return if Rails.env.development?
+    return if Rails.env.development? || !Setting.ejabberd_enabled?
 
-    if inviter.present?
-      exchange_xmpp_contact_with_inviter if Setting.ejabberd_enabled?
-    end
+    XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
+    XmppSetDefaultBookmarksJob.perform_later(self)
   end
 
   def send_devise_notification(notification, *args)
@@ -134,12 +133,6 @@ class User < ApplicationRecord
     ldap.delete_attribute(dn,:service)
   end
 
-  def exchange_xmpp_contact_with_inviter
-    return unless inviter.services_enabled.include?("ejabberd") &&
-                  services_enabled.include?("ejabberd")
-    XmppExchangeContactsJob.perform_later(inviter, self.cn, self.ou)
-  end
-
   private
 
     def ldap
diff --git a/spec/jobs/xmpp_exchange_contacts_job_spec.rb b/spec/jobs/xmpp_exchange_contacts_job_spec.rb
index f7732dc..013a80d 100644
--- a/spec/jobs/xmpp_exchange_contacts_job_spec.rb
+++ b/spec/jobs/xmpp_exchange_contacts_job_spec.rb
@@ -2,15 +2,18 @@ require 'rails_helper'
 require 'webmock/rspec'
 
 RSpec.describe XmppExchangeContactsJob, type: :job do
-  let(:user) { create :user, cn: "willherschel", ou: "kosmos.org" }
+  let(:user)  { create :user, cn: "willherschel", ou: "kosmos.org" }
+  let(:guest) { create :user, cn: "isaacnewton", ou: "kosmos.org",
+                              id: 2, email: "hotapple42@eol.com" }
 
   subject(:job) {
-    described_class.perform_later(user, 'isaacnewton', 'kosmos.org')
+    described_class.perform_later(user, guest)
   }
 
   before do
     stub_request(:post, "http://xmpp.example.com/api/add_rosteritem")
       .to_return(status: 200, body: "", headers: {})
+    allow_any_instance_of(User).to receive(:services_enabled).and_return(["ejabberd"])
   end
 
   it "posts add_rosteritem commands to the ejabberd API" do
diff --git a/spec/jobs/xmpp_set_default_bookmarks_job_spec.rb b/spec/jobs/xmpp_set_default_bookmarks_job_spec.rb
new file mode 100644
index 0000000..299cbcc
--- /dev/null
+++ b/spec/jobs/xmpp_set_default_bookmarks_job_spec.rb
@@ -0,0 +1,34 @@
+require 'rails_helper'
+require 'webmock/rspec'
+
+RSpec.describe XmppSetDefaultBookmarksJob, type: :job do
+  let(:user) { create :user, cn: "willherschel", ou: "kosmos.org" }
+
+  before do
+    Setting.xmpp_default_rooms = [
+      "Welcome <welcome@kosmos.chat>",
+      "Kosmos Dev <kosmos-dev@kosmos.chat>"
+    ]
+  end
+
+  subject(:job) {
+    described_class.perform_later(user)
+  }
+
+  before do
+    stub_request(:post, "http://xmpp.example.com/api/private_set")
+      .to_return(status: 200, body: "", headers: {})
+  end
+
+  it "posts a private_set command to the ejabberd API" do
+    perform_enqueued_jobs { job }
+
+    expect(WebMock).to have_requested(:post, "http://xmpp.example.com/api/private_set")
+      .with { |req| req.body == '{"user":"willherschel","host":"kosmos.org","element":"\u003cstorage xmlns=\'storage:bookmarks\'\u003e\u003cconference jid=\'welcome@kosmos.chat\' name=\'Welcome\' autojoin=\'false\'\u003e\u003cnick\u003ewillherschel\u003c/nick\u003e\u003c/conference\u003e\u003cconference jid=\'kosmos-dev@kosmos.chat\' name=\'Kosmos Dev\' autojoin=\'false\'\u003e\u003cnick\u003ewillherschel\u003c/nick\u003e\u003c/conference\u003e\u003c/storage\u003e"}' }
+  end
+
+  after do
+    clear_enqueued_jobs
+    clear_performed_jobs
+  end
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 1dfc1ac..b8f8675 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -101,38 +101,23 @@ RSpec.describe User, type: :model do
     end
   end
 
-  describe "#exchange_xmpp_contact_with_inviter" do
-    include ActiveJob::TestHelper
-
-    let(:user) { create :user, cn: "willherschel", ou: "kosmos.org" }
-    let(:guest) { create :user, id: 2, cn: "isaacnewton", ou: "kosmos.org", email: "newt@example.com" }
-
-    before do
-      Invitation.create! user: user, invited_user_id: guest.id, used_at: DateTime.now
-      allow_any_instance_of(User).to receive(:services_enabled).and_return(%w[ ejabberd ])
-    end
-
-    it "enqueues a job to exchange XMPP contacts between inviter and invitee" do
-      guest.send(:exchange_xmpp_contact_with_inviter)
-
-      expect(enqueued_jobs.size).to eq(1)
-      args = enqueued_jobs.first['arguments']
-      expect(args[0]['_aj_globalid']).to match('gid://akkounts/User')
-      expect(args[1]).to eq('isaacnewton')
-      expect(args[2]).to eq('kosmos.org')
-    end
-
-    after do
-      clear_enqueued_jobs
-    end
-  end
-
   describe "#devise_after_confirmation" do
+    include ActiveJob::TestHelper
+    after { clear_enqueued_jobs }
+
     let(:user) { create :user, cn: "willherschel", ou: "kosmos.org" }
 
     it "enables default services" do
       expect(user).to receive(:enable_service).with(%w[ discourse ejabberd gitea mediawiki ])
-      user.send(:devise_after_confirmation)
+      user.send :devise_after_confirmation
+    end
+
+    it "enqueues a job to set default chatroom bookmarks for XMPP" do
+      allow(user).to receive(:enable_service).and_return(true)
+      user.send :devise_after_confirmation
+
+      job = enqueued_jobs.select{|j| j['job_class'] == "XmppSetDefaultBookmarksJob"}.first
+      expect(job['arguments'][0]['_aj_globalid']).to eq('gid://akkounts/User/1')
     end
 
     context "for invited user with ejabberd enabled" do
@@ -140,12 +125,15 @@ RSpec.describe User, type: :model do
 
       before do
         Invitation.create! user: user, invited_user_id: guest.id, used_at: DateTime.now
-        allow_any_instance_of(User).to receive(:enable_service).and_return(true)
+        allow_any_instance_of(User).to receive(:enable_service)
       end
 
-      it "exchanges XMPP contacts with the inviter" do
-        expect(guest).to receive(:exchange_xmpp_contact_with_inviter)
-        guest.send(:devise_after_confirmation)
+      it "enqueues jobs to exchange XMPP contacts between inviter and invitee" do
+        guest.send :devise_after_confirmation
+
+        job = enqueued_jobs.select{|j| j['job_class'] == "XmppExchangeContactsJob"}.first
+        expect(job["arguments"][0]['_aj_globalid']).to eq('gid://akkounts/User/1')
+        expect(job["arguments"][1]['_aj_globalid']).to eq('gid://akkounts/User/2')
       end
     end
   end

From 34849b28b0a9e5e84c9193ecda744e466d243995 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 1 May 2023 15:15:23 +0200
Subject: [PATCH 03/47] WIP show fees of Lightning transactions

---
 app/controllers/wallet_controller.rb   | 1 +
 app/views/wallet/transactions.html.erb | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/controllers/wallet_controller.rb b/app/controllers/wallet_controller.rb
index a7920d4..07de29b 100644
--- a/app/controllers/wallet_controller.rb
+++ b/app/controllers/wallet_controller.rb
@@ -78,6 +78,7 @@ class WalletController < ApplicationController
         tx["received"] = true
       else
         tx["amount_sats"] = tx["value"] || tx["amt"]
+        tx["fee"] = tx["type"] == "paid_invoice" ? tx["fee"] : nil
         tx["datetime"] = Time.at(tx["timestamp"].to_i)
         tx["title"] = tx["type"] == "paid_invoice" ? "Sent" : "Received"
         tx["description"] = tx["memo"] || tx["description"]
diff --git a/app/views/wallet/transactions.html.erb b/app/views/wallet/transactions.html.erb
index 44859e3..5ebc2cc 100644
--- a/app/views/wallet/transactions.html.erb
+++ b/app/views/wallet/transactions.html.erb
@@ -35,7 +35,8 @@
             </p>
             <p class="col-span-4 md:col-span-1 md:text-right mb-0">
               <span class="col-span-2 md:col-span-1 text-sm text-gray-500">
-                <%= tx["datetime"].strftime("%B %e, %H:%M") %>
+                <%= tx["datetime"].strftime("%B %e, %H:%M") -%>
+                <% if tx["fee"] && (tx["fee"] > 0) %>, Fee: <%= tx["fee"] %> sats<% end %>
               </span>
             </p>
           </li>

From 67a9fc02d77b2c0b668b21973565bbc7eb6d3907 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 1 May 2023 16:13:41 +0200
Subject: [PATCH 04/47] Rename Wallet to Lightning Network, move to Services

---
 app/controllers/dashboard_controller.rb            |  2 +-
 .../lightning_controller.rb}                       |  4 ++--
 app/views/dashboard/index.html.erb                 |  4 ++--
 .../lightning_sats_received.text.erb               |  2 +-
 .../{wallet => services/lightning}/index.html.erb  |  4 ++--
 .../lightning}/transactions.html.erb               |  4 ++--
 app/views/shared/_main_nav.html.erb                |  8 +++-----
 app/views/shared/_tabnav_lightning.html.erb        | 14 ++++++++++++++
 app/views/shared/_tabnav_wallet.html.erb           | 14 --------------
 config/routes.rb                                   |  8 ++++++++
 10 files changed, 35 insertions(+), 29 deletions(-)
 rename app/controllers/{wallet_controller.rb => services/lightning_controller.rb} (96%)
 rename app/views/{wallet => services/lightning}/index.html.erb (97%)
 rename app/views/{wallet => services/lightning}/transactions.html.erb (95%)
 create mode 100644 app/views/shared/_tabnav_lightning.html.erb
 delete mode 100644 app/views/shared/_tabnav_wallet.html.erb

diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 49c0764..3f9c14e 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -2,6 +2,6 @@ class DashboardController < ApplicationController
   before_action :require_user_signed_in
 
   def index
-    @current_section = :dashboard
+    @current_section = :services
   end
 end
diff --git a/app/controllers/wallet_controller.rb b/app/controllers/services/lightning_controller.rb
similarity index 96%
rename from app/controllers/wallet_controller.rb
rename to app/controllers/services/lightning_controller.rb
index 07de29b..a6b7381 100644
--- a/app/controllers/wallet_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -1,6 +1,6 @@
 require "rqrcode"
 
-class WalletController < ApplicationController
+class Services::LightningController < ApplicationController
   before_action :require_user_signed_in
   before_action :authenticate_with_lndhub
   before_action :set_current_section
@@ -42,7 +42,7 @@ class WalletController < ApplicationController
   end
 
   def set_current_section
-    @current_section = :wallet
+    @current_section = :services
   end
 
   def fetch_balance
diff --git a/app/views/dashboard/index.html.erb b/app/views/dashboard/index.html.erb
index 9e24f78..8b90fc0 100644
--- a/app/views/dashboard/index.html.erb
+++ b/app/views/dashboard/index.html.erb
@@ -43,9 +43,9 @@
       <div class="border border-gray-300 rounded-md hover:border-gray-400
                   bg-cover bg-center sm:bg-[center_top_-140px] bg-no-repeat
                   bg-[url(/img/logos/icon_lightning.svg)]">
-        <%= link_to wallet_path,
+        <%= link_to services_lightning_index_path,
               class: "block h-full px-6 py-6 rounded-md" do %>
-          <h3 class="mb-3.5">Wallet</h3>
+          <h3 class="mb-3.5">Lightning Network</h3>
           <p class="text-gray-600">
             Send and receive sats over the Bitcoin Lightning Network
           </p>
diff --git a/app/views/notification_mailer/lightning_sats_received.text.erb b/app/views/notification_mailer/lightning_sats_received.text.erb
index 1e122d4..22becf6 100644
--- a/app/views/notification_mailer/lightning_sats_received.text.erb
+++ b/app/views/notification_mailer/lightning_sats_received.text.erb
@@ -1,3 +1,3 @@
 You just received <%= number_with_delimiter @amount_sats %> sats in your Lightning account (<%= @user.address %>). Check your wallet app, or open the account page for details:
 
-<%= wallet_transactions_url %>
+<%= transactions_lightning_index_url %>
diff --git a/app/views/wallet/index.html.erb b/app/views/services/lightning/index.html.erb
similarity index 97%
rename from app/views/wallet/index.html.erb
rename to app/views/services/lightning/index.html.erb
index 4a4a37f..fda9558 100644
--- a/app/views/wallet/index.html.erb
+++ b/app/views/services/lightning/index.html.erb
@@ -1,9 +1,9 @@
-<%= render HeaderComponent.new(title: "Wallet") %>
+<%= render HeaderComponent.new(title: "Lightning Network") %>
 
 <%= render MainSimpleComponent.new do %>
   <%= render WalletSummaryComponent.new(balance: @balance) %>
 
-  <%= render partial: "shared/tabnav_wallet" %>
+  <%= render partial: "shared/tabnav_lightning" %>
 
   <section>
     <h3>Lightning Address</h3>
diff --git a/app/views/wallet/transactions.html.erb b/app/views/services/lightning/transactions.html.erb
similarity index 95%
rename from app/views/wallet/transactions.html.erb
rename to app/views/services/lightning/transactions.html.erb
index 5ebc2cc..cba8d3b 100644
--- a/app/views/wallet/transactions.html.erb
+++ b/app/views/services/lightning/transactions.html.erb
@@ -1,9 +1,9 @@
-<%= render HeaderComponent.new(title: "Wallet") %>
+<%= render HeaderComponent.new(title: "Lightning Network") %>
 
 <%= render MainSimpleComponent.new do %>
   <%= render WalletSummaryComponent.new(balance: @balance) %>
 
-  <%= render partial: "shared/tabnav_wallet" %>
+  <%= render partial: "shared/tabnav_lightning" %>
 
   <section>
     <h3 class="hidden">Transactions</h3>
diff --git a/app/views/shared/_main_nav.html.erb b/app/views/shared/_main_nav.html.erb
index 7f5ee02..7fb011b 100644
--- a/app/views/shared/_main_nav.html.erb
+++ b/app/views/shared/_main_nav.html.erb
@@ -1,10 +1,8 @@
 <%= link_to "Services", root_path,
-      class: main_nav_class(@current_section, :dashboard) %>
-<%= link_to "Contributions", contributions_donations_path,
-      class: main_nav_class(@current_section, :contributions) %>
+      class: main_nav_class(@current_section, :services) %>
 <%= link_to "Invitations", invitations_path,
       class: main_nav_class(@current_section, :invitations) %>
-<%= link_to "Wallet", wallet_path,
-      class: main_nav_class(@current_section, :wallet) %>
+<%= link_to "Contributions", contributions_donations_path,
+      class: main_nav_class(@current_section, :contributions) %>
 <%= link_to "Settings", settings_path,
       class: main_nav_class(@current_section, :settings) %>
diff --git a/app/views/shared/_tabnav_lightning.html.erb b/app/views/shared/_tabnav_lightning.html.erb
new file mode 100644
index 0000000..b9f6f09
--- /dev/null
+++ b/app/views/shared/_tabnav_lightning.html.erb
@@ -0,0 +1,14 @@
+<section>
+  <div class="border-b border-gray-200">
+    <nav class="-mb-px flex" aria-label="Tabs">
+      <%= render TabnavLinkComponent.new(
+        name: "Info", path: services_lightning_index_path,
+        active: current_page?(services_lightning_index_path)
+      ) %>
+      <%= render TabnavLinkComponent.new(
+        name: "Transactions", path: transactions_services_lightning_index_path,
+        active: current_page?(transactions_services_lightning_index_path)
+      ) %>
+    </nav>
+  </div>
+</section>
diff --git a/app/views/shared/_tabnav_wallet.html.erb b/app/views/shared/_tabnav_wallet.html.erb
deleted file mode 100644
index abdc5ad..0000000
--- a/app/views/shared/_tabnav_wallet.html.erb
+++ /dev/null
@@ -1,14 +0,0 @@
-<section>
-  <div class="border-b border-gray-200">
-    <nav class="-mb-px flex" aria-label="Tabs">
-      <%= render TabnavLinkComponent.new(
-        name: "Info", path: wallet_path,
-        active: current_page?(wallet_path)
-      ) %>
-      <%= render TabnavLinkComponent.new(
-        name: "Transactions", path: wallet_transactions_path,
-        active: current_page?(wallet_transactions_path)
-      ) %>
-    </nav>
-  </div>
-</section>
diff --git a/config/routes.rb b/config/routes.rb
index fdc8454..be4195b 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -21,6 +21,14 @@ Rails.application.routes.draw do
   get 'wallet', to: 'wallet#index'
   get 'wallet/transactions', to: 'wallet#transactions'
 
+  namespace :services do
+    resources :lightning, only: [:index] do
+      collection do
+        get 'transactions'
+      end
+    end
+  end
+
   resources :settings, param: 'section', only: ['index', 'show', 'update'] do
     collection do
       post 'reset_password'

From f1ae5667de679dae33f608a409eecb203bfe4e43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 3 May 2023 12:51:22 +0200
Subject: [PATCH 05/47] Shape tx details UI a bit

---
 app/views/services/lightning/transactions.html.erb | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/views/services/lightning/transactions.html.erb b/app/views/services/lightning/transactions.html.erb
index cba8d3b..0f11698 100644
--- a/app/views/services/lightning/transactions.html.erb
+++ b/app/views/services/lightning/transactions.html.erb
@@ -27,7 +27,7 @@
             <p class="col-span-2 md:col-span-1 mb-0 text-right">
               <span class="text-xl font-mono <%= tx["received"] ? "text-emerald-600" : "" %>">
                 <%= tx["received"] ? "+" : "" %><%= number_with_delimiter tx["amount_sats"]  %>
-                <span class="hidden md:inline">sats</span>
+                <span class="text-base md:text-lg">sats</span>
               </span>
             </p>
             <p class="col-span-4 md:col-span-3 mb-0 text-gray-500">
@@ -36,7 +36,9 @@
             <p class="col-span-4 md:col-span-1 md:text-right mb-0">
               <span class="col-span-2 md:col-span-1 text-sm text-gray-500">
                 <%= tx["datetime"].strftime("%B %e, %H:%M") -%>
-                <% if tx["fee"] && (tx["fee"] > 0) %>, Fee: <%= tx["fee"] %> sats<% end %>
+                <% if tx["fee"] && (tx["fee"] > 0) %>
+                  ~ Fee: <%= pluralize tx["fee"], "sat" %>
+                <% end %>
               </span>
             </p>
           </li>

From ce7387a409fcbd4a653862e165865a672c5418d9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 3 May 2023 21:54:33 +0200
Subject: [PATCH 06/47] Remove obsolete routes

---
 config/routes.rb | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/config/routes.rb b/config/routes.rb
index be4195b..c8dd8a4 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -18,9 +18,6 @@ Rails.application.routes.draw do
 
   resources :invitations, only: ['index', 'show', 'create', 'destroy']
 
-  get 'wallet', to: 'wallet#index'
-  get 'wallet/transactions', to: 'wallet#transactions'
-
   namespace :services do
     resources :lightning, only: [:index] do
       collection do

From 90480523183df0e685509e5f2851036df7b9eb14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 16 May 2023 13:22:44 +0200
Subject: [PATCH 07/47] Fix URL in email template

---
 app/views/notification_mailer/lightning_sats_received.text.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/notification_mailer/lightning_sats_received.text.erb b/app/views/notification_mailer/lightning_sats_received.text.erb
index 22becf6..befb2f7 100644
--- a/app/views/notification_mailer/lightning_sats_received.text.erb
+++ b/app/views/notification_mailer/lightning_sats_received.text.erb
@@ -1,3 +1,3 @@
 You just received <%= number_with_delimiter @amount_sats %> sats in your Lightning account (<%= @user.address %>). Check your wallet app, or open the account page for details:
 
-<%= transactions_lightning_index_url %>
+<%= transactions_services_lightning_index_url %>

From 287adbd36597c57b702c2c8e94b1fde14a2dd5c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 23 May 2023 14:09:35 +0200
Subject: [PATCH 08/47] Add flipper gem and database migration/tables

---
 Gemfile                                       |  2 ++
 Gemfile.lock                                  |  7 ++++++
 .../20230523120753_create_flipper_tables.rb   | 22 +++++++++++++++++++
 db/schema.rb                                  | 18 ++++++++++++++-
 4 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 db/migrate/20230523120753_create_flipper_tables.rb

diff --git a/Gemfile b/Gemfile
index 1b6704e..fc00335 100644
--- a/Gemfile
+++ b/Gemfile
@@ -40,6 +40,8 @@ gem 'net-ldap'
 gem "rqrcode", "~> 2.0"
 gem 'rails-settings-cached', '~> 2.8.3'
 gem 'pagy', '~> 6.0', '>= 6.0.2'
+gem 'flipper'
+gem 'flipper-active_record'
 
 # HTTP requests
 gem 'faraday'
diff --git a/Gemfile.lock b/Gemfile.lock
index 2d92414..24d410b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -128,6 +128,11 @@ GEM
       ruby2_keywords (>= 0.0.4)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
+    flipper (0.28.0)
+      concurrent-ruby (< 2)
+    flipper-active_record (0.28.0)
+      activerecord (>= 4.2, < 8)
+      flipper (~> 0.28.0)
     fugit (1.7.2)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
@@ -374,6 +379,8 @@ DEPENDENCIES
   factory_bot_rails
   faker
   faraday
+  flipper
+  flipper-active_record
   importmap-rails
   jbuilder (~> 2.7)
   letter_opener
diff --git a/db/migrate/20230523120753_create_flipper_tables.rb b/db/migrate/20230523120753_create_flipper_tables.rb
new file mode 100644
index 0000000..b07fd68
--- /dev/null
+++ b/db/migrate/20230523120753_create_flipper_tables.rb
@@ -0,0 +1,22 @@
+class CreateFlipperTables < ActiveRecord::Migration[7.0]
+  def self.up
+    create_table :flipper_features do |t|
+      t.string :key, null: false
+      t.timestamps null: false
+    end
+    add_index :flipper_features, :key, unique: true
+
+    create_table :flipper_gates do |t|
+      t.string :feature_key, null: false
+      t.string :key, null: false
+      t.string :value
+      t.timestamps null: false
+    end
+    add_index :flipper_gates, [:feature_key, :key, :value], unique: true
+  end
+
+  def self.down
+    drop_table :flipper_gates
+    drop_table :flipper_features
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 1a85f04..7f06b96 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_04_03_135149) do
+ActiveRecord::Schema[7.0].define(version: 2023_05_23_120753) do
   create_table "donations", force: :cascade do |t|
     t.integer "user_id"
     t.integer "amount_sats"
@@ -23,6 +23,22 @@ ActiveRecord::Schema[7.0].define(version: 2023_04_03_135149) do
     t.index ["user_id"], name: "index_donations_on_user_id"
   end
 
+  create_table "flipper_features", force: :cascade do |t|
+    t.string "key", null: false
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["key"], name: "index_flipper_features_on_key", unique: true
+  end
+
+  create_table "flipper_gates", force: :cascade do |t|
+    t.string "feature_key", null: false
+    t.string "key", null: false
+    t.string "value"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["feature_key", "key", "value"], name: "index_flipper_gates_on_feature_key_and_key_and_value", unique: true
+  end
+
   create_table "invitations", force: :cascade do |t|
     t.string "token"
     t.integer "user_id"

From c58358c66e14e3aaeb16e0f3d2cb9de46cb68472 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 23 May 2023 18:51:29 +0200
Subject: [PATCH 09/47] Add feature flags, RS dashboard dummy

closes #124
refs #94
---
 Gemfile                                       |  1 +
 Gemfile.lock                                  | 12 ++++++++
 README.md                                     |  4 +++
 .../services/remotestorage_controller.rb      | 30 +++++++++++++++++++
 app/views/admin/users/show.html.erb           |  4 +++
 app/views/dashboard/index.html.erb            | 11 +++++++
 .../services/remotestorage/dashboard.html.erb |  7 +++++
 config/routes.rb                              |  3 ++
 8 files changed, 72 insertions(+)
 create mode 100644 app/controllers/services/remotestorage_controller.rb
 create mode 100644 app/views/services/remotestorage/dashboard.html.erb

diff --git a/Gemfile b/Gemfile
index fc00335..3445c32 100644
--- a/Gemfile
+++ b/Gemfile
@@ -42,6 +42,7 @@ gem 'rails-settings-cached', '~> 2.8.3'
 gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
+gem 'flipper-ui'
 
 # HTTP requests
 gem 'faraday'
diff --git a/Gemfile.lock b/Gemfile.lock
index 24d410b..9a37e04 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -133,6 +133,12 @@ GEM
     flipper-active_record (0.28.0)
       activerecord (>= 4.2, < 8)
       flipper (~> 0.28.0)
+    flipper-ui (0.28.0)
+      erubi (>= 1.0.0, < 2.0.0)
+      flipper (~> 0.28.0)
+      rack (>= 1.4, < 3)
+      rack-protection (>= 1.5.3, <= 4.0.0)
+      sanitize (< 7)
     fugit (1.7.2)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
@@ -204,6 +210,8 @@ GEM
     raabro (1.4.0)
     racc (1.6.0)
     rack (2.2.4)
+    rack-protection (3.0.6)
+      rack
     rack-test (2.0.2)
       rack (>= 1.3)
     rails (7.0.4)
@@ -288,6 +296,9 @@ GEM
     ruby2_keywords (0.0.5)
     rufus-scheduler (3.8.2)
       fugit (~> 1.1, >= 1.1.6)
+    sanitize (6.0.1)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.12.0)
     sentry-rails (5.8.0)
       railties (>= 5.0)
       sentry-ruby (~> 5.8.0)
@@ -381,6 +392,7 @@ DEPENDENCIES
   faraday
   flipper
   flipper-active_record
+  flipper-ui
   importmap-rails
   jbuilder (~> 2.7)
   letter_opener
diff --git a/README.md b/README.md
index 90fec7f..df1a1e9 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,10 @@ command:
 * [Sidekiq](https://github.com/mperham/sidekiq/wiki/)
 * [ActiveJob](https://github.com/mperham/sidekiq/wiki/Active-Job)
 
+### Feature Flags
+
+* [Flipper](https://www.flippercloud.io/docs/get-started/self-hosted)
+
 ## License
 
 [GNU Affero General Public License v3.0](https://choosealicense.com/licenses/agpl-3.0/)
diff --git a/app/controllers/services/remotestorage_controller.rb b/app/controllers/services/remotestorage_controller.rb
new file mode 100644
index 0000000..231e359
--- /dev/null
+++ b/app/controllers/services/remotestorage_controller.rb
@@ -0,0 +1,30 @@
+class Services::RemotestorageController < ApplicationController
+  before_action :require_user_signed_in
+  before_action :require_service_enabled
+  before_action :require_feature_enabled
+  before_action :set_current_section
+
+  def dashboard
+    # unless current_user.services_enabled.include?(:remotestorage)
+    #   redirect_to service_remotestorage_info_path
+    # end
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:remotestorage, current_user)
+        http_status :forbidden
+      end
+    end
+
+    def require_service_enabled
+      unless Setting.remotestorage_enabled?
+        http_status :not_found
+      end
+    end
+
+    def set_current_section
+      @current_section = :services
+    end
+end
diff --git a/app/views/admin/users/show.html.erb b/app/views/admin/users/show.html.erb
index 42c7963..9a95e23 100644
--- a/app/views/admin/users/show.html.erb
+++ b/app/views/admin/users/show.html.erb
@@ -6,6 +6,10 @@
       <h3>Account</h3>
       <table class="divided">
         <tbody>
+          <tr>
+            <th>ID</th>
+            <td><%= @user.id %></td>
+          </tr>
           <tr>
             <th>Created at</th>
             <td><%= @user.created_at.strftime("%Y-%m-%d (%H:%M UTC)") %></td>
diff --git a/app/views/dashboard/index.html.erb b/app/views/dashboard/index.html.erb
index 8b90fc0..8ebbec3 100644
--- a/app/views/dashboard/index.html.erb
+++ b/app/views/dashboard/index.html.erb
@@ -73,6 +73,17 @@
           </p>
         <% end %>
       </div>
+      <% if Setting.remotestorage_enabled? && Flipper.enabled?(:remotestorage, current_user) %>
+        <div class="border border-gray-300 rounded-md hover:border-gray-400">
+          <%= link_to services_storage_path,
+                class: "block h-full px-6 py-6 rounded-md" do %>
+            <h3 class="mb-3.5">Storage</h3>
+            <p class="text-gray-600">
+              Sync your data between apps and devices
+            </p>
+          <% end %>
+        </div>
+      <% end %>
       <!-- <div class="border border&#45;gray&#45;300 rounded&#45;md hover:border&#45;gray&#45;400 -->
       <!--             bg&#45;[length:80%] bg&#45;[right_top_&#45;30px] bg&#45;no&#45;repeat -->
       <!--             bg&#45;[url(/img/logos/icon_mastodon.svg)]"> -->
diff --git a/app/views/services/remotestorage/dashboard.html.erb b/app/views/services/remotestorage/dashboard.html.erb
new file mode 100644
index 0000000..f6b0932
--- /dev/null
+++ b/app/views/services/remotestorage/dashboard.html.erb
@@ -0,0 +1,7 @@
+<%= render HeaderComponent.new(title: "Storage") %>
+
+<%= render MainSimpleComponent.new do %>
+  <section>
+    <h3>Feature enabled</h3>
+  </section>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index c8dd8a4..e08f097 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -19,6 +19,8 @@ Rails.application.routes.draw do
   resources :invitations, only: ['index', 'show', 'create', 'destroy']
 
   namespace :services do
+    get 'storage', to: 'remotestorage#dashboard'
+
     resources :lightning, only: [:index] do
       collection do
         get 'transactions'
@@ -62,6 +64,7 @@ Rails.application.routes.draw do
 
   authenticate :user, ->(user) { user.is_admin? } do
     mount Sidekiq::Web => '/sidekiq'
+    mount Flipper::UI.app(Flipper) => '/flipper'
   end
 
   # Letter Opener (open "sent" emails in dev and staging)

From 61f12c274162b8b051bddc48ebb7037c3d8fbeeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:53:16 +0200
Subject: [PATCH 10/47] Improve form fields with errors for model updates

---
 app/assets/stylesheets/components/buttons.css | 4 ----
 app/assets/stylesheets/components/forms.css   | 9 +++++----
 config/initializers/field_with_errors.rb      | 9 +++++++++
 3 files changed, 14 insertions(+), 8 deletions(-)
 create mode 100644 config/initializers/field_with_errors.rb

diff --git a/app/assets/stylesheets/components/buttons.css b/app/assets/stylesheets/components/buttons.css
index 5da9116..c50d071 100644
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@@ -32,8 +32,4 @@
     @apply bg-red-600 hover:bg-red-700 text-white
            focus:ring-red-500 focus:ring-opacity-75;
   }
-
-  input[type=text]:disabled {
-    @apply text-gray-700;
-  }
 }
diff --git a/app/assets/stylesheets/components/forms.css b/app/assets/stylesheets/components/forms.css
index 633c293..46f1df9 100644
--- a/app/assets/stylesheets/components/forms.css
+++ b/app/assets/stylesheets/components/forms.css
@@ -6,12 +6,13 @@
            focus:ring-blue-600 focus:ring-opacity-75;
   }
 
-  .field_with_errors {
-    @apply inline-block;
+  input[type=text]:disabled,
+  input[type=email]:disabled {
+    @apply text-gray-700;
   }
 
-  .field_with_errors input {
-    @apply w-full bg-red-100;
+  input.field_with_errors {
+    @apply border-b-red-600;
   }
 
   .error-msg {
diff --git a/config/initializers/field_with_errors.rb b/config/initializers/field_with_errors.rb
new file mode 100644
index 0000000..3652aa9
--- /dev/null
+++ b/config/initializers/field_with_errors.rb
@@ -0,0 +1,9 @@
+ActionView::Base.field_error_proc = Proc.new do |html_tag, instance|
+  if html_tag.match('class')
+    html_tag.gsub(/class="(.*?)"/, 'class="\1 field_with_errors"').html_safe
+  else
+    parts = html_tag.split('>', 2)
+    parts[0] += ' class="field_with_errors">'
+    (parts[0] + parts[1]).html_safe
+  end
+end

From 7b321577dba5e47b914e29a7949981260fa01250 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:55:27 +0200
Subject: [PATCH 11/47] Update LDAP mail attribute when re-confirming email

---
 app/models/user.rb                        | 16 +++++++++++-----
 app/services/ldap_manager/update_email.rb | 12 ++++++++++++
 app/services/ldap_manager_service.rb      |  2 ++
 3 files changed, 25 insertions(+), 5 deletions(-)
 create mode 100644 app/services/ldap_manager/update_email.rb
 create mode 100644 app/services/ldap_manager_service.rb

diff --git a/app/models/user.rb b/app/models/user.rb
index 4945d6e..93b7a5d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -58,13 +58,19 @@ class User < ApplicationRecord
   end
 
   def devise_after_confirmation
-    enable_service %w[ discourse gitea mediawiki xmpp ]
+    if ldap_entry[:mail] != self.email
+      # E-Mail update confirmed
+      LdapManager::UpdateEmail.call(self.dn, self.email)
+    else
+      # E-Mail from signup confirmed (i.e. account activation)
+      enable_service %w[ discourse gitea mediawiki xmpp ]
 
-    #TODO enable in development when we have easy setup of ejabberd etc.
-    return if Rails.env.development? || !Setting.ejabberd_enabled?
+      #TODO enable in development when we have easy setup of ejabberd etc.
+      return if Rails.env.development? || !Setting.ejabberd_enabled?
 
-    XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
-    XmppSetDefaultBookmarksJob.perform_later(self)
+      XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
+      XmppSetDefaultBookmarksJob.perform_later(self)
+    end
   end
 
   def send_devise_notification(notification, *args)
diff --git a/app/services/ldap_manager/update_email.rb b/app/services/ldap_manager/update_email.rb
new file mode 100644
index 0000000..5acd77f
--- /dev/null
+++ b/app/services/ldap_manager/update_email.rb
@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateEmail < LdapManagerService
+    def initialize(dn, address)
+      @dn = dn
+      @address = address
+    end
+
+    def call
+      replace_attribute @dn, :mail, [ @address ]
+    end
+  end
+end
diff --git a/app/services/ldap_manager_service.rb b/app/services/ldap_manager_service.rb
new file mode 100644
index 0000000..0f43e32
--- /dev/null
+++ b/app/services/ldap_manager_service.rb
@@ -0,0 +1,2 @@
+class LdapManagerService < LdapService
+end

From 33a9e1eaa9a9613a549ceea8b196ea80ed50e09a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:56:40 +0200
Subject: [PATCH 12/47] Use username instead of email in Devise mails

---
 app/views/devise/mailer/confirmation_instructions.html.erb   | 4 ++--
 app/views/devise/mailer/email_changed.html.erb               | 2 +-
 app/views/devise/mailer/password_change.html.erb             | 2 +-
 app/views/devise/mailer/reset_password_instructions.html.erb | 2 +-
 app/views/devise/mailer/unlock_instructions.html.erb         | 2 +-
 5 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/views/devise/mailer/confirmation_instructions.html.erb b/app/views/devise/mailer/confirmation_instructions.html.erb
index dc55f64..7cfe815 100644
--- a/app/views/devise/mailer/confirmation_instructions.html.erb
+++ b/app/views/devise/mailer/confirmation_instructions.html.erb
@@ -1,5 +1,5 @@
-<p>Welcome <%= @email %>!</p>
+<p>Welcome <%= @resource.cn %>!</p>
 
-<p>You can confirm your account email through the link below:</p>
+<p>Please confirm your email address through the link below:</p>
 
 <p><%= link_to 'Confirm my account', confirmation_url(@resource, confirmation_token: @token) %></p>
diff --git a/app/views/devise/mailer/email_changed.html.erb b/app/views/devise/mailer/email_changed.html.erb
index 32f4ba8..26ac013 100644
--- a/app/views/devise/mailer/email_changed.html.erb
+++ b/app/views/devise/mailer/email_changed.html.erb
@@ -1,4 +1,4 @@
-<p>Hello <%= @email %>!</p>
+<p>Hello <%= @resource.cn %>!</p>
 
 <% if @resource.try(:unconfirmed_email?) %>
   <p>We're contacting you to notify you that your email is being changed to <%= @resource.unconfirmed_email %>.</p>
diff --git a/app/views/devise/mailer/password_change.html.erb b/app/views/devise/mailer/password_change.html.erb
index b41daf4..4793cbe 100644
--- a/app/views/devise/mailer/password_change.html.erb
+++ b/app/views/devise/mailer/password_change.html.erb
@@ -1,3 +1,3 @@
-<p>Hello <%= @resource.email %>!</p>
+<p>Hello <%= @resource.cn %>!</p>
 
 <p>We're contacting you to notify you that your password has been changed.</p>
diff --git a/app/views/devise/mailer/reset_password_instructions.html.erb b/app/views/devise/mailer/reset_password_instructions.html.erb
index f667dc1..d10b9dc 100644
--- a/app/views/devise/mailer/reset_password_instructions.html.erb
+++ b/app/views/devise/mailer/reset_password_instructions.html.erb
@@ -1,4 +1,4 @@
-<p>Hello <%= @resource.email %>!</p>
+<p>Hello <%= @resource.cn %>!</p>
 
 <p>Someone has requested a link to change your password. You can do this through the link below.</p>
 
diff --git a/app/views/devise/mailer/unlock_instructions.html.erb b/app/views/devise/mailer/unlock_instructions.html.erb
index 41e148b..c216377 100644
--- a/app/views/devise/mailer/unlock_instructions.html.erb
+++ b/app/views/devise/mailer/unlock_instructions.html.erb
@@ -1,4 +1,4 @@
-<p>Hello <%= @resource.email %>!</p>
+<p>Hello <%= @resource.cn %>!</p>
 
 <p>Your account has been locked due to an excessive number of unsuccessful sign in attempts.</p>
 

From 75bd879f8475f4ae7823eef57ed15b2579e79b0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:57:14 +0200
Subject: [PATCH 13/47] Rename settings menu item for Lightning

---
 app/views/shared/_sidenav_settings.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/shared/_sidenav_settings.html.erb b/app/views/shared/_sidenav_settings.html.erb
index 3d6c17e..3ebf8e1 100644
--- a/app/views/shared/_sidenav_settings.html.erb
+++ b/app/views/shared/_sidenav_settings.html.erb
@@ -14,7 +14,7 @@
 <% end %>
 <% if Setting.lndhub_enabled %>
 <%= render SidenavLinkComponent.new(
-  name: "Wallet", path: setting_path(:lightning), icon: "zap",
+  name: "Lightning", path: setting_path(:lightning), icon: "zap",
   active: current_page?(setting_path(:lightning))
 ) %>
 <% end %>

From b1a693e7cf3d7a7e47078a658423334422cb7fe8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:57:43 +0200
Subject: [PATCH 14/47] Send different Devise mail for re-confirmations

---
 app/mailers/devise/mailer.rb                  | 34 +++++++++++++++++++
 .../reconfirmation_instructions.html.erb      |  5 +++
 config/locales/devise.en.yml                  |  2 +-
 3 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 app/mailers/devise/mailer.rb
 create mode 100644 app/views/devise/mailer/reconfirmation_instructions.html.erb

diff --git a/app/mailers/devise/mailer.rb b/app/mailers/devise/mailer.rb
new file mode 100644
index 0000000..3ff2bb3
--- /dev/null
+++ b/app/mailers/devise/mailer.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+if defined?(ActionMailer)
+  class Devise::Mailer < Devise.parent_mailer.constantize
+    include Devise::Mailers::Helpers
+
+    def confirmation_instructions(record, token, opts = {})
+      @token = token
+      if record.pending_reconfirmation?
+        devise_mail(record, :reconfirmation_instructions, opts)
+      else
+        devise_mail(record, :confirmation_instructions, opts)
+      end
+    end
+
+    def reset_password_instructions(record, token, opts = {})
+      @token = token
+      devise_mail(record, :reset_password_instructions, opts)
+    end
+
+    def unlock_instructions(record, token, opts = {})
+      @token = token
+      devise_mail(record, :unlock_instructions, opts)
+    end
+
+    def email_changed(record, opts = {})
+      devise_mail(record, :email_changed, opts)
+    end
+
+    def password_change(record, opts = {})
+      devise_mail(record, :password_change, opts)
+    end
+  end
+end
diff --git a/app/views/devise/mailer/reconfirmation_instructions.html.erb b/app/views/devise/mailer/reconfirmation_instructions.html.erb
new file mode 100644
index 0000000..2897428
--- /dev/null
+++ b/app/views/devise/mailer/reconfirmation_instructions.html.erb
@@ -0,0 +1,5 @@
+<p>Hello <%= @resource.cn %>,</p>
+
+<p>Please confirm your new email address through the link below:</p>
+
+<p><%= link_to 'Confirm my address', confirmation_url(@resource, confirmation_token: @token) %></p>
diff --git a/config/locales/devise.en.yml b/config/locales/devise.en.yml
index 9003184..f696f4d 100644
--- a/config/locales/devise.en.yml
+++ b/config/locales/devise.en.yml
@@ -3,7 +3,7 @@
 en:
   devise:
     confirmations:
-      confirmed: "Thanks for confirming your email address! Your account has been activated."
+      confirmed: "Thanks for confirming your email address."
       send_instructions: "You will receive an email with instructions for how to confirm your email address in a moment."
       send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes."
     failure:

From 134c81460a9aca1e25462413cc2019c4a934c019 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 16:58:53 +0200
Subject: [PATCH 15/47] Allow email address updates on account settings page

---
 app/controllers/settings_controller.rb        | 25 ++++++++-
 .../settings/account/email_controller.js      | 27 +++++++++
 app/views/icons/_edit-2.html.erb              |  2 +-
 app/views/icons/_edit-3.html.erb              |  2 +-
 app/views/icons/_edit.html.erb                |  2 +-
 app/views/settings/_account.html.erb          | 49 ++++++++++++++---
 config/routes.rb                              |  1 +
 spec/features/settings/account_spec.rb        | 55 +++++++++++++++++++
 spec/models/user_spec.rb                      | 42 ++++++++++++--
 9 files changed, 188 insertions(+), 17 deletions(-)
 create mode 100644 app/javascript/controllers/settings/account/email_controller.js
 create mode 100644 spec/features/settings/account_spec.rb

diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index c5bd8f8..d9f5979 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -1,7 +1,7 @@
 class SettingsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_main_nav_section
-  before_action :set_settings_section, only: ['show', 'update']
+  before_action :set_settings_section, only: [:show, :update, :update_email]
 
   def index
     redirect_to setting_path(:profile)
@@ -21,6 +21,25 @@ class SettingsController < ApplicationController
     }
   end
 
+  def update_email
+    if current_user.valid_ldap_authentication?(email_params[:current_password])
+      current_user.email = email_params[:email]
+
+      if current_user.update email: email_params[:email]
+        redirect_to setting_path(:account), flash: {
+          notice: 'Please confirm your new address using the confirmation link we just sent you.'
+        }
+      else
+        @validation_errors = current_user.errors
+        render :show, status: :unprocessable_entity
+      end
+    else
+      redirect_to setting_path(:account), flash: {
+        error: 'Password did not match your current password. Try again.'
+      }
+    end
+  end
+
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -49,4 +68,8 @@ class SettingsController < ApplicationController
       :xmpp_exchange_contacts_with_invitees
     ])
   end
+
+  def email_params
+    params.require(:user).permit(:email, :current_password)
+  end
 end
diff --git a/app/javascript/controllers/settings/account/email_controller.js b/app/javascript/controllers/settings/account/email_controller.js
new file mode 100644
index 0000000..fc5763d
--- /dev/null
+++ b/app/javascript/controllers/settings/account/email_controller.js
@@ -0,0 +1,27 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "emailField", "editEmailButton" ]
+  static values = { validationFailed: Boolean }
+
+  connect () {
+    if (this.validationFailedValue) return;
+
+    this.emailFieldTarget.disabled = true;
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+
+  editEmail (evt) {
+    this.emailFieldTarget.disabled = false;
+    this.emailFieldTarget.select();
+    this.editEmailButtonTarget.classList.add("hidden");
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+}
diff --git a/app/views/icons/_edit-2.html.erb b/app/views/icons/_edit-2.html.erb
index 06830c9..736b6c8 100644
--- a/app/views/icons/_edit-2.html.erb
+++ b/app/views/icons/_edit-2.html.erb
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit-2"><path d="M17 3a2.828 2.828 0 1 1 4 4L7.5 20.5 2 22l1.5-5.5L17 3z"></path></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit-2 <%= custom_class %>"><path d="M17 3a2.828 2.828 0 1 1 4 4L7.5 20.5 2 22l1.5-5.5L17 3z"></path></svg>
diff --git a/app/views/icons/_edit-3.html.erb b/app/views/icons/_edit-3.html.erb
index d728efc..0473c82 100644
--- a/app/views/icons/_edit-3.html.erb
+++ b/app/views/icons/_edit-3.html.erb
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit-3"><path d="M12 20h9"></path><path d="M16.5 3.5a2.121 2.121 0 0 1 3 3L7 19l-4 1 1-4L16.5 3.5z"></path></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit-3 <%= custom_class %>"><path d="M12 20h9"></path><path d="M16.5 3.5a2.121 2.121 0 0 1 3 3L7 19l-4 1 1-4L16.5 3.5z"></path></svg>
diff --git a/app/views/icons/_edit.html.erb b/app/views/icons/_edit.html.erb
index ec7b4ca..62c65ee 100644
--- a/app/views/icons/_edit.html.erb
+++ b/app/views/icons/_edit.html.erb
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit"><path d="M11 4H4a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7"></path><path d="M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z"></path></svg>
\ No newline at end of file
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-edit <%= custom_class %>"><path d="M11 4H4a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7"></path><path d="M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z"></path></svg>
diff --git a/app/views/settings/_account.html.erb b/app/views/settings/_account.html.erb
index df0a2ad..426bfcc 100644
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -1,13 +1,44 @@
-<section>
+<%= tag.section data: {
+      controller: "settings--account--email",
+      "settings--account--email-validation-failed-value": @validation_errors.present?
+    } do %>
   <h3>E-Mail</h3>
-  <p class="mb-2">
-    <%= label :email, 'Address', class: 'font-bold' %>
-  </p>
-  <p class="flex gap-1 mb-2 sm:w-3/5">
-    <input type="text" id="email" class="grow"
-           value=<%= current_user.email %> disabled="disabled" />
-  </p>
-</section>
+  <%= form_for(current_user, url: update_email_settings_path, method: "post") do |f| %>
+    <%= hidden_field_tag :section, "account" %>
+    <p class="mb-2">
+      <%= f.label :email, 'Address', class: 'font-bold' %>
+    </p>
+    <p class="mb-2 flex gap-1 sm:w-3/5">
+      <%= f.email_field :email, class: "grow", data: {
+            'settings--account--email-target': 'emailField'
+          }, required: true %>
+      <button type="button" id="edit-email"
+              class="btn-md btn-icon btn-blue shrink-0 hidden initial-visible"
+              data-settings--account--email-target="editEmailButton"
+              data-action="settings--account--email#editEmail"
+              title="Edit email address">
+        <span class="">
+          <%= render partial: "icons/edit-3", locals: {
+                custom_class: "text-white h-4 w-4 inline" } %>
+        </span>
+      </button>
+    </p>
+    <% if @validation_errors.present? && @validation_errors[:email].present? %>
+      <p class="error-msg"><%= @validation_errors[:email].first %></p>
+    <% end %>
+    <div class="initial-hidden">
+      <p class="mt-4 mb-2">
+        <%= f.label :current_password, 'Current password', class: 'font-bold' %>
+      </p>
+      <p class="sm:w-3/5">
+        <%= f.password_field :current_password, class: "w-full", required: true %>
+      </p>
+      <p class="mt-6">
+        <%= f.submit "Update", class: "btn-md btn-blue" %>
+      </p>
+    </div>
+  <% end %>
+<% end %>
 <section>
   <h3>Password</h3>
   <p class="mb-8">Use the following button to request an email with a password reset link:</p>
diff --git a/config/routes.rb b/config/routes.rb
index c8dd8a4..a369bd3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -28,6 +28,7 @@ Rails.application.routes.draw do
 
   resources :settings, param: 'section', only: ['index', 'show', 'update'] do
     collection do
+      post 'update_email'
       post 'reset_password'
     end
   end
diff --git a/spec/features/settings/account_spec.rb b/spec/features/settings/account_spec.rb
new file mode 100644
index 0000000..b90777f
--- /dev/null
+++ b/spec/features/settings/account_spec.rb
@@ -0,0 +1,55 @@
+require 'rails_helper'
+
+RSpec.describe 'Account settings', type: :feature do
+  let(:user) { create :user }
+  let(:geraint) { create :user, id: 2, cn: 'geraint', email: "lamagliarosa@example.com" }
+
+  before do
+    login_as user, :scope => :user
+    geraint.save!
+
+    allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
+      .with("invalid password").and_return(false)
+    allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
+      .with("valid password").and_return(true)
+  end
+
+  scenario 'Update email address fails with invalid password' do
+    visit setting_path(:account)
+    fill_in 'Address', with: "lamagliarosa@example.com"
+    fill_in 'Current password', with: "invalid password"
+    click_button "Update"
+
+    expect(current_url).to eq(setting_url(:account))
+    expect(user.reload.unconfirmed_email).to be_nil
+    within ".flash-msg" do
+      expect(page).to have_content("did not match your current password")
+    end
+  end
+
+  scenario 'Update email address fails when new address already taken' do
+    visit setting_path(:account)
+    fill_in 'Address', with: "lamagliarosa@example.com"
+    fill_in 'Current password', with: "valid password"
+    click_button "Update"
+
+    expect(current_url).to eq(setting_url(:update_email))
+    expect(user.reload.unconfirmed_email).to be_nil
+    within ".error-msg" do
+      expect(page).to have_content("has already been taken")
+    end
+  end
+
+  scenario 'Update email address works' do
+    visit setting_path(:account)
+    fill_in 'Address', with: "lamagliabianca@example.com"
+    fill_in 'Current password', with: "valid password"
+    click_button "Update"
+
+    expect(current_url).to eq(setting_url(:account))
+    expect(user.reload.unconfirmed_email).to eq("lamagliabianca@example.com")
+    within ".flash-msg" do
+      expect(page).to have_content("Please confirm your new address")
+    end
+  end
+end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 68677b7..8bd2382 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -103,9 +103,16 @@ RSpec.describe User, type: :model do
 
   describe "#devise_after_confirmation" do
     include ActiveJob::TestHelper
-    after { clear_enqueued_jobs }
 
-    let(:user) { create :user, cn: "willherschel", ou: "kosmos.org" }
+    let(:user) { create :user, cn: "willherschel", ou: "kosmos.org", email: "will@hrsch.el" }
+
+    before do
+      allow(user).to receive(:ldap_entry).and_return({
+        uid: "willherschel", ou: "kosmos.org", mail: "will@hrsch.el"
+      })
+    end
+
+    after { clear_enqueued_jobs }
 
     it "enables default services" do
       expect(user).to receive(:enable_service).with(%w[ discourse gitea mediawiki xmpp ])
@@ -124,10 +131,11 @@ RSpec.describe User, type: :model do
       let(:guest) { create :user, id: 2, cn: "isaacnewton", ou: "kosmos.org", email: "newt@example.com" }
 
       before do
-        # TODO remove when defaults are implemented
-        user.update! preferences: { xmpp_exchange_contacts_with_invitees: true }
         Invitation.create! user: user, invited_user_id: guest.id, used_at: DateTime.now
         allow_any_instance_of(User).to receive(:enable_service)
+        allow(guest).to receive(:ldap_entry).and_return({
+          uid: "isaacnewton", ou: "kosmos.org", mail: "newt@example.com"
+        })
       end
 
       it "enqueues jobs to exchange XMPP contacts between inviter and invitee" do
@@ -138,5 +146,31 @@ RSpec.describe User, type: :model do
         expect(job["arguments"][1]['_aj_globalid']).to eq('gid://akkounts/User/2')
       end
     end
+
+    context "for email address update of existing account" do
+      before do
+        allow(user).to receive(:ldap_entry)
+          .and_return({ uid: "willherschel", ou: "kosmos.org", mail: "willyboy@aol.com" })
+        allow(user).to receive(:dn)
+          .and_return("cn=willherschel,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
+        allow(LdapManager::UpdateEmail).to receive(:call)
+      end
+
+      it "updates the LDAP 'mail' attribute" do
+        expect(LdapManager::UpdateEmail).to receive(:call)
+          .with("cn=willherschel,ou=kosmos.org,cn=users,dc=kosmos,dc=org", "will@hrsch.el")
+        user.send :devise_after_confirmation
+      end
+
+      it "does not re-enable default services" do
+        expect(user).not_to receive(:enable_service)
+        user.send :devise_after_confirmation
+      end
+
+      it "does not enqueue any delayed jobs" do
+        user.send :devise_after_confirmation
+        expect(enqueued_jobs).to be_empty
+      end
+    end
   end
 end

From 193a4c2edd5e8e5f4ea47b0d3a0e4d008bddf67a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 25 May 2023 19:31:16 +0200
Subject: [PATCH 16/47] Remove obsolete function argument

---
 app/javascript/controllers/settings/account/email_controller.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/javascript/controllers/settings/account/email_controller.js b/app/javascript/controllers/settings/account/email_controller.js
index fc5763d..5967cfd 100644
--- a/app/javascript/controllers/settings/account/email_controller.js
+++ b/app/javascript/controllers/settings/account/email_controller.js
@@ -16,7 +16,7 @@ export default class extends Controller {
     })
   }
 
-  editEmail (evt) {
+  editEmail () {
     this.emailFieldTarget.disabled = false;
     this.emailFieldTarget.select();
     this.editEmailButtonTarget.classList.add("hidden");

From 32d19926322a07e1c4a9d8c79afc023e07210131 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 27 May 2023 19:58:59 +0200
Subject: [PATCH 17/47] Set user instance var for settings routes where needed

---
 app/controllers/settings_controller.rb | 14 +++++++-------
 app/views/settings/_account.html.erb   |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index d9f5979..01f56cd 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -2,17 +2,16 @@ class SettingsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_main_nav_section
   before_action :set_settings_section, only: [:show, :update, :update_email]
+  before_action :set_user, only: [:show, :update, :update_email]
 
   def index
     redirect_to setting_path(:profile)
   end
 
   def show
-    @user = current_user
   end
 
   def update
-    @user = current_user
     @user.preferences.merge! user_params[:preferences]
     @user.save!
 
@@ -22,15 +21,13 @@ class SettingsController < ApplicationController
   end
 
   def update_email
-    if current_user.valid_ldap_authentication?(email_params[:current_password])
-      current_user.email = email_params[:email]
-
-      if current_user.update email: email_params[:email]
+    if @user.valid_ldap_authentication?(email_params[:current_password])
+      if @user.update email: email_params[:email]
         redirect_to setting_path(:account), flash: {
           notice: 'Please confirm your new address using the confirmation link we just sent you.'
         }
       else
-        @validation_errors = current_user.errors
+        @validation_errors = @user.errors
         render :show, status: :unprocessable_entity
       end
     else
@@ -68,6 +65,9 @@ class SettingsController < ApplicationController
       :xmpp_exchange_contacts_with_invitees
     ])
   end
+    def set_user
+      @user = current_user
+    end
 
   def email_params
     params.require(:user).permit(:email, :current_password)
diff --git a/app/views/settings/_account.html.erb b/app/views/settings/_account.html.erb
index 426bfcc..cba8715 100644
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -3,7 +3,7 @@
       "settings--account--email-validation-failed-value": @validation_errors.present?
     } do %>
   <h3>E-Mail</h3>
-  <%= form_for(current_user, url: update_email_settings_path, method: "post") do |f| %>
+  <%= form_for(@user, url: update_email_settings_path, method: "post") do |f| %>
     <%= hidden_field_tag :section, "account" %>
     <p class="mb-2">
       <%= f.label :email, 'Address', class: 'font-bold' %>

From f74227fedbf44beb4636f24012508348d9d4eb37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 27 May 2023 19:59:49 +0200
Subject: [PATCH 18/47] Allow users to set/update their display name in LDAP

---
 app/controllers/settings_controller.rb        | 60 +++++++++++--------
 app/models/user.rb                            | 15 ++++-
 .../ldap_manager/update_display_name.rb       | 12 ++++
 app/services/ldap_manager/update_email.rb     |  2 +-
 app/services/ldap_service.rb                  |  3 +-
 app/views/settings/_account.html.erb          |  2 +-
 app/views/settings/_profile.html.erb          | 17 ++++--
 app/views/shared/_sidenav_settings.html.erb   |  8 +--
 config/routes.rb                              |  1 +
 9 files changed, 79 insertions(+), 41 deletions(-)
 create mode 100644 app/services/ldap_manager/update_display_name.rb

diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index 01f56cd..622b623 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -12,12 +12,21 @@ class SettingsController < ApplicationController
   end
 
   def update
-    @user.preferences.merge! user_params[:preferences]
-    @user.save!
+    @user.preferences.merge!(user_params[:preferences] || {})
+    @user.display_name = user_params[:display_name]
 
-    redirect_to setting_path(@settings_section), flash: {
-      success: 'Settings saved.'
-    }
+    if @user.save
+      if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
+        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+      end
+
+      redirect_to setting_path(@settings_section), flash: {
+        success: 'Settings saved.'
+      }
+    else
+      @validation_errors = @user.errors
+      render :show, status: :unprocessable_entity
+    end
   end
 
   def update_email
@@ -46,30 +55,31 @@ class SettingsController < ApplicationController
 
   private
 
-  def set_main_nav_section
-    @current_section = :settings
-  end
-
-  def set_settings_section
-    @settings_section = params[:section]
-    allowed_sections = [:profile, :account, :lightning, :xmpp]
-
-    unless allowed_sections.include?(@settings_section.to_sym)
-      redirect_to setting_path(:profile)
+    def set_main_nav_section
+      @current_section = :settings
+    end
+
+    def set_settings_section
+      @settings_section = params[:section]
+      allowed_sections = [:profile, :account, :lightning, :xmpp]
+
+      unless allowed_sections.include?(@settings_section.to_sym)
+        redirect_to setting_path(:profile)
+      end
     end
-  end
 
-  def user_params
-    params.require(:user).permit(preferences: [
-      :lightning_notify_sats_received,
-      :xmpp_exchange_contacts_with_invitees
-    ])
-  end
     def set_user
       @user = current_user
     end
 
-  def email_params
-    params.require(:user).permit(:email, :current_password)
-  end
+    def user_params
+      params.require(:user).permit(:display_name, preferences: [
+        :lightning_notify_sats_received,
+        :xmpp_exchange_contacts_with_invitees
+      ])
+    end
+
+    def email_params
+      params.require(:user).permit(:email, :current_password)
+    end
 end
diff --git a/app/models/user.rb b/app/models/user.rb
index 93b7a5d..07d1bbe 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1,6 +1,8 @@
 class User < ApplicationRecord
   include EmailValidatable
 
+  attr_accessor :display_name
+
   serialize :preferences, UserPreferences
 
   # Relations
@@ -17,7 +19,7 @@ class User < ApplicationRecord
   has_many :accounts, through: :lndhub_user
 
   validates_uniqueness_of :cn
-  validates_length_of :cn, :minimum => 3
+  validates_length_of :cn, minimum: 3
   validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
                            if: Proc.new{ |u| u.cn.present? },
                            message: "is invalid. Please use only letters, numbers and -"
@@ -31,6 +33,8 @@ class User < ApplicationRecord
   validates_uniqueness_of :email
   validates :email, email: true
 
+  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true
+
   scope :confirmed, -> { where.not(confirmed_at: nil) }
   scope :pending,   -> { where(confirmed_at: nil) }
 
@@ -115,8 +119,13 @@ class User < ApplicationRecord
     @dn = Devise::LDAP::Adapter.get_dn(self.cn)
   end
 
-  def ldap_entry
-    ldap.fetch_users(uid: self.cn, ou: self.ou).first
+  def ldap_entry(reload: false)
+    return @ldap_entry if defined?(@ldap_entry) && !reload
+    @ldap_entry = ldap.fetch_users(uid: self.cn, ou: self.ou).first
+  end
+
+  def display_name
+    @display_name ||= ldap_entry[:display_name]
   end
 
   def services_enabled
diff --git a/app/services/ldap_manager/update_display_name.rb b/app/services/ldap_manager/update_display_name.rb
new file mode 100644
index 0000000..2d3e90f
--- /dev/null
+++ b/app/services/ldap_manager/update_display_name.rb
@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateDisplayName < LdapManagerService
+    def initialize(dn, display_name)
+      @dn = dn
+      @display_name = display_name
+    end
+
+    def call
+      replace_attribute @dn, :displayName, @display_name
+    end
+  end
+end
diff --git a/app/services/ldap_manager/update_email.rb b/app/services/ldap_manager/update_email.rb
index 5acd77f..80f40e4 100644
--- a/app/services/ldap_manager/update_email.rb
+++ b/app/services/ldap_manager/update_email.rb
@@ -6,7 +6,7 @@ module LdapManager
     end
 
     def call
-      replace_attribute @dn, :mail, [ @address ]
+      replace_attribute @dn, :mail, @address
     end
   end
 end
diff --git a/app/services/ldap_service.rb b/app/services/ldap_service.rb
index 5a572c5..eac64c2 100644
--- a/app/services/ldap_service.rb
+++ b/app/services/ldap_service.rb
@@ -50,7 +50,7 @@ class LdapService < ApplicationService
       treebase = ldap_config["base"]
     end
 
-    attributes = %w{dn cn uid mail admin service}
+    attributes = %w{dn cn uid mail displayName admin service}
     filter     = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
 
     entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
@@ -59,6 +59,7 @@ class LdapService < ApplicationService
       {
         uid: e.uid.first,
         mail: e.try(:mail) ? e.mail.first : nil,
+        display_name: e.try(:displayName) ? e.displayName.first : nil,
         admin: e.try(:admin) ? 'admin' : nil,
         service: e.try(:service)
       }
diff --git a/app/views/settings/_account.html.erb b/app/views/settings/_account.html.erb
index cba8715..5726230 100644
--- a/app/views/settings/_account.html.erb
+++ b/app/views/settings/_account.html.erb
@@ -34,7 +34,7 @@
         <%= f.password_field :current_password, class: "w-full", required: true %>
       </p>
       <p class="mt-6">
-        <%= f.submit "Update", class: "btn-md btn-blue" %>
+        <%= f.submit "Update", class: "btn-md btn-blue w-full md:w-auto" %>
       </p>
     </div>
   <% end %>
diff --git a/app/views/settings/_profile.html.erb b/app/views/settings/_profile.html.erb
index f1d14ae..e72430c 100644
--- a/app/views/settings/_profile.html.erb
+++ b/app/views/settings/_profile.html.erb
@@ -21,10 +21,15 @@
   <p class="text-sm text-gray-500">
     Your user address for Chat and Lightning Network.
   </p>
-
-  <%# <%= form_for(@user, as: "profile", url: settings_profile_path) do |f| %>
-  <%#   <p class="mt-8">
-  <%#     <%= f.submit "Save changes", class: 'btn-md btn-blue w-full sm:w-auto' %>
-  <%#   </p>
-  <%# <% end %>
+  <%= form_for(@user, url: setting_path(:profile), html: { :method => :put }) do |f| %>
+    <%= render FormElements::FieldsetComponent.new(tag: "div", title: "Display name") do %>
+      <%= f.text_field :display_name, class: "w-full sm:w-3/5 mb-2" %>
+      <% if @validation_errors.present? && @validation_errors[:display_name].present? %>
+        <p class="error-msg"><%= @validation_errors[:display_name].first %></p>
+      <% end %>
+    <% end %>
+    <p class="mt-8 pt-6 border-t border-gray-200 text-right">
+      <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
+    </p>
+  <% end %>
 </section>
diff --git a/app/views/shared/_sidenav_settings.html.erb b/app/views/shared/_sidenav_settings.html.erb
index 3ebf8e1..ce2a527 100644
--- a/app/views/shared/_sidenav_settings.html.erb
+++ b/app/views/shared/_sidenav_settings.html.erb
@@ -1,20 +1,20 @@
 <%= render SidenavLinkComponent.new(
   name: "Profile", path: setting_path(:profile), icon: "user",
-  active: current_page?(setting_path(:profile))
+  active: @settings_section.to_s == "profile"
 ) %>
 <%= render SidenavLinkComponent.new(
   name: "Account", path: setting_path(:account), icon: "key",
-  active: current_page?(setting_path(:account))
+  active: @settings_section.to_s == "account"
 ) %>
 <% if Setting.ejabberd_enabled %>
 <%= render SidenavLinkComponent.new(
   name: "Chat", path: setting_path(:xmpp), icon: "message-circle",
-  active: current_page?(setting_path(:xmpp))
+  active: @settings_section.to_s == "xmpp"
 ) %>
 <% end %>
 <% if Setting.lndhub_enabled %>
 <%= render SidenavLinkComponent.new(
   name: "Lightning", path: setting_path(:lightning), icon: "zap",
-  active: current_page?(setting_path(:lightning))
+  active: @settings_section.to_s == "lightning"
 ) %>
 <% end %>
diff --git a/config/routes.rb b/config/routes.rb
index a369bd3..71f7620 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -28,6 +28,7 @@ Rails.application.routes.draw do
 
   resources :settings, param: 'section', only: ['index', 'show', 'update'] do
     collection do
+      post 'update_profile'
       post 'update_email'
       post 'reset_password'
     end

From 445cdfa0241c73765fe3d1e571d9139e944561cf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 27 May 2023 20:09:02 +0200
Subject: [PATCH 19/47] Only validate display name when updated

Otherwise we needlessly fetch the validated one from LDAP every time a
model is saved.
---
 app/models/user.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 07d1bbe..855fd0d 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -33,7 +33,8 @@ class User < ApplicationRecord
   validates_uniqueness_of :email
   validates :email, email: true
 
-  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true
+  validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
+                                     if: -> { defined?(@display_name) }
 
   scope :confirmed, -> { where.not(confirmed_at: nil) }
   scope :pending,   -> { where(confirmed_at: nil) }

From 05426e4ced65fcae080d8028d2f08595dd759003 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 28 May 2023 15:25:42 +0200
Subject: [PATCH 20/47] Add specs for display name update

---
 spec/features/settings/profile_spec.rb | 45 ++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 spec/features/settings/profile_spec.rb

diff --git a/spec/features/settings/profile_spec.rb b/spec/features/settings/profile_spec.rb
new file mode 100644
index 0000000..c54cffe
--- /dev/null
+++ b/spec/features/settings/profile_spec.rb
@@ -0,0 +1,45 @@
+require 'rails_helper'
+
+RSpec.describe 'Profile settings', type: :feature do
+  let(:user) { create :user, cn: "mwahlberg" }
+
+  before do
+    login_as user, :scope => :user
+  end
+
+  feature "Update display name" do
+    before do
+      allow(user).to receive(:display_name).and_return("Mark")
+      allow_any_instance_of(User).to receive(:dn).and_return("cn=mwahlberg,ou=kosmos.org,cn=users,dc=kosmos,dc=org")
+      allow_any_instance_of(User).to receive(:ldap_entry).and_return({
+        uid: user.cn, ou: user.ou, display_name: "Mark"
+      })
+    end
+
+    scenario 'fails with validation error' do
+      visit setting_path(:profile)
+      fill_in 'Display name', with: "M"
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:profile))
+      expect(page).to have_field('Display name', with: 'M')
+      within ".error-msg" do
+        expect(page).to have_content("is too short")
+      end
+    end
+
+    scenario 'works with valid input' do
+      expect(LdapManager::UpdateDisplayName).to receive(:call)
+        .with(user.dn, "Marky Mark").and_return(true)
+
+      visit setting_path(:profile)
+      fill_in 'Display name', with: "Marky Mark"
+      click_button "Save"
+
+      expect(current_url).to eq(setting_url(:profile))
+      within ".flash-msg" do
+        expect(page).to have_content("Settings saved")
+      end
+    end
+  end
+end

From 51489a83abd3ca4e8126dce9b1d96e293a01a460 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 28 May 2023 15:25:53 +0200
Subject: [PATCH 21/47] Use feature block for email update specs

---
 spec/features/settings/account_spec.rb | 81 +++++++++++++-------------
 1 file changed, 42 insertions(+), 39 deletions(-)

diff --git a/spec/features/settings/account_spec.rb b/spec/features/settings/account_spec.rb
index b90777f..51f1c83 100644
--- a/spec/features/settings/account_spec.rb
+++ b/spec/features/settings/account_spec.rb
@@ -2,54 +2,57 @@ require 'rails_helper'
 
 RSpec.describe 'Account settings', type: :feature do
   let(:user) { create :user }
-  let(:geraint) { create :user, id: 2, cn: 'geraint', email: "lamagliarosa@example.com" }
 
-  before do
-    login_as user, :scope => :user
-    geraint.save!
+  feature "Update email address" do
+    let(:geraint) { create :user, id: 2, cn: 'geraint', email: "lamagliarosa@example.com" }
 
-    allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
-      .with("invalid password").and_return(false)
-    allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
-      .with("valid password").and_return(true)
-  end
+    before do
+      login_as user, :scope => :user
+      geraint.save!
 
-  scenario 'Update email address fails with invalid password' do
-    visit setting_path(:account)
-    fill_in 'Address', with: "lamagliarosa@example.com"
-    fill_in 'Current password', with: "invalid password"
-    click_button "Update"
-
-    expect(current_url).to eq(setting_url(:account))
-    expect(user.reload.unconfirmed_email).to be_nil
-    within ".flash-msg" do
-      expect(page).to have_content("did not match your current password")
+      allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
+        .with("invalid password").and_return(false)
+      allow_any_instance_of(User).to receive(:valid_ldap_authentication?)
+        .with("valid password").and_return(true)
     end
-  end
 
-  scenario 'Update email address fails when new address already taken' do
-    visit setting_path(:account)
-    fill_in 'Address', with: "lamagliarosa@example.com"
-    fill_in 'Current password', with: "valid password"
-    click_button "Update"
+    scenario 'fails with invalid password' do
+      visit setting_path(:account)
+      fill_in 'Address', with: "lamagliarosa@example.com"
+      fill_in 'Current password', with: "invalid password"
+      click_button "Update"
 
-    expect(current_url).to eq(setting_url(:update_email))
-    expect(user.reload.unconfirmed_email).to be_nil
-    within ".error-msg" do
-      expect(page).to have_content("has already been taken")
+      expect(current_url).to eq(setting_url(:account))
+      expect(user.reload.unconfirmed_email).to be_nil
+      within ".flash-msg" do
+        expect(page).to have_content("did not match your current password")
+      end
     end
-  end
 
-  scenario 'Update email address works' do
-    visit setting_path(:account)
-    fill_in 'Address', with: "lamagliabianca@example.com"
-    fill_in 'Current password', with: "valid password"
-    click_button "Update"
+    scenario 'fails when new address already taken' do
+      visit setting_path(:account)
+      fill_in 'Address', with: "lamagliarosa@example.com"
+      fill_in 'Current password', with: "valid password"
+      click_button "Update"
 
-    expect(current_url).to eq(setting_url(:account))
-    expect(user.reload.unconfirmed_email).to eq("lamagliabianca@example.com")
-    within ".flash-msg" do
-      expect(page).to have_content("Please confirm your new address")
+      expect(current_url).to eq(setting_url(:update_email))
+      expect(user.reload.unconfirmed_email).to be_nil
+      within ".error-msg" do
+        expect(page).to have_content("has already been taken")
+      end
+    end
+
+    scenario 'works with valid password and address' do
+      visit setting_path(:account)
+      fill_in 'Address', with: "lamagliabianca@example.com"
+      fill_in 'Current password', with: "valid password"
+      click_button "Update"
+
+      expect(current_url).to eq(setting_url(:account))
+      expect(user.reload.unconfirmed_email).to eq("lamagliabianca@example.com")
+      within ".flash-msg" do
+        expect(page).to have_content("Please confirm your new address")
+      end
     end
   end
 end

From e284996c1cf8db256fb73733663509e0dc06f0b5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 28 May 2023 15:28:51 +0200
Subject: [PATCH 22/47] Remove obsolete route

---
 config/routes.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/routes.rb b/config/routes.rb
index 71f7620..a369bd3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -28,7 +28,6 @@ Rails.application.routes.draw do
 
   resources :settings, param: 'section', only: ['index', 'show', 'update'] do
     collection do
-      post 'update_profile'
       post 'update_email'
       post 'reset_password'
     end

From 19bafe081f9a88cd2ae27e073bb21fe1af64dd28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 29 May 2023 23:05:18 +0200
Subject: [PATCH 23/47] Integrate Discourse Connect (SSO)

---
 .env.example                                  |  2 +
 Gemfile                                       |  3 ++
 Gemfile.lock                                  | 11 +++++
 app/controllers/discourse/sso_controller.rb   | 17 +++++++
 app/models/setting.rb                         |  6 +++
 .../settings/services/_discourse.html.erb     | 47 ++++++++++++++++---
 .../admin/settings/services/index.html.erb    |  6 +++
 app/views/devise/sessions/new.html.erb        |  8 +++-
 config/routes.rb                              |  4 ++
 9 files changed, 97 insertions(+), 7 deletions(-)
 create mode 100644 app/controllers/discourse/sso_controller.rb

diff --git a/.env.example b/.env.example
index 155ec8a..de85a10 100644
--- a/.env.example
+++ b/.env.example
@@ -19,6 +19,8 @@ LDAP_SUFFIX='dc=kosmos,dc=org'
 WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 
 DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
 GITEA_PUBLIC_URL='https://gitea.kosmos.org'
 MASTODON_PUBLIC_URL='https://kosmos.social'
 MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
diff --git a/Gemfile b/Gemfile
index 3445c32..dad66b1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -51,6 +51,9 @@ gem 'faraday'
 gem 'sidekiq', '< 7'
 gem 'sidekiq-scheduler'
 
+# Service integrations
+gem 'discourse_api'
+
 # Monitoring
 gem "sentry-ruby"
 gem "sentry-rails"
diff --git a/Gemfile.lock b/Gemfile.lock
index 9a37e04..6b33fa8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -108,6 +108,11 @@ GEM
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
     diff-lcs (1.5.0)
+    discourse_api (2.0.0)
+      faraday (~> 2.7)
+      faraday-follow_redirects
+      faraday-multipart
+      rack (>= 1.6)
     dotenv (2.8.1)
     dotenv-rails (2.8.1)
       dotenv (= 2.8.1)
@@ -126,6 +131,10 @@ GEM
     faraday (2.7.1)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
+    faraday-follow_redirects (0.3.0)
+      faraday (>= 1, < 3)
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
     faraday-net_http (3.0.2)
     ffi (1.15.5)
     flipper (0.28.0)
@@ -183,6 +192,7 @@ GEM
     mini_mime (1.1.2)
     mini_portile2 (2.8.0)
     minitest (5.16.3)
+    multipart-post (2.3.0)
     net-imap (0.3.1)
       net-protocol
     net-ldap (0.17.1)
@@ -386,6 +396,7 @@ DEPENDENCIES
   database_cleaner
   devise (~> 4.9.0)
   devise_ldap_authenticatable
+  discourse_api
   dotenv-rails
   factory_bot_rails
   faker
diff --git a/app/controllers/discourse/sso_controller.rb b/app/controllers/discourse/sso_controller.rb
new file mode 100644
index 0000000..658f434
--- /dev/null
+++ b/app/controllers/discourse/sso_controller.rb
@@ -0,0 +1,17 @@
+class Discourse::SsoController < ApplicationController
+  before_action :authenticate_user!
+
+  def connect
+    secret = Setting.discourse_connect_secret
+    sso = DiscourseApi::SingleSignOn.parse(request.query_string, secret)
+    sso.external_id = current_user.id
+    sso.email = current_user.email
+    sso.username = current_user.cn
+    sso.name = current_user.display_name
+    sso.admin = current_user.is_admin?
+    sso.sso_secret = secret
+
+    redirect_to sso.to_url("#{Setting.discourse_public_url}/session/sso_login"),
+                allow_other_host: true
+  end
+end
diff --git a/app/models/setting.rb b/app/models/setting.rb
index 2cbc615..d25da65 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -2,6 +2,9 @@
 class Setting < RailsSettings::Base
   cache_prefix { "v1" }
 
+  field :accounts_domain, type: :string,
+    default: ENV["AKKOUNTS_DOMAIN"].presence
+
   #
   # Internal services
   #
@@ -41,6 +44,9 @@ class Setting < RailsSettings::Base
   field :discourse_enabled, type: :boolean,
     default: (ENV["DISCOURSE_PUBLIC_URL"].present?.to_s || false)
 
+  field :discourse_connect_secret, type: :string, readonly: true,
+    default: ENV["DISCOURSE_CONNECT_SECRET"].presence
+
   #
   # ejabberd
   #
diff --git a/app/views/admin/settings/services/_discourse.html.erb b/app/views/admin/settings/services/_discourse.html.erb
index 498dd5f..6af5525 100644
--- a/app/views/admin/settings/services/_discourse.html.erb
+++ b/app/views/admin/settings/services/_discourse.html.erb
@@ -7,11 +7,46 @@
     title: "Enable Discourse integration",
     description: "Discourse configuration present and features enabled"
   ) %>
-  <% if Setting.discourse_enabled? %>
-    <%= render FormElements::FieldsetComponent.new(title: "Public URL") do %>
-      <%= f.text_field :discourse_public_url,
-        value: Setting.discourse_public_url,
-        class: "w-full", disabled: true %>
-    <% end %>
+<% if Setting.discourse_enabled? %>
+  <%= render FormElements::FieldsetComponent.new(title: "Public URL") do %>
+    <%= f.text_field :discourse_public_url,
+      value: Setting.discourse_public_url,
+      class: "w-full", disabled: true %>
   <% end %>
+  <%= render FormElements::FieldsetComponent.new(title: "Connect secret") do %>
+    <%= f.password_field :discourse_connect_secret,
+      value: Setting.discourse_connect_secret,
+      class: "w-full", disabled: true %>
+  <% end %>
+<% end %>
 </ul>
+<% if Setting.discourse_enabled? %>
+  <% content_for :documentation do %>
+    <h3 class="mt-8">How to configure Discourse</h3>
+    <ol class="list-decimal list-inside">
+    <li class="mb-6">
+      Set the <strong>Discourse Connect URL</strong> to the following URL:
+    </li>
+    <li data-controller="clipboard" class="mb-6 flex gap-1">
+      <input type="text" class="grow" disabled="disabled"
+             value="https://<%= Setting.accounts_domain %>/discourse/connect"
+             data-clipboard-target="source" />
+      <button class="btn-md btn-icon btn-blue shrink-0"
+              data-clipboard-target="trigger" data-action="clipboard#copy"
+              title="Copy to clipboard">
+        <span class="content-initial">
+          <%= render partial: "icons/copy", locals: { custom_class: "text-white h-4 w-4 inline" } %>
+        </span>
+        <span class="content-active hidden">
+          <%= render partial: "icons/check", locals: { custom_class: "text-white h-4 w-4 inline" } %>
+        </span>
+      </button>
+    </li>
+    <li class="mb-6">
+      Set the <strong>Discourse Connect Secret</strong> to the value above.
+    </li>
+    <li>
+      Enable Discourse Connect.
+    </li>
+  <% end %>
+<% end %>
diff --git a/app/views/admin/settings/services/index.html.erb b/app/views/admin/settings/services/index.html.erb
index 58360dd..f63653d 100644
--- a/app/views/admin/settings/services/index.html.erb
+++ b/app/views/admin/settings/services/index.html.erb
@@ -20,4 +20,10 @@
       </p>
     </section>
   <% end %>
+
+  <% if content_for?(:documentation) %>
+  <section>
+    <%= yield :documentation %>
+  </section>
+  <% end %>
 <% end %>
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index f7c0a70..aa964fb 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -1,7 +1,13 @@
+<%
+  # TODO remove when https://github.com/hotwired/turbo/issues/203 is fixed
+  enable_turbo = !session[:user_return_to].match?('/discourse/connect')
+%>
+
 <%= render HeaderCompactComponent.new(title: "Log in") %>
 
 <%= render MainCompactComponent.new do %>
-  <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
+  <%= form_for(resource, as: resource_name, url: session_path(resource_name),
+                         data: { turbo: enable_turbo.to_s }) do |f| %>
     <%= render "devise/shared/error_messages", resource: resource %>
     <div class="mb-6">
       <%= f.label :cn, 'User', class: 'block mb-2 font-bold' %>
diff --git a/config/routes.rb b/config/routes.rb
index aa7fac3..89986a3 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -63,6 +63,10 @@ Rails.application.routes.draw do
 
   get ".well-known/webfinger" => "webfinger#show"
 
+  namespace :discourse do
+    get "connect", to: 'sso#connect'
+  end
+
   authenticate :user, ->(user) { user.is_admin? } do
     mount Sidekiq::Web => '/sidekiq'
     mount Flipper::UI.app(Flipper) => '/flipper'

From f829bb337907d4c0e61990f05ae5ef0e8d7e50ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 29 May 2023 23:09:48 +0200
Subject: [PATCH 24/47] Use devise method for requiring login

---
 app/controllers/account_controller.rb                 | 2 +-
 app/controllers/contributions/donations_controller.rb | 2 +-
 app/controllers/contributions/projects_controller.rb  | 2 +-
 app/controllers/dashboard_controller.rb               | 2 +-
 app/controllers/invitations_controller.rb             | 2 +-
 app/controllers/services/lightning_controller.rb      | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/controllers/account_controller.rb b/app/controllers/account_controller.rb
index 182a5f8..7ee4d7d 100644
--- a/app/controllers/account_controller.rb
+++ b/app/controllers/account_controller.rb
@@ -1,5 +1,5 @@
 class AccountController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
 
   def index
     @current_section = :account
diff --git a/app/controllers/contributions/donations_controller.rb b/app/controllers/contributions/donations_controller.rb
index 5839030..1533abb 100644
--- a/app/controllers/contributions/donations_controller.rb
+++ b/app/controllers/contributions/donations_controller.rb
@@ -1,5 +1,5 @@
 class Contributions::DonationsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
 
   # GET /donations
   # GET /donations.json
diff --git a/app/controllers/contributions/projects_controller.rb b/app/controllers/contributions/projects_controller.rb
index 77e9fdf..7989fef 100644
--- a/app/controllers/contributions/projects_controller.rb
+++ b/app/controllers/contributions/projects_controller.rb
@@ -1,5 +1,5 @@
 class Contributions::ProjectsController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
 
   # GET /contributions
   def index
diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index 3f9c14e..d6234c6 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -1,5 +1,5 @@
 class DashboardController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
 
   def index
     @current_section = :services
diff --git a/app/controllers/invitations_controller.rb b/app/controllers/invitations_controller.rb
index 3bb038a..0f1a778 100644
--- a/app/controllers/invitations_controller.rb
+++ b/app/controllers/invitations_controller.rb
@@ -1,5 +1,5 @@
 class InvitationsController < ApplicationController
-  before_action :require_user_signed_in, except: ["show"]
+  before_action :authenticate_user!, except: ["show"]
   before_action :require_user_signed_out, only: ["show"]
 
   # GET /invitations
diff --git a/app/controllers/services/lightning_controller.rb b/app/controllers/services/lightning_controller.rb
index a6b7381..4dd9607 100644
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -1,7 +1,7 @@
 require "rqrcode"
 
 class Services::LightningController < ApplicationController
-  before_action :require_user_signed_in
+  before_action :authenticate_user!
   before_action :authenticate_with_lndhub
   before_action :set_current_section
   before_action :fetch_balance

From 745a319b3dd6e46da91297e44503c4c251db587f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 29 May 2023 23:10:39 +0200
Subject: [PATCH 25/47] Minor refactoring

---
 app/views/admin/settings/services/_ejabberd.html.erb |  2 +-
 config/routes.rb                                     | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/views/admin/settings/services/_ejabberd.html.erb b/app/views/admin/settings/services/_ejabberd.html.erb
index 887c1c1..81490f9 100644
--- a/app/views/admin/settings/services/_ejabberd.html.erb
+++ b/app/views/admin/settings/services/_ejabberd.html.erb
@@ -19,7 +19,7 @@
       class: "w-full", disabled: true %>
   <% end %>
 </ul>
-<h3 class="mt-8">User default settings</h3>
+<h3 class="mt-10">User default settings</h3>
 <ul role="list">
   <%= render FormElements::FieldsetComponent.new(
         title: "Default rooms",
diff --git a/config/routes.rb b/config/routes.rb
index 89986a3..684f386 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -1,7 +1,7 @@
 require 'sidekiq/web'
 
 Rails.application.routes.draw do
-  devise_for :users, controllers: { confirmations: "users/confirmations" }
+  devise_for :users, controllers: { confirmations: 'users/confirmations' }
 
   get 'welcome', to: 'welcome#index'
   get 'check_your_email', to: 'welcome#check_your_email'
@@ -61,20 +61,20 @@ Rails.application.routes.draw do
     end
   end
 
-  get ".well-known/webfinger" => "webfinger#show"
+  get ".well-known/webfinger", to: 'webfinger#show'
 
   namespace :discourse do
     get "connect", to: 'sso#connect'
   end
 
   authenticate :user, ->(user) { user.is_admin? } do
-    mount Sidekiq::Web => '/sidekiq'
-    mount Flipper::UI.app(Flipper) => '/flipper'
+    mount Sidekiq::Web, at: '/sidekiq'
+    mount Flipper::UI.app(Flipper), at: '/flipper'
   end
 
   # Letter Opener (open "sent" emails in dev and staging)
   if Rails.env.match(/staging|development/)
-    mount LetterOpenerWeb::Engine, at: "letter_opener"
+    mount LetterOpenerWeb::Engine, at: '/letter_opener'
   end
 
   root to: 'dashboard#index'

From 7e05530ab7b3188f6bd59ddd458f212aa0124de3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 30 May 2023 23:19:49 +0200
Subject: [PATCH 26/47] Add specs for Discourse Connect

---
 .env.test                           |  3 +++
 spec/requests/discourse/sso_spec.rb | 41 +++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 spec/requests/discourse/sso_spec.rb

diff --git a/.env.test b/.env.test
index 016655b..31947dd 100644
--- a/.env.test
+++ b/.env.test
@@ -1,3 +1,6 @@
+DISCOURSE_PUBLIC_URL='http://discourse.example.com'
+DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
 EJABBERD_API_URL='http://xmpp.example.com/api'
 
 BTCPAY_API_URL='http://btcpay.example.com/api/v1'
diff --git a/spec/requests/discourse/sso_spec.rb b/spec/requests/discourse/sso_spec.rb
new file mode 100644
index 0000000..7cbb0a9
--- /dev/null
+++ b/spec/requests/discourse/sso_spec.rb
@@ -0,0 +1,41 @@
+require 'rails_helper'
+require 'webmock/rspec'
+
+RSpec.describe "Discourse SSO", type: :request do
+
+  describe "GET /discourse/connect" do
+    let(:user) { create :user, cn: 'jimmy', ou: 'kosmos.org' }
+
+    before do
+      Warden.test_mode!
+      login_as user, scope: :user
+      allow(user).to receive(:display_name).and_return('Jimbo')
+      allow(user).to receive(:is_admin?).and_return(false)
+    end
+
+    after do
+      Warden.test_reset!
+    end
+
+    context "with invalid SSO credentials" do
+      it "results in a failed signature check" do
+        expect {
+          get discourse_connect_path(
+            sso: "bm9uY2U9ODk2N2NiMmFlZTdlMjdjNzZiZTNkZWQ5ODIwYzMzN2QmcmV0dXJuX3Nzb191cmw9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdCUzQTMwMDAlMkZzZXNzaW9uJTJGc3NvX2xvZ2lu",
+            sig: "01fc008ff7b51855217e879b6f14aaddefbbd4df2d128951f7bb70cfde834c2a"
+          )
+        }.to raise_error(DiscourseApi::SingleSignOn::ParseError)
+      end
+    end
+
+    context "valid SSO credentials" do
+      it "redirects to the Discourse SSO endpoint" do
+        get discourse_connect_path(
+          sso: "bm9uY2U9YjQwYWZmYzg0YWQ2NWE1ZTk5MjdlZWU1NWEzMjdhMTQmcmV0dXJuX3Nzb191cmw9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdCUzQTMwMDAlMkZzZXNzaW9uJTJGc3NvX2xvZ2lu",
+          sig: "b7905c5db612391293249ad5272dac493681efcd255133f6c2aff91ba654a319"
+        )
+        expect(response).to redirect_to('http://discourse.example.com/session/sso_login?sso=YWRtaW49ZmFsc2UmZW1haWw9amltbXklNDBleGFtcGxlLmNvbSZleHRlcm5hbF9pZD0xJm5hbWU9SmltYm8mbm9uY2U9YjQwYWZmYzg0YWQ2NWE1ZTk5MjdlZWU1NWEzMjdhMTQmcmV0dXJuX3Nzb191cmw9aHR0cCUzQSUyRiUyRmxvY2FsaG9zdCUzQTMwMDAlMkZzZXNzaW9uJTJGc3NvX2xvZ2luJnVzZXJuYW1lPWppbW15&sig=d5f8b1d6db66569bef789fda4a3216119c2d42b84725d043c9a57dde1e528842')
+      end
+    end
+  end
+end

From 387a2fa2e617d814cbeee06258f4be9636be66e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 31 May 2023 14:12:26 +0200
Subject: [PATCH 27/47] 0.6.0

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 60a5ede..e05bf0e 100644
--- a/package.json
+++ b/package.json
@@ -11,7 +11,7 @@
     "postcss-preset-env": "^7.8.3",
     "tailwindcss": "^3.2.4"
   },
-  "version": "0.5.0",
+  "version": "0.6.0",
   "scripts": {
     "build:css:tailwind": "tailwindcss --postcss -i ./app/assets/stylesheets/application.tailwind.css -o ./app/assets/builds/application.css",
     "build:css": "yarn run build:css:tailwind"

From df0c13b4005b87b243718d683aa07831b49fca43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 31 May 2023 14:43:00 +0200
Subject: [PATCH 28/47] Fix potential nil access

---
 app/views/devise/sessions/new.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index aa964fb..22ff5be 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -1,6 +1,6 @@
 <%
   # TODO remove when https://github.com/hotwired/turbo/issues/203 is fixed
-  enable_turbo = !session[:user_return_to].match?('/discourse/connect')
+  enable_turbo = !session[:user_return_to] || !session[:user_return_to].match?('/discourse/connect')
 %>
 
 <%= render HeaderCompactComponent.new(title: "Log in") %>

From 700090889184d2b1869234ef2b8ffbac783d9c84 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sun, 4 Jun 2023 15:15:09 +0300
Subject: [PATCH 29/47] Auto-login Discourse link

---
 app/views/dashboard/index.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/dashboard/index.html.erb b/app/views/dashboard/index.html.erb
index 8ebbec3..590361b 100644
--- a/app/views/dashboard/index.html.erb
+++ b/app/views/dashboard/index.html.erb
@@ -21,7 +21,7 @@
       <div class="border border-gray-300 rounded-md hover:border-gray-400
                   bg-[length:95%] bg-center bg-no-repeat
                   bg-[url(/img/logos/icon_discourse.svg)]">
-        <%= link_to "https://community.kosmos.org",
+        <%= link_to "#{Setting.discourse_public_url}/session/sso?return_path=/",
               class: "block h-full px-6 py-6 rounded-md" do %>
           <h3 class="mb-3.5">Discourse</h3>
           <p class="text-gray-600">

From 259e72167b710b44ac24624a26d74286e8773362 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 5 Jun 2023 13:06:49 +0300
Subject: [PATCH 30/47] Hide unsuccessful outgoing lndhub txs in list

---
 app/controllers/services/lightning_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/controllers/services/lightning_controller.rb b/app/controllers/services/lightning_controller.rb
index 4dd9607..573d155 100644
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -86,6 +86,10 @@ class Services::LightningController < ApplicationController
       end
     end
 
+    # Handle an edge case where lndhub.go includes a failed payment in the
+    # list, which wasn't actually booked
+    txs.reject!{ |tx| tx["type"] == "paid_invoice" && tx["payment_preimage"].blank? }
+
     txs.sort{ |a,b| b["datetime"] <=> a["datetime"] }
   end
 end

From 82019f47be3556988c717927fbf8a1c8d46ccb76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 5 Jun 2023 13:51:40 +0300
Subject: [PATCH 31/47] Report lndhub errors to Sentry

---
 app/controllers/services/lightning_controller.rb |  4 ++--
 app/services/lndhub.rb                           | 16 ++++++++++------
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/app/controllers/services/lightning_controller.rb b/app/controllers/services/lightning_controller.rb
index 4dd9607..9e39feb 100644
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -37,8 +37,8 @@ class Services::LightningController < ApplicationController
       session[:ln_auth_token] = auth_token
       @ln_auth_token = auth_token
     end
-  rescue
-    # TODO add exception tracking
+  rescue => e
+    Sentry.capture_exception(e) if Setting.sentry_enabled?
   end
 
   def set_current_section
diff --git a/app/services/lndhub.rb b/app/services/lndhub.rb
index 9febebf..4c8ad66 100644
--- a/app/services/lndhub.rb
+++ b/app/services/lndhub.rb
@@ -12,12 +12,7 @@ class Lndhub
     end
 
     res = Faraday.post "#{@base_url}/#{endpoint}", payload.to_json, headers
-
-    if res.status != 200
-      Rails.logger.error "[lndhub] API request failed:"
-      Rails.logger.error res.body
-      #TODO add some kind of exception tracking/notifications
-    end
+    log_error(res) if res.status != 200
 
     JSON.parse(res.body)
   end
@@ -68,4 +63,13 @@ class Lndhub
 
     invoice["payment_request"]
   end
+
+  def log_error(res)
+    Rails.logger.error "[lndhub] API request failed:"
+    Rails.logger.error res.body
+
+    if Setting.sentry_enabled?
+      Sentry.capture_message("Lndhub API request failed: #{res.body}")
+    end
+  end
 end

From 8b870724851234310bb9e255a940991583bb8aad Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 5 Jun 2023 13:52:41 +0300
Subject: [PATCH 32/47] Raise custom auth error, re-raise on failed re-auth

---
 app/controllers/services/lightning_controller.rb | 8 ++++----
 app/errors/auth_error.rb                         | 1 +
 app/services/lndhub.rb                           | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 app/errors/auth_error.rb

diff --git a/app/controllers/services/lightning_controller.rb b/app/controllers/services/lightning_controller.rb
index 9e39feb..51b7dbd 100644
--- a/app/controllers/services/lightning_controller.rb
+++ b/app/controllers/services/lightning_controller.rb
@@ -49,9 +49,9 @@ class Services::LightningController < ApplicationController
     lndhub = Lndhub.new
     data = lndhub.balance @ln_auth_token
     @balance = data["BTC"]["AvailableBalance"] rescue nil
-  rescue
+  rescue AuthError
     authenticate_with_lndhub(force_reauth: true)
-    return nil if @fetch_balance_retried
+    raise if @fetch_balance_retried
     @fetch_balance_retried = true
     fetch_balance
   end
@@ -61,9 +61,9 @@ class Services::LightningController < ApplicationController
     txs = lndhub.gettxs @ln_auth_token
     invoices = lndhub.getuserinvoices(@ln_auth_token).select{|i| i["ispaid"]}
     process_transactions(txs + invoices)
-  rescue
+  rescue AuthError
     authenticate_with_lndhub(force_reauth: true)
-    return [] if @fetch_transactions_retried
+    raise if @fetch_transactions_retried
     @fetch_transactions_retried = true
     fetch_transactions
   end
diff --git a/app/errors/auth_error.rb b/app/errors/auth_error.rb
new file mode 100644
index 0000000..4d55106
--- /dev/null
+++ b/app/errors/auth_error.rb
@@ -0,0 +1 @@
+class AuthError < StandardError; end
diff --git a/app/services/lndhub.rb b/app/services/lndhub.rb
index 4c8ad66..44b7880 100644
--- a/app/services/lndhub.rb
+++ b/app/services/lndhub.rb
@@ -26,7 +26,7 @@ class Lndhub
     data = JSON.parse(res.body)
 
     if data.is_a?(Hash) && data["error"] && data["message"] == "bad auth"
-      raise "BAD_AUTH"
+      raise AuthError
     else
       data
     end

From 2f90393eb6efcbd9b4f7e2ef66f10626614d9626 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Mon, 5 Jun 2023 13:53:24 +0300
Subject: [PATCH 33/47] Lndhub v2 service inherits from v1, only adds
 v2-specific code

---
 app/services/lndhub_v2.rb | 62 ++-------------------------------------
 1 file changed, 3 insertions(+), 59 deletions(-)

diff --git a/app/services/lndhub_v2.rb b/app/services/lndhub_v2.rb
index 693f812..e0a84dd 100644
--- a/app/services/lndhub_v2.rb
+++ b/app/services/lndhub_v2.rb
@@ -1,9 +1,4 @@
-class LndhubV2
-  attr_accessor :auth_token
-
-  def initialize
-    @base_url = ENV["LNDHUB_API_URL"]
-  end
+class LndhubV2 < Lndhub
 
   def post(endpoint, payload, options={})
     headers = { "Content-Type" => "application/json" }
@@ -12,64 +7,12 @@ class LndhubV2
     elsif options[:admin_token]
       headers.merge!({ "Authorization" => "Bearer #{options[:admin_token]}" })
     end
-
     res = Faraday.post "#{@base_url}/#{endpoint}", payload.to_json, headers
-
-    if res.status != 200
-      Rails.logger.error "[lndhub] API request failed:"
-      Rails.logger.error res.body
-      #TODO add some kind of exception tracking/notifications
-    end
+    log_error(res) if res.status != 200
 
     JSON.parse(res.body)
   end
 
-  def get(endpoint, auth_token)
-    res = Faraday.get("#{@base_url}/#{endpoint}", {}, {
-      "Content-Type" => "application/json",
-      "Accept" => "application/json",
-      "Authorization" => "Bearer #{auth_token}"
-    })
-
-    JSON.parse(res.body)
-  end
-
-  def create(payload)
-    post "create", payload
-  end
-
-  def authenticate(user)
-    credentials = post "auth?type=auth", { login: user.ln_account, password: user.ln_password }
-    self.auth_token = credentials["access_token"]
-    self.auth_token
-  end
-
-  def balance(user_token=nil)
-    get "balance", user_token || auth_token
-  end
-
-  def gettxs(user_token)
-    get "gettxs", user_token || auth_token
-  end
-
-  def getuserinvoices(user_token)
-    get "getuserinvoices", user_token || auth_token
-  end
-
-  def addinvoice(payload)
-    invoice = post "addinvoice", {
-      amt: payload[:amount],
-      memo: payload[:memo],
-      description_hash: payload[:description_hash]
-    }
-
-    invoice["payment_request"]
-  end
-
-  #
-  # V2
-  #
-
   def create_account(payload={})
     post "v2/users", payload, admin_token: Rails.application.credentials.lndhub[:admin_token]
   end
@@ -78,4 +21,5 @@ class LndhubV2
     # Payload: { amount: 1000, description: "", description_hash: "" }
     post "v2/invoices", payload
   end
+
 end

From 8eb5f093a439fdae44cf1be81700012d420066cd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 8 Jun 2023 08:04:23 +0300
Subject: [PATCH 34/47] Don't show flash message when opening the root URL
 while signed out

---
 app/controllers/dashboard_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/dashboard_controller.rb b/app/controllers/dashboard_controller.rb
index d6234c6..3f9c14e 100644
--- a/app/controllers/dashboard_controller.rb
+++ b/app/controllers/dashboard_controller.rb
@@ -1,5 +1,5 @@
 class DashboardController < ApplicationController
-  before_action :authenticate_user!
+  before_action :require_user_signed_in
 
   def index
     @current_section = :services

From b03c6e9513865eb253cd4841b5cc323635291863 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 7 Mar 2023 18:30:09 +0800
Subject: [PATCH 35/47] Support vendoring npm module code

---
 README.md                     | 8 ++++++++
 app/assets/config/manifest.js | 1 +
 bin/importmap                 | 4 ++++
 config/importmap.rb           | 1 +
 4 files changed, 14 insertions(+)
 create mode 100755 bin/importmap

diff --git a/README.md b/README.md
index df1a1e9..f14c3de 100644
--- a/README.md
+++ b/README.md
@@ -78,6 +78,13 @@ The setup task will first delete any existing entries in the directory tree
 Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
 with a fresh installation, delete both that directory as well as the container.
 
+### Adding npm modules to use with Stimulus controllers
+
+The following command downloads the specified npm module to `vendor/javascript`
+and adds an entry for it to `config/importmap.rb`.
+
+    bin/importmap pin bech32 --download
+
 ### Solargraph
 
 [Solargraph](https://solargraph.org/) is a Ruby language server, which you may
@@ -98,6 +105,7 @@ command:
 
 * [Tailwind CSS](https://tailwindcss.com/)
 * [Sass](https://sass-lang.com/documentation)
+* [Stimulus](https://stimulus.hotwired.dev/handbook/)
 
 ### Testing
 
diff --git a/app/assets/config/manifest.js b/app/assets/config/manifest.js
index bff5c5b..4d205bf 100644
--- a/app/assets/config/manifest.js
+++ b/app/assets/config/manifest.js
@@ -1,3 +1,4 @@
 //= link_tree ../images
 //= link_tree ../../javascript .js
 //= link_tree ../builds
+//= link_tree ../../../vendor/javascript .js
diff --git a/bin/importmap b/bin/importmap
new file mode 100755
index 0000000..36502ab
--- /dev/null
+++ b/bin/importmap
@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+
+require_relative "../config/application"
+require "importmap/commands"
diff --git a/config/importmap.rb b/config/importmap.rb
index 8dce42d..17d5cd6 100644
--- a/config/importmap.rb
+++ b/config/importmap.rb
@@ -5,3 +5,4 @@ pin "@hotwired/turbo-rails", to: "turbo.min.js", preload: true
 pin "@hotwired/stimulus", to: "stimulus.min.js", preload: true
 pin "@hotwired/stimulus-loading", to: "stimulus-loading.js", preload: true
 pin_all_from "app/javascript/controllers", under: "controllers"
+pin "bech32" # @2.0.0

From bc4d9ff528a59764e8c04da1670fdda552776d55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 7 Mar 2023 18:31:54 +0800
Subject: [PATCH 36/47] Add nostr_pubkey to users

---
 db/migrate/20230304155240_add_nostr_pubkey_to_users.rb | 5 +++++
 db/schema.rb                                           | 6 +++---
 2 files changed, 8 insertions(+), 3 deletions(-)
 create mode 100644 db/migrate/20230304155240_add_nostr_pubkey_to_users.rb

diff --git a/db/migrate/20230304155240_add_nostr_pubkey_to_users.rb b/db/migrate/20230304155240_add_nostr_pubkey_to_users.rb
new file mode 100644
index 0000000..4cb4e8b
--- /dev/null
+++ b/db/migrate/20230304155240_add_nostr_pubkey_to_users.rb
@@ -0,0 +1,5 @@
+class AddNostrPubkeyToUsers < ActiveRecord::Migration[7.0]
+  def change
+    add_column :users, :nostr_pubkey, :string
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index 7f06b96..28851e7 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -70,13 +70,13 @@ ActiveRecord::Schema[7.0].define(version: 2023_05_23_120753) do
     t.datetime "confirmed_at", precision: nil
     t.datetime "confirmation_sent_at", precision: nil
     t.string "unconfirmed_email"
+    t.datetime "remember_created_at"
+    t.string "remember_token"
+    t.text "preferences"
     t.text "ln_login_ciphertext"
     t.text "ln_password_ciphertext"
     t.string "ln_account"
     t.string "nostr_pubkey"
-    t.datetime "remember_created_at"
-    t.string "remember_token"
-    t.text "preferences"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end

From 49de4007abddbcefb08a8824ece33925d1daba6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 8 Mar 2023 13:44:18 +0700
Subject: [PATCH 37/47] Settings page for adding verified nostr pubkeys

---
 Gemfile                                       |   7 +-
 Gemfile.lock                                  | 316 ++++++++++--------
 app/assets/stylesheets/components/base.css    |   4 +
 app/assets/stylesheets/components/buttons.css |   5 +
 app/assets/stylesheets/components/forms.css   |   4 +
 app/controllers/settings_controller.rb        |  43 ++-
 .../settings/nostr_pubkey_controller.js       |  63 ++++
 app/models/user.rb                            |   9 +-
 app/services/nostr_manager/validate_id.rb     |  11 +
 .../nostr_manager/verify_signature.rb         |  17 +
 app/services/nostr_manager_service.rb         |   4 +
 app/views/icons/_science.html.erb             |   1 +
 app/views/settings/_experiments.html.erb      |  62 ++++
 app/views/shared/_sidenav_settings.html.erb   |   6 +
 config/routes.rb                              |   1 +
 db/schema.rb                                  |  21 +-
 spec/features/settings/experiments_spec.rb    |  22 ++
 spec/requests/settings_spec.rb                | 104 ++++++
 vendor/javascript/.keep                       |   0
 vendor/javascript/bech32.js                   |   2 +
 yarn.lock                                     | 152 ++++-----
 21 files changed, 621 insertions(+), 233 deletions(-)
 create mode 100644 app/javascript/controllers/settings/nostr_pubkey_controller.js
 create mode 100644 app/services/nostr_manager/validate_id.rb
 create mode 100644 app/services/nostr_manager/verify_signature.rb
 create mode 100644 app/services/nostr_manager_service.rb
 create mode 100644 app/views/icons/_science.html.erb
 create mode 100644 app/views/settings/_experiments.html.erb
 create mode 100644 spec/features/settings/experiments_spec.rb
 create mode 100644 spec/requests/settings_spec.rb
 create mode 100644 vendor/javascript/.keep
 create mode 100644 vendor/javascript/bech32.js

diff --git a/Gemfile b/Gemfile
index dad66b1..81aceee 100644
--- a/Gemfile
+++ b/Gemfile
@@ -51,13 +51,14 @@ gem 'faraday'
 gem 'sidekiq', '< 7'
 gem 'sidekiq-scheduler'
 
-# Service integrations
-gem 'discourse_api'
-
 # Monitoring
 gem "sentry-ruby"
 gem "sentry-rails"
 
+# Services
+gem 'discourse_api'
+gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+
 group :development, :test do
   # Use sqlite3 as the database for Active Record
   gem 'sqlite3', '~> 1.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index 6b33fa8..75236f6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,81 +1,98 @@
+GIT
+  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
+  revision: 596529d9eb50d13b3f385245636698fccf37b442
+  branch: feature/ruby_2.7_compat
+  specs:
+    nostr (0.4.0)
+      bech32 (~> 1.3)
+      bip-schnorr (~> 0.4)
+      ecdsa (~> 1.2)
+      event_emitter (~> 0.2)
+      faye-websocket (~> 0.11)
+      json (~> 2.6)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.4)
-      actionpack (= 7.0.4)
-      activesupport (= 7.0.4)
+    actioncable (7.0.5)
+      actionpack (= 7.0.5)
+      activesupport (= 7.0.5)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.4)
-      actionpack (= 7.0.4)
-      activejob (= 7.0.4)
-      activerecord (= 7.0.4)
-      activestorage (= 7.0.4)
-      activesupport (= 7.0.4)
+    actionmailbox (7.0.5)
+      actionpack (= 7.0.5)
+      activejob (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.4)
-      actionpack (= 7.0.4)
-      actionview (= 7.0.4)
-      activejob (= 7.0.4)
-      activesupport (= 7.0.4)
+    actionmailer (7.0.5)
+      actionpack (= 7.0.5)
+      actionview (= 7.0.5)
+      activejob (= 7.0.5)
+      activesupport (= 7.0.5)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (7.0.4)
-      actionview (= 7.0.4)
-      activesupport (= 7.0.4)
-      rack (~> 2.0, >= 2.2.0)
+    actionpack (7.0.5)
+      actionview (= 7.0.5)
+      activesupport (= 7.0.5)
+      rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.4)
-      actionpack (= 7.0.4)
-      activerecord (= 7.0.4)
-      activestorage (= 7.0.4)
-      activesupport (= 7.0.4)
+    actiontext (7.0.5)
+      actionpack (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.4)
-      activesupport (= 7.0.4)
+    actionview (7.0.5)
+      activesupport (= 7.0.5)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.4)
-      activesupport (= 7.0.4)
+    activejob (7.0.5)
+      activesupport (= 7.0.5)
       globalid (>= 0.3.6)
-    activemodel (7.0.4)
-      activesupport (= 7.0.4)
-    activerecord (7.0.4)
-      activemodel (= 7.0.4)
-      activesupport (= 7.0.4)
-    activestorage (7.0.4)
-      actionpack (= 7.0.4)
-      activejob (= 7.0.4)
-      activerecord (= 7.0.4)
-      activesupport (= 7.0.4)
+    activemodel (7.0.5)
+      activesupport (= 7.0.5)
+    activerecord (7.0.5)
+      activemodel (= 7.0.5)
+      activesupport (= 7.0.5)
+    activestorage (7.0.5)
+      actionpack (= 7.0.5)
+      activejob (= 7.0.5)
+      activerecord (= 7.0.5)
+      activesupport (= 7.0.5)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (7.0.4)
+    activesupport (7.0.5)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
-    addressable (2.8.1)
+    addressable (2.8.4)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     backport (1.2.0)
     bcrypt (3.1.18)
+    bech32 (1.3.0)
+      thor (>= 1.1.0)
     benchmark (0.2.1)
     bindex (0.8.1)
+    bip-schnorr (0.6.0)
+      ecdsa_ext (~> 0.5.0)
     builder (3.2.4)
     byebug (11.1.3)
-    capybara (3.38.0)
+    capybara (3.39.2)
       addressable
       matrix
       mini_mime (>= 0.1.3)
@@ -85,20 +102,21 @@ GEM
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     chunky_png (1.4.0)
-    concurrent-ruby (1.1.10)
-    connection_pool (2.3.0)
+    concurrent-ruby (1.2.2)
+    connection_pool (2.4.1)
     crack (0.4.5)
       rexml
     crass (1.0.6)
-    cssbundling-rails (1.1.1)
+    cssbundling-rails (1.1.2)
       railties (>= 6.0.0)
-    database_cleaner (2.0.1)
-      database_cleaner-active_record (~> 2.0.0)
-    database_cleaner-active_record (2.0.1)
+    database_cleaner (2.0.2)
+      database_cleaner-active_record (>= 2, < 3)
+    database_cleaner-active_record (2.1.0)
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    devise (4.9.0)
+    date (3.3.3)
+    devise (4.9.2)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -108,7 +126,7 @@ GEM
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
     diff-lcs (1.5.0)
-    discourse_api (2.0.0)
+    discourse_api (2.0.1)
       faraday (~> 2.7)
       faraday-follow_redirects
       faraday-multipart
@@ -118,17 +136,22 @@ GEM
       dotenv (= 2.8.1)
       railties (>= 3.2)
     e2mmap (0.1.0)
-    erubi (1.11.0)
+    ecdsa (1.2.0)
+    ecdsa_ext (0.5.0)
+      ecdsa (~> 1.2.0)
+    erubi (1.12.0)
     et-orbi (1.2.7)
       tzinfo
+    event_emitter (0.2.6)
+    eventmachine (1.2.7)
     factory_bot (6.2.1)
       activesupport (>= 5.0.0)
     factory_bot_rails (6.2.0)
       factory_bot (~> 6.2.0)
       railties (>= 5.0.0)
-    faker (3.0.0)
+    faker (3.2.0)
       i18n (>= 1.8.11, < 2)
-    faraday (2.7.1)
+    faraday (2.7.6)
       faraday-net_http (>= 2.0, < 3.1)
       ruby2_keywords (>= 0.0.4)
     faraday-follow_redirects (0.3.0)
@@ -136,6 +159,9 @@ GEM
     faraday-multipart (1.0.4)
       multipart-post (~> 2)
     faraday-net_http (3.0.2)
+    faye-websocket (0.11.2)
+      eventmachine (>= 0.12.0)
+      websocket-driver (>= 0.5.1)
     ffi (1.15.5)
     flipper (0.28.0)
       concurrent-ruby (< 2)
@@ -148,18 +174,18 @@ GEM
       rack (>= 1.4, < 3)
       rack-protection (>= 1.5.3, <= 4.0.0)
       sanitize (< 7)
-    fugit (1.7.2)
+    fugit (1.8.1)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
-    globalid (1.0.0)
+    globalid (1.1.0)
       activesupport (>= 5.0)
     hashdiff (1.0.1)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
-    importmap-rails (1.1.5)
+    importmap-rails (1.1.6)
       actionpack (>= 6.0.0)
       railties (>= 6.0.0)
-    jaro_winkler (1.5.4)
+    jaro_winkler (1.5.6)
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
@@ -168,8 +194,8 @@ GEM
       rexml
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    launchy (2.5.0)
-      addressable (~> 2.7)
+    launchy (2.5.2)
+      addressable (~> 2.8)
     letter_opener (1.8.1)
       launchy (>= 2.2, < 3)
     letter_opener_web (2.0.0)
@@ -177,78 +203,80 @@ GEM
       letter_opener (~> 1.7)
       railties (>= 5.2)
       rexml
-    listen (3.7.1)
+    listen (3.8.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lockbox (1.1.0)
-    loofah (2.19.0)
+    lockbox (1.2.0)
+    loofah (2.21.3)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
-    mail (2.7.1)
+      nokogiri (>= 1.12.0)
+    mail (2.8.1)
       mini_mime (>= 0.1.1)
+      net-imap
+      net-pop
+      net-smtp
     marcel (1.0.2)
     matrix (0.4.2)
     method_source (1.0.0)
     mini_mime (1.1.2)
-    mini_portile2 (2.8.0)
-    minitest (5.16.3)
+    minitest (5.18.0)
     multipart-post (2.3.0)
-    net-imap (0.3.1)
+    net-imap (0.3.6)
+      date
       net-protocol
-    net-ldap (0.17.1)
+    net-ldap (0.18.0)
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.1.3)
+    net-protocol (0.2.1)
       timeout
     net-smtp (0.3.3)
       net-protocol
-    nio4r (2.5.8)
-    nokogiri (1.13.9)
-      mini_portile2 (~> 2.8.0)
-      racc (~> 1.4)
-    nokogiri (1.13.9-x86_64-linux)
+    nio4r (2.5.9)
+    nokogiri (1.15.2-x86_64-linux)
       racc (~> 1.4)
     orm_adapter (0.5.0)
-    pagy (6.0.2)
-    parallel (1.22.1)
-    parser (3.2.1.1)
+    pagy (6.0.4)
+    parallel (1.23.0)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
+      racc
     pg (1.2.3)
-    public_suffix (5.0.0)
+    public_suffix (5.0.1)
     puma (4.3.12)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.6.0)
-    rack (2.2.4)
+    racc (1.7.1)
+    rack (2.2.7)
     rack-protection (3.0.6)
       rack
-    rack-test (2.0.2)
+    rack-test (2.1.0)
       rack (>= 1.3)
-    rails (7.0.4)
-      actioncable (= 7.0.4)
-      actionmailbox (= 7.0.4)
-      actionmailer (= 7.0.4)
-      actionpack (= 7.0.4)
-      actiontext (= 7.0.4)
-      actionview (= 7.0.4)
-      activejob (= 7.0.4)
-      activemodel (= 7.0.4)
-      activerecord (= 7.0.4)
-      activestorage (= 7.0.4)
-      activesupport (= 7.0.4)
+    rails (7.0.5)
+      actioncable (= 7.0.5)
+      actionmailbox (= 7.0.5)
+      actionmailer (= 7.0.5)
+      actionpack (= 7.0.5)
+      actiontext (= 7.0.5)
+      actionview (= 7.0.5)
+      activejob (= 7.0.5)
+      activemodel (= 7.0.5)
+      activerecord (= 7.0.5)
+      activestorage (= 7.0.5)
+      activesupport (= 7.0.5)
       bundler (>= 1.15.0)
-      railties (= 7.0.4)
+      railties (= 7.0.5)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.4.3)
-      loofah (~> 2.3)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
     rails-settings-cached (2.8.3)
       activerecord (>= 5.0.0)
       railties (>= 5.0.0)
-    railties (7.0.4)
-      actionpack (= 7.0.4)
-      activesupport (= 7.0.4)
+    railties (7.0.5)
+      actionpack (= 7.0.5)
+      activesupport (= 7.0.5)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -258,110 +286,106 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
-    redis (5.0.5)
-      redis-client (>= 0.9.0)
-    redis-client (0.11.2)
-      connection_pool
-    regexp_parser (2.6.1)
+    rbs (2.8.4)
+    redis (4.8.1)
+    regexp_parser (2.8.1)
     responders (3.1.0)
       actionpack (>= 5.2)
       railties (>= 5.2)
     reverse_markdown (2.1.1)
       nokogiri
     rexml (3.2.5)
-    rqrcode (2.1.2)
+    rqrcode (2.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 1.0)
     rqrcode_core (1.2.0)
-    rspec-core (3.12.0)
+    rspec-core (3.12.2)
       rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.0)
+    rspec-expectations (3.12.3)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.0)
+    rspec-mocks (3.12.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-rails (6.0.1)
+    rspec-rails (6.0.3)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
-      rspec-core (~> 3.11)
-      rspec-expectations (~> 3.11)
-      rspec-mocks (~> 3.11)
-      rspec-support (~> 3.11)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
     rspec-support (3.12.0)
-    rubocop (1.48.1)
+    rubocop (1.52.1)
       json (~> 2.3)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.26.0, < 2.0)
+      rubocop-ast (>= 1.28.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.28.0)
+    rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    rufus-scheduler (3.8.2)
+    rufus-scheduler (3.9.1)
       fugit (~> 1.1, >= 1.1.6)
     sanitize (6.0.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    sentry-rails (5.8.0)
+    sentry-rails (5.9.0)
       railties (>= 5.0)
-      sentry-ruby (~> 5.8.0)
-    sentry-ruby (5.8.0)
+      sentry-ruby (~> 5.9.0)
+    sentry-ruby (5.9.0)
       concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.5)
-      connection_pool (>= 2.2.2)
+    sidekiq (6.5.9)
+      connection_pool (>= 2.2.5, < 3)
       rack (~> 2.0)
-      redis (>= 4.5.0)
-    sidekiq-scheduler (4.0.3)
-      redis (>= 4.2.0)
+      redis (>= 4.5.0, < 5)
+    sidekiq-scheduler (5.0.3)
       rufus-scheduler (~> 3.2)
-      sidekiq (>= 4, < 7)
+      sidekiq (>= 6, < 8)
       tilt (>= 1.4.0)
-    solargraph (0.48.0)
+    solargraph (0.49.0)
       backport (~> 1.2)
       benchmark
-      bundler (>= 1.17.2)
+      bundler (~> 2.0)
       diff-lcs (~> 1.4)
       e2mmap
       jaro_winkler (~> 1.5)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.1)
       parser (~> 3.0)
-      reverse_markdown (>= 1.0.5, < 3)
-      rubocop (>= 0.52)
+      rbs (~> 2.0)
+      reverse_markdown (~> 2.0)
+      rubocop (~> 1.38)
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    sprockets (4.1.1)
+    sprockets (4.2.0)
       concurrent-ruby (~> 1.0)
-      rack (> 1, < 3)
+      rack (>= 2.2.4, < 4)
     sprockets-rails (3.4.2)
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.5.4)
-      mini_portile2 (~> 2.8.0)
-    sqlite3 (1.5.4-x86_64-linux)
+    sqlite3 (1.6.3-x86_64-linux)
     stimulus-rails (1.2.1)
       railties (>= 6.0.0)
-    thor (1.2.1)
-    tilt (2.0.11)
-    timeout (0.3.0)
-    turbo-rails (1.3.2)
+    thor (1.2.2)
+    tilt (2.2.0)
+    timeout (0.3.2)
+    turbo-rails (1.4.0)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)
       railties (>= 6.0.0)
-    tzinfo (2.0.5)
+    tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.4.2)
-    view_component (2.78.0)
-      activesupport (>= 5.0.0, < 8.0)
+    view_component (3.2.0)
+      activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
     warden (1.2.9)
@@ -375,18 +399,15 @@ GEM
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.7.0)
     websocket-driver (0.7.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    yard (0.9.28)
-      webrick (~> 1.7.0)
-    zeitwerk (2.6.6)
+    yard (0.9.34)
+    zeitwerk (2.6.8)
 
 PLATFORMS
-  ruby
   x86_64-linux
 
 DEPENDENCIES
@@ -411,6 +432,7 @@ DEPENDENCIES
   listen (~> 3.2)
   lockbox
   net-ldap
+  nostr!
   pagy (~> 6.0, >= 6.0.2)
   pg (~> 1.2.3)
   puma (~> 4.1)
diff --git a/app/assets/stylesheets/components/base.css b/app/assets/stylesheets/components/base.css
index b4fa491..6824786 100644
--- a/app/assets/stylesheets/components/base.css
+++ b/app/assets/stylesheets/components/base.css
@@ -24,6 +24,10 @@
     @apply text-xl mb-6;
   }
 
+  h4 {
+    @apply font-bold mb-4 leading-6;
+  }
+
   main section {
     @apply pt-8 sm:pt-12;
   }
diff --git a/app/assets/stylesheets/components/buttons.css b/app/assets/stylesheets/components/buttons.css
index c50d071..c1269ce 100644
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@@ -32,4 +32,9 @@
     @apply bg-red-600 hover:bg-red-700 text-white
            focus:ring-red-500 focus:ring-opacity-75;
   }
+
+  .btn:disabled {
+    @apply bg-gray-100 hover:bg-gray-200 text-gray-400
+           focus:ring-gray-300 focus:ring-opacity-75;
+  }
 }
diff --git a/app/assets/stylesheets/components/forms.css b/app/assets/stylesheets/components/forms.css
index 46f1df9..5883569 100644
--- a/app/assets/stylesheets/components/forms.css
+++ b/app/assets/stylesheets/components/forms.css
@@ -15,6 +15,10 @@
     @apply border-b-red-600;
   }
 
+  .field_with_errors {
+    @apply inline-block;
+  }
+
   .error-msg {
     @apply text-red-700;
   }
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index 622b623..7a42a3e 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -1,3 +1,5 @@
+require 'securerandom'
+
 class SettingsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_main_nav_section
@@ -9,6 +11,9 @@ class SettingsController < ApplicationController
   end
 
   def show
+    if @settings_section == "experiments"
+      session[:shared_secret] ||= SecureRandom.base64(12)
+    end
   end
 
   def update
@@ -53,6 +58,36 @@ class SettingsController < ApplicationController
     redirect_to check_your_email_path, notice: msg
   end
 
+  def set_nostr_pubkey
+    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
+    is_valid_id  = NostrManager::ValidateId.call(signed_event)
+    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
+    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
+
+    unless is_valid_id && is_valid_sig && is_correct_content
+      flash[:alert] = "Public key could not be verified"
+      http_status :unprocessable_entity and return
+    end
+
+    pubkey_taken = User.all_except(current_user).where(
+      ou: current_user.ou, nostr_pubkey: signed_event[:pubkey]
+    ).any?
+
+    if pubkey_taken
+      flash[:alert] = "Public key already in use for a different account"
+      http_status :unprocessable_entity and return
+    end
+
+    current_user.update! nostr_pubkey: signed_event[:pubkey]
+    session[:shared_secret] = nil
+
+    flash[:success] = "Public key verification successful"
+    http_status :ok
+  rescue
+    flash[:alert] = "Public key could not be verified"
+    http_status :unprocessable_entity and return
+  end
+
   private
 
     def set_main_nav_section
@@ -61,7 +96,7 @@ class SettingsController < ApplicationController
 
     def set_settings_section
       @settings_section = params[:section]
-      allowed_sections = [:profile, :account, :lightning, :xmpp]
+      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
 
       unless allowed_sections.include?(@settings_section.to_sym)
         redirect_to setting_path(:profile)
@@ -82,4 +117,10 @@ class SettingsController < ApplicationController
     def email_params
       params.require(:user).permit(:email, :current_password)
     end
+
+    def nostr_event_params
+      params.permit(signed_event: [
+        :id, :pubkey, :created_at, :kind, :tags, :content, :sig
+      ])
+    end
 end
diff --git a/app/javascript/controllers/settings/nostr_pubkey_controller.js b/app/javascript/controllers/settings/nostr_pubkey_controller.js
new file mode 100644
index 0000000..4660326
--- /dev/null
+++ b/app/javascript/controllers/settings/nostr_pubkey_controller.js
@@ -0,0 +1,63 @@
+import { Controller } from "@hotwired/stimulus"
+import { bech32 } from "bech32"
+
+function hexToBytes (hex) {
+  let bytes = []
+  for (let c = 0; c < hex.length; c += 2) {
+    bytes.push(parseInt(hex.substr(c, 2), 16))
+  }
+  return bytes
+}
+
+// Connects to data-controller="settings--nostr-pubkey"
+export default class extends Controller {
+  static targets = [ "noExtension", "setPubkey", "pubkeyBech32Input" ]
+  static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
+
+  connect () {
+    if (this.hasPubkeyHexValue && this.pubkeyHexValue.length > 0) {
+      this.pubkeyBech32InputTarget.value = this.pubkeyBech32
+    }
+
+    if (window.nostr) {
+      this.setPubkeyTarget.disabled = false
+    } else {
+      this.noExtensionTarget.classList.remove("hidden")
+    }
+  }
+
+  async setPubkey () {
+    this.setPubkeyTarget.disabled = true
+
+    try {
+      const signedEvent = await window.nostr.signEvent({
+        created_at: Math.floor(Date.now() / 1000),
+        kind: 1,
+        tags: [],
+        content: `Connect my public key to ${this.userAddressValue} (confirmation ${this.sharedSecretValue})`
+      })
+
+      const res = await fetch("/settings/set_nostr_pubkey", {
+        method: "POST", credentials: "include", headers: {
+          "Accept": "application/json", 'Content-Type': 'application/json',
+          "X-CSRF-Token": this.csrfToken
+        }, body: JSON.stringify({ signed_event: signedEvent })
+      });
+
+      window.location.reload()
+    } catch (error) {
+      console.warn('Unable to verify pubkey:', error.message)
+      this.setPubkeyTarget.disabled = false
+    }
+  }
+
+  get pubkeyBech32 () {
+    const words = bech32.toWords(hexToBytes(this.pubkeyHexValue))
+    return bech32.encode('npub', words)
+  }
+
+  get csrfToken () {
+    const element = document.head.querySelector('meta[name="csrf-token"]')
+    return element.getAttribute("content")
+  }
+}
diff --git a/app/models/user.rb b/app/models/user.rb
index 855fd0d..137589a 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -18,7 +18,7 @@ class User < ApplicationRecord
 
   has_many :accounts, through: :lndhub_user
 
-  validates_uniqueness_of :cn
+  validates_uniqueness_of :cn, scope: :ou
   validates_length_of :cn, minimum: 3
   validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
                            if: Proc.new{ |u| u.cn.present? },
@@ -36,8 +36,11 @@ class User < ApplicationRecord
   validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                      if: -> { defined?(@display_name) }
 
-  scope :confirmed, -> { where.not(confirmed_at: nil) }
-  scope :pending,   -> { where(confirmed_at: nil) }
+  validates_uniqueness_of :nostr_pubkey, scope: :ou, allow_blank: true
+
+  scope :confirmed,  -> { where.not(confirmed_at: nil) }
+  scope :pending,    -> { where(confirmed_at: nil) }
+  scope :all_except, -> (user) { where.not(id: user) }
 
   has_encrypted :ln_login, :ln_password
 
diff --git a/app/services/nostr_manager/validate_id.rb b/app/services/nostr_manager/validate_id.rb
new file mode 100644
index 0000000..d184b75
--- /dev/null
+++ b/app/services/nostr_manager/validate_id.rb
@@ -0,0 +1,11 @@
+module NostrManager
+  class ValidateId < NostrManagerService
+    def initialize(event)
+      @event = Nostr::Event.new(**event)
+    end
+
+    def call
+      @event.id == Digest::SHA256.hexdigest(JSON.generate(@event.serialize))
+    end
+  end
+end
diff --git a/app/services/nostr_manager/verify_signature.rb b/app/services/nostr_manager/verify_signature.rb
new file mode 100644
index 0000000..63b0489
--- /dev/null
+++ b/app/services/nostr_manager/verify_signature.rb
@@ -0,0 +1,17 @@
+module NostrManager
+  class VerifySignature < NostrManagerService
+    def initialize(event)
+      @event = Nostr::Event.new(**event)
+    end
+
+    def call
+      Schnorr.check_sig!(
+        [@event.id].pack('H*'),
+        [@event.pubkey].pack('H*'),
+        [@event.sig].pack('H*')
+      )
+    rescue Schnorr::InvalidSignatureError
+      false
+    end
+  end
+end
diff --git a/app/services/nostr_manager_service.rb b/app/services/nostr_manager_service.rb
new file mode 100644
index 0000000..3376226
--- /dev/null
+++ b/app/services/nostr_manager_service.rb
@@ -0,0 +1,4 @@
+require "nostr"
+
+class NostrManagerService < ApplicationService
+end
diff --git a/app/views/icons/_science.html.erb b/app/views/icons/_science.html.erb
new file mode 100644
index 0000000..623f6c0
--- /dev/null
+++ b/app/views/icons/_science.html.erb
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" height="48" viewBox="0 96 960 960" width="48" class="material-science <%= custom_class %>" fill="currentColor"><path d="M172 936q-41.777 0-59.388-39Q95 858 124 826l248-280V276h-52q-12.75 0-21.375-8.675-8.625-8.676-8.625-21.5 0-12.825 8.625-21.325T320 216h320q12.75 0 21.375 8.675 8.625 8.676 8.625 21.5 0 12.825-8.625 21.325T640 276h-52v270l248 280q29 32 11.388 71-17.611 39-59.388 39H172Zm-12-60h640L528 568V276h-96v292L160 876Zm318-300Z"/></svg>
diff --git a/app/views/settings/_experiments.html.erb b/app/views/settings/_experiments.html.erb
new file mode 100644
index 0000000..4318db5
--- /dev/null
+++ b/app/views/settings/_experiments.html.erb
@@ -0,0 +1,62 @@
+<section>
+  <h3>Nostr</h3>
+  <h4 class="mb-0">Public Key</h4>
+  <div data-controller="settings--nostr-pubkey"
+       data-settings--nostr-pubkey-user-address-value="<%= current_user.address %>"
+       data-settings--nostr-pubkey-shared-secret-value="<%= session[:shared_secret] %>"
+       data-settings--nostr-pubkey-pubkey-hex-value="<%= current_user.nostr_pubkey %>">
+
+    <p class="mt-2 <%= current_user.nostr_pubkey.present? ? "" : "hidden" %>">
+      <input type="text" class="w-full" value="<%= current_user.nostr_pubkey %>"
+             data-settings--nostr-pubkey-target="pubkeyBech32Input" disabled />
+    </p>
+
+    <% unless current_user.nostr_pubkey.present? %>
+    <p class="my-4">
+      If you use any apps on the Nostr network, you can verify your public key
+      with us in order to enable Nostr-specific features for your account.
+    </p>
+    <% end %>
+
+    <div data-settings--nostr-pubkey-target="noExtension"
+         class="hidden rounded-md bg-blue-50 p-4">
+      <div class="flex">
+        <div class="flex-shrink-0">
+          <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+            <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a.75.75 0 000 1.5h.253a.25.25 0 01.244.304l-.459 2.066A1.75 1.75 0 0010.747 15H11a.75.75 0 000-1.5h-.253a.25.25 0 01-.244-.304l.459-2.066A1.75 1.75 0 009.253 9H9z" clip-rule="evenodd" />
+          </svg>
+        </div>
+        <div class="ml-3">
+          <h3 class="mb-0 text-sm font-bold text-blue-800">
+            No browser extension found
+          </h3>
+          <div class="mt-2 mb-0 text-sm text-blue-800">
+            <p>
+              We recommend Alby, which you can also use for your Lightning
+              Wallet.
+            </p>
+          </div>
+          <div class="mt-4">
+            <div class="-mx-2 -my-1.5 flex">
+              <a href="https://getalby.com" target="_blank"
+                 class="rounded-md bg-blue-50 px-2 py-1.5 text-sm
+                        font-bold text-blue-800 hover:bg-blue-100
+                        focus:outline-none focus:ring-2 focus:ring-blue-600
+                        focus:ring-offset-2 focus:ring-offset-blue-50">
+                Get Alby
+              </a>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <p class="mt-8">
+      <button class="btn-md btn-gray" disabled
+              data-settings--nostr-pubkey-target="setPubkey"
+              data-action="settings--nostr-pubkey#setPubkey">
+        Get public key from browser extension
+      </button>
+    </p>
+  </div>
+</section>
diff --git a/app/views/shared/_sidenav_settings.html.erb b/app/views/shared/_sidenav_settings.html.erb
index ce2a527..aa30f60 100644
--- a/app/views/shared/_sidenav_settings.html.erb
+++ b/app/views/shared/_sidenav_settings.html.erb
@@ -18,3 +18,9 @@
   active: @settings_section.to_s == "lightning"
 ) %>
 <% end %>
+<% if Setting.nostr_enabled %>
+<%= render SidenavLinkComponent.new(
+  name: "Experiments", path: setting_path(:experiments), icon: "science",
+  active: @settings_section.to_s == "experiments"
+) %>
+<% end %>
diff --git a/config/routes.rb b/config/routes.rb
index 684f386..546d8ff 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -32,6 +32,7 @@ Rails.application.routes.draw do
     collection do
       post 'update_email'
       post 'reset_password'
+      post 'set_nostr_pubkey'
     end
   end
 
diff --git a/db/schema.rb b/db/schema.rb
index 28851e7..82260de 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -50,6 +50,20 @@ ActiveRecord::Schema[7.0].define(version: 2023_05_23_120753) do
     t.index ["user_id"], name: "index_invitations_on_user_id"
   end
 
+  create_table "remote_storage_authorizations", force: :cascade do |t|
+    t.integer "user_id", null: false
+    t.string "token"
+    t.text "permissions", default: "--- []\n"
+    t.string "client_id"
+    t.string "redirect_uri"
+    t.string "app_name"
+    t.datetime "expire_at"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["permissions"], name: "index_remote_storage_authorizations_on_permissions"
+    t.index ["user_id"], name: "index_remote_storage_authorizations_on_user_id"
+  end
+
   create_table "settings", force: :cascade do |t|
     t.string "var", null: false
     t.text "value"
@@ -70,15 +84,16 @@ ActiveRecord::Schema[7.0].define(version: 2023_05_23_120753) do
     t.datetime "confirmed_at", precision: nil
     t.datetime "confirmation_sent_at", precision: nil
     t.string "unconfirmed_email"
-    t.datetime "remember_created_at"
-    t.string "remember_token"
-    t.text "preferences"
     t.text "ln_login_ciphertext"
     t.text "ln_password_ciphertext"
     t.string "ln_account"
     t.string "nostr_pubkey"
+    t.datetime "remember_created_at"
+    t.string "remember_token"
+    t.text "preferences"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
   end
 
+  add_foreign_key "remote_storage_authorizations", "users"
 end
diff --git a/spec/features/settings/experiments_spec.rb b/spec/features/settings/experiments_spec.rb
new file mode 100644
index 0000000..e87bd1f
--- /dev/null
+++ b/spec/features/settings/experiments_spec.rb
@@ -0,0 +1,22 @@
+require 'rails_helper'
+
+RSpec.describe 'Experimental Settings', type: :feature do
+  let(:user) { create :user, cn: 'jimmy', ou: 'kosmos.org' }
+
+  before do
+    login_as user, scope: :user
+  end
+
+  describe 'Adding a nostr pubkey' do
+    scenario 'Without nostr browser extension available' do
+      visit setting_path(:experiments)
+      expect(page).to have_content("No browser extension found")
+      expect(page).to have_css('button[data-settings--nostr-pubkey-target=setPubkey]:disabled')
+    end
+
+    # scenario 'Successfully saving a key' do
+    #   Note: Needs a more complex JS testing setup (maybe poltergeist), not
+    #   worth it for now
+    # end
+  end
+end
diff --git a/spec/requests/settings_spec.rb b/spec/requests/settings_spec.rb
new file mode 100644
index 0000000..8bd04ab
--- /dev/null
+++ b/spec/requests/settings_spec.rb
@@ -0,0 +1,104 @@
+require 'rails_helper'
+
+RSpec.describe "Settings", type: :request do
+  let(:user) { create :user, cn: 'mark', ou: 'kosmos.org' }
+
+  before do
+    login_as user, :scope => :user
+  end
+
+  describe "GET /settings/experiments" do
+    it "works" do
+      get setting_path(:experiments)
+      expect(response).to have_http_status(200)
+    end
+  end
+
+  describe "POST /settings/set_nostr_pubkey" do
+    before do
+      session_stub = { shared_secret: "rMjWEmvcvtTlQkMd" }
+      allow_any_instance_of(SettingsController).to receive(:session).and_return(session_stub)
+    end
+
+    context "With valid data" do
+      before do
+        post set_nostr_pubkey_settings_path, params: {
+          signed_event: {
+            id: "84f266bbd784551aaa9e35cb0aceb4ee59182a1dab9ab279d9e40dd56ecbbdd3",
+            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+            created_at: 1678254161,
+            kind: 1,
+            content: "Connect my public key to mark@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
+            sig: "96796d420547d6e2c7be5de82a2ce7a48be99aac6415464a6081859ac1a9017305accc0228c630466a57d45ec1c3b456376eb538b76dfdaa2397e3258be02fdd"
+          }
+        }.to_json, headers: {
+          "CONTENT_TYPE" => "application/json",
+          "HTTP_ACCEPT" => "application/json"
+        }
+      end
+
+      it "returns a success status" do
+        expect(response).to have_http_status(200)
+      end
+
+      it "saves the pubkey" do
+        expect(user.nostr_pubkey).to eq("07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3")
+      end
+    end
+
+    context "With wrong username" do
+      before do
+        post set_nostr_pubkey_settings_path, params: {
+          signed_event: {
+            id: "2e1e20ee762d6a5b5b30835eda9ca03146e4baf82490e53fd75794c08de08ac0",
+            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+            created_at: 1678255391,
+            kind: 1,
+            content: "Connect my public key to admin@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
+            sig: "2ace19c9db892ac6383848721a3e08b13d90d689fdeac60d9633a623d3f08eb7e0d468f1b3e928d1ea979477c2ec46ee6cdb2d053ef2e4ed3c0630a51d249029"
+          }
+        }.to_json, headers: {
+          "CONTENT_TYPE" => "application/json",
+          "HTTP_ACCEPT" => "application/json"
+        }
+      end
+
+      it "returns a 422 status" do
+        expect(response).to have_http_status(422)
+      end
+
+      it "does not save the pubkey" do
+        expect(user.nostr_pubkey).to be_nil
+      end
+    end
+
+    context "With wrong shared secret" do
+      before do
+        session_stub = { shared_secret: "ho-chi-minh" }
+        allow_any_instance_of(SettingsController).to receive(:session).and_return(session_stub)
+
+        post set_nostr_pubkey_settings_path, params: {
+          signed_event: {
+            id: "84f266bbd784551aaa9e35cb0aceb4ee59182a1dab9ab279d9e40dd56ecbbdd3",
+            pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+            created_at: 1678254161,
+            kind: 1,
+            content: "Connect my public key to mark@kosmos.org (confirmation rMjWEmvcvtTlQkMd)",
+            sig: "96796d420547d6e2c7be5de82a2ce7a48be99aac6415464a6081859ac1a9017305accc0228c630466a57d45ec1c3b456376eb538b76dfdaa2397e3258be02fdd"
+          }
+        }.to_json, headers: {
+          "CONTENT_TYPE" => "application/json",
+          "HTTP_ACCEPT" => "application/json"
+        }
+      end
+
+      it "returns a 422 status" do
+        expect(response).to have_http_status(422)
+      end
+
+      it "does not save the pubkey" do
+        expect(user.nostr_pubkey).to be_nil
+      end
+    end
+  end
+end
diff --git a/vendor/javascript/.keep b/vendor/javascript/.keep
new file mode 100644
index 0000000..e69de29
diff --git a/vendor/javascript/bech32.js b/vendor/javascript/bech32.js
new file mode 100644
index 0000000..2e6c3ea
--- /dev/null
+++ b/vendor/javascript/bech32.js
@@ -0,0 +1,2 @@
+var e={};Object.defineProperty(e,"__esModule",{value:true});e.bech32m=e.bech32=void 0;const r="qpzry9x8gf2tvdw0s3jn54khce6mua7l";const t={};for(let e=0;e<r.length;e++){const o=r.charAt(e);t[o]=e}function polymodStep(e){const r=e>>25;return(33554431&e)<<5^996825010&-(r>>0&1)^642813549&-(r>>1&1)^513874426&-(r>>2&1)^1027748829&-(r>>3&1)^705979059&-(r>>4&1)}function prefixChk(e){let r=1;for(let t=0;t<e.length;++t){const o=e.charCodeAt(t);if(o<33||o>126)return"Invalid prefix ("+e+")";r=polymodStep(r)^o>>5}r=polymodStep(r);for(let t=0;t<e.length;++t){const o=e.charCodeAt(t);r=polymodStep(r)^31&o}return r}function convert(e,r,t,o){let n=0;let c=0;const s=(1<<t)-1;const f=[];for(let o=0;o<e.length;++o){n=n<<r|e[o];c+=r;while(c>=t){c-=t;f.push(n>>c&s)}}if(o)c>0&&f.push(n<<t-c&s);else{if(c>=r)return"Excess padding";if(n<<t-c&s)return"Non-zero padding"}return f}function toWords(e){return convert(e,8,5,true)}function fromWordsUnsafe(e){const r=convert(e,5,8,false);if(Array.isArray(r))return r}function fromWords(e){const r=convert(e,5,8,false);if(Array.isArray(r))return r;throw new Error(r)}function getLibraryFromEncoding(e){let o;o="bech32"===e?1:734539939;function encode(e,t,n){n=n||90;if(e.length+7+t.length>n)throw new TypeError("Exceeds length limit");e=e.toLowerCase();let c=prefixChk(e);if("string"===typeof c)throw new Error(c);let s=e+"1";for(let e=0;e<t.length;++e){const o=t[e];if(o>>5!==0)throw new Error("Non 5-bit word");c=polymodStep(c)^o;s+=r.charAt(o)}for(let e=0;e<6;++e)c=polymodStep(c);c^=o;for(let e=0;e<6;++e){const t=c>>5*(5-e)&31;s+=r.charAt(t)}return s}function __decode(e,r){r=r||90;if(e.length<8)return e+" too short";if(e.length>r)return"Exceeds length limit";const n=e.toLowerCase();const c=e.toUpperCase();if(e!==n&&e!==c)return"Mixed-case string "+e;e=n;const s=e.lastIndexOf("1");if(-1===s)return"No separator character for "+e;if(0===s)return"Missing prefix for "+e;const f=e.slice(0,s);const i=e.slice(s+1);if(i.length<6)return"Data too short";let d=prefixChk(f);if("string"===typeof d)return d;const l=[];for(let e=0;e<i.length;++e){const r=i.charAt(e);const o=t[r];if(void 0===o)return"Unknown character "+r;d=polymodStep(d)^o;e+6>=i.length||l.push(o)}return d!==o?"Invalid checksum for "+e:{prefix:f,words:l}}function decodeUnsafe(e,r){const t=__decode(e,r);if("object"===typeof t)return t}function decode(e,r){const t=__decode(e,r);if("object"===typeof t)return t;throw new Error(t)}return{decodeUnsafe:decodeUnsafe,decode:decode,encode:encode,toWords:toWords,fromWordsUnsafe:fromWordsUnsafe,fromWords:fromWords}}e.bech32=getLibraryFromEncoding("bech32");e.bech32m=getLibraryFromEncoding("bech32m");const o=e.__esModule,n=e.bech32m,c=e.bech32;export default e;export{o as __esModule,c as bech32,n as bech32m};
+
diff --git a/yarn.lock b/yarn.lock
index df131d2..e7395a2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -4,7 +4,7 @@
 
 "@csstools/postcss-cascade-layers@^1.1.1":
   version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-cascade-layers/-/postcss-cascade-layers-1.1.1.tgz#8a997edf97d34071dd2e37ea6022447dd9e795ad"
+  resolved "https://registry.npmjs.org/@csstools/postcss-cascade-layers/-/postcss-cascade-layers-1.1.1.tgz"
   integrity sha512-+KdYrpKC5TgomQr2DlZF4lDEpHcoxnj5IGddYYfBWJAKfj1JtuHUIqMa+E1pJJ+z3kvDViWMqyqPlG4Ja7amQA==
   dependencies:
     "@csstools/selector-specificity" "^2.0.2"
@@ -12,7 +12,7 @@
 
 "@csstools/postcss-color-function@^1.1.1":
   version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-color-function/-/postcss-color-function-1.1.1.tgz#2bd36ab34f82d0497cfacdc9b18d34b5e6f64b6b"
+  resolved "https://registry.npmjs.org/@csstools/postcss-color-function/-/postcss-color-function-1.1.1.tgz"
   integrity sha512-Bc0f62WmHdtRDjf5f3e2STwRAl89N2CLb+9iAwzrv4L2hncrbDwnQD9PCq0gtAt7pOI2leIV08HIBUd4jxD8cw==
   dependencies:
     "@csstools/postcss-progressive-custom-properties" "^1.1.0"
@@ -20,21 +20,21 @@
 
 "@csstools/postcss-font-format-keywords@^1.0.1":
   version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-font-format-keywords/-/postcss-font-format-keywords-1.0.1.tgz#677b34e9e88ae997a67283311657973150e8b16a"
+  resolved "https://registry.npmjs.org/@csstools/postcss-font-format-keywords/-/postcss-font-format-keywords-1.0.1.tgz"
   integrity sha512-ZgrlzuUAjXIOc2JueK0X5sZDjCtgimVp/O5CEqTcs5ShWBa6smhWYbS0x5cVc/+rycTDbjjzoP0KTDnUneZGOg==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-hwb-function@^1.0.2":
   version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-hwb-function/-/postcss-hwb-function-1.0.2.tgz#ab54a9fce0ac102c754854769962f2422ae8aa8b"
+  resolved "https://registry.npmjs.org/@csstools/postcss-hwb-function/-/postcss-hwb-function-1.0.2.tgz"
   integrity sha512-YHdEru4o3Rsbjmu6vHy4UKOXZD+Rn2zmkAmLRfPet6+Jz4Ojw8cbWxe1n42VaXQhD3CQUXXTooIy8OkVbUcL+w==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-ic-unit@^1.0.1":
   version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-ic-unit/-/postcss-ic-unit-1.0.1.tgz#28237d812a124d1a16a5acc5c3832b040b303e58"
+  resolved "https://registry.npmjs.org/@csstools/postcss-ic-unit/-/postcss-ic-unit-1.0.1.tgz"
   integrity sha512-Ot1rcwRAaRHNKC9tAqoqNZhjdYBzKk1POgWfhN4uCOE47ebGcLRqXjKkApVDpjifL6u2/55ekkpnFcp+s/OZUw==
   dependencies:
     "@csstools/postcss-progressive-custom-properties" "^1.1.0"
@@ -42,7 +42,7 @@
 
 "@csstools/postcss-is-pseudo-class@^2.0.7":
   version "2.0.7"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-is-pseudo-class/-/postcss-is-pseudo-class-2.0.7.tgz#846ae6c0d5a1eaa878fce352c544f9c295509cd1"
+  resolved "https://registry.npmjs.org/@csstools/postcss-is-pseudo-class/-/postcss-is-pseudo-class-2.0.7.tgz"
   integrity sha512-7JPeVVZHd+jxYdULl87lvjgvWldYu+Bc62s9vD/ED6/QTGjy0jy0US/f6BG53sVMTBJ1lzKZFpYmofBN9eaRiA==
   dependencies:
     "@csstools/selector-specificity" "^2.0.0"
@@ -50,21 +50,21 @@
 
 "@csstools/postcss-nested-calc@^1.0.0":
   version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-nested-calc/-/postcss-nested-calc-1.0.0.tgz#d7e9d1d0d3d15cf5ac891b16028af2a1044d0c26"
+  resolved "https://registry.npmjs.org/@csstools/postcss-nested-calc/-/postcss-nested-calc-1.0.0.tgz"
   integrity sha512-JCsQsw1wjYwv1bJmgjKSoZNvf7R6+wuHDAbi5f/7MbFhl2d/+v+TvBTU4BJH3G1X1H87dHl0mh6TfYogbT/dJQ==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-normalize-display-values@^1.0.1":
   version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-normalize-display-values/-/postcss-normalize-display-values-1.0.1.tgz#15da54a36e867b3ac5163ee12c1d7f82d4d612c3"
+  resolved "https://registry.npmjs.org/@csstools/postcss-normalize-display-values/-/postcss-normalize-display-values-1.0.1.tgz"
   integrity sha512-jcOanIbv55OFKQ3sYeFD/T0Ti7AMXc9nM1hZWu8m/2722gOTxFg7xYu4RDLJLeZmPUVQlGzo4jhzvTUq3x4ZUw==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-oklab-function@^1.1.1":
   version "1.1.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-oklab-function/-/postcss-oklab-function-1.1.1.tgz#88cee0fbc8d6df27079ebd2fa016ee261eecf844"
+  resolved "https://registry.npmjs.org/@csstools/postcss-oklab-function/-/postcss-oklab-function-1.1.1.tgz"
   integrity sha512-nJpJgsdA3dA9y5pgyb/UfEzE7W5Ka7u0CX0/HIMVBNWzWemdcTH3XwANECU6anWv/ao4vVNLTMxhiPNZsTK6iA==
   dependencies:
     "@csstools/postcss-progressive-custom-properties" "^1.1.0"
@@ -72,40 +72,40 @@
 
 "@csstools/postcss-progressive-custom-properties@^1.1.0", "@csstools/postcss-progressive-custom-properties@^1.3.0":
   version "1.3.0"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-progressive-custom-properties/-/postcss-progressive-custom-properties-1.3.0.tgz#542292558384361776b45c85226b9a3a34f276fa"
+  resolved "https://registry.npmjs.org/@csstools/postcss-progressive-custom-properties/-/postcss-progressive-custom-properties-1.3.0.tgz"
   integrity sha512-ASA9W1aIy5ygskZYuWams4BzafD12ULvSypmaLJT2jvQ8G0M3I8PRQhC0h7mG0Z3LI05+agZjqSR9+K9yaQQjA==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-stepped-value-functions@^1.0.1":
   version "1.0.1"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-stepped-value-functions/-/postcss-stepped-value-functions-1.0.1.tgz#f8772c3681cc2befed695e2b0b1d68e22f08c4f4"
+  resolved "https://registry.npmjs.org/@csstools/postcss-stepped-value-functions/-/postcss-stepped-value-functions-1.0.1.tgz"
   integrity sha512-dz0LNoo3ijpTOQqEJLY8nyaapl6umbmDcgj4AD0lgVQ572b2eqA1iGZYTTWhrcrHztWDDRAX2DGYyw2VBjvCvQ==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-text-decoration-shorthand@^1.0.0":
   version "1.0.0"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-text-decoration-shorthand/-/postcss-text-decoration-shorthand-1.0.0.tgz#ea96cfbc87d921eca914d3ad29340d9bcc4c953f"
+  resolved "https://registry.npmjs.org/@csstools/postcss-text-decoration-shorthand/-/postcss-text-decoration-shorthand-1.0.0.tgz"
   integrity sha512-c1XwKJ2eMIWrzQenN0XbcfzckOLLJiczqy+YvfGmzoVXd7pT9FfObiSEfzs84bpE/VqfpEuAZ9tCRbZkZxxbdw==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-trigonometric-functions@^1.0.2":
   version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-trigonometric-functions/-/postcss-trigonometric-functions-1.0.2.tgz#94d3e4774c36d35dcdc88ce091336cb770d32756"
+  resolved "https://registry.npmjs.org/@csstools/postcss-trigonometric-functions/-/postcss-trigonometric-functions-1.0.2.tgz"
   integrity sha512-woKaLO///4bb+zZC2s80l+7cm07M7268MsyG3M0ActXXEFi6SuhvriQYcb58iiKGbjwwIU7n45iRLEHypB47Og==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 "@csstools/postcss-unset-value@^1.0.2":
   version "1.0.2"
-  resolved "https://registry.yarnpkg.com/@csstools/postcss-unset-value/-/postcss-unset-value-1.0.2.tgz#c99bb70e2cdc7312948d1eb41df2412330b81f77"
+  resolved "https://registry.npmjs.org/@csstools/postcss-unset-value/-/postcss-unset-value-1.0.2.tgz"
   integrity sha512-c8J4roPBILnelAsdLr4XOAR/GsTm0GJi4XpcfvoWk3U6KiTCqiFYc63KhRMQQX35jYMp4Ao8Ij9+IZRgMfJp1g==
 
 "@csstools/selector-specificity@^2.0.0", "@csstools/selector-specificity@^2.0.2":
   version "2.0.2"
-  resolved "https://registry.yarnpkg.com/@csstools/selector-specificity/-/selector-specificity-2.0.2.tgz#1bfafe4b7ed0f3e4105837e056e0a89b108ebe36"
+  resolved "https://registry.npmjs.org/@csstools/selector-specificity/-/selector-specificity-2.0.2.tgz"
   integrity sha512-IkpVW/ehM1hWKln4fCA3NzJU8KwD+kIOvPZA4cqxoJHtE21CCzjyp+Kxbu0i5I4tBNOlXPL9mjwnWlL0VEG4Fg==
 
 "@nodelib/fs.scandir@2.1.5":
@@ -131,14 +131,14 @@
 
 "@tailwindcss/forms@^0.5.3":
   version "0.5.3"
-  resolved "https://registry.yarnpkg.com/@tailwindcss/forms/-/forms-0.5.3.tgz#e4d7989686cbcaf416c53f1523df5225332a86e7"
+  resolved "https://registry.npmjs.org/@tailwindcss/forms/-/forms-0.5.3.tgz"
   integrity sha512-y5mb86JUoiUgBjY/o6FJSFZSEttfb3Q5gllE4xoKjAAD+vBrnIhE4dViwUuow3va8mpH4s9jyUbUbrRGoRdc2Q==
   dependencies:
     mini-svg-data-uri "^1.2.3"
 
 acorn-node@^1.8.2:
   version "1.8.2"
-  resolved "https://registry.yarnpkg.com/acorn-node/-/acorn-node-1.8.2.tgz#114c95d64539e53dede23de8b9d96df7c7ae2af8"
+  resolved "https://registry.npmjs.org/acorn-node/-/acorn-node-1.8.2.tgz"
   integrity sha512-8mt+fslDufLYntIoPAaIMUe/lrbrehIiwmR3t2k9LljIzoigEPF27eLk2hy8zSGzmR/ogr7zbRKINMo1u0yh5A==
   dependencies:
     acorn "^7.0.0"
@@ -165,12 +165,12 @@ anymatch@~3.1.2:
 
 arg@^5.0.2:
   version "5.0.2"
-  resolved "https://registry.yarnpkg.com/arg/-/arg-5.0.2.tgz#c81433cc427c92c4dcf4865142dbca6f15acd59c"
+  resolved "https://registry.npmjs.org/arg/-/arg-5.0.2.tgz"
   integrity sha512-PYjyFOLKQ9y57JvQ6QLo8dAgNqswh8M1RMJYdQduT6xbWSgK36P/Z/v+p888pM69jMMfS8Xd8F6I1kQ/I9HUGg==
 
 autoprefixer@^10.4.13:
   version "10.4.13"
-  resolved "https://registry.yarnpkg.com/autoprefixer/-/autoprefixer-10.4.13.tgz#b5136b59930209a321e9fa3dca2e7c4d223e83a8"
+  resolved "https://registry.npmjs.org/autoprefixer/-/autoprefixer-10.4.13.tgz"
   integrity sha512-49vKpMqcZYsJjwotvt4+h/BCjJVnhGwcLpDt5xkcaOG3eLrG/HUYLagrihYsQ+qrIBgIzX1Rw7a6L8I/ZA1Atg==
   dependencies:
     browserslist "^4.21.4"
@@ -194,7 +194,7 @@ braces@^3.0.1, braces@^3.0.2, braces@~3.0.2:
 
 browserslist@^4.21.4:
   version "4.21.4"
-  resolved "https://registry.yarnpkg.com/browserslist/-/browserslist-4.21.4.tgz#e7496bbc67b9e39dd0f98565feccdcb0d4ff6987"
+  resolved "https://registry.npmjs.org/browserslist/-/browserslist-4.21.4.tgz"
   integrity sha512-CBHJJdDmgjl3daYjN5Cp5kbTf1mUhZoS+beLklHIvkOWscs83YAhLlF3Wsh/lciQYAcbBJgTOD44VtG31ZM4Hw==
   dependencies:
     caniuse-lite "^1.0.30001400"
@@ -209,12 +209,12 @@ camelcase-css@^2.0.1:
 
 caniuse-lite@^1.0.30001400, caniuse-lite@^1.0.30001426:
   version "1.0.30001435"
-  resolved "https://registry.yarnpkg.com/caniuse-lite/-/caniuse-lite-1.0.30001435.tgz#502c93dbd2f493bee73a408fe98e98fb1dad10b2"
+  resolved "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001435.tgz"
   integrity sha512-kdCkUTjR+v4YAJelyiDTqiu82BDr4W4CP5sgTA0ZBmqn30XfS2ZghPLMowik9TPhS+psWJiUNxsqLyurDbmutA==
 
 chokidar@^3.5.3:
   version "3.5.3"
-  resolved "https://registry.yarnpkg.com/chokidar/-/chokidar-3.5.3.tgz#1cf37c8707b932bd1af1ae22c0432e2acd1903bd"
+  resolved "https://registry.npmjs.org/chokidar/-/chokidar-3.5.3.tgz"
   integrity sha512-Dr3sfKRP6oTcjf2JmUmFJfeVMvXBdegxB0iVQ5eb2V10uFJUCAS8OByZdVAyVb8xXNz3GjjTgj9kLWsZTqE6kw==
   dependencies:
     anymatch "~3.1.2"
@@ -234,26 +234,26 @@ color-name@^1.1.4:
 
 css-blank-pseudo@^3.0.3:
   version "3.0.3"
-  resolved "https://registry.yarnpkg.com/css-blank-pseudo/-/css-blank-pseudo-3.0.3.tgz#36523b01c12a25d812df343a32c322d2a2324561"
+  resolved "https://registry.npmjs.org/css-blank-pseudo/-/css-blank-pseudo-3.0.3.tgz"
   integrity sha512-VS90XWtsHGqoM0t4KpH053c4ehxZ2E6HtGI7x68YFV0pTo/QmkV/YFA+NnlvK8guxZVNWGQhVNJGC39Q8XF4OQ==
   dependencies:
     postcss-selector-parser "^6.0.9"
 
 css-has-pseudo@^3.0.4:
   version "3.0.4"
-  resolved "https://registry.yarnpkg.com/css-has-pseudo/-/css-has-pseudo-3.0.4.tgz#57f6be91ca242d5c9020ee3e51bbb5b89fc7af73"
+  resolved "https://registry.npmjs.org/css-has-pseudo/-/css-has-pseudo-3.0.4.tgz"
   integrity sha512-Vse0xpR1K9MNlp2j5w1pgWIJtm1a8qS0JwS9goFYcImjlHEmywP9VUF05aGBXzGpDJF86QXk4L0ypBmwPhGArw==
   dependencies:
     postcss-selector-parser "^6.0.9"
 
 css-prefers-color-scheme@^6.0.3:
   version "6.0.3"
-  resolved "https://registry.yarnpkg.com/css-prefers-color-scheme/-/css-prefers-color-scheme-6.0.3.tgz#ca8a22e5992c10a5b9d315155e7caee625903349"
+  resolved "https://registry.npmjs.org/css-prefers-color-scheme/-/css-prefers-color-scheme-6.0.3.tgz"
   integrity sha512-4BqMbZksRkJQx2zAjrokiGMd07RqOa2IxIrrN10lyBe9xhn9DEvjUK79J6jkeiv9D9hQFXKb6g1jwU62jziJZA==
 
 cssdb@^7.1.0:
   version "7.2.0"
-  resolved "https://registry.yarnpkg.com/cssdb/-/cssdb-7.2.0.tgz#f44bd4abc430f0ff7f4c64b8a1fb857a753f77a8"
+  resolved "https://registry.npmjs.org/cssdb/-/cssdb-7.2.0.tgz"
   integrity sha512-JYlIsE7eKHSi0UNuCyo96YuIDFqvhGgHw4Ck6lsN+DP0Tp8M64UTDT2trGbkMDqnCoEjks7CkS0XcjU0rkvBdg==
 
 cssesc@^3.0.0:
@@ -268,7 +268,7 @@ defined@^1.0.0:
 
 detective@^5.2.1:
   version "5.2.1"
-  resolved "https://registry.yarnpkg.com/detective/-/detective-5.2.1.tgz#6af01eeda11015acb0e73f933242b70f24f91034"
+  resolved "https://registry.npmjs.org/detective/-/detective-5.2.1.tgz"
   integrity sha512-v9XE1zRnz1wRtgurGu0Bs8uHKFSTdteYZNbIPFVhUZ39L/S79ppMpdmVOZAnoz1jfEFodc48n6MX483Xo3t1yw==
   dependencies:
     acorn-node "^1.8.2"
@@ -287,7 +287,7 @@ dlv@^1.1.3:
 
 electron-to-chromium@^1.4.251:
   version "1.4.284"
-  resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz#61046d1e4cab3a25238f6bf7413795270f125592"
+  resolved "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.4.284.tgz"
   integrity sha512-M8WEXFuKXMYMVr45fo8mq0wUrrJHheiKZf6BArTKk9ZBYCKJEOU5H8cdWgDT+qCVZf7Na4lVUaZsA+h6uA9+PA==
 
 escalade@^3.1.1:
@@ -297,7 +297,7 @@ escalade@^3.1.1:
 
 fast-glob@^3.2.12:
   version "3.2.12"
-  resolved "https://registry.yarnpkg.com/fast-glob/-/fast-glob-3.2.12.tgz#7f39ec99c2e6ab030337142da9e0c18f37afae80"
+  resolved "https://registry.npmjs.org/fast-glob/-/fast-glob-3.2.12.tgz"
   integrity sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==
   dependencies:
     "@nodelib/fs.stat" "^2.0.2"
@@ -322,7 +322,7 @@ fill-range@^7.0.1:
 
 fraction.js@^4.2.0:
   version "4.2.0"
-  resolved "https://registry.yarnpkg.com/fraction.js/-/fraction.js-4.2.0.tgz#448e5109a313a3527f5a3ab2119ec4cf0e0e2950"
+  resolved "https://registry.npmjs.org/fraction.js/-/fraction.js-4.2.0.tgz"
   integrity sha512-MhLuK+2gUcnZe8ZHlaaINnQLl0xRIGRfcGk2yl8xoQAfHrSsL3rYu6FCmBdkdbhc9EPlwyGHewaRsvwRMJtAlA==
 
 fsevents@~2.3.2:
@@ -372,7 +372,7 @@ is-core-module@^2.8.1:
 
 is-core-module@^2.9.0:
   version "2.11.0"
-  resolved "https://registry.yarnpkg.com/is-core-module/-/is-core-module-2.11.0.tgz#ad4cb3e3863e814523c96f3f58d26cc570ff0144"
+  resolved "https://registry.npmjs.org/is-core-module/-/is-core-module-2.11.0.tgz"
   integrity sha512-RRjxlvLDkD1YJwDbroBHMb+cukurkDWNyHx7D3oNB5x9rb5ogcksMC5wHCadcXoo67gVr/+3GFySh3134zi6rw==
   dependencies:
     has "^1.0.3"
@@ -396,7 +396,7 @@ is-number@^7.0.0:
 
 lilconfig@^2.0.5, lilconfig@^2.0.6:
   version "2.0.6"
-  resolved "https://registry.yarnpkg.com/lilconfig/-/lilconfig-2.0.6.tgz#32a384558bd58af3d4c6e077dd1ad1d397bc69d4"
+  resolved "https://registry.npmjs.org/lilconfig/-/lilconfig-2.0.6.tgz"
   integrity sha512-9JROoBW7pobfsx+Sq2JsASvCo6Pfo6WWoUW79HuB1BCoBXD4PLWJPqDF6fNj67pqBYTbAHkE57M1kS/+L1neOg==
 
 merge2@^1.3.0:
@@ -414,7 +414,7 @@ micromatch@^4.0.4:
 
 micromatch@^4.0.5:
   version "4.0.5"
-  resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.5.tgz#bc8999a7cbbf77cdc89f132f6e467051b49090c6"
+  resolved "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz"
   integrity sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==
   dependencies:
     braces "^3.0.2"
@@ -427,17 +427,17 @@ mini-svg-data-uri@^1.2.3:
 
 minimist@^1.2.6:
   version "1.2.7"
-  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.7.tgz#daa1c4d91f507390437c6a8bc01078e7000c4d18"
+  resolved "https://registry.npmjs.org/minimist/-/minimist-1.2.7.tgz"
   integrity sha512-bzfL1YUZsP41gmu/qjrEk0Q6i2ix/cVeAhbCbqH9u3zYutS1cLg00qhrD0M2MVdCcx4Sc0UpP2eBWo9rotpq6g==
 
 nanoid@^3.3.4:
   version "3.3.4"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.3.4.tgz#730b67e3cd09e2deacf03c027c81c9d9dbc5e8ab"
+  resolved "https://registry.npmjs.org/nanoid/-/nanoid-3.3.4.tgz"
   integrity sha512-MqBkQh/OHTS2egovRtLk45wEyNXwF+cokD+1YPf9u5VfJiRdAiRwB2froX5Co9Rh20xs4siNPm8naNotSD6RBw==
 
 node-releases@^2.0.6:
   version "2.0.6"
-  resolved "https://registry.yarnpkg.com/node-releases/-/node-releases-2.0.6.tgz#8a7088c63a55e493845683ebf3c828d8c51c5503"
+  resolved "https://registry.npmjs.org/node-releases/-/node-releases-2.0.6.tgz"
   integrity sha512-PiVXnNuFm5+iYkLBNeq5211hvO38y63T0i2KKh2KnUs3RpzJ+JtODFjkD8yjLwnDkTYF1eKXheUwdssR+NRZdg==
 
 normalize-path@^3.0.0, normalize-path@~3.0.0:
@@ -452,7 +452,7 @@ normalize-range@^0.1.2:
 
 object-hash@^3.0.0:
   version "3.0.0"
-  resolved "https://registry.yarnpkg.com/object-hash/-/object-hash-3.0.0.tgz#73f97f753e7baffc0e2cc9d6e079079744ac82e9"
+  resolved "https://registry.npmjs.org/object-hash/-/object-hash-3.0.0.tgz"
   integrity sha512-RSn9F68PjH9HqtltsSnqYC1XXoWe9Bju5+213R98cNGttag9q9yAOTzdbsqvIa7aNm5WffBZFpWYr2aWrklWAw==
 
 path-parse@^1.0.7:
@@ -477,70 +477,70 @@ pify@^2.3.0:
 
 postcss-attribute-case-insensitive@^5.0.2:
   version "5.0.2"
-  resolved "https://registry.yarnpkg.com/postcss-attribute-case-insensitive/-/postcss-attribute-case-insensitive-5.0.2.tgz#03d761b24afc04c09e757e92ff53716ae8ea2741"
+  resolved "https://registry.npmjs.org/postcss-attribute-case-insensitive/-/postcss-attribute-case-insensitive-5.0.2.tgz"
   integrity sha512-XIidXV8fDr0kKt28vqki84fRK8VW8eTuIa4PChv2MqKuT6C9UjmSKzen6KaWhWEoYvwxFCa7n/tC1SZ3tyq4SQ==
   dependencies:
     postcss-selector-parser "^6.0.10"
 
 postcss-clamp@^4.1.0:
   version "4.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-clamp/-/postcss-clamp-4.1.0.tgz#7263e95abadd8c2ba1bd911b0b5a5c9c93e02363"
+  resolved "https://registry.npmjs.org/postcss-clamp/-/postcss-clamp-4.1.0.tgz"
   integrity sha512-ry4b1Llo/9zz+PKC+030KUnPITTJAHeOwjfAyyB60eT0AorGLdzp52s31OsPRHRf8NchkgFoG2y6fCfn1IV1Ow==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-color-functional-notation@^4.2.4:
   version "4.2.4"
-  resolved "https://registry.yarnpkg.com/postcss-color-functional-notation/-/postcss-color-functional-notation-4.2.4.tgz#21a909e8d7454d3612d1659e471ce4696f28caec"
+  resolved "https://registry.npmjs.org/postcss-color-functional-notation/-/postcss-color-functional-notation-4.2.4.tgz"
   integrity sha512-2yrTAUZUab9s6CpxkxC4rVgFEVaR6/2Pipvi6qcgvnYiVqZcbDHEoBDhrXzyb7Efh2CCfHQNtcqWcIruDTIUeg==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-color-hex-alpha@^8.0.4:
   version "8.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-color-hex-alpha/-/postcss-color-hex-alpha-8.0.4.tgz#c66e2980f2fbc1a63f5b079663340ce8b55f25a5"
+  resolved "https://registry.npmjs.org/postcss-color-hex-alpha/-/postcss-color-hex-alpha-8.0.4.tgz"
   integrity sha512-nLo2DCRC9eE4w2JmuKgVA3fGL3d01kGq752pVALF68qpGLmx2Qrk91QTKkdUqqp45T1K1XV8IhQpcu1hoAQflQ==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-color-rebeccapurple@^7.1.1:
   version "7.1.1"
-  resolved "https://registry.yarnpkg.com/postcss-color-rebeccapurple/-/postcss-color-rebeccapurple-7.1.1.tgz#63fdab91d878ebc4dd4b7c02619a0c3d6a56ced0"
+  resolved "https://registry.npmjs.org/postcss-color-rebeccapurple/-/postcss-color-rebeccapurple-7.1.1.tgz"
   integrity sha512-pGxkuVEInwLHgkNxUc4sdg4g3py7zUeCQ9sMfwyHAT+Ezk8a4OaaVZ8lIY5+oNqA/BXXgLyXv0+5wHP68R79hg==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-custom-media@^8.0.2:
   version "8.0.2"
-  resolved "https://registry.yarnpkg.com/postcss-custom-media/-/postcss-custom-media-8.0.2.tgz#c8f9637edf45fef761b014c024cee013f80529ea"
+  resolved "https://registry.npmjs.org/postcss-custom-media/-/postcss-custom-media-8.0.2.tgz"
   integrity sha512-7yi25vDAoHAkbhAzX9dHx2yc6ntS4jQvejrNcC+csQJAXjj15e7VcWfMgLqBNAbOvqi5uIa9huOVwdHbf+sKqg==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-custom-properties@^12.1.10:
   version "12.1.11"
-  resolved "https://registry.yarnpkg.com/postcss-custom-properties/-/postcss-custom-properties-12.1.11.tgz#d14bb9b3989ac4d40aaa0e110b43be67ac7845cf"
+  resolved "https://registry.npmjs.org/postcss-custom-properties/-/postcss-custom-properties-12.1.11.tgz"
   integrity sha512-0IDJYhgU8xDv1KY6+VgUwuQkVtmYzRwu+dMjnmdMafXYv86SWqfxkc7qdDvWS38vsjaEtv8e0vGOUQrAiMBLpQ==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-custom-selectors@^6.0.3:
   version "6.0.3"
-  resolved "https://registry.yarnpkg.com/postcss-custom-selectors/-/postcss-custom-selectors-6.0.3.tgz#1ab4684d65f30fed175520f82d223db0337239d9"
+  resolved "https://registry.npmjs.org/postcss-custom-selectors/-/postcss-custom-selectors-6.0.3.tgz"
   integrity sha512-fgVkmyiWDwmD3JbpCmB45SvvlCD6z9CG6Ie6Iere22W5aHea6oWa7EM2bpnv2Fj3I94L3VbtvX9KqwSi5aFzSg==
   dependencies:
     postcss-selector-parser "^6.0.4"
 
 postcss-dir-pseudo-class@^6.0.5:
   version "6.0.5"
-  resolved "https://registry.yarnpkg.com/postcss-dir-pseudo-class/-/postcss-dir-pseudo-class-6.0.5.tgz#2bf31de5de76added44e0a25ecf60ae9f7c7c26c"
+  resolved "https://registry.npmjs.org/postcss-dir-pseudo-class/-/postcss-dir-pseudo-class-6.0.5.tgz"
   integrity sha512-eqn4m70P031PF7ZQIvSgy9RSJ5uI2171O/OO/zcRNYpJbvaeKFUlar1aJ7rmgiQtbm0FSPsRewjpdS0Oew7MPA==
   dependencies:
     postcss-selector-parser "^6.0.10"
 
 postcss-double-position-gradients@^3.1.2:
   version "3.1.2"
-  resolved "https://registry.yarnpkg.com/postcss-double-position-gradients/-/postcss-double-position-gradients-3.1.2.tgz#b96318fdb477be95997e86edd29c6e3557a49b91"
+  resolved "https://registry.npmjs.org/postcss-double-position-gradients/-/postcss-double-position-gradients-3.1.2.tgz"
   integrity sha512-GX+FuE/uBR6eskOK+4vkXgT6pDkexLokPaz/AbJna9s5Kzp/yl488pKPjhy0obB475ovfT1Wv8ho7U/cHNaRgQ==
   dependencies:
     "@csstools/postcss-progressive-custom-properties" "^1.1.0"
@@ -548,50 +548,50 @@ postcss-double-position-gradients@^3.1.2:
 
 postcss-env-function@^4.0.6:
   version "4.0.6"
-  resolved "https://registry.yarnpkg.com/postcss-env-function/-/postcss-env-function-4.0.6.tgz#7b2d24c812f540ed6eda4c81f6090416722a8e7a"
+  resolved "https://registry.npmjs.org/postcss-env-function/-/postcss-env-function-4.0.6.tgz"
   integrity sha512-kpA6FsLra+NqcFnL81TnsU+Z7orGtDTxcOhl6pwXeEq1yFPpRMkCDpHhrz8CFQDr/Wfm0jLiNQ1OsGGPjlqPwA==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-flexbugs-fixes@^5.0.2:
   version "5.0.2"
-  resolved "https://registry.yarnpkg.com/postcss-flexbugs-fixes/-/postcss-flexbugs-fixes-5.0.2.tgz#2028e145313074fc9abe276cb7ca14e5401eb49d"
+  resolved "https://registry.npmjs.org/postcss-flexbugs-fixes/-/postcss-flexbugs-fixes-5.0.2.tgz"
   integrity sha512-18f9voByak7bTktR2QgDveglpn9DTbBWPUzSOe9g0N4WR/2eSt6Vrcbf0hmspvMI6YWGywz6B9f7jzpFNJJgnQ==
 
 postcss-focus-visible@^6.0.4:
   version "6.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-focus-visible/-/postcss-focus-visible-6.0.4.tgz#50c9ea9afa0ee657fb75635fabad25e18d76bf9e"
+  resolved "https://registry.npmjs.org/postcss-focus-visible/-/postcss-focus-visible-6.0.4.tgz"
   integrity sha512-QcKuUU/dgNsstIK6HELFRT5Y3lbrMLEOwG+A4s5cA+fx3A3y/JTq3X9LaOj3OC3ALH0XqyrgQIgey/MIZ8Wczw==
   dependencies:
     postcss-selector-parser "^6.0.9"
 
 postcss-focus-within@^5.0.4:
   version "5.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-focus-within/-/postcss-focus-within-5.0.4.tgz#5b1d2ec603195f3344b716c0b75f61e44e8d2e20"
+  resolved "https://registry.npmjs.org/postcss-focus-within/-/postcss-focus-within-5.0.4.tgz"
   integrity sha512-vvjDN++C0mu8jz4af5d52CB184ogg/sSxAFS+oUJQq2SuCe7T5U2iIsVJtsCp2d6R4j0jr5+q3rPkBVZkXD9fQ==
   dependencies:
     postcss-selector-parser "^6.0.9"
 
 postcss-font-variant@^5.0.0:
   version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-font-variant/-/postcss-font-variant-5.0.0.tgz#efd59b4b7ea8bb06127f2d031bfbb7f24d32fa66"
+  resolved "https://registry.npmjs.org/postcss-font-variant/-/postcss-font-variant-5.0.0.tgz"
   integrity sha512-1fmkBaCALD72CK2a9i468mA/+tr9/1cBxRRMXOUaZqO43oWPR5imcyPjXwuv7PXbCid4ndlP5zWhidQVVa3hmA==
 
 postcss-gap-properties@^3.0.5:
   version "3.0.5"
-  resolved "https://registry.yarnpkg.com/postcss-gap-properties/-/postcss-gap-properties-3.0.5.tgz#f7e3cddcf73ee19e94ccf7cb77773f9560aa2fff"
+  resolved "https://registry.npmjs.org/postcss-gap-properties/-/postcss-gap-properties-3.0.5.tgz"
   integrity sha512-IuE6gKSdoUNcvkGIqdtjtcMtZIFyXZhmFd5RUlg97iVEvp1BZKV5ngsAjCjrVy+14uhGBQl9tzmi1Qwq4kqVOg==
 
 postcss-image-set-function@^4.0.7:
   version "4.0.7"
-  resolved "https://registry.yarnpkg.com/postcss-image-set-function/-/postcss-image-set-function-4.0.7.tgz#08353bd756f1cbfb3b6e93182c7829879114481f"
+  resolved "https://registry.npmjs.org/postcss-image-set-function/-/postcss-image-set-function-4.0.7.tgz"
   integrity sha512-9T2r9rsvYzm5ndsBE8WgtrMlIT7VbtTfE7b3BQnudUqnBcBo7L758oc+o+pdj/dUV0l5wjwSdjeOH2DZtfv8qw==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-import@^14.1.0:
   version "14.1.0"
-  resolved "https://registry.yarnpkg.com/postcss-import/-/postcss-import-14.1.0.tgz#a7333ffe32f0b8795303ee9e40215dac922781f0"
+  resolved "https://registry.npmjs.org/postcss-import/-/postcss-import-14.1.0.tgz"
   integrity sha512-flwI+Vgm4SElObFVPpTIT7SU7R3qk2L7PyduMcokiaVKuWv9d/U+Gm/QAd8NDLuykTWTkcrjOeD2Pp1rMeBTGw==
   dependencies:
     postcss-value-parser "^4.0.0"
@@ -600,7 +600,7 @@ postcss-import@^14.1.0:
 
 postcss-import@^15.0.1:
   version "15.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-import/-/postcss-import-15.0.1.tgz#5887da24440ef259324d65e08343437a43ff92b1"
+  resolved "https://registry.npmjs.org/postcss-import/-/postcss-import-15.0.1.tgz"
   integrity sha512-UGlvk8EgT7Gm/Ndf9xZHnzr8xm8P54N8CBWLtcY5alP+YxlEge/Rv78etQyevZs3qWTE9If13+Bo6zATBrPOpA==
   dependencies:
     postcss-value-parser "^4.0.0"
@@ -609,7 +609,7 @@ postcss-import@^15.0.1:
 
 postcss-initial@^4.0.1:
   version "4.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-initial/-/postcss-initial-4.0.1.tgz#529f735f72c5724a0fb30527df6fb7ac54d7de42"
+  resolved "https://registry.npmjs.org/postcss-initial/-/postcss-initial-4.0.1.tgz"
   integrity sha512-0ueD7rPqX8Pn1xJIjay0AZeIuDoF+V+VvMt/uOnn+4ezUKhZM/NokDeP6DwMNyIoYByuN/94IQnt5FEkaN59xQ==
 
 postcss-js@^4.0.0:
@@ -621,7 +621,7 @@ postcss-js@^4.0.0:
 
 postcss-lab-function@^4.2.1:
   version "4.2.1"
-  resolved "https://registry.yarnpkg.com/postcss-lab-function/-/postcss-lab-function-4.2.1.tgz#6fe4c015102ff7cd27d1bd5385582f67ebdbdc98"
+  resolved "https://registry.npmjs.org/postcss-lab-function/-/postcss-lab-function-4.2.1.tgz"
   integrity sha512-xuXll4isR03CrQsmxyz92LJB2xX9n+pZJ5jE9JgcnmsCammLyKdlzrBin+25dy6wIjfhJpKBAN80gsTlCgRk2w==
   dependencies:
     "@csstools/postcss-progressive-custom-properties" "^1.1.0"
@@ -629,7 +629,7 @@ postcss-lab-function@^4.2.1:
 
 postcss-load-config@^3.1.4:
   version "3.1.4"
-  resolved "https://registry.yarnpkg.com/postcss-load-config/-/postcss-load-config-3.1.4.tgz#1ab2571faf84bb078877e1d07905eabe9ebda855"
+  resolved "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.4.tgz"
   integrity sha512-6DiM4E7v4coTE4uzA8U//WhtPwyhiim3eyjEMFCnUpzbrkK9wJHgKDT2mR+HbtSrd/NubVaYTOpSpjUl8NQeRg==
   dependencies:
     lilconfig "^2.0.5"
@@ -637,24 +637,24 @@ postcss-load-config@^3.1.4:
 
 postcss-logical@^5.0.4:
   version "5.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-logical/-/postcss-logical-5.0.4.tgz#ec75b1ee54421acc04d5921576b7d8db6b0e6f73"
+  resolved "https://registry.npmjs.org/postcss-logical/-/postcss-logical-5.0.4.tgz"
   integrity sha512-RHXxplCeLh9VjinvMrZONq7im4wjWGlRJAqmAVLXyZaXwfDWP73/oq4NdIp+OZwhQUMj0zjqDfM5Fj7qby+B4g==
 
 postcss-media-minmax@^5.0.0:
   version "5.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-media-minmax/-/postcss-media-minmax-5.0.0.tgz#7140bddec173e2d6d657edbd8554a55794e2a5b5"
+  resolved "https://registry.npmjs.org/postcss-media-minmax/-/postcss-media-minmax-5.0.0.tgz"
   integrity sha512-yDUvFf9QdFZTuCUg0g0uNSHVlJ5X1lSzDZjPSFaiCWvjgsvu8vEVxtahPrLMinIDEEGnx6cBe6iqdx5YWz08wQ==
 
 postcss-nested@6.0.0, postcss-nested@^6.0.0:
   version "6.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-nested/-/postcss-nested-6.0.0.tgz#1572f1984736578f360cffc7eb7dca69e30d1735"
+  resolved "https://registry.npmjs.org/postcss-nested/-/postcss-nested-6.0.0.tgz"
   integrity sha512-0DkamqrPcmkBDsLn+vQDIrtkSbNkv5AD/M322ySo9kqFkCIYklym2xEmWkwo+Y3/qZo34tzEPNUw4y7yMCdv5w==
   dependencies:
     postcss-selector-parser "^6.0.10"
 
 postcss-nesting@^10.2.0:
   version "10.2.0"
-  resolved "https://registry.yarnpkg.com/postcss-nesting/-/postcss-nesting-10.2.0.tgz#0b12ce0db8edfd2d8ae0aaf86427370b898890be"
+  resolved "https://registry.npmjs.org/postcss-nesting/-/postcss-nesting-10.2.0.tgz"
   integrity sha512-EwMkYchxiDiKUhlJGzWsD9b2zvq/r2SSubcRrgP+jujMXFzqvANLt16lJANC+5uZ6hjI7lpRmI6O8JIl+8l1KA==
   dependencies:
     "@csstools/selector-specificity" "^2.0.0"
@@ -662,31 +662,31 @@ postcss-nesting@^10.2.0:
 
 postcss-opacity-percentage@^1.1.2:
   version "1.1.2"
-  resolved "https://registry.yarnpkg.com/postcss-opacity-percentage/-/postcss-opacity-percentage-1.1.2.tgz#bd698bb3670a0a27f6d657cc16744b3ebf3b1145"
+  resolved "https://registry.npmjs.org/postcss-opacity-percentage/-/postcss-opacity-percentage-1.1.2.tgz"
   integrity sha512-lyUfF7miG+yewZ8EAk9XUBIlrHyUE6fijnesuz+Mj5zrIHIEw6KcIZSOk/elVMqzLvREmXB83Zi/5QpNRYd47w==
 
 postcss-overflow-shorthand@^3.0.4:
   version "3.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-overflow-shorthand/-/postcss-overflow-shorthand-3.0.4.tgz#7ed6486fec44b76f0eab15aa4866cda5d55d893e"
+  resolved "https://registry.npmjs.org/postcss-overflow-shorthand/-/postcss-overflow-shorthand-3.0.4.tgz"
   integrity sha512-otYl/ylHK8Y9bcBnPLo3foYFLL6a6Ak+3EQBPOTR7luMYCOsiVTUk1iLvNf6tVPNGXcoL9Hoz37kpfriRIFb4A==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-page-break@^3.0.4:
   version "3.0.4"
-  resolved "https://registry.yarnpkg.com/postcss-page-break/-/postcss-page-break-3.0.4.tgz#7fbf741c233621622b68d435babfb70dd8c1ee5f"
+  resolved "https://registry.npmjs.org/postcss-page-break/-/postcss-page-break-3.0.4.tgz"
   integrity sha512-1JGu8oCjVXLa9q9rFTo4MbeeA5FMe00/9C7lN4va606Rdb+HkxXtXsmEDrIraQ11fGz/WvKWa8gMuCKkrXpTsQ==
 
 postcss-place@^7.0.5:
   version "7.0.5"
-  resolved "https://registry.yarnpkg.com/postcss-place/-/postcss-place-7.0.5.tgz#95dbf85fd9656a3a6e60e832b5809914236986c4"
+  resolved "https://registry.npmjs.org/postcss-place/-/postcss-place-7.0.5.tgz"
   integrity sha512-wR8igaZROA6Z4pv0d+bvVrvGY4GVHihBCBQieXFY3kuSuMyOmEnnfFzHl/tQuqHZkfkIVBEbDvYcFfHmpSet9g==
   dependencies:
     postcss-value-parser "^4.2.0"
 
 postcss-preset-env@^7.8.3:
   version "7.8.3"
-  resolved "https://registry.yarnpkg.com/postcss-preset-env/-/postcss-preset-env-7.8.3.tgz#2a50f5e612c3149cc7af75634e202a5b2ad4f1e2"
+  resolved "https://registry.npmjs.org/postcss-preset-env/-/postcss-preset-env-7.8.3.tgz"
   integrity sha512-T1LgRm5uEVFSEF83vHZJV2z19lHg4yJuZ6gXZZkqVsqv63nlr6zabMH3l4Pc01FQCyfWVrh2GaUeCVy9Po+Aag==
   dependencies:
     "@csstools/postcss-cascade-layers" "^1.1.1"
@@ -741,26 +741,26 @@ postcss-preset-env@^7.8.3:
 
 postcss-pseudo-class-any-link@^7.1.6:
   version "7.1.6"
-  resolved "https://registry.yarnpkg.com/postcss-pseudo-class-any-link/-/postcss-pseudo-class-any-link-7.1.6.tgz#2693b221902da772c278def85a4d9a64b6e617ab"
+  resolved "https://registry.npmjs.org/postcss-pseudo-class-any-link/-/postcss-pseudo-class-any-link-7.1.6.tgz"
   integrity sha512-9sCtZkO6f/5ML9WcTLcIyV1yz9D1rf0tWc+ulKcvV30s0iZKS/ONyETvoWsr6vnrmW+X+KmuK3gV/w5EWnT37w==
   dependencies:
     postcss-selector-parser "^6.0.10"
 
 postcss-replace-overflow-wrap@^4.0.0:
   version "4.0.0"
-  resolved "https://registry.yarnpkg.com/postcss-replace-overflow-wrap/-/postcss-replace-overflow-wrap-4.0.0.tgz#d2df6bed10b477bf9c52fab28c568b4b29ca4319"
+  resolved "https://registry.npmjs.org/postcss-replace-overflow-wrap/-/postcss-replace-overflow-wrap-4.0.0.tgz"
   integrity sha512-KmF7SBPphT4gPPcKZc7aDkweHiKEEO8cla/GjcBK+ckKxiZslIu3C4GCRW3DNfL0o7yW7kMQu9xlZ1kXRXLXtw==
 
 postcss-selector-not@^6.0.1:
   version "6.0.1"
-  resolved "https://registry.yarnpkg.com/postcss-selector-not/-/postcss-selector-not-6.0.1.tgz#8f0a709bf7d4b45222793fc34409be407537556d"
+  resolved "https://registry.npmjs.org/postcss-selector-not/-/postcss-selector-not-6.0.1.tgz"
   integrity sha512-1i9affjAe9xu/y9uqWH+tD4r6/hDaXJruk8xn2x1vzxC2U3J3LKO3zJW4CyxlNhA56pADJ/djpEwpH1RClI2rQ==
   dependencies:
     postcss-selector-parser "^6.0.10"
 
 postcss-selector-parser@^6.0.10:
   version "6.0.11"
-  resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-6.0.11.tgz#2e41dc39b7ad74046e1615185185cd0b17d0c8dc"
+  resolved "https://registry.npmjs.org/postcss-selector-parser/-/postcss-selector-parser-6.0.11.tgz"
   integrity sha512-zbARubNdogI9j7WY4nQJBiNqQf3sLS3wCP4WfOidu+p28LofJqDH1tcXypGrcmMHhDk2t9wGhCsYe/+szLTy1g==
   dependencies:
     cssesc "^3.0.0"
@@ -781,7 +781,7 @@ postcss-value-parser@^4.0.0, postcss-value-parser@^4.2.0:
 
 postcss@^8.4.18, postcss@^8.4.19:
   version "8.4.19"
-  resolved "https://registry.yarnpkg.com/postcss/-/postcss-8.4.19.tgz#61178e2add236b17351897c8bcc0b4c8ecab56fc"
+  resolved "https://registry.npmjs.org/postcss/-/postcss-8.4.19.tgz"
   integrity sha512-h+pbPsyhlYj6N2ozBmHhHrs9DzGmbaarbLvWipMRO7RLS+v4onj26MPFXA5OBYFxyqYhUJK456SwDcY9H2/zsA==
   dependencies:
     nanoid "^3.3.4"
@@ -823,7 +823,7 @@ resolve@^1.1.7:
 
 resolve@^1.22.1:
   version "1.22.1"
-  resolved "https://registry.yarnpkg.com/resolve/-/resolve-1.22.1.tgz#27cb2ebb53f91abb49470a928bba7558066ac177"
+  resolved "https://registry.npmjs.org/resolve/-/resolve-1.22.1.tgz"
   integrity sha512-nBpuuYuY5jFsli/JIs1oldw6fOQCBioohqWZg/2hiaOybXOft4lonv85uDOKXdf8rhyK159cxU5cDcK/NKk8zw==
   dependencies:
     is-core-module "^2.9.0"
@@ -854,7 +854,7 @@ supports-preserve-symlinks-flag@^1.0.0:
 
 tailwindcss@^3.2.4:
   version "3.2.4"
-  resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-3.2.4.tgz#afe3477e7a19f3ceafb48e4b083e292ce0dc0250"
+  resolved "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.2.4.tgz"
   integrity sha512-AhwtHCKMtR71JgeYDaswmZXhPcW9iuI9Sp2LvZPo9upDZ7231ZJ7eA9RaURbhpXGVlrjX4cFNlB4ieTetEb7hQ==
   dependencies:
     arg "^5.0.2"
@@ -890,7 +890,7 @@ to-regex-range@^5.0.1:
 
 update-browserslist-db@^1.0.9:
   version "1.0.10"
-  resolved "https://registry.yarnpkg.com/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz#0f54b876545726f17d00cd9a2561e6dade943ff3"
+  resolved "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.0.10.tgz"
   integrity sha512-OztqDenkfFkbSG+tRxBeAnCVPckDBcvibKd35yDONx6OU8N7sqgwc7rCbkJ/WcYtVRZ4ba68d6byhC21GFh7sQ==
   dependencies:
     escalade "^3.1.1"

From e8bbe6c713e025b3a546c8e736fe5d7b07bf3b16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Wed, 8 Mar 2023 16:43:59 +0700
Subject: [PATCH 38/47] Let user remove nostr pubkey from account

---
 app/assets/stylesheets/components/buttons.css |  4 ++
 app/controllers/settings_controller.rb        |  9 +++++
 app/views/settings/_experiments.html.erb      | 37 ++++++++++++++++---
 config/routes.rb                              |  1 +
 spec/features/settings/experiments_spec.rb    | 18 +++++++++
 5 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/app/assets/stylesheets/components/buttons.css b/app/assets/stylesheets/components/buttons.css
index c1269ce..d8730db 100644
--- a/app/assets/stylesheets/components/buttons.css
+++ b/app/assets/stylesheets/components/buttons.css
@@ -14,6 +14,10 @@
     @apply py-1 px-2 text-sm;
   }
 
+  .btn-outline {
+    @apply border-2 border-gray-100 hover:bg-gray-100;
+  }
+
   .btn-icon {
     @apply px-3;
   }
diff --git a/app/controllers/settings_controller.rb b/app/controllers/settings_controller.rb
index 7a42a3e..f4168c3 100644
--- a/app/controllers/settings_controller.rb
+++ b/app/controllers/settings_controller.rb
@@ -88,6 +88,15 @@ class SettingsController < ApplicationController
     http_status :unprocessable_entity and return
   end
 
+  # DELETE /settings/nostr_pubkey
+  def remove_nostr_pubkey
+    current_user.update! nostr_pubkey: nil
+
+    redirect_to setting_path(:experiments), flash: {
+      success: 'Public key removed from account'
+    }
+  end
+
   private
 
     def set_main_nav_section
diff --git a/app/views/settings/_experiments.html.erb b/app/views/settings/_experiments.html.erb
index 4318db5..ef5bd4a 100644
--- a/app/views/settings/_experiments.html.erb
+++ b/app/views/settings/_experiments.html.erb
@@ -6,12 +6,37 @@
        data-settings--nostr-pubkey-shared-secret-value="<%= session[:shared_secret] %>"
        data-settings--nostr-pubkey-pubkey-hex-value="<%= current_user.nostr_pubkey %>">
 
-    <p class="mt-2 <%= current_user.nostr_pubkey.present? ? "" : "hidden" %>">
-      <input type="text" class="w-full" value="<%= current_user.nostr_pubkey %>"
-             data-settings--nostr-pubkey-target="pubkeyBech32Input" disabled />
+    <p class="<%= current_user.nostr_pubkey.present? ? '' : 'hidden' %> mt-2 flex gap-1">
+      <input type="text" value="<%= current_user.nostr_pubkey %>" disabled
+             data-settings--nostr-pubkey-target="pubkeyBech32Input"
+             name="nostr_public_key" class="relative grow" />
+      <%= link_to nostr_pubkey_settings_path,
+            class: 'btn-md btn-outline text-red-700 relative shrink-0',
+            data: { turbo_method: :delete, turbo_confirm: 'Are you sure?' } do %>
+        Remove
+      <% end %>
     </p>
 
-    <% unless current_user.nostr_pubkey.present? %>
+    <% if current_user.nostr_pubkey.present? %>
+    <div class="rounded-md bg-blue-50 p-4">
+      <div class="flex">
+        <div class="flex-shrink-0">
+          <svg class="h-5 w-5 text-blue-400" viewBox="0 0 20 20" fill="currentColor" aria-hidden="true">
+            <path fill-rule="evenodd" d="M18 10a8 8 0 11-16 0 8 8 0 0116 0zm-7-4a1 1 0 11-2 0 1 1 0 012 0zM9 9a.75.75 0 000 1.5h.253a.25.25 0 01.244.304l-.459 2.066A1.75 1.75 0 0010.747 15H11a.75.75 0 000-1.5h-.253a.25.25 0 01-.244-.304l.459-2.066A1.75 1.75 0 009.253 9H9z" clip-rule="evenodd" />
+          </svg>
+        </div>
+        <div class="ml-3 flex-1">
+          <p class="text-sm text-blue-800">
+            Your user address <strong><%= current_user.address %></strong> is
+            also a Nostr address now. Use your favorite Nostr app, or for
+            example <a href="http://metadata.nostr.com" target="_blank"
+              class="underline">metadata.nostr.com</a>, to add this
+            <strong>NIP-05</strong> address to your public profile.
+          </p>
+        </div>
+      </div>
+    </div>
+    <% else %>
     <p class="my-4">
       If you use any apps on the Nostr network, you can verify your public key
       with us in order to enable Nostr-specific features for your account.
@@ -51,12 +76,14 @@
       </div>
     </div>
 
+    <% unless current_user.nostr_pubkey.present? %>
     <p class="mt-8">
-      <button class="btn-md btn-gray" disabled
+      <button class="btn-md btn-gray w-full sm:w-auto" disabled
               data-settings--nostr-pubkey-target="setPubkey"
               data-action="settings--nostr-pubkey#setPubkey">
         Get public key from browser extension
       </button>
     </p>
+    <% end %>
   </div>
 </section>
diff --git a/config/routes.rb b/config/routes.rb
index 546d8ff..8668111 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -33,6 +33,7 @@ Rails.application.routes.draw do
       post 'update_email'
       post 'reset_password'
       post 'set_nostr_pubkey'
+      delete 'nostr_pubkey', to: 'settings#remove_nostr_pubkey'
     end
   end
 
diff --git a/spec/features/settings/experiments_spec.rb b/spec/features/settings/experiments_spec.rb
index e87bd1f..9931b35 100644
--- a/spec/features/settings/experiments_spec.rb
+++ b/spec/features/settings/experiments_spec.rb
@@ -19,4 +19,22 @@ RSpec.describe 'Experimental Settings', type: :feature do
     #   worth it for now
     # end
   end
+
+  context "With pubkey configured" do
+    before do
+      user.update! nostr_pubkey: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3"
+    end
+
+    scenario 'Remove nostr pubkey from account' do
+      visit settings_experiments_path
+      expect(page).to have_field("nostr_public_key",
+        with: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
+        disabled: true)
+
+      click_link "Remove"
+      expect(page).to_not have_field("nostr_public_key")
+      expect(page).to have_content("verify your public key")
+      expect(user.reload.nostr_pubkey).to be_nil
+    end
+  end
 end

From 9cf309aaa83fa5f16aa0bc31a0192ab132b77a79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 9 Mar 2023 11:10:09 +0700
Subject: [PATCH 39/47] Prevent mounting of checked-in vendored files

Mount bundle cache specifically on `vendor/cache` instead of all of
`vendor`, which prevents access to vendored javascript code for example.
---
 .drone.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index 8694c49..eb43e96 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -12,7 +12,7 @@ steps:
     settings:
       restore: true
       mount:
-      - ./vendor
+      - ./vendor/cache
     when:
       branch:
         - master
@@ -37,7 +37,7 @@ steps:
     settings:
       rebuild: true
       mount:
-      - ./vendor
+      - ./vendor/cache
     when:
       branch:
         - master

From beaafa5d7edf9e3d0fa1114705a5f9570571da81 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 11 Mar 2023 12:17:55 +0700
Subject: [PATCH 40/47] Make nostr pubkey unique globally

---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 137589a..871c43f 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -36,7 +36,7 @@ class User < ApplicationRecord
   validates_length_of :display_name, minimum: 3, maximum: 35, allow_blank: true,
                                      if: -> { defined?(@display_name) }
 
-  validates_uniqueness_of :nostr_pubkey, scope: :ou, allow_blank: true
+  validates_uniqueness_of :nostr_pubkey, allow_blank: true
 
   scope :confirmed,  -> { where.not(confirmed_at: nil) }
   scope :pending,    -> { where(confirmed_at: nil) }

From 2cced696f58f480a970ded6ee183f4fdb8d148e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 18 Mar 2023 12:13:53 +0700
Subject: [PATCH 41/47] Don't try to access target when it doesn't exist

---
 .../controllers/settings/nostr_pubkey_controller.js           | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/javascript/controllers/settings/nostr_pubkey_controller.js b/app/javascript/controllers/settings/nostr_pubkey_controller.js
index 4660326..8d4d921 100644
--- a/app/javascript/controllers/settings/nostr_pubkey_controller.js
+++ b/app/javascript/controllers/settings/nostr_pubkey_controller.js
@@ -20,7 +20,9 @@ export default class extends Controller {
     }
 
     if (window.nostr) {
-      this.setPubkeyTarget.disabled = false
+      if (this.hasSetPubkeyTarget) {
+        this.setPubkeyTarget.disabled = false
+      }
     } else {
       this.noExtensionTarget.classList.remove("hidden")
     }

From c48538a1c607789faa975cb5f5e5fb3013499849 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 18 Mar 2023 13:34:35 +0700
Subject: [PATCH 42/47] Add primary domain setting

---
 .env.example          | 5 +++--
 .env.test             | 2 ++
 app/models/setting.rb | 3 +++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index de85a10..fef8c93 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,4 @@
+PRIMARY_DOMAIN=kosmos.org
 AKKOUNTS_DOMAIN=accounts.example.com
 
 SMTP_SERVER=smtp.example.com
@@ -9,13 +10,13 @@ SMTP_DOMAIN=example.com
 SMTP_AUTH_METHOD=plain
 SMTP_ENABLE_STARTTLS=auto
 
-REDIS_URL='redis://localhost:6379/1'
-
 LDAP_HOST=localhost
 LDAP_PORT=389
 LDAP_ADMIN_PASSWORD=passthebutter
 LDAP_SUFFIX='dc=kosmos,dc=org'
 
+REDIS_URL='redis://localhost:6379/1'
+
 WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 
 DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
diff --git a/.env.test b/.env.test
index 31947dd..92892e3 100644
--- a/.env.test
+++ b/.env.test
@@ -1,3 +1,5 @@
+PRIMARY_DOMAIN=kosmos.org
+
 DISCOURSE_PUBLIC_URL='http://discourse.example.com'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
 
diff --git a/app/models/setting.rb b/app/models/setting.rb
index d25da65..1fee361 100644
--- a/app/models/setting.rb
+++ b/app/models/setting.rb
@@ -2,6 +2,9 @@
 class Setting < RailsSettings::Base
   cache_prefix { "v1" }
 
+  field :primary_domain, type: :string,
+    default: ENV["PRIMARY_DOMAIN"].presence
+
   field :accounts_domain, type: :string,
     default: ENV["AKKOUNTS_DOMAIN"].presence
 

From 34e4cec50302aec75ff9a514f3a802d79b57348c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 18 Mar 2023 13:35:02 +0700
Subject: [PATCH 43/47] Add NIP-05 well-known endpoint

---
 app/controllers/well_known_controller.rb | 16 +++++++++
 config/routes.rb                         |  2 ++
 spec/requests/well_known_spec.rb         | 41 ++++++++++++++++++++++++
 3 files changed, 59 insertions(+)
 create mode 100644 app/controllers/well_known_controller.rb
 create mode 100644 spec/requests/well_known_spec.rb

diff --git a/app/controllers/well_known_controller.rb b/app/controllers/well_known_controller.rb
new file mode 100644
index 0000000..02eb02c
--- /dev/null
+++ b/app/controllers/well_known_controller.rb
@@ -0,0 +1,16 @@
+class WellKnownController < ApplicationController
+  def nostr
+    http_status :unprocessable_entity and return if params[:name].blank?
+    domain = request.headers["X-Forwarded-Host"].presence || Setting.primary_domain
+    @user = User.where(cn: params[:name], ou: domain).first
+    http_status :not_found and return if @user.nil? || @user.nostr_pubkey.blank?
+
+    respond_to do |format|
+      format.json do
+        render json: {
+          names: { "#{@user.cn}": @user.nostr_pubkey }
+        }.to_json
+      end
+    end
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 8668111..b454463 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -44,6 +44,8 @@ Rails.application.routes.draw do
   get 'keysend/:address', to: 'lnurlpay#keysend',
     as: 'lightning_address_keysend', constraints: { address: /[^\/]+/}
 
+  get '.well-known/nostr', to: 'well_known#nostr'
+
   post 'webhooks/lndhub', to: 'webhooks#lndhub'
 
   namespace :api do
diff --git a/spec/requests/well_known_spec.rb b/spec/requests/well_known_spec.rb
new file mode 100644
index 0000000..1a24a12
--- /dev/null
+++ b/spec/requests/well_known_spec.rb
@@ -0,0 +1,41 @@
+require 'rails_helper'
+
+RSpec.describe "Well-known URLs", type: :request do
+  describe "GET /nostr" do
+    context "without username param" do
+      it "returns a 422 status" do
+        get "/.well-known/nostr.json"
+        expect(response).to have_http_status(:unprocessable_entity)
+      end
+    end
+
+    context "non-existent user" do
+      it "returns a 404 status" do
+        get "/.well-known/nostr.json?name=bob"
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context "user does not have a nostr pubkey configured" do
+      let(:user) { create :user, cn: 'spongebob', ou: 'kosmos.org' }
+
+      it "returns a 404 status" do
+        get "/.well-known/nostr.json?name=spongebob"
+        expect(response).to have_http_status(:not_found)
+      end
+    end
+
+    context "user with nostr pubkey" do
+      let(:user) { create :user, cn: 'bobdylan', ou: 'kosmos.org', nostr_pubkey: '438d35a6750d0dd6b75d032af8a768aad76b62f0c70ecb45f9c4d9e63540f7f4' }
+      before { user.save! }
+
+      it "returns a NIP-05 response" do
+        get "/.well-known/nostr.json?name=bobdylan"
+        expect(response).to have_http_status(:ok)
+        res = JSON.parse(response.body)
+        expect(res["names"].keys.size).to eq(1)
+        expect(res["names"]["bobdylan"]).to eq(user.nostr_pubkey)
+      end
+    end
+  end
+end

From 589e46bc6361dcaaff96fa949a91ccdf81ed97b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Sat, 18 Mar 2023 13:43:23 +0700
Subject: [PATCH 44/47] Replace hardcoded domains with primary domain setting

---
 app/controllers/admin/users_controller.rb | 2 +-
 app/controllers/signup_controller.rb      | 4 ++--
 app/controllers/webhooks_controller.rb    | 2 +-
 app/services/create_account.rb            | 2 +-
 app/views/admin/donations/_form.html.erb  | 2 +-
 app/views/devise/passwords/new.html.erb   | 2 +-
 app/views/devise/sessions/new.html.erb    | 2 +-
 app/views/signup/steps.html.erb           | 2 +-
 8 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/controllers/admin/users_controller.rb b/app/controllers/admin/users_controller.rb
index 7544f55..71cac46 100644
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -4,7 +4,7 @@ class Admin::UsersController < Admin::BaseController
 
   def index
     ldap   = LdapService.new
-    @ou    = params[:ou] || "kosmos.org"
+    @ou    = params[:ou] || Setting.primary_domain
     @orgs  = ldap.fetch_organizations
     @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
 
diff --git a/app/controllers/signup_controller.rb b/app/controllers/signup_controller.rb
index bfbf02e..c21820b 100644
--- a/app/controllers/signup_controller.rb
+++ b/app/controllers/signup_controller.rb
@@ -88,7 +88,7 @@ class SignupController < ApplicationController
     if session[:new_user].present?
       @user = User.new(session[:new_user])
     else
-      @user = User.new(ou: "kosmos.org")
+      @user = User.new(ou: Setting.primary_domain)
     end
   end
 
@@ -98,7 +98,7 @@ class SignupController < ApplicationController
 
     CreateAccount.call(
       username: @user.cn,
-      domain: "kosmos.org",
+      domain: Setting.primary_domain,
       email: @user.email,
       password: @user.password,
       invitation: @invitation
diff --git a/app/controllers/webhooks_controller.rb b/app/controllers/webhooks_controller.rb
index 7025580..30470e1 100644
--- a/app/controllers/webhooks_controller.rb
+++ b/app/controllers/webhooks_controller.rb
@@ -30,7 +30,7 @@ class WebhooksController < ApplicationController
   def notify_xmpp(address, amt_sats, memo)
     payload = {
       type: "normal",
-      from: "kosmos.org", # TODO domain config
+      from: Setting.primary_domain,
       to: address,
       subject: "Sats received!",
       body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
diff --git a/app/services/create_account.rb b/app/services/create_account.rb
index d3b949f..8c732cf 100644
--- a/app/services/create_account.rb
+++ b/app/services/create_account.rb
@@ -1,7 +1,7 @@
 class CreateAccount < ApplicationService
   def initialize(args)
     @username   = args[:username]
-    @domain     = args[:ou] || "kosmos.org"
+    @domain     = args[:ou] || Setting.primary_domain
     @email      = args[:email]
     @password   = args[:password]
     @invitation = args[:invitation]
diff --git a/app/views/admin/donations/_form.html.erb b/app/views/admin/donations/_form.html.erb
index b04562a..f780a2e 100644
--- a/app/views/admin/donations/_form.html.erb
+++ b/app/views/admin/donations/_form.html.erb
@@ -12,7 +12,7 @@
 
   <section class="sm:w-1/2 grid grid-cols-2 items-center gap-y-2">
     <%= form.label :user_id %>
-    <%= form.collection_select :user_id, User.where(ou: "kosmos.org").order(:cn), :id, :cn, {} %>
+    <%= form.collection_select :user_id, User.where(ou: Setting.primary_domain).order(:cn), :id, :cn, {} %>
 
     <%= form.label :amount_sats, "Amount BTC (sats)" %>
     <%= form.number_field :amount_sats %>
diff --git a/app/views/devise/passwords/new.html.erb b/app/views/devise/passwords/new.html.erb
index a0345f3..a20e563 100644
--- a/app/views/devise/passwords/new.html.erb
+++ b/app/views/devise/passwords/new.html.erb
@@ -10,7 +10,7 @@
       <p class="flex gap-2 items-center">
         <%= f.text_field :cn, autofocus: true, autocomplete: "username",
                               required: true, class: "relative grow"%>
-        <span class="relative shrink-0 text-gray-500">@ kosmos.org</span>
+        <span class="relative shrink-0 text-gray-500">@ <%= Setting.primary_domain %></span>
       </p>
     </div>
     <p>
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index 22ff5be..d3d02e0 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -14,7 +14,7 @@
       <p class="flex gap-2 items-center">
         <%= f.text_field :cn, autofocus: true, autocomplete: "username",
               required: true, class: "relative grow", tabindex: "1" %>
-        <span class="relative shrink-0 text-gray-500">@ kosmos.org</span>
+        <span class="relative shrink-0 text-gray-500">@ <%= Setting.primary_domain %></span>
       </p>
     </div>
     <p class="mb-8">
diff --git a/app/views/signup/steps.html.erb b/app/views/signup/steps.html.erb
index ffc8a23..0eeec71 100644
--- a/app/views/signup/steps.html.erb
+++ b/app/views/signup/steps.html.erb
@@ -10,7 +10,7 @@
           <%= f.text_field :cn, autofocus: true, autocomplete: "username",
                                 required: true, class: "relative grow text-xl"%>
           <span class="relative shrink-0 text-gray-500 md:text-xl">
-            @ kosmos.org
+            @ <%= Setting.primary_domain %>
           </span>
         </p>
       </div>

From a1be338ba1b32b575ca1ca54d31d2152300c568f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Thu, 13 Apr 2023 14:43:26 +0200
Subject: [PATCH 45/47] Add hint for updating nostr profiles when pubkey is
 added

---
 app/views/settings/_experiments.html.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/settings/_experiments.html.erb b/app/views/settings/_experiments.html.erb
index ef5bd4a..8cb0fdd 100644
--- a/app/views/settings/_experiments.html.erb
+++ b/app/views/settings/_experiments.html.erb
@@ -28,10 +28,10 @@
         <div class="ml-3 flex-1">
           <p class="text-sm text-blue-800">
             Your user address <strong><%= current_user.address %></strong> is
-            also a Nostr address now. Use your favorite Nostr app, or for
+            now also a Nostr address. Use your favorite Nostr app, or for
             example <a href="http://metadata.nostr.com" target="_blank"
-              class="underline">metadata.nostr.com</a>, to add this
-            <strong>NIP-05</strong> address to your public profile.
+              class="underline">metadata.nostr.com</a> to add or update the
+            <strong>NIP-05</strong> address in your public profile.
           </p>
         </div>
       </div>

From bfc0969829112c184f14deaaec0dd8c3f9b56fc6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Tue, 2 May 2023 12:15:07 +0200
Subject: [PATCH 46/47] Improve wording

---
 app/views/settings/_experiments.html.erb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/views/settings/_experiments.html.erb b/app/views/settings/_experiments.html.erb
index 8cb0fdd..ef5bd4a 100644
--- a/app/views/settings/_experiments.html.erb
+++ b/app/views/settings/_experiments.html.erb
@@ -28,10 +28,10 @@
         <div class="ml-3 flex-1">
           <p class="text-sm text-blue-800">
             Your user address <strong><%= current_user.address %></strong> is
-            now also a Nostr address. Use your favorite Nostr app, or for
+            also a Nostr address now. Use your favorite Nostr app, or for
             example <a href="http://metadata.nostr.com" target="_blank"
-              class="underline">metadata.nostr.com</a> to add or update the
-            <strong>NIP-05</strong> address in your public profile.
+              class="underline">metadata.nostr.com</a>, to add this
+            <strong>NIP-05</strong> address to your public profile.
           </p>
         </div>
       </div>

From 4551a14362a1d400c9108c148a996efe72211235 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A2u=20Cao?= <raucao@kip.pe>
Date: Fri, 16 Jun 2023 14:55:11 +0200
Subject: [PATCH 47/47] Fix path

---
 spec/features/settings/experiments_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/features/settings/experiments_spec.rb b/spec/features/settings/experiments_spec.rb
index 9931b35..d23ab25 100644
--- a/spec/features/settings/experiments_spec.rb
+++ b/spec/features/settings/experiments_spec.rb
@@ -26,7 +26,7 @@ RSpec.describe 'Experimental Settings', type: :feature do
     end
 
     scenario 'Remove nostr pubkey from account' do
-      visit settings_experiments_path
+      visit setting_path(:experiments)
       expect(page).to have_field("nostr_public_key",
         with: "07e188a1ff87ce171d517b8ed2bb7a31b1d3453a0db3b15379ec07b724d232f3",
         disabled: true)