0.9.0

Reviewed-on: #180

.drone.yml

@@ -17,7 +17,7 @@ steps:
       branch:
         - master
   - name: rspec
-    image: gitea.kosmos.org/kosmos/akkounts-ci:0.1.0
+    image: gitea.kosmos.org/kosmos/akkounts-ci:0.9.1
     environment:
       RAILS_ENV: test
       REDIS_URL: redis://redis:6379/0
@@ -28,6 +28,8 @@ steps:
       - bundle config set cache_path 'vendor/cache'
       - bundle config set with 'development test'
       - bundle install --jobs=3 --retry=3
+      - bundle exec rails db:create
+      - bundle exec rails db:migrate
       - yarn install
       - rake css:build
       - bundle exec rspec

.env.example

@@ -1,56 +1,64 @@
-PRIMARY_DOMAIN=kosmos.org
-AKKOUNTS_DOMAIN=accounts.example.com
+# PRIMARY_DOMAIN=kosmos.org
+# AKKOUNTS_DOMAIN=accounts.example.com
 
-SMTP_SERVER=smtp.example.com
-SMTP_PORT=587
-SMTP_LOGIN=accounts
-SMTP_PASSWORD=123abc
-SMTP_FROM_ADDRESS=accounts@example.com
-SMTP_DOMAIN=example.com
-SMTP_AUTH_METHOD=plain
-SMTP_ENABLE_STARTTLS=auto
+# SMTP_SERVER=smtp.example.com
+# SMTP_PORT=587
+# SMTP_LOGIN=accounts
+# SMTP_PASSWORD=123abc
+# SMTP_FROM_ADDRESS=accounts@example.com
+# SMTP_DOMAIN=example.com
+# SMTP_AUTH_METHOD=plain
+# SMTP_ENABLE_STARTTLS=auto
 
 # S3_ENABLED=true
 # S3_ENDPOINT=https://s3.kosmos.org
 # S3_REGION=garage
 # S3_BUCKET=akkounts-production
-# S3_ALIAS_HOST=accounts.s3.kosmos.org
+# S3_ALIAS_HOST=https://accounts.web.s3.kosmos.org
 # S3_ACCESS_KEY=123456abcdefg
 # S3_SECRET_KEY=123456789123456789123456789
 
-LDAP_HOST=localhost
-LDAP_PORT=389
-LDAP_ADMIN_PASSWORD=passthebutter
-LDAP_SUFFIX='dc=kosmos,dc=org'
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_ADMIN_PASSWORD=passthebutter
+# LDAP_SUFFIX='dc=kosmos,dc=org'
 
-REDIS_URL='redis://localhost:6379/1'
+# REDIS_URL='redis://localhost:6379/1'
 
-WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+# WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 
-DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
-DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+#
+# Service Integrations
+#
 
-DRONECI_PUBLIC_URL='https://drone.kosmos.org'
+# BTCPAY_API_URL='http://localhost:23001/api/v1'
+# BTCPAY_STORE_ID=''
+# BTCPAY_AUTH_TOKEN=''
 
-GITEA_PUBLIC_URL='https://gitea.kosmos.org'
-MASTODON_PUBLIC_URL='https://kosmos.social'
-MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
-RS_STORAGE_URL='https://storage.kosmos.org'
-RS_REDIS_URL='redis://localhost:6379/2'
+# DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+# DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
 
-EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
-EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+# DRONECI_PUBLIC_URL='https://drone.kosmos.org'
 
-BTCPAY_API_URL='http://localhost:23001/api/v1'
-BTCPAY_STORE_ID=''
-BTCPAY_AUTH_TOKEN=''
+# EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
+# EJABBERD_API_URL='https://xmpp.kosmos.org/api'
 
-LNDHUB_API_URL='http://localhost:3023'
-LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
-LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
-LNDHUB_ADMIN_UI=true
-LNDHUB_PG_HOST=localhost
-LNDHUB_PG_PORT=5432
-LNDHUB_PG_DATABASE=lndhub
-LNDHUB_PG_USERNAME=lndhub
-LNDHUB_PG_PASSWORD=''
+# GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+
+# LNDHUB_API_URL='http://localhost:3023'
+# LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+# LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+# LNDHUB_ADMIN_UI=true
+# LNDHUB_ADMIN_TOKEN=123456789
+# LNDHUB_PG_HOST=localhost
+# LNDHUB_PG_PORT=5432
+# LNDHUB_PG_DATABASE=lndhub
+# LNDHUB_PG_USERNAME=lndhub
+# LNDHUB_PG_PASSWORD=''
+
+# MASTODON_PUBLIC_URL='https://kosmos.social'
+
+# MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+
+# RS_STORAGE_URL='https://storage.kosmos.org'
+# RS_REDIS_URL='redis://localhost:6379/2'

.ruby-version

@@ -1 +1 @@
-2.7.2
+3.3.0

Dockerfile

@@ -1,10 +1,18 @@
 # syntax=docker/dockerfile:1
-FROM ruby:2.7.6
+FROM debian:bullseye-slim as base
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
-RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-      ldap-utils tini libvips
+# TODO Remove when upstream Ruby works properly on Apple silicon
+RUN apt update && apt install -y build-essential wget autoconf libpq-dev pkg-config
+RUN wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz \
+  && tar -xzvf ruby-install-0.9.3.tar.gz \
+  && cd ruby-install-0.9.3/ \
+  && make install
+RUN ruby-install -p https://github.com/ruby/ruby/pull/9371.diff ruby 3.3.0
+ENV PATH="/opt/rubies/ruby-3.3.0/bin:${PATH}"
+
+RUN apt-get install -y --no-install-recommends curl ldap-utils tini libvips
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 

Gemfile

@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.0.2'
+gem 'rails', '~> 7.1'
 # Use Puma as the app server
 gem 'puma', '~> 4.1'
 # View components
@@ -22,7 +22,7 @@ gem 'jbuilder', '~> 2.7'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '~> 3.1'
 
 # Configuration
 gem 'dotenv-rails'
@@ -61,20 +61,19 @@ gem "sentry-rails"
 # Services
 gem 'discourse_api'
 gem "lnurl"
-gem 'manifique', git: 'https://gitea.kosmos.org/5apps/manifique.git', branch: 'master'
-gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+gem 'manifique'
+gem 'nostr'
 
 group :development, :test do
   # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.4'
+  gem 'sqlite3', '~> 1.7.2'
   gem 'rspec-rails'
   gem 'rails-controller-testing'
-  gem "byebug", "~> 11.1"
 end
 
 group :development do
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 3.3.0'
+  gem 'web-console', '~> 4.2'
   gem 'listen', '~> 3.2'
   gem 'letter_opener'
   gem 'letter_opener_web'
@@ -90,8 +89,8 @@ group :test do
 end
 
 group :production do
-  # Use postgresql as the database for Active Record
-  gem 'pg', '~> 1.2.3'
+  gem 'pg', '~> 1.5'
 end
+
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

Gemfile.lock

@@ -1,141 +1,127 @@
-GIT
-  remote: https://gitea.kosmos.org/5apps/manifique.git
-  revision: 8d79113438ee7c3e4288f840a135622519cffd5c
-  branch: master
-  specs:
-    manifique (0.1.0)
-      faraday (~> 2.7.11)
-      faraday-follow_redirects (= 0.3.0)
-      nokogiri (~> 1.15.4)
-
-GIT
-  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
-  revision: 596529d9eb50d13b3f385245636698fccf37b442
-  branch: feature/ruby_2.7_compat
-  specs:
-    nostr (0.4.0)
-      bech32 (~> 1.3)
-      bip-schnorr (~> 0.4)
-      ecdsa (~> 1.2)
-      event_emitter (~> 0.2)
-      faye-websocket (~> 0.11)
-      json (~> 2.6)
-
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.8)
-      actionpack (= 7.0.8)
-      activesupport (= 7.0.8)
+    actioncable (7.1.3)
+      actionpack (= 7.1.3)
+      activesupport (= 7.1.3)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.8)
-      actionpack (= 7.0.8)
-      activejob (= 7.0.8)
-      activerecord (= 7.0.8)
-      activestorage (= 7.0.8)
-      activesupport (= 7.0.8)
+      zeitwerk (~> 2.6)
+    actionmailbox (7.1.3)
+      actionpack (= 7.1.3)
+      activejob (= 7.1.3)
+      activerecord (= 7.1.3)
+      activestorage (= 7.1.3)
+      activesupport (= 7.1.3)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.8)
-      actionpack (= 7.0.8)
-      actionview (= 7.0.8)
-      activejob (= 7.0.8)
-      activesupport (= 7.0.8)
+    actionmailer (7.1.3)
+      actionpack (= 7.1.3)
+      actionview (= 7.1.3)
+      activejob (= 7.1.3)
+      activesupport (= 7.1.3)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
-      rails-dom-testing (~> 2.0)
-    actionpack (7.0.8)
-      actionview (= 7.0.8)
-      activesupport (= 7.0.8)
-      rack (~> 2.0, >= 2.2.4)
+      rails-dom-testing (~> 2.2)
+    actionpack (7.1.3)
+      actionview (= 7.1.3)
+      activesupport (= 7.1.3)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.8)
-      actionpack (= 7.0.8)
-      activerecord (= 7.0.8)
-      activestorage (= 7.0.8)
-      activesupport (= 7.0.8)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actiontext (7.1.3)
+      actionpack (= 7.1.3)
+      activerecord (= 7.1.3)
+      activestorage (= 7.1.3)
+      activesupport (= 7.1.3)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.8)
-      activesupport (= 7.0.8)
+    actionview (7.1.3)
+      activesupport (= 7.1.3)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.8)
-      activesupport (= 7.0.8)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activejob (7.1.3)
+      activesupport (= 7.1.3)
       globalid (>= 0.3.6)
-    activemodel (7.0.8)
-      activesupport (= 7.0.8)
-    activerecord (7.0.8)
-      activemodel (= 7.0.8)
-      activesupport (= 7.0.8)
-    activestorage (7.0.8)
-      actionpack (= 7.0.8)
-      activejob (= 7.0.8)
-      activerecord (= 7.0.8)
-      activesupport (= 7.0.8)
+    activemodel (7.1.3)
+      activesupport (= 7.1.3)
+    activerecord (7.1.3)
+      activemodel (= 7.1.3)
+      activesupport (= 7.1.3)
+      timeout (>= 0.4.0)
+    activestorage (7.1.3)
+      actionpack (= 7.1.3)
+      activejob (= 7.1.3)
+      activerecord (= 7.1.3)
+      activesupport (= 7.1.3)
       marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
-    activesupport (7.0.8)
+    activesupport (7.1.3)
+      base64
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
+      mutex_m
       tzinfo (~> 2.0)
-    addressable (2.8.5)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
-    aws-eventstream (1.2.0)
-    aws-partitions (1.839.0)
-    aws-sdk-core (3.185.1)
-      aws-eventstream (~> 1, >= 1.0.2)
+    aws-eventstream (1.3.0)
+    aws-partitions (1.886.0)
+    aws-sdk-core (3.191.0)
+      aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.5)
+      aws-sigv4 (~> 1.8)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.72.0)
-      aws-sdk-core (~> 3, >= 3.184.0)
+    aws-sdk-kms (1.77.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.136.0)
-      aws-sdk-core (~> 3, >= 3.181.0)
+    aws-sdk-s3 (1.143.0)
+      aws-sdk-core (~> 3, >= 3.191.0)
       aws-sdk-kms (~> 1)
-      aws-sigv4 (~> 1.6)
-    aws-sigv4 (1.6.0)
+      aws-sigv4 (~> 1.8)
+    aws-sigv4 (1.8.0)
       aws-eventstream (~> 1, >= 1.0.2)
     backport (1.2.0)
-    base64 (0.1.1)
-    bcrypt (3.1.19)
+    base64 (0.2.0)
+    bcrypt (3.1.20)
     bech32 (1.4.2)
       thor (>= 1.1.0)
-    benchmark (0.2.1)
+    benchmark (0.3.0)
+    bigdecimal (3.1.6)
     bindex (0.8.1)
-    bip-schnorr (0.6.0)
+    bip-schnorr (0.7.0)
       ecdsa_ext (~> 0.5.0)
-    brow (0.4.1)
     builder (3.2.4)
-    byebug (11.1.3)
-    capybara (3.39.2)
+    capybara (3.40.0)
       addressable
       matrix
       mini_mime (>= 0.1.3)
-      nokogiri (~> 1.8)
+      nokogiri (~> 1.11)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     chunky_png (1.4.0)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
-    crack (0.4.5)
+    crack (0.4.6)
+      bigdecimal
       rexml
     crass (1.0.6)
-    cssbundling-rails (1.3.3)
+    cssbundling-rails (1.4.0)
       railties (>= 6.0.0)
     database_cleaner (2.0.2)
       database_cleaner-active_record (>= 2, < 3)
@@ -143,7 +129,7 @@ GEM
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.3.3)
+    date (3.3.4)
     devise (4.9.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
@@ -153,7 +139,7 @@ GEM
     devise_ldap_authenticatable (0.8.7)
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
-    diff-lcs (1.5.0)
+    diff-lcs (1.5.1)
     discourse_api (2.0.1)
       faraday (~> 2.7)
       faraday-follow_redirects
@@ -165,6 +151,8 @@ GEM
       railties (>= 3.2)
     down (5.4.1)
       addressable (~> 2.8)
+    drb (2.2.0)
+      ruby2_keywords
     e2mmap (0.1.0)
     ecdsa (1.2.0)
     ecdsa_ext (0.5.0)
@@ -174,58 +162,61 @@ GEM
       tzinfo
     event_emitter (0.2.6)
     eventmachine (1.2.7)
-    factory_bot (6.2.1)
+    factory_bot (6.4.6)
       activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
-      factory_bot (~> 6.2.0)
+    factory_bot_rails (6.4.3)
+      factory_bot (~> 6.4)
       railties (>= 5.0.0)
-    faker (3.2.1)
+    faker (3.2.3)
       i18n (>= 1.8.11, < 2)
-    faraday (2.7.11)
-      base64
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
+    faraday (2.9.0)
+      faraday-net_http (>= 2.0, < 3.2)
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
     faraday-multipart (1.0.4)
       multipart-post (~> 2)
-    faraday-net_http (3.0.2)
+    faraday-net_http (3.1.0)
+      net-http
     faye-websocket (0.11.3)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
     ffi (1.16.3)
-    flipper (1.0.0)
-      brow (~> 0.4.1)
+    flipper (1.2.2)
       concurrent-ruby (< 2)
-    flipper-active_record (1.0.0)
+    flipper-active_record (1.2.2)
       activerecord (>= 4.2, < 8)
-      flipper (~> 1.0.0)
-    flipper-ui (1.0.0)
+      flipper (~> 1.2.2)
+    flipper-ui (1.2.2)
       erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 1.0.0)
+      flipper (~> 1.2.2)
       rack (>= 1.4, < 4)
       rack-protection (>= 1.5.3, <= 4.0.0)
       sanitize (< 7)
-    fugit (1.8.1)
+    fugit (1.9.0)
       et-orbi (~> 1, >= 1.2.7)
       raabro (~> 1.4)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    hashdiff (1.0.1)
+    hashdiff (1.1.0)
     i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     image_processing (1.12.2)
       mini_magick (>= 4.9.5, < 5)
       ruby-vips (>= 2.0.17, < 3)
-    importmap-rails (1.2.1)
+    importmap-rails (2.0.1)
       actionpack (>= 6.0.0)
+      activesupport (>= 6.0.0)
       railties (>= 6.0.0)
+    io-console (0.7.2)
+    irb (1.11.1)
+      rdoc
+      reline (>= 0.4.2)
     jaro_winkler (1.5.6)
     jbuilder (2.11.5)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
     jmespath (1.6.2)
-    json (2.6.3)
+    json (2.7.1)
     kramdown (2.4.0)
       rexml
     kramdown-parser-gfm (1.1.0)
@@ -245,8 +236,8 @@ GEM
       rb-inotify (~> 0.9, >= 0.9.10)
     lnurl (1.1.0)
       bech32 (~> 1.1)
-    lockbox (1.3.0)
-    loofah (2.21.4)
+    lockbox (1.3.2)
+    loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -254,59 +245,85 @@ GEM
       net-imap
       net-pop
       net-smtp
+    manifique (1.0.1)
+      faraday (~> 2.9.0)
+      faraday-follow_redirects (= 0.3.0)
+      nokogiri (~> 1.16.0)
     marcel (1.0.2)
     matrix (0.4.2)
     method_source (1.0.0)
     mini_magick (4.12.0)
     mini_mime (1.1.5)
-    minitest (5.20.0)
+    mini_portile2 (2.8.5)
+    minitest (5.21.2)
     multipart-post (2.3.0)
-    net-imap (0.3.7)
+    mutex_m (0.2.0)
+    net-http (0.4.1)
+      uri
+    net-imap (0.4.9.1)
       date
       net-protocol
-    net-ldap (0.18.0)
+    net-ldap (0.19.0)
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0)
+    net-smtp (0.4.0.1)
       net-protocol
-    nio4r (2.5.9)
-    nokogiri (1.15.4-arm64-darwin)
+    nio4r (2.7.0)
+    nokogiri (1.16.0)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.15.4-x86_64-linux)
+    nokogiri (1.16.0-arm64-darwin)
       racc (~> 1.4)
+    nokogiri (1.16.0-x86_64-linux)
+      racc (~> 1.4)
+    nostr (0.5.0)
+      bech32 (~> 1.4)
+      bip-schnorr (~> 0.6)
+      ecdsa (~> 1.2)
+      event_emitter (~> 0.2)
+      faye-websocket (~> 0.11)
+      json (~> 2.6)
     orm_adapter (0.5.0)
-    pagy (6.1.0)
-    parallel (1.23.0)
-    parser (3.2.2.4)
+    pagy (6.4.3)
+    parallel (1.24.0)
+    parser (3.3.0.5)
       ast (~> 2.4.1)
       racc
-    pg (1.2.3)
-    public_suffix (5.0.3)
+    pg (1.5.4)
+    psych (5.1.2)
+      stringio
+    public_suffix (5.0.4)
     puma (4.3.12)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.7.1)
+    racc (1.7.3)
     rack (2.2.8)
-    rack-protection (3.1.0)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
       rack (~> 2.2, >= 2.2.4)
+    rack-session (1.0.2)
+      rack (< 3)
     rack-test (2.1.0)
       rack (>= 1.3)
-    rails (7.0.8)
-      actioncable (= 7.0.8)
-      actionmailbox (= 7.0.8)
-      actionmailer (= 7.0.8)
-      actionpack (= 7.0.8)
-      actiontext (= 7.0.8)
-      actionview (= 7.0.8)
-      activejob (= 7.0.8)
-      activemodel (= 7.0.8)
-      activerecord (= 7.0.8)
-      activestorage (= 7.0.8)
-      activesupport (= 7.0.8)
+    rackup (1.0.0)
+      rack (< 3)
+      webrick
+    rails (7.1.3)
+      actioncable (= 7.1.3)
+      actionmailbox (= 7.1.3)
+      actionmailer (= 7.1.3)
+      actionpack (= 7.1.3)
+      actiontext (= 7.1.3)
+      actionview (= 7.1.3)
+      activejob (= 7.1.3)
+      activemodel (= 7.1.3)
+      activerecord (= 7.1.3)
+      activestorage (= 7.1.3)
+      activesupport (= 7.1.3)
       bundler (>= 1.15.0)
-      railties (= 7.0.8)
+      railties (= 7.1.3)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -321,21 +338,26 @@ GEM
     rails-settings-cached (2.8.3)
       activerecord (>= 5.0.0)
       railties (>= 5.0.0)
-    railties (7.0.8)
-      actionpack (= 7.0.8)
-      activesupport (= 7.0.8)
-      method_source
+    railties (7.1.3)
+      actionpack (= 7.1.3)
+      activesupport (= 7.1.3)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.1.0)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
     rbs (2.8.4)
+    rdoc (6.6.2)
+      psych (>= 4.0.0)
     redis (4.8.1)
-    regexp_parser (2.8.2)
+    regexp_parser (2.9.0)
+    reline (0.4.2)
+      io-console (~> 0.5)
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
@@ -354,7 +376,7 @@ GEM
     rspec-mocks (3.12.6)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.12.0)
-    rspec-rails (6.0.3)
+    rspec-rails (6.1.1)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
@@ -363,19 +385,18 @@ GEM
       rspec-mocks (~> 3.12)
       rspec-support (~> 3.12)
     rspec-support (3.12.1)
-    rubocop (1.57.1)
-      base64 (~> 0.1.1)
+    rubocop (1.60.2)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.2.4)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.1, < 2.0)
+      rubocop-ast (>= 1.30.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
+    rubocop-ast (1.30.0)
       parser (>= 3.2.1.0)
     ruby-progressbar (1.13.0)
     ruby-vips (2.2.0)
@@ -386,10 +407,10 @@ GEM
     sanitize (6.1.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    sentry-rails (5.12.0)
+    sentry-rails (5.16.1)
       railties (>= 5.0)
-      sentry-ruby (~> 5.12.0)
-    sentry-ruby (5.12.0)
+      sentry-ruby (~> 5.16.1)
+    sentry-ruby (5.16.1)
       concurrent-ruby (~> 1.0, >= 1.0.2)
     sidekiq (6.5.12)
       connection_pool (>= 2.2.5, < 3)
@@ -399,7 +420,7 @@ GEM
       rufus-scheduler (~> 3.2)
       sidekiq (>= 6, < 8)
       tilt (>= 1.4.0)
-    solargraph (0.49.0)
+    solargraph (0.50.0)
       backport (~> 1.2)
       benchmark
       bundler (~> 2.0)
@@ -422,13 +443,16 @@ GEM
       actionpack (>= 5.2)
       activesupport (>= 5.2)
       sprockets (>= 3.0.0)
-    sqlite3 (1.6.7-arm64-darwin)
-    sqlite3 (1.6.7-x86_64-linux)
-    stimulus-rails (1.3.0)
+    sqlite3 (1.7.2)
+      mini_portile2 (~> 2.8.0)
+    sqlite3 (1.7.2-arm64-darwin)
+    sqlite3 (1.7.2-x86_64-linux)
+    stimulus-rails (1.3.3)
       railties (>= 6.0.0)
+    stringio (3.1.0)
     thor (1.3.0)
     tilt (2.3.0)
-    timeout (0.4.0)
+    timeout (0.4.1)
     turbo-rails (1.5.0)
       actionpack (>= 6.0.0)
       activejob (>= 6.0.0)
@@ -436,7 +460,8 @@ GEM
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
-    view_component (3.6.0)
+    uri (0.13.0)
+    view_component (3.10.0)
       activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
@@ -451,6 +476,7 @@ GEM
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
+    webrick (1.8.1)
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -461,11 +487,12 @@ GEM
 
 PLATFORMS
   arm64-darwin-22
+  ruby
   x86_64-linux
 
 DEPENDENCIES
   aws-sdk-s3
-  byebug (~> 11.1)
+  bcrypt (~> 3.1)
   capybara
   cssbundling-rails
   database_cleaner
@@ -488,13 +515,13 @@ DEPENDENCIES
   listen (~> 3.2)
   lnurl
   lockbox
-  manifique!
+  manifique
   net-ldap
-  nostr!
+  nostr
   pagy (~> 6.0, >= 6.0.2)
-  pg (~> 1.2.3)
+  pg (~> 1.5)
   puma (~> 4.1)
-  rails (~> 7.0.2)
+  rails (~> 7.1)
   rails-controller-testing
   rails-settings-cached (~> 2.8.3)
   rqrcode (~> 2.0)
@@ -505,14 +532,14 @@ DEPENDENCIES
   sidekiq-scheduler
   solargraph
   sprockets-rails
-  sqlite3 (~> 1.4)
+  sqlite3 (~> 1.7.2)
   stimulus-rails
   turbo-rails
   tzinfo-data
   view_component
   warden
-  web-console (>= 3.3.0)
+  web-console (~> 4.2)
   webmock
 
 BUNDLED WITH
-   2.3.7
+   2.5.5

README.md

@@ -14,8 +14,10 @@ so:
 
 1. Make sure [Docker Compose is installed][1] and Docker is running (included in
    Docker Desktop)
-3. Run `docker compose up` and wait until 389ds announces its successful start
-   in the log output
+3. Run `docker compose up --build` and wait until all services have started
+   (389ds might take an extra minute to be ready). This will take a while when
+   running for the first time, so you might want to do something else in the
+   meantime.
 4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
 5. `docker compose run web rails ldap:setup`
 6. `docker compose run web rails db:setup`
@@ -28,38 +30,44 @@ have the password "user is user".
 
 ### Rails app
 
+_Note: when using Docker Compose, prefix the following commands with `docker-compose
+run web`._
+
 Installing dependencies:
 
     bundle install
     yarn install
 
-Setting up local database (SQLite):
+Migrating the local database (after schema changes):
 
-    bundle exec rails db:create
     bundle exec rails db:migrate
 
-Running the dev server and auto-building CSS files on change:
+Running the dev server, and auto-building CSS files on change _(automatic with Docker Compose)_:
 
     bin/dev
 
-Running the background workers (requires Redis):
+Running the background workers (requires Redis) _(automatic with Docker Compose)_:
 
     bundle exec sidekiq -C config/sidekiq.yml
 
-Running all specs:
+Running the test suite:
 
     bundle exec rspec
 
-### Docker (Compose)
+Running the test suite with Docker Compose requires overriding the Rails
+environment:
 
-There is a working Docker Compose config file, which define a number of services including
-an app server for Rails as well as a local 389ds (LDAP) server.
+    docker-compose run -e "RAILS_ENV=test" web rspec
 
-For Rails developers, you probably just want to start the LDAP server: `docker-compose up ldap`, 
-listening on port 389 on your machine. 
+### Docker Compose
 
-You can pick and choose your services adding them by name (listed in `docker-compose.yml`) at 
-the end of the docker compose command. eg. `docker compose up ldap redis`
+Services/containers are configured in `docker-compose.yml`.
+
+You can run services selectively, for example if you want to run the Rails app
+and test suite on the host machine. Just add the service names of the
+containers you want to run to the `up` command, like so:
+
+    docker-compose up ldap redis
 
 #### LDAP server
 
@@ -76,8 +84,24 @@ Now you can seed the back-end with data using this Rails task:
 The setup task will first delete any existing entries in the directory tree
 ("dc=kosmos,dc=org"), and then create our development entries.
 
-Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
-with a fresh installation, delete both that directory as well as the container.
+Note that all 389ds data is stored in the `389ds-data` volume. So if you want
+to start over with a fresh installation, delete both that volume as well as the
+container.
+
+#### Minio / remoteStorage
+
+If you want to run remoteStorage accounts locally, you will have to create the
+respective bucket first. With the `minio` container running (run by default
+when using Docker Compose), follow these steps:
+
+* `docker compose up web redis minio liquor-cabinet`
+* Head to http://localhost:9001 and log in with user `minioadmin`, password
+  `minioadmin`
+* Create a new bucket called `remotestorage` (or whatever you
+  change the `S3_BUCKET` config to)
+* Create a new key with ID "dev-key" and secret "123456789" (or whatever you
+  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
+  as it will automatically allow access to the bucket you created.
 
 ### Adding npm modules to use with Stimulus controllers
 

app/components/app_catalog/web_app_icon_component.html.erb

@@ -0,0 +1,5 @@
+<% if @image_url %>
+  <%= image_tag @image_url, class: "h-full w-full" %>
+<% else %>
+  <%= render partial: "icons/remotestorage", locals: { custom_class: "h-full w-full p-0.5 text-gray-200" } %>
+<% end %>

app/components/app_catalog/web_app_icon_component.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module AppCatalog
+  class WebAppIconComponent < ViewComponent::Base
+    def initialize(web_app:)
+      if web_app&.icon&.attached?
+        @image_url = image_url_for(web_app.icon)
+      elsif web_app&.apple_touch_icon&.attached?
+        @image_url = image_url_for(web_app.apple_touch_icon)
+      end
+    end
+
+    def image_url_for(attachment)
+      if Setting.s3_enabled?
+        s3_image_url(attachment)
+      else
+        Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
+      end
+    end
+  end
+end

app/components/dropdown_component.html.erb

@@ -0,0 +1,34 @@
+<div data-controller="dropdown" data-action="click->dropdown#toggle click@window->dropdown#hide">
+  <div class="relative inline-block">
+    <div role="button" tabindex="0" data-dropdown-target="button"
+         class="inline-block select-none">
+      <% if @size == :large %>
+      <span class="appearance-none flex items-center inline-block">
+        <span class="p-2 bg-gray-50 hover:bg-gray-100 rounded-full">
+          <%= render partial: "icons/#{@icon_name}",
+                     locals: { custom_class: "inline text-gray-500 h-6 w-6" } %>
+        </span>
+      </span>
+      <% elsif @size == :small %>
+      <span class="appearance-none flex items-center inline-block">
+        <span class="text-gray-500 hover:text-blue-600">
+          <%= render partial: "icons/#{@icon_name}",
+                     locals: { custom_class: "inline h-4 w-4" } %>
+        </span>
+      </span>
+      <% end %>
+    </div>
+    <div data-dropdown-target="menu"
+         data-transition-enter="transition ease-out duration-200"
+         data-transition-enter-from="opacity-0 translate-y-1"
+         data-transition-enter-to="opacity-100 translate-y-0"
+         data-transition-leave="transition ease-in duration-150"
+         data-transition-leave-from="opacity-100 translate-y-0"
+         data-transition-leave-to="opacity-0 translate-y-1"
+         class="hidden absolute top-4 right-0 z-10 mt-5 flex w-screen max-w-max">
+      <div class="bg-white shadow-lg rounded border overflow-hidden w-auto">
+        <%= content %>
+      </div>
+    </div>
+  </div>
+</div>

app/components/dropdown_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class DropdownComponent < ViewComponent::Base
+  def initialize(size: :large, icon_name: "kebap-menu")
+    @size = size.to_sym
+    @icon_name = icon_name
+  end
+end

app/components/dropdown_link_component.html.erb

@@ -0,0 +1,6 @@
+<%= link_to @href, class: @class, data: {
+      'dropdown-target': "menuItem",
+      'action': "keydown.up->dropdown#previousItem:prevent keydown.down->dropdown#nextItem:prevent"
+    } do %>
+  <%= content %>
+<% end %>

app/components/dropdown_link_component.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class DropdownLinkComponent < ViewComponent::Base
+  def initialize(href:, separator: false, add_class: nil)
+    @href = href
+    @class = class_str(separator, add_class)
+  end
+
+  private
+
+  def class_str(separator, add_class)
+    str = "no-underline block px-5 py-3 text-sm text-gray-900 bg-white
+           hover:bg-gray-100 focus:bg-gray-100 whitespace-no-wrap"
+    str = "#{str} border-t" if separator
+    str = "#{str} #{add_class}" if add_class
+    str
+  end
+end

app/components/form_elements/fieldset_toggle_component.html.erb

@@ -5,7 +5,9 @@
       } : nil do %>
   <div class="flex flex-col">
     <label class="font-bold mb-1"><%= @title %></label>
+    <% if @description.present? %>
     <p class="text-gray-500"><%= @descripton %></p>
+    <% end %>
   </div>
   <div class="relative ml-4 inline-flex flex-shrink-0">
     <%= render FormElements::ToggleComponent.new(

app/components/form_elements/fieldset_toggle_component.rb

@@ -3,7 +3,7 @@
 module FormElements
   class FieldsetToggleComponent < ViewComponent::Base
     def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
-                   enabled: false, input_enabled: true, title:, description:)
+                   enabled: false, input_enabled: true, title:, description: nil)
       @tag = tag
       @form = form
       @attribute = attribute

app/components/modal_component.html.erb

@@ -18,9 +18,11 @@
       <div class="m-1 bg-white rounded shadow">
         <div class="p-8">
           <%= content %>
+          <% if @show_close_button %>
           <div class="flex justify-end items-center flex-wrap mt-6">
             <button class="btn-md btn-blue" data-action="click->modal#close:prevent">Close</button>
           </div>
+          <% end %>
         </div>
       </div>
     </div>

app/components/modal_component.rb

@@ -1,2 +1,5 @@
 class ModalComponent < ViewComponent::Base
+  def initialize(show_close_button: true)
+    @show_close_button = show_close_button
+  end
 end

app/components/rs_auth_component.html.erb

@@ -0,0 +1,26 @@
+<div class="flex items-center gap-4">
+  <div class="h-16 w-16 flex-none">
+    <%= render AppCatalog::WebAppIconComponent.new(web_app: @web_app) %>
+  </div>
+  <div class="flex-grow">
+    <h4 class="mb-1 text-lg font-bold">
+      <%= @web_app&.name || @auth.app_name %>
+    </h4>
+    <p class="text-sm text-gray-500">
+      <%= @auth.client_id %>
+    </p>
+  </div>
+  <%= render DropdownComponent.new do %>
+    <%= render DropdownLinkComponent.new(
+          href: launch_app_services_storage_rs_auth_url(@auth)
+        ) do %>
+      Launch app
+    <% end %>
+    <%= render DropdownLinkComponent.new(
+          href: revoke_services_storage_rs_auth_url(@auth),
+          separator: true, add_class: "text-red-700"
+        ) do %>
+      Revoke access
+    <% end %>
+  <% end %>
+</div>

app/components/rs_auth_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class RsAuthComponent < ViewComponent::Base
+  def initialize(auth:)
+    @auth = auth
+    @web_app = auth.web_app
+  end
+end

app/controllers/admin/settings/registrations_controller.rb

@@ -1,8 +1,8 @@
 class Admin::Settings::RegistrationsController < Admin::SettingsController
-  def index
+  def show
   end
 
-  def create
+  def update
     update_settings
 
     redirect_to admin_settings_registrations_path, flash: {

app/controllers/admin/settings/services_controller.rb

@@ -1,19 +1,32 @@
 class Admin::Settings::ServicesController < Admin::SettingsController
-  def index
-    @service = params[:s]
+  before_action :set_service, only: [:show, :update]
 
-    if @service.blank?
-      redirect_to admin_settings_services_path(params: { s: "btcpay" })
-    end
+  def index
+    redirect_to admin_settings_service_path("btcpay")
   end
 
-  def create
-    service = params.require(:service)
+  def show
+  end
 
+  def update
     update_settings
 
-    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+    redirect_to admin_settings_service_path(@service), flash: {
       success: "Settings saved"
     }
   end
+
+  private
+
+    def set_subsection
+      @subsection = "services"
+    end
+
+    def set_service
+      @service = params[:service]
+
+      if @service.blank?
+        redirect_to admin_settings_services_path and return
+      end
+    end
 end

app/controllers/admin/settings_controller.rb

@@ -20,7 +20,7 @@ class Admin::SettingsController < Admin::BaseController
     end
 
     if @errors.any?
-      render :index and return
+      render :show and return
     end
 
     changed_keys.each do |key|

app/controllers/admin/users_controller.rb

@@ -1,11 +1,11 @@
 class Admin::UsersController < Admin::BaseController
-  before_action :set_user, only: [:show]
+  before_action :set_user, except: [:index]
   before_action :set_current_section
 
+  # GET /admin/users
   def index
     ldap   = LdapService.new
-    @ou    = params[:ou] || Setting.primary_domain
-    @orgs  = ldap.fetch_organizations
+    @ou    = Setting.primary_domain
     @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
 
     @stats = {
@@ -14,6 +14,7 @@ class Admin::UsersController < Admin::BaseController
     }
   end
 
+  # GET /admin/users/:username
   def show
     if Setting.lndhub_admin_enabled?
       @lndhub_user = @user.lndhub_user
@@ -21,14 +22,38 @@ class Admin::UsersController < Admin::BaseController
 
     @services_enabled = @user.services_enabled
 
-    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn, ou: @user.ou)
+    @avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
+  end
+
+  # POST /admin/users/:username/invitations
+  def create_invitations
+    amount = params[:amount].to_i
+    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
+
+    CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+
+    redirect_to admin_user_path(@user.cn), flash: {
+      success: "Added #{amount} invitations to #{@user.cn}'s account"
+    }
+  end
+
+  # DELETE /admin/users/:username/invitations
+  def delete_invitations
+    invitations = @user.invitations.unused
+    amount = invitations.count
+
+    invitations.destroy_all
+
+    redirect_to admin_user_path(@user.cn), flash: {
+      success: "Removed #{amount} invitations from #{@user.cn}'s account"
+    }
   end
 
   private
 
   def set_user
-    address = params[:address].split("@")
-    @user = User.where(cn: address.first, ou: address.last).first
+    @user = User.find_by(cn: params[:username], ou: Setting.primary_domain)
+    http_status :not_found unless @user
   end
 
   def set_current_section

app/controllers/api/btcpay_controller.rb

@@ -1,5 +1,6 @@
 class Api::BtcpayController < Api::BaseController
   before_action :require_feature_enabled
+  before_action :set_cors_access_control_headers
 
   def onchain_btc_balance
     balance = BtcpayManager::FetchOnchainWalletBalance.call
@@ -26,4 +27,11 @@ class Api::BtcpayController < Api::BaseController
         http_status :not_found and return
       end
     end
+
+    def set_cors_access_control_headers
+      return unless Rails.env.development?
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Headers'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
 end

app/controllers/lnurlpay_controller.rb

@@ -1,6 +1,6 @@
 class LnurlpayController < ApplicationController
-  before_action :check_feature_enabled
-  before_action :find_user_by_address
+  before_action :check_service_available
+  before_action :find_user
 
   MIN_SATS = 10
   MAX_SATS = 1_000_000
@@ -9,7 +9,7 @@ class LnurlpayController < ApplicationController
   def index
     render json: {
       status: "OK",
-      callback: "https://accounts.kosmos.org/lnurlpay/#{@user.address}/invoice",
+      callback: "https://#{Setting.accounts_domain}/lnurlpay/#{@user.cn}/invoice",
       tag: "payRequest",
       maxSendable: MAX_SATS * 1000, # msat
       minSendable: MIN_SATS * 1000, # msat
@@ -34,8 +34,8 @@ class LnurlpayController < ApplicationController
 
   def invoice
     amount = params[:amount].to_i / 1000 # msats
-    address = params[:address]
     comment = params[:comment] || ""
+    address = @user.address
 
     if !valid_amount?(amount)
       render json: { status: "ERROR", reason: "Invalid amount" }
@@ -69,9 +69,8 @@ class LnurlpayController < ApplicationController
 
   private
 
-  def find_user_by_address
-    address = params[:address].split("@")
-    @user = User.where(cn: address.first, ou: address.last).first
+  def find_user
+    @user = User.where(cn: params[:username], ou: Setting.primary_domain).first
     http_status :not_found if @user.nil?
   end
 
@@ -89,7 +88,7 @@ class LnurlpayController < ApplicationController
 
   private
 
-  def check_feature_enabled
+  def check_service_available
     http_status :not_found unless Setting.lndhub_enabled?
   end
 end

app/controllers/rs/oauth_controller.rb

@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
   before_action :authenticate_user!, only: :create
 
   def new
-    username, org  = params[:useraddress].split("@")
-    @user          = User.where(cn: username.downcase, ou: org).first
+    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
     @scopes        = parse_scopes params[:scope]
     @redirect_uri  = params[:redirect_uri]
     @client_id     = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
     unless current_user == @user
       sign_out :user
 
-      redirect_to new_rs_oauth_url(@user.address,
+      redirect_to new_rs_oauth_url(@user.cn,
                                    scope: params[:scope],
                                    redirect_uri: params[:redirect_uri],
                                    client_id: params[:client_id],
@@ -88,7 +87,7 @@ class Rs::OauthController < ApplicationController
       permissions: permissions,
       client_id: client_id,
       redirect_uri: redirect_uri,
-      app_name: client_id, #TODO use user-defined name
+      app_name: client_id,
       expire_at: expire_at
     )
 
@@ -96,29 +95,15 @@ class Rs::OauthController < ApplicationController
                 allow_other_host: true
   end
 
-  # GET /rs/oauth/token/:id/launch_app
-  def launch_app
-    auth = current_user.remote_storage_authorizations.find(params[:id])
-
-    redirect_to app_auth_url(auth), allow_other_host: true
-  end
-
   private
 
   def require_signed_in_with_username
     unless user_signed_in?
-      username, org = params[:useraddress].split("@")
       session[:user_return_to] = request.url
-      redirect_to new_user_session_path(cn: username, ou: org)
+      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
     end
   end
 
-  def app_auth_url(auth)
-    url = "#{auth.url}#remotestorage=#{current_user.address}"
-    url += "&access_token=#{auth.token}"
-    url
-  end
-
   def hostname_of(uri)
     uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
   end

app/controllers/services/email_controller.rb

@@ -0,0 +1,34 @@
+class Services::EmailController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_service_available
+  before_action :require_feature_enabled
+
+  def show
+    ldap_entry = current_user.ldap_entry
+
+    @service_enabled = ldap_entry[:email_password].present?
+    @maildrop = ldap_entry[:email_maildrop]
+    @email_forwarding_active = @maildrop.present? &&
+                               @maildrop.split("@").first != current_user.cn
+  end
+
+  def new_password
+    if session[:new_email_password].present?
+      @new_password = session.delete(:new_email_password)
+    else
+      redirect_to setting_path(:email)
+    end
+  end
+
+  private
+
+    def require_service_available
+      http_status :not_found unless Setting.email_enabled?
+    end
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:email, current_user)
+        http_status :forbidden
+      end
+    end
+end

app/controllers/services/remotestorage_controller.rb

@@ -1,23 +1,26 @@
 class Services::RemotestorageController < Services::BaseController
   before_action :authenticate_user!
-  before_action :require_feature_enabled
   before_action :require_service_available
+  before_action :require_feature_enabled
 
-  def dashboard
+  # Dashboard
+  def show
     # unless current_user.services_enabled.include?(:remotestorage)
     #   redirect_to service_remotestorage_info_path
     # end
+    @rs_auths = current_user.remote_storage_authorizations
+    # TODO sort by app name
   end
 
   private
 
+    def require_service_available
+      http_status :not_found unless Setting.remotestorage_enabled?
+    end
+
     def require_feature_enabled
       unless Flipper.enabled?(:remotestorage, current_user)
         http_status :forbidden
       end
     end
-
-    def require_service_available
-      http_status :not_found unless Setting.remotestorage_enabled?
-    end
 end

app/controllers/services/rs_auths_controller.rb

@@ -0,0 +1,42 @@
+class Services::RsAuthsController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_feature_enabled
+  before_action :require_service_available
+  # before_action :require_service_enabled
+  before_action :find_rs_auth
+
+  def destroy
+    @auth.destroy!
+
+    respond_to do |format|
+      format.html do redirect_to services_storage_url, flash: {
+        success: 'App authorization revoked'
+      }
+      end
+      format.json { head :no_content }
+    end
+  end
+
+  def launch_app
+    launch_url = "#{@auth.launch_url}#remotestorage=#{current_user.address}&access_token=#{@auth.token}"
+
+    redirect_to launch_url, allow_other_host: true
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:remotestorage, current_user)
+        http_status :forbidden
+      end
+    end
+
+    def require_service_available
+      http_status :not_found unless Setting.remotestorage_enabled?
+    end
+
+    def find_rs_auth
+      @auth = current_user.remote_storage_authorizations.find(params[:id])
+      http_status :not_found unless @auth.present?
+    end
+end

app/controllers/settings_controller.rb

@@ -1,10 +1,11 @@
-require 'securerandom'
+require "securerandom"
+require "bcrypt"
 
 class SettingsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_main_nav_section
-  before_action :set_settings_section, only: [:show, :update, :update_email]
-  before_action :set_user, only: [:show, :update, :update_email]
+  before_action :set_settings_section, only: [:show, :update, :update_email, :reset_email_password]
+  before_action :set_user, only: [:show, :update, :update_email, :reset_email_password]
 
   def index
     redirect_to setting_path(:profile)
@@ -23,11 +24,11 @@ class SettingsController < ApplicationController
 
     if @user.save
       if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
-        LdapManager::UpdateDisplayName.call(@user.dn, @user.display_name)
+        LdapManager::UpdateDisplayName.call(dn: @user.dn, display_name: @user.display_name)
       end
 
       if @user.avatar_new.present?
-        LdapManager::UpdateAvatar.call(@user.dn, @user.avatar_new)
+        LdapManager::UpdateAvatar.call(dn: @user.dn, file: @user.avatar_new)
       end
 
       redirect_to setting_path(@settings_section), flash: {
@@ -40,7 +41,7 @@ class SettingsController < ApplicationController
   end
 
   def update_email
-    if @user.valid_ldap_authentication?(email_params[:current_password])
+    if @user.valid_ldap_authentication?(security_params[:current_password])
       if @user.update email: email_params[:email]
         redirect_to setting_path(:account), flash: {
           notice: 'Please confirm your new address using the confirmation link we just sent you.'
@@ -56,6 +57,28 @@ class SettingsController < ApplicationController
     end
   end
 
+  def reset_email_password
+    @user.current_password = security_params[:current_password]
+
+    if @user.valid_ldap_authentication?(@user.current_password)
+      @user.current_password = nil
+      session[:new_email_password] = generate_email_password
+      hashed_password = hash_email_password(session[:new_email_password])
+      LdapManager::UpdateEmailPassword.call(dn: @user.dn, password_hash: hashed_password)
+
+      if @user.ldap_entry[:email_maildrop] != @user.address
+        LdapManager::UpdateEmailMaildrop.call(dn: @user.dn, address: @user.address)
+      end
+
+      redirect_to new_password_services_email_path
+    else
+      @validation_errors = {
+        current_password: [ "Wrong password. Try again!" ]
+      }
+      render :show, status: :forbidden
+    end
+  end
+
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -65,8 +88,8 @@ class SettingsController < ApplicationController
 
   def set_nostr_pubkey
     signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
-    is_valid_id  = NostrManager::ValidateId.call(signed_event)
-    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
+    is_valid_id  = NostrManager::ValidateId.call(event: signed_event)
+    is_valid_sig = NostrManager::VerifySignature.call(event: signed_event)
     is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
 
     unless is_valid_id && is_valid_sig && is_correct_content
@@ -110,7 +133,10 @@ class SettingsController < ApplicationController
 
     def set_settings_section
       @settings_section = params[:section]
-      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
+      allowed_sections = [
+        :profile, :account, :xmpp, :email, :lightning, :remotestorage,
+        :experiments
+      ]
 
       unless allowed_sections.include?(@settings_section.to_sym)
         redirect_to setting_path(:profile)
@@ -124,12 +150,17 @@ class SettingsController < ApplicationController
     def user_params
       params.require(:user).permit(:display_name, :avatar, preferences: [
         :lightning_notify_sats_received,
+        :remotestorage_notify_auth_created,
         :xmpp_exchange_contacts_with_invitees
       ])
     end
 
     def email_params
-      params.require(:user).permit(:email, :current_password)
+      params.require(:user).permit(:email)
+    end
+
+    def security_params
+      params.require(:user).permit(:current_password)
     end
 
     def nostr_event_params
@@ -137,4 +168,14 @@ class SettingsController < ApplicationController
         :id, :pubkey, :created_at, :kind, :tags, :content, :sig
       ])
     end
+
+    def generate_email_password
+      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
+      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join
+    end
+
+    def hash_email_password(password)
+      salt = BCrypt::Engine.generate_salt
+      BCrypt::Engine.hash_secret(password, salt)
+    end
 end

app/controllers/signup_controller.rb

@@ -96,13 +96,13 @@ class SignupController < ApplicationController
     session[:new_user] = nil
     session[:validation_error] = nil
 
-    CreateAccount.call(
+    CreateAccount.call(account: {
       username: @user.cn,
       domain: Setting.primary_domain,
       email: @user.email,
       password: @user.password,
       invitation: @invitation
-    )
+    })
   end
 
   def set_context

app/controllers/webfinger_controller.rb

@@ -6,15 +6,19 @@ class WebfingerController < ApplicationController
   def show
     resource = params[:resource]
 
-    if resource && resource.match(/acct:\w+/)
-      useraddress = resource.split(":").last
-      username, org = useraddress.split("@")
-      username.downcase!
-      unless User.where(cn: username, ou: org).any?
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
+      @username, @org = @useraddress.split("@")
+
+      unless Rails.env.development?
+        # Allow different domains (e.g. localhost:3000) in development only
+        head 404 and return unless @org == Setting.primary_domain
+      end
+
+      unless User.where(cn: @username.downcase, ou: Setting.primary_domain).any?
         head 404 and return
       end
 
-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
              content_type: "application/jrd+json"
     else
       head 422 and return
@@ -23,19 +27,18 @@ class WebfingerController < ApplicationController
 
   private
 
-  def webfinger(useraddress)
+  def webfinger
     links = [];
 
-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    # TODO check if storage service is enabled for user, not just globally
+    links << remotestorage_link if Setting.remotestorage_enabled
 
     { "links" => links }
   end
 
-  def remotestorage_link(useraddress)
-    # TODO use when OAuth routes are available
-    # auth_url = new_rs_oauth_url(useraddress)
-    auth_url = "https://example.com/rs/oauth"
-    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+  def remotestorage_link
+    auth_url = new_rs_oauth_url(@username)
+    storage_url = "#{Setting.rs_storage_url}/#{@username}"
 
     {
       "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
@@ -51,7 +54,8 @@ class WebfingerController < ApplicationController
   end
 
   def allow_cross_origin_requests
-    headers['Access-Control-Allow-Origin'] = '*'
-    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
+    return unless Rails.env.development?
+    headers['Access-Control-Allow-Origin'] = "*"
+    headers['Access-Control-Allow-Methods'] = "GET"
   end
 end

app/javascript/controllers/application.js

@@ -1,8 +1,9 @@
 import { Application } from "@hotwired/stimulus"
-import { Modal, Tabs } from "tailwindcss-stimulus-components"
+import { Dropdown, Modal, Tabs } from "tailwindcss-stimulus-components"
 
 const application = Application.start()
 
+application.register('dropdown', Dropdown)
 application.register('modal', Modal)
 application.register('tabs', Tabs)
 

app/javascript/controllers/settings/email/password_controller.js

@@ -0,0 +1,27 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "resetPasswordButton", "currentPasswordField" ]
+  static values = { validationFailed: Boolean }
+
+  connect () {
+    if (this.validationFailedValue) return;
+
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+
+  showPasswordReset () {
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.remove("hidden");
+    })
+    this.currentPasswordFieldTarget.select();
+  }
+}

app/javascript/controllers/settings/nostr_pubkey_controller.js

@@ -1,13 +1,4 @@
 import { Controller } from "@hotwired/stimulus"
-import { bech32 } from "bech32"
-
-function hexToBytes (hex) {
-  let bytes = []
-  for (let c = 0; c < hex.length; c += 2) {
-    bytes.push(parseInt(hex.substr(c, 2), 16))
-  }
-  return bytes
-}
 
 // Connects to data-controller="settings--nostr-pubkey"
 export default class extends Controller {
@@ -15,10 +6,6 @@ export default class extends Controller {
   static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
 
   connect () {
-    if (this.hasPubkeyHexValue && this.pubkeyHexValue.length > 0) {
-      this.pubkeyBech32InputTarget.value = this.pubkeyBech32
-    }
-
     if (window.nostr) {
       if (this.hasSetPubkeyTarget) {
         this.setPubkeyTarget.disabled = false
@@ -53,11 +40,6 @@ export default class extends Controller {
     }
   }
 
-  get pubkeyBech32 () {
-    const words = bech32.toWords(hexToBytes(this.pubkeyHexValue))
-    return bech32.encode('npub', words)
-  }
-
   get csrfToken () {
     const element = document.head.querySelector('meta[name="csrf-token"]')
     return element.getAttribute("content")

app/mailers/notification_mailer.rb

@@ -5,4 +5,22 @@ class NotificationMailer < ApplicationMailer
     @subject = "Sats received"
     mail to: @user.email, subject: @subject
   end
+
+  def remotestorage_auth_created
+    @user = params[:user]
+    @auth = params[:auth]
+    @permissions = @auth.permissions.map do |p|
+      access = p.split(":")[1] == 'r' ? 'read' : 'read/write'
+      directory = p.split(':')[0] == '' ? 'all folders and files' : p.split(':')[0]
+      "#{access} #{directory}"
+    end
+    @subject = "New app connected to your storage"
+    mail to: @user.email, subject: @subject
+  end
+
+  def new_invitations_available
+    @user = params[:user]
+    @subject = "New invitations added to your account"
+    mail to: @user.email, subject: @subject
+  end
 end

app/models/app_catalog/web_app.rb

@@ -1,13 +1,9 @@
 class AppCatalog::WebApp < ApplicationRecord
   store :metadata, coder: JSON
 
-  has_many :remote_storage_authorizations
-
-  has_one_attached :icon do |attachable|
-    attachable.variant :medium, resize_to_limit: [128,128]
-    attachable.variant :large,  resize_to_limit: [256,256]
-  end
+  has_many :remote_storage_authorizations, dependent: :destroy
 
+  has_one_attached :icon
   has_one_attached :apple_touch_icon
 
   validates :url, presence: true, uniqueness: true
@@ -15,6 +11,6 @@ class AppCatalog::WebApp < ApplicationRecord
                   if: Proc.new { |a| a.url.present? }
 
   def update_metadata
-    AppCatalogManager::UpdateMetadata.call(self)
+    AppCatalogManager::UpdateMetadata.call(app: self)
   end
 end

app/models/remote_storage_authorization.rb

@@ -2,7 +2,7 @@ class RemoteStorageAuthorization < ApplicationRecord
   belongs_to :user
   belongs_to :web_app, class_name: "AppCatalog::WebApp", optional: true
 
-  serialize :permissions
+  serialize :permissions unless Rails.env.production?
 
   validates_presence_of :permissions
   validates_presence_of :client_id
@@ -18,19 +18,34 @@ class RemoteStorageAuthorization < ApplicationRecord
   before_create  :store_token_in_redis
   before_create  :find_or_create_web_app
   after_create   :schedule_token_expiry
-  # after_create   :notify_user
+  after_create   :notify_user
   before_destroy :delete_token_from_redis
   after_destroy  :remove_token_expiry_job
 
   def url
-    # TODO use web app scope in addition to host
     uri = URI.parse self.redirect_uri
     "#{uri.scheme}://#{client_id}"
   end
 
+  def launch_url
+    return url unless web_app && web_app.metadata[:start_url].present?
+
+    start_url = web_app.metadata[:start_url]
+
+    if start_url.match("^https?:\/\/")
+      return start_url.start_with?(url) ? start_url : url
+    else
+      path = start_url.gsub(/^\.\.\//, "").gsub(/^\.\//, "").gsub(/^\//, "")
+      "#{url}/#{path}"
+    end
+  end
+
   def delete_token_from_redis
-    key = "rs:authorizations:#{user.address}:#{token}"
+    key = "authorizations:#{user.cn}:#{token}"
     redis.srem? key, redis.smembers(key)
+  rescue => e
+    Rails.logger.error e
+    Sentry.capture_exception(e) if Setting.sentry_enabled?
   end
 
   private
@@ -44,7 +59,7 @@ class RemoteStorageAuthorization < ApplicationRecord
     end
 
     def store_token_in_redis
-      redis.sadd "rs:authorizations:#{user.address}:#{token}", permissions
+      redis.sadd "authorizations:#{user.cn}:#{token}", permissions
     end
 
     def schedule_token_expiry
@@ -64,6 +79,7 @@ class RemoteStorageAuthorization < ApplicationRecord
     def find_or_create_web_app
       if looks_like_hosted_origin?
         web_app = AppCatalog::WebApp.find_or_create_by!(url: self.url)
+        web_app.update_metadata unless web_app.name.present?
         self.web_app = web_app
         self.app_name = web_app.name.presence || client_id
       else
@@ -77,4 +93,22 @@ class RemoteStorageAuthorization < ApplicationRecord
     rescue URI::InvalidURIError
       false
     end
+
+    def notify_user
+      notify = user.preferences[:remotestorage_notify_auth_created]
+
+      case notify
+      when "xmpp"
+        router = Router.new
+        payload = {
+          type: "normal", to: user.address,
+          from: Setting.xmpp_notifications_from_address,
+          body: "You have just granted '#{self.client_id}' access to your Kosmos Storage. Visit your Storage dashboard to check on your connected apps and revoke permissions anytime: #{router.services_storage_url}"
+        }
+        XmppSendMessageJob.perform_later(payload)
+      when "email"
+        NotificationMailer.with(user: user, auth: self)
+                          .remotestorage_auth_created.deliver_later
+      end
+    end
 end

app/models/setting.rb

@@ -15,6 +15,9 @@ class Setting < RailsSettings::Base
   field :redis_url, type: :string,
     default: ENV["REDIS_URL"] || "redis://localhost:6379/0"
 
+  field :s3_enabled, type: :boolean,
+    default: ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
+
   #
   # Registrations
   #
@@ -168,4 +171,30 @@ class Setting < RailsSettings::Base
 
   field :rs_redis_url, type: :string,
     default: ENV["RS_REDIS_URL"] || "redis://localhost:6379/1"
+
+
+  #
+  # E-Mail Service
+  #
+
+  field :email_enabled, type: :boolean,
+    default: ENV["EMAIL_SMTP_HOST"].present?
+
+  # field :email_smtp_host, type: :string,
+  #   default: ENV["EMAIL_SMTP_HOST"].presence
+  #
+  # field :email_smtp_port, type: :string,
+  #   default: ENV["EMAIL_SMTP_PORT"].presence || 587
+  #
+  # field :email_smtp_enable_starttls, type: :string,
+  #   default: ENV["EMAIL_SMTP_PORT"].presence || true
+  #
+  # field :email_auth_method, type: :string,
+  #   default: ENV["EMAIL_AUTH_METHOD"].presence || "plain"
+  #
+  # field :email_imap_host, type: :string,
+  #   default: ENV["EMAIL_IMAP_HOST"].presence
+  #
+  # field :email_imap_port, type: :string,
+  #   default: ENV["EMAIL_IMAP_PORT"].presence || 993
 end

app/models/user.rb

@@ -1,10 +1,13 @@
+require 'nostr'
+
 class User < ApplicationRecord
   include EmailValidatable
 
   attr_accessor :display_name
   attr_accessor :avatar_new
+  attr_accessor :current_password
 
-  serialize :preferences, UserPreferences
+  serialize :preferences, coder: UserPreferences
 
   #
   # Relations
@@ -38,7 +41,8 @@ class User < ApplicationRecord
                            message: "is invalid. Usernames need to start with a letter."
   # FIXME This needs a server restart to apply values
   validates_format_of :cn, without: /\A(#{Setting.reserved_usernames.join('|')})\z/i,
-                           message: "has already been taken"
+                           message: "has already been taken",
+                           unless: Proc.new{ |u| u.persisted? }
 
   validates_uniqueness_of :email
   validates :email, email: true
@@ -88,13 +92,14 @@ class User < ApplicationRecord
   def devise_after_confirmation
     if ldap_entry[:mail] != self.email
       # E-Mail update confirmed
-      LdapManager::UpdateEmail.call(self.dn, self.email)
+      LdapManager::UpdateEmail.call(dn: self.dn, address: self.email)
     else
-      # TODO Make configurable
       # E-Mail from signup confirmed (i.e. account activation)
+
+      # TODO Make configurable, only activate globally enabled services
       enable_service %w[ discourse gitea mediawiki xmpp ]
 
-      #TODO enable in development when we have easy setup of ejabberd etc.
+      # TODO enable in development when we have easy setup of ejabberd etc.
       return if Rails.env.development? || !Setting.ejabberd_enabled?
 
       XmppExchangeContactsJob.perform_later(inviter, self) if inviter.present?
@@ -159,7 +164,7 @@ class User < ApplicationRecord
   end
 
   def avatar
-    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn, ou: ou)
+    @avatar_base64 ||= LdapManager::FetchAvatar.call(cn: cn)
   end
 
   def services_enabled
@@ -184,6 +189,11 @@ class User < ApplicationRecord
     ldap.delete_attribute(dn,:service)
   end
 
+  def nostr_pubkey_bech32
+    return nil unless nostr_pubkey.present?
+    Nostr::PublicKey.new(nostr_pubkey).to_bech32
+  end
+
   private
 
     def ldap

app/services/app_catalog_manager/update_metadata.rb

@@ -3,7 +3,7 @@ require "down"
 
 module AppCatalogManager
   class UpdateMetadata < AppCatalogManagerService
-    def initialize(app)
+    def initialize(app:)
       @app = app
     end
 
@@ -18,14 +18,19 @@ module AppCatalogManager
         @app.metadata[prop] = metadata.send(prop) if prop
       end
 
-      if icon = metadata.select_icon(sizes: "256x256")
+      @app.save!
+
+      # TODO move icon downloads to separate, async job
+
+      if icon = metadata.select_icon(sizes: "256x256") ||
+         icon = metadata.select_icon(sizes: "192x192")
         attach_remote_image(:icon, icon)
+        # TODO elsif get whatever is available
       end
+
       if apple_touch_icon = metadata.select_icon(purpose: "apple-touch-icon")
         attach_remote_image(:apple_touch_icon, apple_touch_icon)
       end
-
-      @app.save!
     rescue Manifique::Error => e
       msg = "Fetching web app manifest failed for #{e.url}: #{e.type}"
       Rails.logger.warn(msg)
@@ -39,11 +44,20 @@ module AppCatalogManager
       else
         download_url = "#{@app.url}/#{icon["src"].gsub(/^\//,'')}"
       end
-      filename = "#{attachment_name}.png"
-      key = "web_apps/#{@app.id}/icons/#{attachment_name}.png"
+      filename = "#{attachment_name}-#{Time.now.to_i}.png"
+      key = "web_apps/#{@app.id}/icons/#{filename}"
 
-      tempfile = Down.download(download_url)
-      @app.send(attachment_name).attach(key: key, io: tempfile, filename: filename)
+      begin
+        tempfile = Down.download(download_url)
+        @app.send(attachment_name).attach(key: key, io: tempfile, filename: filename)
+      rescue Down::NotFound
+        msg = "Download of \"#{attachment_name}\" failed: NotFound error for #{download_url}"
+        Rails.logger.warn(msg)
+        Sentry.capture_message(msg)
+      rescue => e
+        Rails.logger.warn "Saving attachment \"#{attachment_name}\" failed: \"#{e.message}\""
+        Sentry.capture_exception(e) if Setting.sentry_enabled?
+      end
     end
   end
 end

app/services/application_service.rb

@@ -1,7 +1,7 @@
 class ApplicationService
   # This enables executing a service's `#call` method directly via
   # `MyService.call(args)`, without creating a class instance it first.
-  def self.call(*args, &block)
-    new(*args, &block).call
+  def self.call(**args, &block)
+    new(**args, &block).call
   end
 end

app/services/btcpay_manager/fetch_lightning_wallet_balance.rb

@@ -4,7 +4,7 @@ module BtcpayManager
       res = get "stores/#{store_id}/lightning/BTC/balance"
 
       {
-        balance: res["offchain"]["local"].to_i / 1000 # msats to sats
+        confirmed_balance: res["offchain"]["local"].to_i / 1000 # msats to sats
       }
     end
   end

app/services/create_account.rb

@@ -1,11 +1,11 @@
 class CreateAccount < ApplicationService
-  def initialize(args)
-    @username   = args[:username]
-    @domain     = args[:ou] || Setting.primary_domain
-    @email      = args[:email]
-    @password   = args[:password]
-    @invitation = args[:invitation]
-    @confirmed  = args[:confirmed]
+  def initialize(account:)
+    @username   = account[:username]
+    @domain     = account[:ou] || Setting.primary_domain
+    @email      = account[:email]
+    @password   = account[:password]
+    @invitation = account[:invitation]
+    @confirmed  = account[:confirmed]
   end
 
   def call

app/services/create_invitations.rb

@@ -0,0 +1,17 @@
+class CreateInvitations < ApplicationService
+  def initialize(user:, amount:, notify: true)
+    @user = user
+    @amount = amount
+    @notify = notify
+  end
+
+  def call
+    @amount.times do
+      Invitation.create(user: @user)
+    end
+
+    if @notify
+      NotificationMailer.with(user: @user).new_invitations_available.deliver_later
+    end
+  end
+end

app/services/ldap_manager/fetch_avatar.rb

@@ -1,12 +1,11 @@
 module LdapManager
   class FetchAvatar < LdapManagerService
-    def initialize(cn:, ou: nil)
+    def initialize(cn:)
       @cn = cn
-      @ou = ou
     end
 
     def call
-      treebase   = @ou ? "ou=#{@ou},cn=users,#{suffix}" : ldap_config["base"]
+      treebase   = ldap_config["base"]
       attributes = %w{ jpegPhoto }
       filter     = Net::LDAP::Filter.eq("cn", @cn)
 

app/services/ldap_manager/update_avatar.rb

@@ -2,7 +2,7 @@ require "image_processing/vips"
 
 module LdapManager
   class UpdateAvatar < LdapManagerService
-    def initialize(dn, file)
+    def initialize(dn:, file:)
       @dn = dn
       @img_data = process(file)
     end

app/services/ldap_manager/update_display_name.rb

@@ -1,6 +1,6 @@
 module LdapManager
   class UpdateDisplayName < LdapManagerService
-    def initialize(dn, display_name)
+    def initialize(dn:, display_name:)
       @dn = dn
       @display_name = display_name
     end

app/services/ldap_manager/update_email.rb

@@ -1,6 +1,6 @@
 module LdapManager
   class UpdateEmail < LdapManagerService
-    def initialize(dn, address)
+    def initialize(dn:, address:)
       @dn = dn
       @address = address
     end

app/services/ldap_manager/update_email_maildrop.rb

@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateEmailMaildrop < LdapManagerService
+    def initialize(dn:, address:)
+      @dn = dn
+      @address = address
+    end
+
+    def call
+      replace_attribute @dn, :mailRoutingAddress, @address
+    end
+  end
+end

app/services/ldap_manager/update_email_password.rb

@@ -0,0 +1,12 @@
+module LdapManager
+  class UpdateEmailPassword < LdapManagerService
+    def initialize(dn:, password_hash:)
+      @dn = dn
+      @password_hash = password_hash
+    end
+
+    def call
+      replace_attribute @dn, :mailpassword, @password_hash
+    end
+  end
+end

app/services/ldap_service.rb

@@ -50,8 +50,11 @@ class LdapService < ApplicationService
       treebase = ldap_config["base"]
     end
 
-    attributes = %w{dn cn uid mail displayName admin service}
-    filter     = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
+    attributes = %w[
+      dn cn uid mail displayName admin service
+      mailRoutingAddress mailpassword
+    ]
+    filter = Net::LDAP::Filter.eq("uid", args[:uid] || "*")
 
     entries = ldap_client.search(base: treebase, filter: filter, attributes: attributes)
     entries.sort_by! { |e| e.cn[0] }
@@ -61,7 +64,9 @@ class LdapService < ApplicationService
         mail: e.try(:mail) ? e.mail.first : nil,
         display_name: e.try(:displayName) ? e.displayName.first : nil,
         admin: e.try(:admin) ? 'admin' : nil,
-        service: e.try(:service)
+        service: e.try(:service),
+        email_maildrop: e.try(:mailRoutingAddress),
+        email_password: e.try(:mailpassword)
       }
     end
   end

app/services/nostr_manager/validate_id.rb

@@ -1,6 +1,6 @@
 module NostrManager
   class ValidateId < NostrManagerService
-    def initialize(event)
+    def initialize(event:)
       @event = Nostr::Event.new(**event)
     end
 

app/services/nostr_manager/verify_signature.rb

@@ -1,6 +1,6 @@
 module NostrManager
   class VerifySignature < NostrManagerService
-    def initialize(event)
+    def initialize(event:)
       @event = Nostr::Event.new(**event)
     end
 

app/services/router.rb

@@ -0,0 +1,7 @@
+class Router
+  include Rails.application.routes.url_helpers
+
+  def self.default_url_options
+    ActionMailer::Base.default_url_options
+  end
+end

app/views/admin/app_catalog/web_apps/index.html.erb

@@ -41,7 +41,11 @@
                               target: "_blank", rel: "nofollow noopener",
                               class: "ks-text-link" %></td>
               <td class="hidden md:table-cell"><%= web_app.remote_storage_authorizations.count %></td>
-              <td class="hidden md:table-cell"><%= web_app.created_at %></td>
+              <td class="hidden md:table-cell">
+                <span title="<%= web_app.created_at %>" class="cursor-help">
+                  <%= time_ago_in_words web_app.created_at, include_seconds: false %> ago
+                </span>
+              </td>
             </tr>
           <% end %>
         </tbody>

app/views/admin/settings/registrations/show.html.erb

@@ -1,7 +1,7 @@
 <%= render HeaderComponent.new(title: "Settings") %>
 
 <%= render MainWithSidenavComponent.new(sidenav_partial: 'shared/admin_sidenav_settings') do %>
-  <%= form_for(Setting.new, url: admin_settings_registrations_path) do |f| %>
+  <%= form_for(Setting.new, url: admin_settings_registrations_path, method: :put) do |f| %>
     <section>
       <h3>Registrations</h3>
 

app/views/admin/settings/services/_email.html.erb

@@ -0,0 +1,16 @@
+<h3>E-Mail</h3>
+<ul role="list">
+  <%= render FormElements::FieldsetToggleComponent.new(
+    form: f,
+    attribute: :email_enabled,
+    enabled: Setting.email_enabled?,
+    title: "Enable E-Mail service integration",
+    description: "Enable/configure LDAP attributes for use with a mail server"
+  ) %>
+  <%# <% if Setting.email_enabled? %>
+  <%#   <%= render FormElements::FieldsetResettableSettingComponent.new(
+  <%#         key: :gitea_public_url,
+  <%#         title: "Public URL"
+  <%#       ) %>
+  <%# <% end %>
+</ul>

app/views/admin/settings/services/show.html.erb

@@ -1,9 +1,7 @@
 <%= render HeaderComponent.new(title: "Settings") %>
 
 <%= render MainWithSidenavComponent.new(sidenav_partial: 'shared/admin_sidenav_settings') do %>
-  <%= form_for(Setting.new, url: admin_settings_services_path) do |f| %>
-    <%= hidden_field_tag :service, @service %>
-
+  <%= form_for(Setting.new, url: admin_settings_service_path(@service), method: :put) do |f| %>
     <% if @errors && @errors.any? %>
       <section>
         <%= render partial: "admin/settings/errors", locals: { errors: @errors } %>

app/views/admin/users/_create_invitations.html.erb

@@ -0,0 +1,21 @@
+<h3>Add new invitations to <%= @user.cn %>'s account</h3>
+<%= form_with(url: invitations_admin_user_path, method: :post) do |form| %>
+  <ul role="list">
+    <%= render FormElements::FieldsetComponent.new(
+      positioning: :horizontal,
+      title: "Amount"
+    ) do %>
+      <%= form.select :amount, options_for_select([
+        ["3", "3"], ["5", "5"], ["10", "10"], ["20", "20"]
+      ]) %>
+    <% end %>
+    <%= render FormElements::FieldsetToggleComponent.new(
+      field_name: "notify_user",
+      enabled: true,
+      title: "Notify user via email"
+    ) %>
+  </ul>
+  <p class="pt-6 border-t border-gray-200 text-right">
+    <%= form.submit 'Add', class: "btn-md btn-blue w-full" %>
+  </p>
+<% end %>

app/views/admin/users/index.html.erb

@@ -1,4 +1,4 @@
-<%= render HeaderComponent.new(title: "Users: #{@ou}") %>
+<%= render HeaderComponent.new(title: "Users") %>
 
 <%= render MainSimpleComponent.new do %>
   <section>
@@ -16,19 +16,6 @@
     <% end %>
   </section>
 
-  <% if @orgs.length > 1 %>
-    <section>
-      <h3 class="hidden">Domains</h3>
-      <ul>
-        <% @orgs.each do |org| %>
-          <li class="inline-block">
-            <%= link_to org[:ou], admin_users_path(ou: org[:ou]), class: "ks-text-link" %>
-          </li>
-        <% end %>
-      </ul>
-    </section>
-  <% end %>
-
   <section>
     <table class="divided mb-8">
       <thead>
@@ -36,13 +23,12 @@
           <th>UID</th>
           <th>Status</th>
           <th>Roles</th>
-          <!-- <th>Password</th> -->
         </tr>
       </thead>
       <tbody>
         <% @users.each do |user| %>
         <tr>
-          <td><%= link_to(user.cn, admin_user_path(user.address), class: 'ks-text-link') %></td>
+          <td><%= link_to(user.cn, admin_user_path(user.cn), class: 'ks-text-link') %></td>
           <td><%= user.confirmed_at.nil? ? badge("pending", :yellow) : "" %></td>
           <td><%= user.is_admin? ? badge("admin", :red) : "" %></td>
         </tr>

app/views/admin/users/show.html.erb

@@ -1,4 +1,4 @@
-<%= render HeaderComponent.new(title: "User: #{@user.address}") %>
+<%= render HeaderComponent.new(title: "User: #{@user.cn}") %>
 
 <%= render MainSimpleComponent.new do %>
   <div class="mb-12 sm:flex sm:flex-row sm:gap-x-8">
@@ -42,8 +42,34 @@
           </tr>
           <tr>
             <th>Invitations available</th>
-            <td>
-              <%= @user.invitations.count %>
+            <td data-controller="modal" data-action="keydown.esc->modal#close">
+              <div class="flex justify-between">
+                <span>
+                  <%= @user.invitations.count %>
+                </span>
+                <span>
+                  <button id="add-invitations" data-action="click->modal#open">
+                    <%= render partial: "icons/plus-circle", locals: {
+                      custom_class: "text-green-600 hover:text-green-500 -mt-2 -mb-1 h-6 w-6 inline-block"
+                    } %>
+                  </button>
+                  <% if @user.invitations.unused.count > 0 %>
+                    <%= link_to invitations_admin_user_path(@user.cn),
+                      id: "remove-invitations", data: {
+                      turbo_method: :delete,
+                      turbo_confirm: "Delete all of #{@user.cn}'s available invitations?"
+                    } do %>
+                      <%= render partial: "icons/x-circle", locals: {
+                        custom_class: "text-red-600 hover:text-red-500 -mt-2 -mb-1 h-6 w-6 inline-block"
+                      } %>
+                    <% end %>
+                  <% end %>
+                </span>
+              </div>
+              <%= render ModalComponent.new(show_close_button: false) do %>
+                <%= render partial: "admin/users/create_invitations",
+                           locals: { user: @user } %>
+              <% end %>
             </td>
           </tr>
           <tr>
@@ -63,10 +89,12 @@
     </section>
 
     <section class="sm:flex-1 sm:pt-0">
+      <% if @avatar.present? %>
       <h3>LDAP<h3>
       <p>
         <img src="data:image/jpeg;base64,<%= @avatar %>" class="h-48 w-48" />
       </p>
+      <% end %>
       <!-- <h3>Actions</h3> -->
     </section>
   </div>

app/views/contributions/projects/index.html.erb

@@ -21,17 +21,17 @@
     </p>
     <p>
       A good way to get started is to join one of our
-      <a href="https://community.kosmos.org/t/kosmos-weekly-call/36" target="_blank" class="ks-text-link">weekly calls</a>
+      <a href="https://wiki.kosmos.org/Main_Page#Chat" target="_blank" class="ks-text-link">chat rooms</a>
       and introduce yourself. Alternatively, you can also ping us on any other
-      medium, or even just grab an open issue on
-      <a href="https://github.com/67P/" target="_blank" class="ks-text-link">GitHub</a>
-      or our
+      medium, or even just grab an open issue on our
       <a href="https://gitea.kosmos.org/kosmos/" target="_blank" class="ks-text-link">Gitea</a>
-      and dive right in (be sure to comment first, to prevent double efforts).
+      or on
+      <a href="https://github.com/67P/" target="_blank" class="ks-text-link">GitHub</a>
+      and dive right in.
     </p>
     <p class="mb-8">
       Last but not least, if you want to help by proposing new features or
-      services, head over to the
+      services, or by giving feedback on existing ones, head over to the
       <a href="https://community.kosmos.org/" target="_blank" class="ks-text-link">community forums</a>,
       where you can do just that.
     </p>
@@ -43,7 +43,7 @@
     </p>
     <p>
       We have run two 6-month trials so far, with the next trial period
-      starting sometime in Q1 2023. Watch your email for notifications about it!
+      starting sometime in Q1 2024. Watch your email for notifications about it!
     </p>
   </section>
 <% end %>

app/views/dashboard/index.html.erb

@@ -2,10 +2,6 @@
 
 <%= render MainSimpleComponent.new do %>
   <section>
-    <p class="mb-8">
-      Your Kosmos account and password currently give you access to these
-      services:
-    </p>
     <div class="services grid grid-cols-1 sm:grid-cols-2 gap-4 sm:gap-6">
       <% if Setting.ejabberd_enabled? %>
         <div class="border border-gray-300 rounded-md hover:border-gray-400
@@ -32,6 +28,17 @@
           <% end %>
         </div>
       <% end %>
+      <% if Setting.email_enabled? &&
+            Flipper.enabled?(:email, current_user) %>
+        <div class="border border-gray-300 rounded-md hover:border-gray-400">
+          <%= link_to services_email_path, class: "block h-full px-6 py-6 rounded-md" do %>
+            <h3 class="mb-3.5">E-Mail</h3>
+            <p class="text-gray-600">
+              A no-bullshit email account
+            </p>
+          <% end %>
+        </div>
+      <% end %>
       <% if Setting.discourse_enabled? %>
         <div class="border border-gray-300 rounded-md hover:border-gray-400
                     bg-[length:95%] bg-center bg-no-repeat
@@ -58,6 +65,18 @@
           <% end %>
         </div>
       <% end %>
+      <% if Setting.remotestorage_enabled? &&
+            Flipper.enabled?(:remotestorage, current_user) %>
+        <div class="border border-gray-300 rounded-md hover:border-gray-400">
+          <%= link_to services_storage_path,
+                class: "block h-full px-6 py-6 rounded-md" do %>
+            <h3 class="mb-3.5">Storage</h3>
+            <p class="text-gray-600">
+              Sync your data between apps and devices
+            </p>
+          <% end %>
+        </div>
+      <% end %>
       <% if Setting.gitea_enabled? %>
         <div class="border border-gray-300 rounded-md hover:border-gray-400
                     bg-cover bg-center bg-no-repeat
@@ -84,18 +103,6 @@
           <% end %>
         </div>
       <% end %>
-      <% if Setting.remotestorage_enabled? &&
-            Flipper.enabled?(:remotestorage, current_user) %>
-        <div class="border border-gray-300 rounded-md hover:border-gray-400">
-          <%= link_to services_storage_path,
-                class: "block h-full px-6 py-6 rounded-md" do %>
-            <h3 class="mb-3.5">Storage</h3>
-            <p class="text-gray-600">
-              Sync your data between apps and devices
-            </p>
-          <% end %>
-        </div>
-      <% end %>
       <% if Setting.mediawiki_enabled? %>
         <div class="border border-gray-300 rounded-md hover:border-gray-400
                     bg-cover bg-[center_top_-20px] bg-no-repeat

app/views/devise/sessions/new.html.erb

@@ -1,6 +1,7 @@
 <%
   # TODO remove when https://github.com/hotwired/turbo/issues/203 is fixed
-  enable_turbo = !session[:user_return_to] || !session[:user_return_to].match?('/discourse/connect')
+  enable_turbo = session[:user_return_to].blank? ||
+    ['/discourse/connect', '/rs/oauth'].none? { |s| session[:user_return_to].match(s) }
 %>
 
 <%= render HeaderCompactComponent.new(title: "Log in") %>

app/views/icons/_kebap-menu.html.erb

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="800px" height="800px" viewBox="0 0 24 24" class="<%= custom_class %>" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <title>Menu</title>
+    <g id="kebap-menu" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+      <rect id="Container" x="0" y="0" width="24" height="24"></rect>
+      <path d="M12,6 C12.5522847,6 13,5.55228475 13,5 C13,4.44771525 12.5522847,4 12,4 C11.4477153,4 11,4.44771525 11,5 C11,5.55228475 11.4477153,6 12,6 Z" stroke="#030819" stroke-width="2" stroke-linecap="round" stroke-dasharray="0,0"></path>
+      <path d="M12,13 C12.5522847,13 13,12.5522847 13,12 C13,11.4477153 12.5522847,11 12,11 C11.4477153,11 11,11.4477153 11,12 C11,12.5522847 11.4477153,13 12,13 Z" stroke="#030819" stroke-width="2" stroke-linecap="round" stroke-dasharray="0,0"></path>
+      <path d="M12,20 C12.5522847,20 13,19.5522847 13,19 C13,18.4477153 12.5522847,18 12,18 C11.4477153,18 11,18.4477153 11,19 C11,19.5522847 11.4477153,20 12,20 Z" stroke="#030819" stroke-width="2" stroke-linecap="round" stroke-dasharray="0,0"></path>
+    </g>
+</svg>

app/views/icons/_mail.html.erb

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-mail"><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"></path><polyline points="22,6 12,13 2,6"></polyline></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-mail <%= custom_class %>"><path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"></path><polyline points="22,6 12,13 2,6"></polyline></svg>

app/views/icons/_plus-circle.html.erb

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-plus-circle"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="8" x2="12" y2="16"></line><line x1="8" y1="12" x2="16" y2="12"></line></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-plus-circle <%= custom_class %>"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="8" x2="12" y2="16"></line><line x1="8" y1="12" x2="16" y2="12"></line></svg>

app/views/icons/_remotestorage.html.erb

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<svg width="24" height="24" class="icon-remotestorage <%= custom_class %>" clip-rule="evenodd" fill-rule="evenodd" image-rendering="optimizeQuality" shape-rendering="geometricPrecision" text-rendering="geometricPrecision" version="1.1" viewBox="0 0 250 249.9" xml:space="preserve" xmlns="http://www.w3.org/2000/svg">
+ <g transform="translate(-66.822 -.16484)">
+  <polygon id="polygon1" fill="currentColor" transform="matrix(.29308 0 0 .29308 83.528 -.028385)" points="228 181 370 100 511 181 652 263 370 425 87 263 87 263 0 213 0 213 0 311 0 378 0 427 0 476 86 525 185 582 370 689 554 582 653 525 653 590 653 592 370 754 0 542 0 640 185 747 370 853 554 747 739 640 739 525 739 476 739 427 739 378 653 427 370 589 86 427 86 361 185 418 370 524 554 418 653 361 739 311 739 213 554 107 370 0 185 107 58 180 144 230"/>
+ </g>
+</svg>

app/views/icons/_x-circle.html.erb

@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-x-circle"><circle cx="12" cy="12" r="10"></circle><line x1="15" y1="9" x2="9" y2="15"></line><line x1="9" y1="9" x2="15" y2="15"></line></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather feather-x-circle <%= custom_class %>"><circle cx="12" cy="12" r="10"></circle><line x1="15" y1="9" x2="9" y2="15"></line><line x1="9" y1="9" x2="15" y2="15"></line></svg>

app/views/layouts/application.html.erb

@@ -77,7 +77,7 @@
             </div>
             <div class="pt-4 pb-3 border-t border-gray-200/10">
               <div class="px-5 text-base font-normal text-white">
-                <%= current_user.address %></strong>
+                <%= current_user.address %>
               </div>
               <div class="mt-3 px-2 space-y-1">
                 <%= link_to "Log out", destroy_user_session_path,

app/views/notification_mailer/new_invitations_available.text.erb

@@ -0,0 +1,11 @@
+Hi <%= @user.display_name.presence || @user.cn %>,
+
+New invitations have just been added to your Kosmos account, so you can invite more people to our cooperative services:
+
+<%= invitations_url %>
+
+Have a nice day!
+
+---
+
+Tip: if you want to invite someone you're meeting in person, log into your account panel on a mobile device and let people scan the invitation QR code from theirs.

app/views/notification_mailer/remotestorage_auth_created.text.erb

@@ -0,0 +1,23 @@
+Hi <%= @user.display_name.presence || @user.cn %>,
+
+You have just granted '<%= @auth.client_id %>' access to your Kosmos Storage, with the following permissions:
+
+<% @permissions.each do |p| %>
+* <%= p %>
+<% end %>
+
+Visit your Storage dashboard to check on your connected apps and revoke permissions anytime:
+
+<%= services_storage_url %>
+
+Have fun!
+
+---
+
+You can disable email notifications for new app authorizations in your account settings:
+<%= setting_url(:remotestorage) %>
+<% if Setting.discourse_enabled %>
+
+If you have any questions, please visit our community forums:
+<%= Setting.discourse_public_url %>
+<% end %>

app/views/services/chat/show.html.erb

@@ -38,7 +38,7 @@
     <h3>Chat Apps</h3>
     <p>
       Use your account with many different apps, and on any devices you wish!
-      When opening an app for the first time, just enter your user address and
+      When opening an app for the first time, just enter your address and
       password to log in.
     </p>
   </section>

app/views/services/email/new_password.html.erb

@@ -0,0 +1,35 @@
+<%= render HeaderCompactComponent.new(title: "New E-Mail Password") %>
+
+<%= render MainCompactComponent.new do %>
+  <section data-controller="modal" data-action="keydown.esc->modal#close">
+    <p class="font-bold">
+      Your email password has been updated.
+    </p>
+    <p class="mb-8">
+      Please store the new one in a password manager or write it down somewhere:
+    </p>
+    <p data-controller="clipboard" class="flex gap-1 w-full mb-10">
+      <%= label_tag :new_password, 'New password', class: 'hidden' %>
+      <%= text_field_tag :new_password, @new_password, disabled: true, class: 'text-xl grow',
+            data: { "clipboard-target": "source"} %>
+      <button id="copy-new-password" class="btn-md btn-icon btn-outline shrink-0"
+              data-clipboard-target="trigger" data-action="clipboard#copy"
+              title="Copy to clipboard">
+        <span class="content-initial">
+          <%= render partial: "icons/copy", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+        </span>
+        <span class="content-active hidden">
+          <%= render partial: "icons/check", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+        </span>
+      </button>
+      <button class="btn-md btn-icon btn-outline shrink-0 w-auto"
+              data-action="click->modal#open" title="Show QR code">
+          <%= render partial: "icons/qr_code", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+      </button>
+    </p>
+    <p class="mb-0">
+      <%= link_to "Done", services_email_path, class: "btn-md btn-blue w-full" %>
+    </p>
+    <%= render QrCodeModalComponent.new(qr_content: @new_password) %>
+  </section>
+<% end %>

app/views/services/email/show.html.erb

@@ -0,0 +1,128 @@
+<%= render HeaderComponent.new(title: "E-Mail") %>
+
+<%= render MainSimpleComponent.new do %>
+  <section>
+    <p class="mb-6">
+      Send and receive electronic mail.
+    </p>
+  </section>
+  <section data-controller="modal" data-action="keydown.esc->modal#close">
+    <h3>Your E-Mail Address</h3>
+    <p data-controller="clipboard" class="flex gap-1 sm:w-2/5">
+      <input type="text" id="user_address" class="grow"
+             value=<%= current_user.address %> disabled="disabled"
+             data-clipboard-target="source" />
+      <button id="copy-user-address" class="btn-md btn-icon btn-outline shrink-0"
+              data-clipboard-target="trigger" data-action="clipboard#copy"
+              title="Copy to clipboard">
+        <span class="content-initial">
+          <%= render partial: "icons/copy", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+        </span>
+        <span class="content-active hidden">
+          <%= render partial: "icons/check", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+        </span>
+      </button>
+      <button class="btn-md btn-icon btn-outline shrink-0 w-auto"
+              data-action="click->modal#open" title="Show QR code">
+          <%= render partial: "icons/qr_code", locals: { custom_class: "text-blue-600 h-4 w-4 inline" } %>
+      </button>
+    </p>
+    <%= render QrCodeModalComponent.new(qr_content: current_user.address) %>
+  </section>
+  <section>
+    <h3>E-Mail Password</h3>
+    <p>
+      Your email password is different from your main account password. You can
+      reset your email password in the
+      <%= link_to "email settings", setting_path(:email), class: "ks-text-link" %>.
+    </p>
+  </section>
+  <section>
+    <h3>Recommended Apps</h3>
+    <div data-controller="tabs"
+         data-tabs-active-tab-class="-mb-px border-gray-200 border-l border-t border-r rounded-t text-indigo-600 hover:text-indigo-600"
+         data-tabs-inactive-tab-class="text-gray-500 hover:text-gray-700"
+         class="mb-12">
+      <select data-action="tabs#change" data-tabs-target="select"
+              class="block w-full mb-8 sm:hidden">
+        <optgroup label="Mobile">
+          <option>Android</option>
+        </optgroup>
+        <optgroup label="Desktop">
+          <option>Linux</option>
+          <option>Windows</option>
+          <option>macOS</option>
+        </optgroup>
+      </select>
+      <ul class="hidden sm:flex list-reset mb-8 border-gray-200 border-b">
+        <li class="mr-2" data-tabs-target="tab" data-action="click->tabs#change:prevent">
+          <a href="#" class="bg-white inline-block py-2 px-4 font-semibold no-underline">
+            Android
+          </a>
+        </li>
+        <li class="mr-2" data-tabs-target="tab" data-action="click->tabs#change:prevent">
+          <a href="#" class="bg-white inline-block py-2 px-4 font-semibold no-underline">
+            Linux
+          </a>
+        </li>
+        <li class="mr-2" data-tabs-target="tab" data-action="click->tabs#change:prevent">
+          <a href="#" class="bg-white inline-block py-2 px-4 font-semibold no-underline">
+            Windows
+          </a>
+        </li>
+        <li class="mr-2" data-tabs-target="tab" data-action="click->tabs#change:prevent">
+          <a href="#" class="bg-white inline-block py-2 px-4 font-semibold no-underline">
+            macOS
+          </a>
+        </li>
+      </ul>
+
+      <div id="apps-android" class="hidden grid grid-cols-1 gap-6"
+           data-tabs-target="panel">
+        <%= render AppInfoComponent.new(
+          name: "K-9 Mail",
+          description: "Soon to become Thunderbird Mobile",
+          icon_path: "/img/logos/icon_k9-mail.png",
+          links: [
+            ["Website", "https://k9mail.app"],
+            ["Google Play", "https://play.google.com/store/apps/details?id=com.fsck.k9"],
+            ["F-Droid", "https://f-droid.org/en/packages/com.fsck.k9/"],
+          ]
+        ) %>
+      </div>
+      <div id="apps-linux" class="hidden grid grid-cols-1 gap-6"
+           data-tabs-target="panel">
+        <%= render AppInfoComponent.new(
+          name: "Thunderbird",
+          description: "The most popular open-source email app",
+          icon_path: "/img/logos/icon_thunderbird.png",
+          links: [
+            ["Website", "https://www.thunderbird.net"]
+          ]
+        ) %>
+      </div>
+      <div id="apps-windows" class="hidden grid grid-cols-1 gap-6"
+           data-tabs-target="panel">
+        <%= render AppInfoComponent.new(
+          name: "Thunderbird",
+          description: "The most popular open-source email app",
+          icon_path: "/img/logos/icon_thunderbird.png",
+          links: [
+            ["Website", "https://www.thunderbird.net"]
+          ]
+        ) %>
+      </div>
+      <div id="apps-mac" class="hidden grid grid-cols-1 gap-6"
+           data-tabs-target="panel">
+        <%= render AppInfoComponent.new(
+          name: "Thunderbird",
+          description: "The most popular open-source email app",
+          icon_path: "/img/logos/icon_thunderbird.png",
+          links: [
+            ["Website", "https://www.thunderbird.net"]
+          ]
+        ) %>
+      </div>
+    </div>
+  </section>
+<% end %>

app/views/services/remotestorage/dashboard.html.erb

@@ -1,7 +0,0 @@
-<%= render HeaderComponent.new(title: "Storage") %>
-
-<%= render MainSimpleComponent.new do %>
-  <section>
-    <h3>Feature enabled</h3>
-  </section>
-<% end %>

app/views/services/remotestorage/show.html.erb

@@ -0,0 +1,16 @@
+<%= render HeaderComponent.new(title: "Storage") %>
+
+<%= render MainSimpleComponent.new do %>
+  <section>
+    <h3 class="mb-10">Connected Apps</h3>
+    <% if @rs_auths.any? %>
+    <div class="w-full grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 gap-y-10 gap-x-12">
+    <% @rs_auths.each do |auth| %>
+      <%= render RsAuthComponent.new(auth: auth) %>
+    <% end %>
+    </div>
+    <% else %>
+    <p>No apps connected yet.</p>
+    <% end %>
+  </section>
+<% end %>

app/views/settings/_email.html.erb

@@ -0,0 +1,34 @@
+<%= tag.section data: {
+      controller: "settings--email--password",
+      "settings--email--password-validation-failed-value": @validation_errors.present?
+    } do %>
+  <h3>E-Mail Password</h3>
+  <%= form_for(@user, url: reset_email_password_settings_path, method: "post") do |f| %>
+    <%= hidden_field_tag :section, "email" %>
+    <p class="mb-8">
+      Use the following button to generate a new email password:
+    </p>
+    <p class="hidden initial-visible">
+      <button type="button" id="edit-email" class="btn-md btn-gray"
+              data-settings--email--password-target="resetPasswordButton"
+              data-action="settings--email--password#showPasswordReset">
+        Reset email password
+      </button>
+    </p>
+    <div class="initial-hidden">
+      <p class="mt-4 mb-2">
+        <%= f.label :current_password, 'Current account password', class: 'font-bold' %>
+      </p>
+      <p class="sm:w-3/5">
+        <%= f.password_field :current_password, class: "w-full", required: true,
+              data: { 'settings--email--password-target': "currentPasswordField" } %>
+      </p>
+      <% if @validation_errors.present? && @validation_errors[:current_password].present? %>
+        <p class="error-msg"><%= @validation_errors[:current_password].first %></p>
+      <% end %>
+      <p class="mt-6">
+        <%= f.submit "Create new email password", class: "btn-md btn-blue w-full md:w-auto" %>
+      </p>
+    </div>
+  <% end %>
+<% end %>

app/views/settings/_experiments.html.erb

@@ -7,7 +7,7 @@
        data-settings--nostr-pubkey-pubkey-hex-value="<%= current_user.nostr_pubkey %>">
 
     <p class="<%= current_user.nostr_pubkey.present? ? '' : 'hidden' %> mt-2 flex gap-1">
-      <input type="text" value="<%= current_user.nostr_pubkey %>" disabled
+      <input type="text" value="<%= current_user.nostr_pubkey_bech32 %>" disabled
              data-settings--nostr-pubkey-target="pubkeyBech32Input"
              name="nostr_public_key" class="relative grow" />
       <%= link_to nostr_pubkey_settings_path,

app/views/settings/_profile.html.erb

@@ -31,6 +31,7 @@
       <% end %>
     <% end %>
 
+    <% if Flipper.enabled?(:avatar_upload, current_user) %>
     <label class="block">
       <p class="font-bold mb-1">
         Avatar
@@ -56,6 +57,7 @@
         </div>
       </div>
     </label>
+    <% end %>
 
     <p class="mt-8 pt-6 border-t border-gray-200 text-right">
       <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>

app/views/settings/_remotestorage.html.erb

@@ -0,0 +1,25 @@
+<%= form_for @user, url: setting_path(:remotestorage), html: { :method => :put } do |f| %>
+<section>
+  <h3>Notifications</h3>
+  <ul role="list">
+    <%= render FormElements::FieldsetComponent.new(
+      positioning: :horizontal,
+      title: "New connection authorized",
+      description: "Notify me when my storage is connected to a new app"
+    ) do %>
+      <% f.fields_for :preferences do |p| %>
+        <%= p.select :remotestorage_notify_auth_created, options_for_select([
+          ["off", "disabled"],
+          ["Chat (Jabber)", "xmpp"], # TODO make DRY, check for XMPP enabled
+          ["E-Mail", "email"]
+        ], selected: @user.preferences[:remotestorage_notify_auth_created]) %>
+      <% end %>
+    <% end %>
+  </ul>
+</section>
+<section>
+  <p class="pt-6 border-t border-gray-200 text-right">
+    <%= f.submit 'Save', class: "btn-md btn-blue w-full md:w-auto" %>
+  </p>
+</section>
+<% end %>

app/views/shared/_admin_sidenav_settings.html.erb

@@ -4,9 +4,9 @@
 ) %>
 <%= render SidenavLinkComponent.new(
   name: "Services", path: admin_settings_services_path, icon: "grid",
-  active: current_page?(admin_settings_services_path)
+  active: controller_name == "services"
 ) %>
-<% if current_page?(admin_settings_services_path) %>
+<% if controller_name == "services" %>
   <%= render partial: "shared/admin_sidenav_settings_services"  %>
 <% end %>
 <%= render SidenavLinkComponent.new(

app/views/shared/_admin_sidenav_settings_services.html.erb

@@ -1,70 +1,77 @@
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "BTCPay",
-  path: admin_settings_services_path(params: { s: "btcpay" }),
+  path: admin_settings_service_path("btcpay"),
   text_icon: Setting.btcpay_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "btcpay" })),
+  active: current_page?(admin_settings_service_path("btcpay")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "Discourse",
-  path: admin_settings_services_path(params: { s: "discourse" }),
+  path: admin_settings_service_path("discourse"),
   text_icon: Setting.discourse_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "discourse" })),
+  active: current_page?(admin_settings_service_path("discourse")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "Drone CI",
-  path: admin_settings_services_path(params: { s: "droneci" }),
+  path: admin_settings_service_path("droneci"),
   text_icon: Setting.droneci_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "droneci" })),
+  active: current_page?(admin_settings_service_path("droneci")),
+) %>
+<%= render SidenavLinkComponent.new(
+  level: 2,
+  name: "E-Mail",
+  path: admin_settings_service_path("email"),
+  text_icon: Setting.email_enabled? ? "◉" : "○",
+  active: current_page?(admin_settings_services_path(params: { s: "email" })),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "ejabberd",
-  path: admin_settings_services_path(params: { s: "ejabberd" }),
+  path: admin_settings_service_path("ejabberd"),
   text_icon: Setting.ejabberd_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "ejabberd" })),
+  active: current_page?(admin_settings_service_path("ejabberd")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "Gitea",
-  path: admin_settings_services_path(params: { s: "gitea" }),
+  path: admin_settings_service_path("gitea"),
   text_icon: Setting.gitea_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "gitea" })),
+  active: current_page?(admin_settings_service_path("gitea")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "LNDHub",
-  path: admin_settings_services_path(params: { s: "lndhub" }),
+  path: admin_settings_service_path("lndhub"),
   text_icon: Setting.lndhub_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "lndhub" })),
+  active: current_page?(admin_settings_service_path("lndhub")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "Mastodon",
-  path: admin_settings_services_path(params: { s: "mastodon" }),
+  path: admin_settings_service_path("mastodon"),
   text_icon: Setting.mastodon_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "mastodon" })),
+  active: current_page?(admin_settings_service_path("mastodon")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "MediaWiki",
-  path: admin_settings_services_path(params: { s: "mediawiki" }),
+  path: admin_settings_service_path("mediawiki"),
   text_icon: Setting.mediawiki_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "mediawiki" })),
+  active: current_page?(admin_settings_service_path("mediawiki")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "Nostr",
-  path: admin_settings_services_path(params: { s: "nostr" }),
+  path: admin_settings_service_path("nostr"),
   text_icon: Setting.nostr_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "nostr" })),
+  active: current_page?(admin_settings_service_path("nostr")),
 ) %>
 <%= render SidenavLinkComponent.new(
   level: 2,
   name: "RemoteStorage",
-  path: admin_settings_services_path(params: { s: "remotestorage" }),
+  path: admin_settings_service_path("remotestorage"),
   text_icon: Setting.remotestorage_enabled? ? "◉" : "○",
-  active: current_page?(admin_settings_services_path(params: { s: "remotestorage" })),
+  active: current_page?(admin_settings_service_path("remotestorage")),
 ) %>

app/views/shared/_sidenav_settings.html.erb

@@ -12,12 +12,26 @@
   active: @settings_section.to_s == "xmpp"
 ) %>
 <% end %>
+<% if Setting.email_enabled? &&
+      Flipper.enabled?(:email, current_user) %>
+<%= render SidenavLinkComponent.new(
+  name: "E-Mail", path: setting_path(:email), icon: "mail",
+  active: @settings_section.to_s == "email"
+) %>
+<% end %>
 <% if Setting.lndhub_enabled %>
 <%= render SidenavLinkComponent.new(
   name: "Lightning", path: setting_path(:lightning), icon: "zap",
   active: @settings_section.to_s == "lightning"
 ) %>
 <% end %>
+<% if Setting.remotestorage_enabled? &&
+      Flipper.enabled?(:remotestorage, current_user) %>
+<%= render SidenavLinkComponent.new(
+  name: "Storage", path: setting_path(:remotestorage), icon: "remotestorage",
+  active: @settings_section.to_s == "remotestorage"
+) %>
+<% end %>
 <% if Setting.nostr_enabled %>
 <%= render SidenavLinkComponent.new(
   name: "Experiments", path: setting_path(:experiments), icon: "science",

app/views/shared/status_bad_request.html.erb

@@ -1,4 +1,4 @@
-<%= render HeaderCompactComponent.new(title: "404") %>
+<%= render HeaderCompactComponent.new(title: "400") %>
 
 <%= render MainCompactComponent.new do %>
   <h2>Bad request</h2>

ci/Dockerfile

@@ -1,4 +1,10 @@
 # syntax=docker/dockerfile:1
-FROM guildeducation/rails:2.7.2-14.20.0
+FROM ruby:3.3.0
 
-RUN apt-get update -qq && apt-get install -y --no-install-recommends ldap-utils libvips
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
+      ldap-utils tini libvips
+RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
+RUN apt-get update && apt-get install -y nodejs
+RUN npm install -g yarn

config/application.rb

@@ -42,7 +42,5 @@ module Akkounts
 
     config.active_job.queue_adapter = :sidekiq
     config.action_mailer.deliver_later_queue_name = nil # use "default" queue
-
-    config.active_record.legacy_connection_handling = false
   end
 end

config/default_preferences.yml

@@ -1,2 +1,3 @@
 lightning_notify_sats_received: disabled # or xmpp, email
+remotestorage_notify_auth_created: email # or xmpp, email
 xmpp_exchange_contacts_with_invitees: true

config/environments/development.rb

@@ -69,9 +69,9 @@ Rails.application.configure do
   config.action_mailer.default_url_options = { host: "localhost:3000", protocol: "http" }
 
   # Allow requests from any IP
-  config.web_console.whiny_requests = false
+  config.web_console.permissions = '0.0.0.0/0'
 
-  if ENV["S3_ENABLED"]
+  if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
     config.active_storage.service = :s3
   else
     config.active_storage.service = :local

config/environments/production.rb

@@ -110,7 +110,7 @@ Rails.application.configure do
   # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   config.action_mailer.raise_delivery_errors = true
 
-  if ENV["S3_ENABLED"]
+  if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
     config.active_storage.service = :s3
   else
     config.active_storage.service = :local

config/environments/test.rb

@@ -26,7 +26,7 @@ Rails.application.configure do
   config.cache_store = :null_store
 
   # Raise exceptions instead of rendering exception templates.
-  config.action_dispatch.show_exceptions = false
+  config.action_dispatch.show_exceptions = :none
 
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
@@ -52,10 +52,9 @@ Rails.application.configure do
 
   config.active_job.queue_adapter = :test
 
-  if ENV["S3_ENABLED"]
+  if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false"
     config.active_storage.service = :s3
   else
-    # Store attachments on the local disk (in ./tmp)
-    config.active_storage.service = :test
+    config.active_storage.service = :local
   end
 end

config/importmap.rb

@@ -5,5 +5,4 @@ pin "@hotwired/turbo-rails", to: "turbo.min.js", preload: true
 pin "@hotwired/stimulus", to: "stimulus.min.js", preload: true
 pin "@hotwired/stimulus-loading", to: "stimulus-loading.js", preload: true
 pin_all_from "app/javascript/controllers", under: "controllers"
-pin "bech32" # @2.0.0
 pin "tailwindcss-stimulus-components" # @4.0.3

config/initializers/devise.rb

@@ -325,3 +325,10 @@ Devise.setup do |config|
   # changed. Defaults to true, so a user is signed in automatically after changing a password.
   # config.sign_in_after_change_password = true
 end
+
+# https://github.com/heartcombo/devise/issues/5644
+class Devise::SecretKeyFinder
+  def find
+    @application.secret_key_base
+  end
+end

config/routes.rb

@@ -19,10 +19,16 @@ Rails.application.routes.draw do
   resources :invitations, only: ['index', 'show', 'create', 'destroy']
 
   namespace :services do
-    get 'storage', to: 'remotestorage#dashboard'
-
     resource :chat, only: [:show], controller: 'chat'
 
+    resource :mastodon, only: [:show], controller: 'mastodon'
+
+    resource :email, only: [:show], controller: 'email' do
+      member do
+        get 'new_password'
+      end
+    end
+
     resources :lightning, only: [:index] do
       collection do
         get 'transactions'
@@ -30,26 +36,32 @@ Rails.application.routes.draw do
       end
     end
 
-    resource :mastodon, only: [:show], controller: 'mastodon'
+    resource :storage, controller: 'remotestorage', only: [:show] do
+      resources :rs_auths, only: [:destroy] do
+        member do
+          get :revoke, to: 'rs_auths#destroy'
+          get :launch_app
+        end
+      end
+    end
   end
 
   resources :settings, param: 'section', only: ['index', 'show', 'update'] do
     collection do
       post 'update_email'
       post 'reset_password'
+      post 'reset_email_password'
       post 'set_nostr_pubkey'
       delete 'nostr_pubkey', to: 'settings#remove_nostr_pubkey'
     end
   end
 
-  get 'lnurlpay/:address', to: 'lnurlpay#index',
-    as: 'lightning_address', constraints: { address: /[^\/]+/}
-  get 'lnurlpay/:address/invoice', to: 'lnurlpay#invoice',
-    as: 'lnurlpay_invoice', constraints: { address: /[^\/]+/}
-  get 'keysend/:address', to: 'lnurlpay#keysend',
-    as: 'lightning_address_keysend', constraints: { address: /[^\/]+/}
-
+  get '.well-known/webfinger', to: 'webfinger#show'
   get '.well-known/nostr', to: 'well_known#nostr'
+  get '.well-known/lnurlp/:username', to: 'lnurlpay#index', as: 'lightning_address'
+  get '.well-known/keysend/:username', to: 'lnurlpay#keysend', as: 'lightning_address_keysend'
+
+  get 'lnurlpay/:username/invoice', to: 'lnurlpay#invoice', as: 'lnurlpay_invoice'
 
   post 'webhooks/lndhub', to: 'webhooks#lndhub'
 
@@ -61,9 +73,19 @@ Rails.application.routes.draw do
   namespace :admin do
     root to: 'dashboard#index'
 
-    resources 'users', param: 'address', only: ['index', 'show'], constraints: { address: /.*/ }
+    resources 'users', param: 'username', only: ['index', 'show'] do
+      member do
+        post 'invitations', to: 'users#create_invitations'
+        delete 'invitations', to: 'users#delete_invitations'
+      end
+    end
+
+    # post 'users/:username/invitations', to: 'users#create_invitations'
+
     get 'invitations', to: 'invitations#index'
+
     resources :donations
+
     get 'lightning', to: 'lightning#index'
 
     namespace :app_catalog do
@@ -71,20 +93,17 @@ Rails.application.routes.draw do
     end
 
     namespace :settings do
-      resources 'registrations', only: ['index', 'create']
-      resources 'services', only: ['index', 'create']
+      resource 'registrations', only: ['show', 'update']
+      resources 'services', param: 'service', only: ['index', 'show', 'update']
     end
   end
 
   namespace :rs do
     resource :oauth, only: [:new, :create], path_names: {
-      new: ':useraddress', create: ':useraddress'
-    }, controller: 'oauth', constraints: { useraddress: /[^\/]+/}
-    get 'oauth/token/:id/launch_app' => 'oauth#launch_app', as: :launch_app
+      new: ':username', create: ':username'
+    }, controller: 'oauth'
   end
 
-  get '.well-known/webfinger', to: 'webfinger#show'
-
   namespace :discourse do
     get "connect", to: 'sso#connect'
   end
@@ -100,4 +119,8 @@ Rails.application.routes.draw do
   end
 
   root to: 'dashboard#index'
+
+  direct :s3_image do |blob|
+    File.join(ENV['S3_ALIAS_HOST'], blob.key)
+  end
 end

config/storage.yml

@@ -1,12 +1,12 @@
 local:
   service: Disk
-  root: <%= Rails.root.join("storage") %>
+  root: <%= ENV["ACTIVE_STORAGE_PATH"] || Rails.root.join("storage") %>
 
 test:
   service: Disk
   root: <%= Rails.root.join("tmp/storage") %>
 
-<% if ENV["S3_ENABLED"] %>
+<% if ENV["S3_ENABLED"] && ENV["S3_ENABLED"].to_s != "false" %>
 s3:
   service: S3
   endpoint: <%= ENV["S3_ENDPOINT"] %>

db/migrate/20240207080515_change_flipper_gates_value_to_text.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+class ChangeFlipperGatesValueToText < ActiveRecord::Migration[7.1]
+  def up
+    # Ensure this incremental update migration is idempotent
+    return unless connection.column_exists? :flipper_gates, :value, :string
+
+    if index_exists? :flipper_gates, [:feature_key, :key, :value]
+      remove_index :flipper_gates, [:feature_key, :key, :value]
+    end
+    change_column :flipper_gates, :value, :text
+    add_index :flipper_gates, [:feature_key, :key, :value], unique: true, length: { value: 255 }
+  end
+
+  def down
+    change_column :flipper_gates, :value, :string
+  end
+end

db/schema.rb

@@ -10,12 +10,12 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.0].define(version: 2023_10_24_104909) do
+ActiveRecord::Schema[7.1].define(version: 2024_02_16_124640) do
   create_table "active_storage_attachments", force: :cascade do |t|
     t.string "name", null: false
     t.string "record_type", null: false
-    t.bigint "record_id", null: false
-    t.bigint "blob_id", null: false
+    t.integer "record_id", null: false
+    t.integer "blob_id", null: false
     t.datetime "created_at", null: false
     t.index ["blob_id"], name: "index_active_storage_attachments_on_blob_id"
     t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true
@@ -34,7 +34,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_10_24_104909) do
   end
 
   create_table "active_storage_variant_records", force: :cascade do |t|
-    t.bigint "blob_id", null: false
+    t.integer "blob_id", null: false
     t.string "variation_digest", null: false
     t.index ["blob_id", "variation_digest"], name: "index_active_storage_variant_records_uniqueness", unique: true
   end
@@ -50,12 +50,17 @@ ActiveRecord::Schema[7.0].define(version: 2023_10_24_104909) do
   create_table "donations", force: :cascade do |t|
     t.integer "user_id"
     t.integer "amount_sats"
-    t.integer "amount_eur"
-    t.integer "amount_usd"
+    t.integer "fiat_amount"
     t.string "public_name"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.datetime "paid_at", precision: nil
+    t.string "fiat_currency", default: "USD"
+    t.string "donation_method"
+    t.string "payment_method"
+    t.string "btcpay_invoice_id"
+    t.string "payment_status"
+    t.index ["payment_status"], name: "index_donations_on_payment_status"
     t.index ["user_id"], name: "index_donations_on_user_id"
   end
 
@@ -69,7 +74,7 @@ ActiveRecord::Schema[7.0].define(version: 2023_10_24_104909) do
   create_table "flipper_gates", force: :cascade do |t|
     t.string "feature_key", null: false
     t.string "key", null: false
-    t.string "value"
+    t.text "value"
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.index ["feature_key", "key", "value"], name: "index_flipper_gates_on_feature_key_and_key_and_value", unique: true

db/seeds.rb

@@ -3,10 +3,10 @@ require 'sidekiq/testing'
 ldap = LdapService.new
 
 Sidekiq::Testing.inline! do
-  CreateAccount.call(
+  CreateAccount.call(account: {
     username: "admin", domain: "kosmos.org", email: "admin@example.com",
     password: "admin is admin", confirmed: true
-  )
+  })
 
   ldap.add_attribute "cn=admin,ou=kosmos.org,cn=users,dc=kosmos,dc=org", :admin, "true"
 
@@ -15,9 +15,9 @@ Sidekiq::Testing.inline! do
     email = Faker::Internet.unique.email
     next if username.length < 3
 
-    CreateAccount.call(
+    CreateAccount.call(account: {
       username: username, domain: "kosmos.org", email: email,
       password: "user is user", confirmed: true
-    )
+    })
   end
 end

docker-compose.yml

@@ -2,7 +2,7 @@ services:
   ldap:
     image: 4teamwork/389ds:latest
     volumes:
-      - ./tmp/389ds:/data
+      - 389ds-data:/data
     networks:
       - external_network
       - internal_network
@@ -16,11 +16,12 @@ services:
     restart: always
     image: redis:7-alpine
     networks:
+      - external_network
       - internal_network
     healthcheck:
       test: ['CMD', 'redis-cli', 'ping']
     volumes:
-      - ./tmp/redis:/data
+      - redis-data:/data
 
   web:
     build: .
@@ -37,12 +38,15 @@ services:
     environment:
       RAILS_ENV: development
       PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
       LDAP_HOST: ldap
       LDAP_PORT: 3389
       LDAP_ADMIN_PASSWORD: passthebutter
       LDAP_USE_TLS: "false"
+      REDIS_URL: redis://redis:6379/0
+      ACTIVE_STORAGE_PATH: "/akkounts/tmp/attachments"
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
+      S3_ENABLED: false
     depends_on:
       - ldap
       - redis
@@ -57,18 +61,52 @@ services:
     environment:
       RAILS_ENV: development
       PRIMARY_DOMAIN: kosmos.org
-      REDIS_URL: redis://redis:6379/0
-      RS_REDIS_URL: redis://redis:6379/1
       LDAP_HOST: ldap
       LDAP_PORT: 3389
       LDAP_ADMIN_PASSWORD: passthebutter
       LDAP_USE_TLS: "false"
       LAUNCHY_DRY_RUN: true
       BROWSER: /dev/null
+      REDIS_URL: redis://redis:6379/0
+      RS_REDIS_URL: redis://redis:6379/1
+      RS_STORAGE_URL: "http://localhost:4567"
+      S3_ENABLED: false
     depends_on:
       - ldap
       - redis
 
+  minio:
+    image: quay.io/minio/minio:latest
+    command: "server /data --console-address ':9001'"
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - minio-data:/data
+
+  liquor-cabinet:
+    image: gitea.kosmos.org/5apps/liquor-cabinet:2.0.0-rc.1
+    networks:
+      - external_network
+      - internal_network
+    ports:
+      - "4567:4567"
+    environment:
+      RACK_ENV: staging
+      REDIS_HOST: redis
+      REDIS_PORT: 6379
+      REDIS_DB: 1
+      S3_ENDPOINT: http://minio:9000
+      S3_ACCESS_KEY: dev-key
+      S3_SECRET_KEY: 123456789
+      S3_BUCKET: remotestorage
+    depends_on:
+      - minio
+      - redis
+
   # phpldapadmin:
   #   image: osixia/phpldapadmin:0.9.0
   #   ports:
@@ -82,3 +120,11 @@ networks:
   external_network:
   internal_network:
     internal: true
+
+volumes:
+  389ds-data:
+    driver: local
+  minio-data:
+    driver: local
+  redis-data:
+    driver: local