Fix pages views when signed out

Already linked in the same paragraph

.drone.yml

@@ -17,7 +17,7 @@ steps:
       branch:
         - master
   - name: rspec
-    image: guildeducation/rails:2.7.2-14.20.0
+    image: gitea.kosmos.org/kosmos/akkounts-ci:0.9.1
     environment:
       RAILS_ENV: test
       REDIS_URL: redis://redis:6379/0
@@ -28,6 +28,8 @@ steps:
       - bundle config set cache_path 'vendor/cache'
       - bundle config set with 'development test'
       - bundle install --jobs=3 --retry=3
+      - bundle exec rails db:create
+      - bundle exec rails db:migrate
       - yarn install
       - rake css:build
       - bundle exec rspec

.env.example

@@ -1,46 +1,92 @@
-PRIMARY_DOMAIN=kosmos.org
-AKKOUNTS_DOMAIN=accounts.example.com
+# PRIMARY_DOMAIN=kosmos.org
+# AKKOUNTS_DOMAIN=accounts.example.com
 
-SMTP_SERVER=smtp.example.com
-SMTP_PORT=587
-SMTP_LOGIN=accounts
-SMTP_PASSWORD=123abc
-SMTP_FROM_ADDRESS=accounts@example.com
-SMTP_DOMAIN=example.com
-SMTP_AUTH_METHOD=plain
-SMTP_ENABLE_STARTTLS=auto
+# Generate this using `rails secret`
+# SECRET_KEY_BASE=
 
-LDAP_HOST=localhost
-LDAP_PORT=389
-LDAP_ADMIN_PASSWORD=passthebutter
-LDAP_SUFFIX='dc=kosmos,dc=org'
+# Generate these using `rails db:encryption:init`
+# (Optional, needed for LndHub integration)
+# ENCRYPTION_PRIMARY_KEY=
+# ENCRYPTION_KEY_DERIVATION_SALT=
 
-REDIS_URL='redis://localhost:6379/1'
+# The default backend is SQLite
+# DB_ADAPTER=postgresql
+# PG_HOST=localhost
+# PG_PORT=5432
+# PG_DATABASE=akkounts
+# PG_DATABASE_QUEUE=akkounts_queue
+# PG_USERNAME=akkounts
+# PG_PASSWORD=
 
-WEBHOOKS_ALLOWED_IPS='10.1.1.163'
+# SMTP_SERVER=smtp.example.com
+# SMTP_PORT=587
+# SMTP_LOGIN=accounts
+# SMTP_PASSWORD=123abc
+# SMTP_FROM_ADDRESS=accounts@example.com
+# SMTP_DOMAIN=example.com
+# SMTP_AUTH_METHOD=plain
+# SMTP_ENABLE_STARTTLS=auto
 
-DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
-DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+# S3_ENABLED=true
+# S3_ENDPOINT=https://s3.kosmos.org
+# S3_REGION=garage
+# S3_BUCKET=akkounts-production
+# S3_ALIAS_HOST=https://accounts.web.s3.kosmos.org
+# S3_ACCESS_KEY=123456abcdefg
+# S3_SECRET_KEY=123456789123456789123456789
 
-DRONECI_PUBLIC_URL='https://drone.kosmos.org'
+# LDAP_HOST=localhost
+# LDAP_PORT=389
+# LDAP_USE_TLS=false
+# LDAP_UID_ATTR=cn
+# LDAP_BASE="ou=kosmos.org,cn=users,dc=kosmos,dc=org"
+# LDAP_ADMIN_USER="cn=Directory Manager"
+# LDAP_ADMIN_PASSWORD=passthebutter
+# LDAP_SUFFIX="dc=kosmos,dc=org"
 
-GITEA_PUBLIC_URL='https://gitea.kosmos.org'
-MASTODON_PUBLIC_URL='https://kosmos.social'
-MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
-RS_STORAGE_URL='https://storage.kosmos.org'
-RS_REDIS_URL='redis://localhost:6379/2'
+# REDIS_URL='redis://localhost:6379/1'
 
-EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
-EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+# WEBHOOKS_ALLOWED_IPS='10.1.1.163'
 
-BTCPAY_API_URL='http://localhost:23001/api/v1'
+#
+# Service Integrations
+# (sorted alphabetically by service name)
+#
 
-LNDHUB_API_URL='http://localhost:3023'
-LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
-LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
-LNDHUB_ADMIN_UI=true
-LNDHUB_PG_HOST=localhost
-LNDHUB_PG_PORT=5432
-LNDHUB_PG_DATABASE=lndhub
-LNDHUB_PG_USERNAME=lndhub
-LNDHUB_PG_PASSWORD=''
+# BTCPAY_PUBLIC_URL='https://btcpay.example.com'
+# BTCPAY_API_URL='http://localhost:23001/api/v1'
+# BTCPAY_STORE_ID=''
+# BTCPAY_AUTH_TOKEN=''
+
+# DISCOURSE_PUBLIC_URL='https://community.kosmos.org'
+# DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
+
+# DRONECI_PUBLIC_URL='https://drone.kosmos.org'
+
+# EJABBERD_ADMIN_URL='https://xmpp.kosmos.org/admin'
+# EJABBERD_API_URL='https://xmpp.kosmos.org/api'
+
+# GITEA_PUBLIC_URL='https://gitea.kosmos.org'
+
+# LNDHUB_API_URL='http://localhost:3023'
+# LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
+# LNDHUB_PUBLIC_KEY='0123d3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
+# LNDHUB_ADMIN_UI=true
+# LNDHUB_ADMIN_TOKEN=123456789
+# LNDHUB_PG_HOST=localhost
+# LNDHUB_PG_PORT=5432
+# LNDHUB_PG_DATABASE=lndhub
+# LNDHUB_PG_USERNAME=lndhub
+# LNDHUB_PG_PASSWORD=''
+
+# MASTODON_PUBLIC_URL='https://kosmos.social'
+# MASTODON_ADDRESS_DOMAIN='https://kosmos.org'
+
+# MEDIAWIKI_PUBLIC_URL='https://wiki.kosmos.org'
+
+# NOSTR_PRIVATE_KEY='123456abcdef...'
+# NOSTR_PUBLIC_KEY='123456abcdef...'
+# NOSTR_RELAY_URL='wss://nostr.kosmos.org'
+
+# RS_STORAGE_URL='https://storage.kosmos.org'
+# RS_REDIS_URL='redis://localhost:6379/2'

.env.test

@@ -1,19 +1,31 @@
 PRIMARY_DOMAIN=kosmos.org
+AKKOUNTS_DOMAIN=accounts.kosmos.org
+
+ENCRYPTION_PRIMARY_KEY=YhNLBgCFMAzw5dV3gISxnGrhNDMQwRdn
+ENCRYPTION_KEY_DERIVATION_SALT=h28g16MRZ1sghF2jTCos1DiLZXUswinR
 
 REDIS_URL='redis://localhost:6379/0'
 
+BTCPAY_PUBLIC_URL='https://btcpay.example.com'
+BTCPAY_API_URL='http://btcpay.example.com/api/v1'
+BTCPAY_STORE_ID='123456'
+
 DISCOURSE_PUBLIC_URL='http://discourse.example.com'
 DISCOURSE_CONNECT_SECRET='discourse_connect_ftw'
 
 EJABBERD_API_URL='http://xmpp.example.com/api'
 
-BTCPAY_API_URL='http://btcpay.example.com/api/v1'
+MASTODON_PUBLIC_URL='http://example.social'
 
 LNDHUB_API_URL='http://localhost:3026'
 LNDHUB_PUBLIC_URL='https://lndhub.kosmos.org'
 LNDHUB_PUBLIC_KEY='024cd3be18617f39cf645851e3ba63f51fc13f0bb09e3bb25e6fd4de556486d946'
 
-RS_STORAGE_URL='https://storage.kosmos.org'
+NOSTR_PRIVATE_KEY='7c3ef7e448505f0615137af38569d01807d3b05b5005d5ecf8aaafcd40323cea'
+NOSTR_PUBLIC_KEY='bdd76ce2934b2f591f9fad2ebe9da18f20d2921de527494ba00eeaa0a0efadcf'
+
 RS_REDIS_URL='redis://localhost:6379/1'
+RS_STORAGE_URL='https://storage.kosmos.org'
+RS_AKKOUNTS_DOMAIN=localhost
 
 WEBHOOKS_ALLOWED_IPS='10.1.1.23'

.gitignore

@@ -23,6 +23,7 @@
 !/tmp/pids/
 !/tmp/pids/.keep
 
+/storage
 
 /public/assets
 .byebug_history
@@ -36,6 +37,7 @@
 /yarn-error.log
 yarn-debug.log*
 .yarn-integrity
+bun.lock
 
 # Ignore local dotenv config file
 .env
@@ -46,3 +48,6 @@ dump.rdb
 
 /app/assets/builds/*
 !/app/assets/builds/.keep
+
+# Ignore generated ctags
+*.tags

.ruby-version

@@ -1 +1 @@
-2.7.2
+3.3.0

Dockerfile

@@ -1,10 +1,11 @@
 # syntax=docker/dockerfile:1
-FROM ruby:2.7.6
+FROM ruby:3.3.4
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 RUN apt-get update -qq && apt-get install -y --no-install-recommends curl \
-      ldap-utils tini
+      ldap-utils tini libvips
+
 RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash -
 RUN apt-get update && apt-get install -y nodejs
 

Gemfile

@@ -2,13 +2,13 @@ source 'https://rubygems.org'
 git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 7.0.2'
+gem 'rails', '~> 8.0'
 # Use Puma as the app server
-gem 'puma', '~> 4.1'
+gem 'puma', '~> 6.6'
 # View components
 gem "view_component"
-# Separate dependency since Rails 7.0
-gem 'sprockets-rails'
+# Asset bundler
+gem 'propshaft'
 # Allows custom JS build tasks to integrate with the asset pipeline
 gem 'cssbundling-rails'
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
@@ -19,17 +19,12 @@ gem "turbo-rails"
 gem "stimulus-rails"
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 gem 'jbuilder', '~> 2.7'
-# Use Redis adapter to run Action Cable in production
-# gem 'redis', '~> 4.0'
 # Use Active Model has_secure_password
-# gem 'bcrypt', '~> 3.1.7'
+gem 'bcrypt', '~> 3.1'
 
 # Configuration
 gem 'dotenv-rails'
 
-# Security
-gem 'lockbox'
-
 # Authentication
 gem 'warden'
 gem 'devise', '~> 4.9.0'
@@ -37,19 +32,26 @@ gem 'devise_ldap_authenticatable'
 gem 'net-ldap'
 
 # Utilities
+gem 'aasm'
+gem "image_processing", "~> 1.12.2"
 gem "rqrcode", "~> 2.0"
 gem 'rails-settings-cached', '~> 2.8.3'
 gem 'pagy', '~> 6.0', '>= 6.0.2'
 gem 'flipper'
 gem 'flipper-active_record'
 gem 'flipper-ui'
+gem 'gpgme', '~> 2.0.24'
+gem 'zbase32', '~> 0.1.1'
+gem 'kramdown'
 
 # HTTP requests
 gem 'faraday'
+gem 'down'
+gem 'aws-sdk-s3', require: false
 
 # Background/scheduled jobs
-gem 'sidekiq', '< 7'
-gem 'sidekiq-scheduler'
+gem 'solid_queue'
+gem "mission_control-jobs"
 
 # Monitoring
 gem "sentry-ruby"
@@ -58,19 +60,20 @@ gem "sentry-rails"
 # Services
 gem 'discourse_api'
 gem "lnurl"
-gem 'nostr', git: 'https://gitea.kosmos.org/kosmos/nostr-gem.git', branch: 'feature/ruby_2.7_compat'
+gem 'manifique', '~> 1.1.0'
+gem 'nostr', '~> 0.6.0'
+gem "redis", "~> 5.4"
 
 group :development, :test do
   # Use sqlite3 as the database for Active Record
-  gem 'sqlite3', '~> 1.4'
+  gem 'sqlite3', '>= 2.1'
   gem 'rspec-rails'
   gem 'rails-controller-testing'
-  gem "byebug", "~> 11.1"
 end
 
 group :development do
   # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
-  gem 'web-console', '>= 3.3.0'
+  gem 'web-console', '~> 4.2'
   gem 'listen', '~> 3.2'
   gem 'letter_opener'
   gem 'letter_opener_web'
@@ -86,8 +89,8 @@ group :test do
 end
 
 group :production do
-  # Use postgresql as the database for Active Record
-  gem 'pg', '~> 1.2.3'
+  gem 'pg', '~> 1.5'
 end
+
 # Windows does not include zoneinfo files, so bundle the tzinfo-data gem
 gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

Gemfile.lock

@@ -1,122 +1,139 @@
-GIT
-  remote: https://gitea.kosmos.org/kosmos/nostr-gem.git
-  revision: 596529d9eb50d13b3f385245636698fccf37b442
-  branch: feature/ruby_2.7_compat
-  specs:
-    nostr (0.4.0)
-      bech32 (~> 1.3)
-      bip-schnorr (~> 0.4)
-      ecdsa (~> 1.2)
-      event_emitter (~> 0.2)
-      faye-websocket (~> 0.11)
-      json (~> 2.6)
-
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
+    aasm (5.5.0)
+      concurrent-ruby (~> 1.0)
+    actioncable (8.0.2)
+      actionpack (= 8.0.2)
+      activesupport (= 8.0.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.5)
-      actionpack (= 7.0.5)
-      activejob (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.0.5)
-      actionpack (= 7.0.5)
-      actionview (= 7.0.5)
-      activejob (= 7.0.5)
-      activesupport (= 7.0.5)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
-      rails-dom-testing (~> 2.0)
-    actionpack (7.0.5)
-      actionview (= 7.0.5)
-      activesupport (= 7.0.5)
-      rack (~> 2.0, >= 2.2.4)
+      zeitwerk (~> 2.6)
+    actionmailbox (8.0.2)
+      actionpack (= 8.0.2)
+      activejob (= 8.0.2)
+      activerecord (= 8.0.2)
+      activestorage (= 8.0.2)
+      activesupport (= 8.0.2)
+      mail (>= 2.8.0)
+    actionmailer (8.0.2)
+      actionpack (= 8.0.2)
+      actionview (= 8.0.2)
+      activejob (= 8.0.2)
+      activesupport (= 8.0.2)
+      mail (>= 2.8.0)
+      rails-dom-testing (~> 2.2)
+    actionpack (8.0.2)
+      actionview (= 8.0.2)
+      activesupport (= 8.0.2)
+      nokogiri (>= 1.8.5)
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.5)
-      actionpack (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+      useragent (~> 0.16)
+    actiontext (8.0.2)
+      actionpack (= 8.0.2)
+      activerecord (= 8.0.2)
+      activestorage (= 8.0.2)
+      activesupport (= 8.0.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.5)
-      activesupport (= 7.0.5)
+    actionview (8.0.2)
+      activesupport (= 8.0.2)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.5)
-      activesupport (= 7.0.5)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activejob (8.0.2)
+      activesupport (= 8.0.2)
       globalid (>= 0.3.6)
-    activemodel (7.0.5)
-      activesupport (= 7.0.5)
-    activerecord (7.0.5)
-      activemodel (= 7.0.5)
-      activesupport (= 7.0.5)
-    activestorage (7.0.5)
-      actionpack (= 7.0.5)
-      activejob (= 7.0.5)
-      activerecord (= 7.0.5)
-      activesupport (= 7.0.5)
+    activemodel (8.0.2)
+      activesupport (= 8.0.2)
+    activerecord (8.0.2)
+      activemodel (= 8.0.2)
+      activesupport (= 8.0.2)
+      timeout (>= 0.4.0)
+    activestorage (8.0.2)
+      actionpack (= 8.0.2)
+      activejob (= 8.0.2)
+      activerecord (= 8.0.2)
+      activesupport (= 8.0.2)
       marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
-    activesupport (7.0.5)
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+    activesupport (8.0.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
+      concurrent-ruby (~> 1.0, >= 1.3.1)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      tzinfo (~> 2.0)
-    addressable (2.8.4)
-      public_suffix (>= 2.0.2, < 6.0)
-    ast (2.4.2)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
+      uri (>= 0.13.1)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
+    ast (2.4.3)
+    aws-eventstream (1.3.2)
+    aws-partitions (1.1092.0)
+    aws-sdk-core (3.222.2)
+      aws-eventstream (~> 1, >= 1.3.0)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
+      base64
+      jmespath (~> 1, >= 1.6.1)
+      logger
+    aws-sdk-kms (1.99.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sigv4 (~> 1.5)
+    aws-sdk-s3 (1.183.0)
+      aws-sdk-core (~> 3, >= 3.216.0)
+      aws-sdk-kms (~> 1)
+      aws-sigv4 (~> 1.5)
+    aws-sigv4 (1.11.0)
+      aws-eventstream (~> 1, >= 1.0.2)
     backport (1.2.0)
-    bcrypt (3.1.18)
-    bech32 (1.3.0)
+    base64 (0.2.0)
+    bcrypt (3.1.20)
+    bech32 (1.5.0)
       thor (>= 1.1.0)
-    benchmark (0.2.1)
+    benchmark (0.4.0)
+    bigdecimal (3.1.9)
     bindex (0.8.1)
-    bip-schnorr (0.6.0)
+    bip-schnorr (0.7.0)
       ecdsa_ext (~> 0.5.0)
-    builder (3.2.4)
-    byebug (11.1.3)
-    capybara (3.39.2)
+    builder (3.3.0)
+    capybara (3.40.0)
       addressable
       matrix
       mini_mime (>= 0.1.3)
-      nokogiri (~> 1.8)
+      nokogiri (~> 1.11)
       rack (>= 1.6.0)
       rack-test (>= 0.6.3)
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
+    childprocess (5.1.0)
+      logger (~> 1.5)
     chunky_png (1.4.0)
-    concurrent-ruby (1.2.2)
-    connection_pool (2.4.1)
-    crack (0.4.5)
+    concurrent-ruby (1.3.4)
+    connection_pool (2.5.2)
+    crack (1.0.0)
+      bigdecimal
       rexml
     crass (1.0.6)
-    cssbundling-rails (1.1.2)
+    cssbundling-rails (1.4.3)
       railties (>= 6.0.0)
-    database_cleaner (2.0.2)
+    database_cleaner (2.1.0)
       database_cleaner-active_record (>= 2, < 3)
-    database_cleaner-active_record (2.1.0)
+    database_cleaner-active_record (2.2.0)
       activerecord (>= 5.a)
       database_cleaner-core (~> 2.0.0)
     database_cleaner-core (2.0.1)
-    date (3.3.3)
-    devise (4.9.2)
+    date (3.4.1)
+    devise (4.9.4)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 4.1.0)
@@ -125,91 +142,112 @@ GEM
     devise_ldap_authenticatable (0.8.7)
       devise (>= 3.4.1)
       net-ldap (>= 0.16.0)
-    diff-lcs (1.5.0)
+    diff-lcs (1.6.1)
     discourse_api (2.0.1)
       faraday (~> 2.7)
       faraday-follow_redirects
       faraday-multipart
       rack (>= 1.6)
-    dotenv (2.8.1)
-    dotenv-rails (2.8.1)
-      dotenv (= 2.8.1)
-      railties (>= 3.2)
-    e2mmap (0.1.0)
+    dotenv (3.1.8)
+    dotenv-rails (3.1.8)
+      dotenv (= 3.1.8)
+      railties (>= 6.1)
+    down (5.4.2)
+      addressable (~> 2.8)
+    drb (2.2.1)
     ecdsa (1.2.0)
-    ecdsa_ext (0.5.0)
+    ecdsa_ext (0.5.1)
       ecdsa (~> 1.2.0)
-    erubi (1.12.0)
-    et-orbi (1.2.7)
+    erubi (1.13.1)
+    et-orbi (1.2.11)
       tzinfo
     event_emitter (0.2.6)
     eventmachine (1.2.7)
-    factory_bot (6.2.1)
-      activesupport (>= 5.0.0)
-    factory_bot_rails (6.2.0)
-      factory_bot (~> 6.2.0)
+    factory_bot (6.5.1)
+      activesupport (>= 6.1.0)
+    factory_bot_rails (6.4.4)
+      factory_bot (~> 6.5)
       railties (>= 5.0.0)
-    faker (3.2.0)
+    faker (3.5.1)
       i18n (>= 1.8.11, < 2)
-    faraday (2.7.6)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
+    faraday (2.9.2)
+      faraday-net_http (>= 2.0, < 3.2)
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
-    faraday-net_http (3.0.2)
-    faye-websocket (0.11.2)
+    faraday-multipart (1.1.0)
+      multipart-post (~> 2.0)
+    faraday-net_http (3.1.1)
+      net-http
+    faye-websocket (0.11.3)
       eventmachine (>= 0.12.0)
       websocket-driver (>= 0.5.1)
-    ffi (1.15.5)
-    flipper (0.28.0)
+    ffi (1.17.2)
+    ffi (1.17.2-arm64-darwin)
+    ffi (1.17.2-x86_64-linux-gnu)
+    flipper (1.3.4)
       concurrent-ruby (< 2)
-    flipper-active_record (0.28.0)
-      activerecord (>= 4.2, < 8)
-      flipper (~> 0.28.0)
-    flipper-ui (0.28.0)
+    flipper-active_record (1.3.4)
+      activerecord (>= 4.2, < 9)
+      flipper (~> 1.3.4)
+    flipper-ui (1.3.4)
       erubi (>= 1.0.0, < 2.0.0)
-      flipper (~> 0.28.0)
-      rack (>= 1.4, < 3)
-      rack-protection (>= 1.5.3, <= 4.0.0)
-      sanitize (< 7)
-    fugit (1.8.1)
-      et-orbi (~> 1, >= 1.2.7)
+      flipper (~> 1.3.4)
+      rack (>= 1.4, < 4)
+      rack-protection (>= 1.5.3, < 5.0.0)
+      rack-session (>= 1.0.2, < 3.0.0)
+      sanitize (< 8)
+    fugit (1.11.1)
+      et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
-    globalid (1.1.0)
-      activesupport (>= 5.0)
-    hashdiff (1.0.1)
-    i18n (1.14.1)
+    globalid (1.2.1)
+      activesupport (>= 6.1)
+    gpgme (2.0.24)
+      mini_portile2 (~> 2.7)
+    hashdiff (1.1.2)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
-    importmap-rails (1.1.6)
+    image_processing (1.12.2)
+      mini_magick (>= 4.9.5, < 5)
+      ruby-vips (>= 2.0.17, < 3)
+    importmap-rails (2.1.0)
       actionpack (>= 6.0.0)
+      activesupport (>= 6.0.0)
       railties (>= 6.0.0)
-    jaro_winkler (1.5.6)
-    jbuilder (2.11.5)
+    io-console (0.8.0)
+    irb (1.15.2)
+      pp (>= 0.6.0)
+      rdoc (>= 4.0.0)
+      reline (>= 0.4.2)
+    jaro_winkler (1.6.0)
+    jbuilder (2.13.0)
       actionview (>= 5.0.0)
       activesupport (>= 5.0.0)
-    json (2.6.3)
-    kramdown (2.4.0)
-      rexml
+    jmespath (1.6.2)
+    json (2.11.3)
+    kramdown (2.5.1)
+      rexml (>= 3.3.9)
     kramdown-parser-gfm (1.1.0)
       kramdown (~> 2.0)
-    launchy (2.5.2)
+    language_server-protocol (3.17.0.4)
+    launchy (3.1.1)
       addressable (~> 2.8)
-    letter_opener (1.8.1)
-      launchy (>= 2.2, < 3)
-    letter_opener_web (2.0.0)
-      actionmailer (>= 5.2)
-      letter_opener (~> 1.7)
-      railties (>= 5.2)
+      childprocess (~> 5.0)
+      logger (~> 1.6)
+    letter_opener (1.10.0)
+      launchy (>= 2.2, < 4)
+    letter_opener_web (3.0.0)
+      actionmailer (>= 6.1)
+      letter_opener (~> 1.9)
+      railties (>= 6.1)
       rexml
-    listen (3.8.0)
+    lint_roller (1.1.0)
+    listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    lnurl (1.0.1)
+    lnurl (1.1.1)
       bech32 (~> 1.1)
-    lockbox (1.2.0)
-    loofah (2.21.3)
+    logger (1.7.0)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
@@ -217,211 +255,282 @@ GEM
       net-imap
       net-pop
       net-smtp
-    marcel (1.0.2)
+    manifique (1.1.0)
+      faraday (~> 2.9.0)
+      faraday-follow_redirects (= 0.3.0)
+      nokogiri (~> 1.16.0)
+    marcel (1.0.4)
     matrix (0.4.2)
-    method_source (1.0.0)
-    mini_mime (1.1.2)
-    minitest (5.18.0)
-    multipart-post (2.3.0)
-    net-imap (0.3.6)
+    method_source (1.1.0)
+    mini_magick (4.13.2)
+    mini_mime (1.1.5)
+    mini_portile2 (2.8.8)
+    minitest (5.25.5)
+    mission_control-jobs (1.0.2)
+      actioncable (>= 7.1)
+      actionpack (>= 7.1)
+      activejob (>= 7.1)
+      activerecord (>= 7.1)
+      importmap-rails (>= 1.2.1)
+      irb (~> 1.13)
+      railties (>= 7.1)
+      stimulus-rails
+      turbo-rails
+    multipart-post (2.4.1)
+    net-http (0.6.0)
+      uri
+    net-imap (0.5.7)
       date
       net-protocol
-    net-ldap (0.18.0)
+    net-ldap (0.19.0)
     net-pop (0.1.2)
       net-protocol
-    net-protocol (0.2.1)
+    net-protocol (0.2.2)
       timeout
-    net-smtp (0.3.3)
+    net-smtp (0.5.1)
       net-protocol
-    nio4r (2.5.9)
-    nokogiri (1.15.2-arm64-darwin)
+    nio4r (2.7.4)
+    nokogiri (1.16.8)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    nokogiri (1.15.2-x86_64-linux)
+    nokogiri (1.16.8-arm64-darwin)
       racc (~> 1.4)
+    nokogiri (1.16.8-x86_64-linux)
+      racc (~> 1.4)
+    nostr (0.6.0)
+      bech32 (~> 1.4)
+      bip-schnorr (~> 0.7)
+      ecdsa (~> 1.2)
+      event_emitter (~> 0.2)
+      faye-websocket (~> 0.11)
+      json (~> 2.6)
+    observer (0.1.2)
     orm_adapter (0.5.0)
-    pagy (6.0.4)
-    parallel (1.23.0)
-    parser (3.2.2.3)
+    ostruct (0.6.1)
+    pagy (6.5.0)
+    parallel (1.27.0)
+    parser (3.3.8.0)
       ast (~> 2.4.1)
       racc
-    pg (1.2.3)
-    public_suffix (5.0.1)
-    puma (4.3.12)
+    pg (1.5.9)
+    pp (0.6.2)
+      prettyprint
+    prettyprint (0.2.0)
+    prism (1.4.0)
+    propshaft (1.1.0)
+      actionpack (>= 7.0.0)
+      activesupport (>= 7.0.0)
+      rack
+      railties (>= 7.0.0)
+    psych (5.2.3)
+      date
+      stringio
+    public_suffix (6.0.1)
+    puma (6.6.0)
       nio4r (~> 2.0)
     raabro (1.4.0)
-    racc (1.7.1)
-    rack (2.2.7)
-    rack-protection (3.0.6)
-      rack
-    rack-test (2.1.0)
+    racc (1.8.1)
+    rack (2.2.13)
+    rack-protection (3.2.0)
+      base64 (>= 0.1.0)
+      rack (~> 2.2, >= 2.2.4)
+    rack-session (1.0.2)
+      rack (< 3)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rails (7.0.5)
-      actioncable (= 7.0.5)
-      actionmailbox (= 7.0.5)
-      actionmailer (= 7.0.5)
-      actionpack (= 7.0.5)
-      actiontext (= 7.0.5)
-      actionview (= 7.0.5)
-      activejob (= 7.0.5)
-      activemodel (= 7.0.5)
-      activerecord (= 7.0.5)
-      activestorage (= 7.0.5)
-      activesupport (= 7.0.5)
+    rackup (1.0.1)
+      rack (< 3)
+      webrick
+    rails (8.0.2)
+      actioncable (= 8.0.2)
+      actionmailbox (= 8.0.2)
+      actionmailer (= 8.0.2)
+      actionpack (= 8.0.2)
+      actiontext (= 8.0.2)
+      actionview (= 8.0.2)
+      activejob (= 8.0.2)
+      activemodel (= 8.0.2)
+      activerecord (= 8.0.2)
+      activestorage (= 8.0.2)
+      activesupport (= 8.0.2)
       bundler (>= 1.15.0)
-      railties (= 7.0.5)
+      railties (= 8.0.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
       activesupport (>= 5.0.1.rc1)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.0)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails-settings-cached (2.8.3)
       activerecord (>= 5.0.0)
       railties (>= 5.0.0)
-    railties (7.0.5)
-      actionpack (= 7.0.5)
-      activesupport (= 7.0.5)
-      method_source
+    railties (8.0.2)
+      actionpack (= 8.0.2)
+      activesupport (= 8.0.2)
+      irb (~> 1.13)
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.0.6)
+    rake (13.2.1)
     rb-fsevent (0.11.2)
-    rb-inotify (0.10.1)
+    rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rbs (2.8.4)
-    redis (4.8.1)
-    regexp_parser (2.8.1)
-    responders (3.1.0)
+    rbs (3.9.2)
+      logger
+    rdoc (6.13.1)
+      psych (>= 4.0.0)
+    redis (5.4.0)
+      redis-client (>= 0.22.0)
+    redis-client (0.24.0)
+      connection_pool
+    regexp_parser (2.10.0)
+    reline (0.6.1)
+      io-console (~> 0.5)
+    responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    reverse_markdown (2.1.1)
+    reverse_markdown (3.0.0)
       nokogiri
-    rexml (3.2.5)
+    rexml (3.4.1)
     rqrcode (2.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 1.0)
     rqrcode_core (1.2.0)
-    rspec-core (3.12.2)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.3)
+    rspec-core (3.13.3)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.5)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.2)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.3)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      railties (>= 6.1)
-      rspec-core (~> 3.12)
-      rspec-expectations (~> 3.12)
-      rspec-mocks (~> 3.12)
-      rspec-support (~> 3.12)
-    rspec-support (3.12.0)
-    rubocop (1.52.1)
+      rspec-support (~> 3.13.0)
+    rspec-rails (7.1.1)
+      actionpack (>= 7.0)
+      activesupport (>= 7.0)
+      railties (>= 7.0)
+      rspec-core (~> 3.13)
+      rspec-expectations (~> 3.13)
+      rspec-mocks (~> 3.13)
+      rspec-support (~> 3.13)
+    rspec-support (3.13.2)
+    rubocop (1.75.3)
       json (~> 2.3)
+      language_server-protocol (~> 3.17.0.2)
+      lint_roller (~> 1.1.0)
       parallel (~> 1.10)
-      parser (>= 3.2.2.3)
+      parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.28.0, < 2.0)
+      regexp_parser (>= 2.9.3, < 3.0)
+      rubocop-ast (>= 1.44.0, < 2.0)
       ruby-progressbar (~> 1.7)
-      unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.29.0)
-      parser (>= 3.2.1.0)
+      unicode-display_width (>= 2.4.0, < 4.0)
+    rubocop-ast (1.44.1)
+      parser (>= 3.3.7.2)
+      prism (~> 1.4)
     ruby-progressbar (1.13.0)
-    ruby2_keywords (0.0.5)
-    rufus-scheduler (3.9.1)
-      fugit (~> 1.1, >= 1.1.6)
-    sanitize (6.0.1)
+    ruby-vips (2.2.3)
+      ffi (~> 1.12)
+      logger
+    sanitize (7.0.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
-    sentry-rails (5.9.0)
+      nokogiri (>= 1.16.8)
+    securerandom (0.4.1)
+    sentry-rails (5.23.0)
       railties (>= 5.0)
-      sentry-ruby (~> 5.9.0)
-    sentry-ruby (5.9.0)
+      sentry-ruby (~> 5.23.0)
+    sentry-ruby (5.23.0)
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
-    sidekiq (6.5.9)
-      connection_pool (>= 2.2.5, < 3)
-      rack (~> 2.0)
-      redis (>= 4.5.0, < 5)
-    sidekiq-scheduler (5.0.3)
-      rufus-scheduler (~> 3.2)
-      sidekiq (>= 6, < 8)
-      tilt (>= 1.4.0)
-    solargraph (0.49.0)
+    solargraph (0.54.2)
       backport (~> 1.2)
-      benchmark
+      benchmark (~> 0.4)
       bundler (~> 2.0)
       diff-lcs (~> 1.4)
-      e2mmap
-      jaro_winkler (~> 1.5)
+      jaro_winkler (~> 1.6)
       kramdown (~> 2.3)
       kramdown-parser-gfm (~> 1.1)
+      logger (~> 1.6)
+      observer (~> 0.1)
+      ostruct (~> 0.6)
       parser (~> 3.0)
-      rbs (~> 2.0)
-      reverse_markdown (~> 2.0)
+      rbs (~> 3.3)
+      reverse_markdown (~> 3.0)
       rubocop (~> 1.38)
       thor (~> 1.0)
       tilt (~> 2.0)
       yard (~> 0.9, >= 0.9.24)
-    sprockets (4.2.0)
-      concurrent-ruby (~> 1.0)
-      rack (>= 2.2.4, < 4)
-    sprockets-rails (3.4.2)
-      actionpack (>= 5.2)
-      activesupport (>= 5.2)
-      sprockets (>= 3.0.0)
-    sqlite3 (1.6.3-arm64-darwin)
-    sqlite3 (1.6.3-x86_64-linux)
-    stimulus-rails (1.2.1)
-      railties (>= 6.0.0)
-    thor (1.2.2)
-    tilt (2.2.0)
-    timeout (0.3.2)
-    turbo-rails (1.4.0)
-      actionpack (>= 6.0.0)
-      activejob (>= 6.0.0)
+      yard-solargraph (~> 0.1)
+    solid_queue (1.1.5)
+      activejob (>= 7.1)
+      activerecord (>= 7.1)
+      concurrent-ruby (>= 1.3.1)
+      fugit (~> 1.11.0)
+      railties (>= 7.1)
+      thor (~> 1.3.1)
+    sqlite3 (2.6.0)
+      mini_portile2 (~> 2.8.0)
+    sqlite3 (2.6.0-arm64-darwin)
+    sqlite3 (2.6.0-x86_64-linux-gnu)
+    stimulus-rails (1.3.4)
       railties (>= 6.0.0)
+    stringio (3.1.7)
+    thor (1.3.2)
+    tilt (2.6.0)
+    timeout (0.4.3)
+    turbo-rails (2.0.13)
+      actionpack (>= 7.1.0)
+      railties (>= 7.1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.4.2)
-    view_component (3.2.0)
-      activesupport (>= 5.2.0, < 8.0)
-      concurrent-ruby (~> 1.0)
+    unicode-display_width (3.1.4)
+      unicode-emoji (~> 4.0, >= 4.0.4)
+    unicode-emoji (4.0.4)
+    uri (1.0.3)
+    useragent (0.16.11)
+    view_component (3.22.0)
+      activesupport (>= 5.2.0, < 8.1)
+      concurrent-ruby (= 1.3.4)
       method_source (~> 1.0)
     warden (1.2.9)
       rack (>= 2.0.9)
-    web-console (4.2.0)
+    web-console (4.2.1)
       actionview (>= 6.0.0)
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
-    webmock (3.18.1)
+    webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    websocket-driver (0.7.5)
+    webrick (1.9.1)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    yard (0.9.34)
-    zeitwerk (2.6.8)
+    yard (0.9.37)
+    yard-solargraph (0.1.0)
+      yard (~> 0.9)
+    zbase32 (0.1.1)
+    zeitwerk (2.7.2)
 
 PLATFORMS
   arm64-darwin-22
+  ruby
   x86_64-linux
 
 DEPENDENCIES
-  byebug (~> 11.1)
+  aasm
+  aws-sdk-s3
+  bcrypt (~> 3.1)
   capybara
   cssbundling-rails
   database_cleaner
@@ -429,43 +538,49 @@ DEPENDENCIES
   devise_ldap_authenticatable
   discourse_api
   dotenv-rails
+  down
   factory_bot_rails
   faker
   faraday
   flipper
   flipper-active_record
   flipper-ui
+  gpgme (~> 2.0.24)
+  image_processing (~> 1.12.2)
   importmap-rails
   jbuilder (~> 2.7)
+  kramdown
   letter_opener
   letter_opener_web
   listen (~> 3.2)
   lnurl
-  lockbox
+  manifique (~> 1.1.0)
+  mission_control-jobs
   net-ldap
-  nostr!
+  nostr (~> 0.6.0)
   pagy (~> 6.0, >= 6.0.2)
-  pg (~> 1.2.3)
-  puma (~> 4.1)
-  rails (~> 7.0.2)
+  pg (~> 1.5)
+  propshaft
+  puma (~> 6.6)
+  rails (~> 8.0)
   rails-controller-testing
   rails-settings-cached (~> 2.8.3)
+  redis (~> 5.4)
   rqrcode (~> 2.0)
   rspec-rails
   sentry-rails
   sentry-ruby
-  sidekiq (< 7)
-  sidekiq-scheduler
   solargraph
-  sprockets-rails
-  sqlite3 (~> 1.4)
+  solid_queue
+  sqlite3 (>= 2.1)
   stimulus-rails
   turbo-rails
   tzinfo-data
   view_component
   warden
-  web-console (>= 3.3.0)
+  web-console (~> 4.2)
   webmock
+  zbase32 (~> 0.1.1)
 
 BUNDLED WITH
-   2.3.7
+   2.5.5

README.md

@@ -14,8 +14,10 @@ so:
 
 1. Make sure [Docker Compose is installed][1] and Docker is running (included in
    Docker Desktop)
-3. Run `docker compose up` and wait until 389ds announces its successful start
-   in the log output
+3. Run `docker compose up --build` and wait until all services have started
+   (389ds might take an extra minute to be ready). This will take a while when
+   running for the first time, so you might want to do something else in the
+   meantime.
 4. `docker-compose exec ldap dsconf localhost backend create --suffix="dc=kosmos,dc=org" --be-name="dev"`
 5. `docker compose run web rails ldap:setup`
 6. `docker compose run web rails db:setup`
@@ -28,38 +30,44 @@ have the password "user is user".
 
 ### Rails app
 
+_Note: when using Docker Compose, prefix the following commands with `docker-compose
+run web`._
+
 Installing dependencies:
 
     bundle install
     yarn install
 
-Setting up local database (SQLite):
+Migrating the local database (after schema changes):
 
-    bundle exec rails db:create
     bundle exec rails db:migrate
 
-Running the dev server and auto-building CSS files on change:
+Running the dev server, and auto-building CSS files on change _(automatic with Docker Compose)_:
 
     bin/dev
 
-Running the background workers (requires Redis):
+Running the background workers (requires Redis) _(automatic with Docker Compose)_:
 
     bundle exec sidekiq -C config/sidekiq.yml
 
-Running all specs:
+Running the test suite:
 
     bundle exec rspec
 
-### Docker (Compose)
+Running the test suite with Docker Compose requires overriding the Rails
+environment:
 
-There is a working Docker Compose config file, which define a number of services including
-an app server for Rails as well as a local 389ds (LDAP) server.
+    docker-compose exec -e "RAILS_ENV=test" web rspec
 
-For Rails developers, you probably just want to start the LDAP server: `docker-compose up ldap`, 
-listening on port 389 on your machine. 
+### Docker Compose
 
-You can pick and choose your services adding them by name (listed in `docker-compose.yml`) at 
-the end of the docker compose command. eg. `docker compose up ldap redis`
+Services/containers are configured in `docker-compose.yml`.
+
+You can run services selectively, for example if you want to run the Rails app
+and test suite on the host machine. Just add the service names of the
+containers you want to run to the `up` command, like so:
+
+    docker-compose up ldap redis
 
 #### LDAP server
 
@@ -76,8 +84,24 @@ Now you can seed the back-end with data using this Rails task:
 The setup task will first delete any existing entries in the directory tree
 ("dc=kosmos,dc=org"), and then create our development entries.
 
-Note that all 389ds data is stored in `tmp/389ds`. So if you want to start over
-with a fresh installation, delete both that directory as well as the container.
+Note that all 389ds data is stored in the `389ds-data` volume. So if you want
+to start over with a fresh installation, delete both that volume as well as the
+container.
+
+#### Minio / remoteStorage
+
+If you want to run remoteStorage accounts locally, you will have to create the
+respective bucket first. With the `minio` container running (run by default
+when using Docker Compose), follow these steps:
+
+* `docker compose up web redis minio liquor-cabinet`
+* Head to http://localhost:9001 and log in with user `minioadmin`, password
+  `minioadmin`
+* Create a new bucket called `remotestorage` (or whatever you
+  change the `S3_BUCKET` config to)
+* Create a new key with ID "dev-key" and secret "123456789" (or whatever you
+  change `S3_ACCESS_KEY` and `S3_SECRET_KEY` to). Leave the policy field empty,
+  as it will automatically allow access to the bucket you created.
 
 ### Adding npm modules to use with Stimulus controllers
 
@@ -104,6 +128,7 @@ command:
 
 ### Front-end
 
+* [Icons](https://feathericons.com)
 * [Tailwind CSS](https://tailwindcss.com/)
 * [Sass](https://sass-lang.com/documentation)
 * [Stimulus](https://stimulus.hotwired.dev/handbook/)

app/assets/config/manifest.js

@@ -1,4 +0,0 @@
-//= link_tree ../images
-//= link_tree ../../javascript .js
-//= link_tree ../builds
-//= link_tree ../../../vendor/javascript .js

app/assets/stylesheets/application.tailwind.css

@@ -7,7 +7,6 @@
 @import "components/buttons";
 @import "components/dashboard_services";
 @import "components/forms";
-@import "components/links";
 @import "components/notifications";
 @import "components/pagination";
 @import "components/tables";

app/assets/stylesheets/components/base.css

@@ -6,6 +6,7 @@
   body {
     @apply leading-none bg-cover bg-fixed;
     background-image: linear-gradient(35deg, rgba(255,0,255,0.2) 0, rgba(13,79,153,0.8) 100%), url('/img/bg-1.jpg');
+    color: black;
   }
 
   body#admin {
@@ -32,6 +33,10 @@
     @apply pt-8 sm:pt-12;
   }
 
+  main section h3:not(:first-child) {
+    @apply mt-8;
+  }
+
   main section:first-of-type {
     @apply pt-0;
   }
@@ -55,4 +60,11 @@
   main ul li {
     @apply leading-6;
   }
+
+  main a:not(nav > *) {
+    @apply text-blue-600;
+    &:hover   { @apply underline; }
+    &:visited { @apply text-indigo-600; }
+    &:active  { @apply text-red-600; }
+  }
 }

app/assets/stylesheets/components/buttons.css

@@ -1,5 +1,15 @@
 @layer components {
+  .btn-text-dark          { @apply text-black; }
+  .btn-text-dark:hover    { @apply text-black no-underline; }
+  .btn-text-dark:visited  { @apply text-black; }
+  .btn-text-dark:active   { @apply text-black; }
+  .btn-text-light         { @apply text-white; }
+  .btn-text-light:hover   { @apply text-white no-underline; }
+  .btn-text-light:visited { @apply text-white; }
+  .btn-text-light:active  { @apply text-white; }
+
   .btn {
+    @apply btn-text-dark;
     @apply inline-block font-semibold rounded-md leading-none cursor-pointer text-center
            transition-colors duration-75 focus:outline-none focus:ring-4;
   }
@@ -28,15 +38,28 @@
   }
 
   .btn-blue {
-    @apply bg-blue-500 hover:bg-blue-600 text-white
+    @apply btn-text-light;
+    @apply bg-blue-500 hover:bg-blue-600
            focus:ring-blue-400 focus:ring-opacity-75;
   }
 
+  .btn-emerald {
+    @apply btn-text-light;
+    @apply bg-emerald-500 hover:bg-emerald-600
+           focus:ring-emerald-400 focus:ring-opacity-75;
+  }
+
   .btn-red {
-    @apply bg-red-600 hover:bg-red-700 text-white
+    @apply btn-text-light;
+    @apply bg-red-600 hover:bg-red-700
            focus:ring-red-500 focus:ring-opacity-75;
   }
 
+  .btn-outline-purple {
+    @apply border-2 border-purple-500 hover:bg-purple-100
+           focus:ring-purple-400 focus:ring-opacity-75;
+  }
+
   .btn:disabled {
     @apply bg-gray-100 hover:bg-gray-200 text-gray-400
            focus:ring-gray-300 focus:ring-opacity-75;

app/assets/stylesheets/components/dashboard_services.css

@@ -1,5 +1,5 @@
 @layer components {
   .services > div > a {
-    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 0, rgba(255,255,255,0.88) 100%);
+    background-image: linear-gradient(110deg, rgba(255,255,255,0.99) 20%, rgba(255,255,255,0.88) 100%);
   }
 }

app/assets/stylesheets/components/links.css

@@ -1,8 +0,0 @@
-@layer components {
-  .ks-text-link {
-    @apply text-blue-600;
-    &:hover   { @apply underline; }
-    &:visited { @apply text-indigo-600; }
-    &:active  { @apply text-red-600; }
-  }
-}

app/assets/stylesheets/components/pagination.css

@@ -34,7 +34,7 @@
   .pagy-nav .page a, .page.gap {
     @apply bg-white border-gray-300 text-gray-500 hover:bg-gray-100 relative
            inline-flex items-center border px-4 py-2 text-sm font-medium
-           focus:z-20;
+           no-underline focus:z-20;
   }
 
   .pagy-nav .page.active {

app/components/app_catalog/web_app_icon_component.html.erb

@@ -0,0 +1,5 @@
+<% if @image_url %>
+  <%= image_tag @image_url, class: "h-full w-full" %>
+<% else %>
+  <%= render partial: "icons/remotestorage", locals: { custom_class: "h-full w-full p-0.5 text-gray-200" } %>
+<% end %>

app/components/app_catalog/web_app_icon_component.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module AppCatalog
+  class WebAppIconComponent < ViewComponent::Base
+    include ApplicationHelper
+
+    def initialize(web_app:)
+      if web_app&.icon&.attached?
+        @image_url = image_url_for(web_app.icon)
+      elsif web_app&.apple_touch_icon&.attached?
+        @image_url = image_url_for(web_app.apple_touch_icon)
+      end
+    end
+  end
+end

app/components/dropdown_component.html.erb

@@ -0,0 +1,34 @@
+<div data-controller="dropdown" data-action="click->dropdown#toggle click@window->dropdown#hide">
+  <div class="relative inline-block">
+    <div role="button" tabindex="0" data-dropdown-target="button"
+         class="inline-block select-none">
+      <% if @size == :large %>
+      <span class="appearance-none flex items-center inline-block">
+        <span class="p-2 bg-gray-50 hover:bg-gray-100 rounded-full">
+          <%= render partial: "icons/#{@icon_name}",
+                     locals: { custom_class: "inline text-gray-500 h-6 w-6" } %>
+        </span>
+      </span>
+      <% elsif @size == :small %>
+      <span class="appearance-none flex items-center inline-block">
+        <span class="text-gray-500 hover:text-blue-600">
+          <%= render partial: "icons/#{@icon_name}",
+                     locals: { custom_class: "inline h-4 w-4" } %>
+        </span>
+      </span>
+      <% end %>
+    </div>
+    <div data-dropdown-target="menu"
+         data-transition-enter="transition ease-out duration-200"
+         data-transition-enter-from="opacity-0 translate-y-1"
+         data-transition-enter-to="opacity-100 translate-y-0"
+         data-transition-leave="transition ease-in duration-150"
+         data-transition-leave-from="opacity-100 translate-y-0"
+         data-transition-leave-to="opacity-0 translate-y-1"
+         class="hidden absolute top-4 right-0 z-10 mt-5 flex w-screen max-w-max">
+      <div class="bg-white shadow-lg rounded border overflow-hidden w-auto">
+        <%= content %>
+      </div>
+    </div>
+  </div>
+</div>

app/components/dropdown_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class DropdownComponent < ViewComponent::Base
+  def initialize(size: :large, icon_name: "kebap-menu")
+    @size = size.to_sym
+    @icon_name = icon_name
+  end
+end

app/components/dropdown_link_component.html.erb

@@ -0,0 +1,6 @@
+<%= link_to @href, class: @class, target: @target, data: {
+      'dropdown-target': "menuItem",
+      'action': "keydown.up->dropdown#previousItem:prevent keydown.down->dropdown#nextItem:prevent"
+    } do %>
+  <%= content %>
+<% end %>

app/components/dropdown_link_component.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+class DropdownLinkComponent < ViewComponent::Base
+  def initialize(href:, open_in_new_tab: false, separator: false, add_class: nil)
+    @href = href
+    @target = open_in_new_tab ? "_blank" : nil
+    @class = class_str(separator, add_class)
+  end
+
+  private
+
+  def class_str(separator, add_class)
+    str = "no-underline block px-5 py-3 text-sm text-gray-900 bg-white
+           hover:bg-gray-100 focus:bg-gray-100 whitespace-no-wrap"
+    str = "#{str} border-t" if separator
+    str = "#{str} #{add_class}" if add_class
+    str
+  end
+end

app/components/edit_content_button_component.html.erb

@@ -0,0 +1,30 @@
+<div class="inline-block text-left" data-controller="modal" data-action="keydown.esc->modal#close">
+  <button class="btn-md btn-outline text-red-600" data-action="click->modal#open" title="Edit">
+    <%= content || "Edit" %>
+  </button>
+
+  <%= render ModalComponent.new(show_close_button: false) do %>
+    <%= form_with model: [:admin, @editable_content],
+                  html: { autocomplete: "off" } do |form| %>
+      <%= form.hidden_field :redirect_to, value: @redirect_to  %>
+      <p class="mb-2">
+        <%= form.label :content, @editable_content.key.capitalize, class: 'font-bold' %>
+      </p>
+      <% if @editable_content.rich_text %>
+        <p>
+          <%= form.textarea :content, class: "md:w-[56rem] md:h-[28rem]" %>
+        </p>
+        <p class="text-right">
+          <%= form.submit "Save", class: "ml-2 btn-md btn-blue" %>
+        </p>
+      <% else %>
+        <p class="">
+          <%= form.text_field :content, class: "w-80" %>
+        </p>
+        <p>
+          <%= form.submit "Save", class: "btn-md btn-blue w-full" %>
+        </p>
+      <% end %>
+    <% end %>
+  <% end %>
+</div>

app/components/edit_content_button_component.rb

@@ -0,0 +1,6 @@
+class EditContentButtonComponent < ViewComponent::Base
+  def initialize(context:, key:, rich_text: false, redirect_to: nil)
+    @editable_content = EditableContent.find_or_create_by(context:, key:, rich_text:)
+    @redirect_to = redirect_to
+  end
+end

app/components/editable_content_component.html.erb

@@ -0,0 +1,9 @@
+<% if @editable_content.has_content? %>
+  <% if @editable_content.rich_text %>
+    <%= helpers.markdown_to_html @editable_content.content %>
+  <% else %>
+    <%= @editable_content.content %>
+  <% end %>
+<% else %>
+  <%= @default %>
+<% end %>

app/components/editable_content_component.rb

@@ -0,0 +1,6 @@
+class EditableContentComponent < ViewComponent::Base
+  def initialize(context:, key:, rich_text: false, default: nil)
+    @editable_content = EditableContent.find_or_create_by(context:, key:, rich_text:)
+    @default = default
+  end
+end

app/components/form_elements/fieldset_resettable_setting_component.html.erb

@@ -6,6 +6,7 @@
     ) do %>
   <%= method("#{@type}_field").call :setting, @key,
     value: Setting.public_send(@key),
+    placeholder: @placeholder,
     data: {
       :'default-value' => Setting.get_field(@key)[:default]
     },

app/components/form_elements/fieldset_resettable_setting_component.rb

@@ -2,14 +2,15 @@
 
 module FormElements
   class FieldsetResettableSettingComponent < ViewComponent::Base
-    def initialize(tag: "li", key:, type: :text, title:, description: nil)
+    def initialize(tag: "li", key:, type: :text, title:, description: nil, placeholder: nil)
       @tag         = tag
       @positioning = :vertical
       @title       = title
-      @descripton  = description
+      @description  = description
       @key         = key.to_sym
       @type        = type
       @resettable  = is_resettable?(@key)
+      @placeholder = placeholder
     end
 
     def is_resettable?(key)

app/components/form_elements/fieldset_toggle_component.html.erb

@@ -5,7 +5,9 @@
       } : nil do %>
   <div class="flex flex-col">
     <label class="font-bold mb-1"><%= @title %></label>
-    <p class="text-gray-500"><%= @descripton %></p>
+    <% if @description.present? %>
+    <p class="text-gray-500"><%= @description %></p>
+    <% end %>
   </div>
   <div class="relative ml-4 inline-flex flex-shrink-0">
     <%= render FormElements::ToggleComponent.new(

app/components/form_elements/fieldset_toggle_component.rb

@@ -3,7 +3,7 @@
 module FormElements
   class FieldsetToggleComponent < ViewComponent::Base
     def initialize(tag: "li", form: nil, attribute: nil, field_name: nil,
-                   enabled: false, input_enabled: true, title:, description:)
+                   enabled: false, input_enabled: true, title:, description: nil)
       @tag = tag
       @form = form
       @attribute = attribute
@@ -12,7 +12,7 @@ module FormElements
       @enabled = enabled
       @input_enabled = input_enabled
       @title = title
-      @descripton = description
+      @description = description
       @button_text = @enabled ? "Switch off" : "Switch on"
     end
   end

app/components/main_compact_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-xl mx-auto pb-12 px-4 sm:px-6 lg:px-8">
+<main class="w-full max-w-xl mx-auto px-4 sm:px-6 lg:px-8">
   <div class="bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
     <%= content %>
   </div>

app/components/main_simple_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
   <div class="md:min-h-[50vh] bg-white rounded-lg shadow px-6 sm:px-12 py-8 sm:py-12">
     <%= content %>
   </div>

app/components/main_with_sidenav_component.html.erb

@@ -1,4 +1,4 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
   <div class="bg-white rounded-lg shadow">
     <div class="md:min-h-[50vh] divide-y divide-gray-200 lg:grid lg:grid-cols-12 lg:divide-y-0 lg:divide-x">
       <aside class="py-6 sm:py-8 lg:col-span-3">

app/components/main_with_tabnav_component.html.erb

@@ -1,5 +1,5 @@
-<main class="w-full max-w-6xl mx-auto pb-12 px-4 md:px-6 lg:px-8">
-  <div class="bg-white rounded-lg shadow">
+<main class="w-full max-w-6xl mx-auto px-4 md:px-6 lg:px-8">
+  <div class="md:min-h-[50vh] bg-white rounded-lg shadow">
     <div class="px-6 sm:px-12 pt-2 sm:pt-4">
       <%= render partial: @tabnav_partial %>
     </div>

app/components/modal_component.html.erb

@@ -12,15 +12,17 @@
 
     <!-- Modal Container -->
     <div data-modal-target="container"
-         class="max-h-screen w-auto max-w-lg relative
+         class="relative m-4 max-h-screen w-auto max-w-full
                 hidden animate-scale-in fixed inset-0 overflow-y-auto flex items-center justify-center">
       <!-- Modal Card -->
       <div class="m-1 bg-white rounded shadow">
         <div class="p-8">
           <%= content %>
+          <% if @show_close_button %>
           <div class="flex justify-end items-center flex-wrap mt-6">
             <button class="btn-md btn-blue" data-action="click->modal#close:prevent">Close</button>
           </div>
+          <% end %>
         </div>
       </div>
     </div>

app/components/modal_component.rb

@@ -1,2 +1,5 @@
 class ModalComponent < ViewComponent::Base
+  def initialize(show_close_button: true)
+    @show_close_button = show_close_button
+  end
 end

app/components/notification_component.rb

@@ -34,6 +34,8 @@ class NotificationComponent < ViewComponent::Base
       'alert-octagon'
     when 'alert'
       'alert-octagon'
+    when 'warning'
+      'alert-octagon'
     else
       'info'
     end

app/components/rs_auth_component.html.erb

@@ -0,0 +1,27 @@
+<div class="flex items-center gap-4">
+  <div class="h-16 w-16 flex-none">
+    <%= render AppCatalog::WebAppIconComponent.new(web_app: @web_app) %>
+  </div>
+  <div class="flex-grow">
+    <h4 class="mb-1 text-lg font-bold">
+      <%= @web_app&.name || @auth.app_name %>
+    </h4>
+    <p class="text-sm text-gray-500">
+      <%= @auth.client_id %>
+    </p>
+  </div>
+  <%= render DropdownComponent.new do %>
+    <%= render DropdownLinkComponent.new(
+          href: launch_app_services_storage_rs_auth_url(@auth),
+          open_in_new_tab: true
+        ) do %>
+      Launch app
+    <% end %>
+    <%= render DropdownLinkComponent.new(
+          href: revoke_services_storage_rs_auth_url(@auth),
+          separator: true, add_class: "text-red-700"
+        ) do %>
+      Revoke access
+    <% end %>
+  <% end %>
+</div>

app/components/rs_auth_component.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class RsAuthComponent < ViewComponent::Base
+  def initialize(auth:)
+    @auth = auth
+    @web_app = auth.web_app
+  end
+end

app/components/sidenav_link_component.html.erb

@@ -1,4 +1,8 @@
 <%= link_to @path, class: @link_class, title: (@disabled ? "Coming soon" : nil) do %>
+  <% if @icon.present? %>
   <%= render partial: "icons/#{@icon}", locals: { custom_class: @icon_class } %>
+  <% elsif @text_icon.present? %>
+  <span class="mr-3"><%= @text_icon %></span>
+  <% end %>
   <span class="truncate"><%= @name %></span>
 <% end %>

app/components/sidenav_link_component.rb

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 
 class SidenavLinkComponent < ViewComponent::Base
-  def initialize(name:, level: 1, path:, icon:, active: false, disabled: false)
+  def initialize(name:, level: 1, path:, icon: nil, text_icon: nil,
+                 active: false, disabled: false)
     @name = name
     @level = level
     @path = path
     @icon = icon
+    @text_icon = text_icon
     @active = active
     @disabled = disabled
     @link_class = class_names_link(path)
@@ -27,7 +29,7 @@ class SidenavLinkComponent < ViewComponent::Base
 
   def class_names_icon(path)
     if @active
-      "text-teal-500 group-hover:text-teal-500 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
+      "text-teal-600 group-hover:text-teal-600 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
     elsif @disabled
       "text-gray-300 group-hover:text-gray-300 flex-shrink-0 -ml-1 mr-3 h-6 w-6"
     else

app/controllers/admin/app_catalog/web_apps_controller.rb

@@ -0,0 +1,9 @@
+class Admin::AppCatalog::WebAppsController < Admin::AppCatalogController
+  def index
+    @pagy, @web_apps = pagy(AppCatalog::WebApp.order('created_at desc'))
+
+    @stats = {
+      known_apps: AppCatalog::WebApp.count
+    }
+  end
+end

app/controllers/admin/app_catalog_controller.rb

@@ -0,0 +1,9 @@
+class Admin::AppCatalogController < Admin::BaseController
+  before_action :set_current_section
+
+  private
+
+    def set_current_section
+      @current_section = :app_catalog
+    end
+end

app/controllers/admin/donations_controller.rb

@@ -3,18 +3,27 @@ class Admin::DonationsController < Admin::BaseController
   before_action :set_current_section, only: [:index, :show, :new, :edit]
 
   # GET /donations
-  # GET /donations.json
   def index
-    @pagy, @donations = pagy(Donation.all.order('created_at desc'))
+    @username = params[:username].presence
+
+    pending_scope   = Donation.incomplete.joins(:user).order('paid_at desc')
+    completed_scope = Donation.completed.joins(:user).order('paid_at desc')
+
+    if @username
+      pending_scope   = pending_scope.where(users: { cn: @username })
+      completed_scope = completed_scope.where(users: { cn: @username })
+    end
+
+    @pending_donations = pending_scope
+    @pagy, @donations  = pagy(completed_scope)
 
     @stats = {
-      overall_sats: @donations.all.sum("amount_sats"),
-      donor_count: Donation.distinct.count(:user_id)
+      overall_sats: completed_scope.sum("amount_sats"),
+      donor_count: completed_scope.distinct.count(:user_id)
     }
   end
 
   # GET /donations/1
-  # GET /donations/1.json
   def show
   end
 
@@ -28,54 +37,41 @@ class Admin::DonationsController < Admin::BaseController
   end
 
   # POST /donations
-  # POST /donations.json
   def create
     @donation = Donation.new(donation_params)
 
-    respond_to do |format|
-      if @donation.save
-        format.html do
-          redirect_to admin_donation_url(@donation), flash: {
-            success: 'Donation was successfully created.'
-          }
-        end
-        format.json { render :show, status: :created, location: @donation }
-      else
-        format.html { render :new, status: :unprocessable_entity }
-        format.json { render json: @donation.errors, status: :unprocessable_entity }
-      end
+    if @donation.paid_at == nil
+      @donation.errors.add(:paid_at, message: "is required")
+      render :new, status: :unprocessable_entity and return
+    end
+
+    if @donation.save
+      redirect_to admin_donation_url(@donation), flash: {
+        success: 'Donation was successfully created.'
+      }
+    else
+      render :new, status: :unprocessable_entity
     end
   end
 
-  # PATCH/PUT /donations/1
-  # PATCH/PUT /donations/1.json
+  # PUT /donations/1
   def update
-    respond_to do |format|
-      if @donation.update(donation_params)
-        format.html do
-          redirect_to admin_donation_url(@donation), flash: {
-            success: 'Donation was successfully updated.'
-          }
-        end
-        format.json { render :show, status: :ok, location: @donation }
-      else
-        format.html { render :edit, status: :unprocessable_entity }
-        format.json { render json: @donation.errors, status: :unprocessable_entity }
-      end
+    if @donation.update(donation_params)
+      redirect_to admin_donation_url(@donation), flash: {
+        success: 'Donation was successfully updated.'
+      }
+    else
+      render :edit, status: :unprocessable_entity
     end
   end
 
   # DELETE /donations/1
-  # DELETE /donations/1.json
   def destroy
     @donation.destroy
-    respond_to do |format|
-      format.html do redirect_to admin_donations_url, flash: {
-        success: 'Donation was successfully destroyed.'
-      }
-      end
-      format.json { head :no_content }
-    end
+
+    redirect_to admin_donations_url, flash: {
+      success: 'Donation was successfully destroyed.'
+    }
   end
 
   private
@@ -86,7 +82,10 @@ class Admin::DonationsController < Admin::BaseController
 
     # Only allow a list of trusted parameters through.
     def donation_params
-      params.require(:donation).permit(:user_id, :amount_sats, :amount_eur, :amount_usd, :public_name, :paid_at)
+      params.require(:donation).permit(
+        :user_id, :donation_method,
+        :amount_sats, :fiat_amount, :fiat_currency,
+        :public_name, :paid_at)
     end
 
     def set_current_section

app/controllers/admin/editable_contents_controller.rb

@@ -0,0 +1,45 @@
+class Admin::EditableContentsController < Admin::BaseController
+  before_action :set_content, only: [:show, :edit, :update]
+  before_action :set_current_section, only: [:index, :show, :edit]
+
+  def index
+    @path = params[:path].presence
+    scope = EditableContent.order(path: :asc)
+    scope = scope.where(path: @path) if @path
+    @pagy, @contents = pagy(scope)
+  end
+
+  def show
+  end
+
+  def edit
+  end
+
+  def update
+    return_to = params[:editable_content][:redirect_to].presence
+
+    if @editable_content.update(content_params)
+      if return_to
+        redirect_to return_to
+      else
+        render status: :ok
+      end
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def set_content
+    @editable_content = EditableContent.find(params[:id])
+  end
+
+  def content_params
+    params.require(:editable_content).permit(:path, :key, :lang, :content, :rich_text)
+  end
+
+  def set_current_section
+    @current_section = :content
+  end
+end

app/controllers/admin/invitations_controller.rb

@@ -1,12 +1,28 @@
 class Admin::InvitationsController < Admin::BaseController
+  before_action :set_current_section
+
   def index
-    @current_section = :invitations
-    @pagy, @invitations_used = pagy(Invitation.used.order('used_at desc'))
+    @username = params[:username].presence
+    accepted_scope = Invitation.used.order('used_at desc')
+    unused_scope = Invitation.unused
+
+    if @username
+      accepted_scope = accepted_scope.joins(:user).where(users: { cn: @username })
+      unused_scope = unused_scope.joins(:user).where(users: { cn: @username })
+    end
+
+    @pagy, @invitations_used = pagy(accepted_scope)
 
     @stats = {
-      available: Invitation.unused.count,
-      accepted: @invitations_used.length,
-      users_with_referrals: Invitation.used.distinct.count(:user_id)
+      available: unused_scope.count,
+      accepted: accepted_scope.count,
+      users_with_referrals: accepted_scope.distinct.count(:user_id)
     }
   end
+
+  private
+
+    def set_current_section
+      @current_section = :invitations
+    end
 end

app/controllers/admin/lightning_controller.rb

@@ -4,7 +4,7 @@ class Admin::LightningController < Admin::BaseController
   def index
     @current_section = :lightning
 
-    @users = User.pluck(:cn, :ou, :ln_account)
+    @users = User.pluck(:cn, :ou, :lndhub_username)
     @accounts = LndhubAccount.with_balances.order(balance: :desc).to_a
 
     @ln = {}

app/controllers/admin/settings/membership_controller.rb

@@ -0,0 +1,23 @@
+class Admin::Settings::MembershipController < Admin::SettingsController
+  def show
+  end
+
+  def update
+    update_settings
+
+    redirect_to admin_settings_membership_path, flash: {
+      success: "Settings saved"
+    }
+  end
+
+  private
+
+    def setting_params
+      params.require(:setting).permit([
+        :member_status_contributor,
+        :member_status_sustainer,
+        :user_index_show_contributors,
+        :user_index_show_sustainers
+      ])
+    end
+end

app/controllers/admin/settings/registrations_controller.rb

@@ -1,12 +1,20 @@
 class Admin::Settings::RegistrationsController < Admin::SettingsController
-  def index
+  def show
   end
 
-  def create
+  def update
     update_settings
 
     redirect_to admin_settings_registrations_path, flash: {
       success: "Settings saved"
     }
   end
+
+  private
+
+    def setting_params
+      params.require(:setting).permit([
+        :reserved_usernames, default_services: []
+      ])
+    end
 end

app/controllers/admin/settings/services_controller.rb

@@ -1,19 +1,32 @@
 class Admin::Settings::ServicesController < Admin::SettingsController
-  def index
-    @service = params[:s]
+  before_action :set_service, only: [:show, :update]
 
-    if @service.blank?
-      redirect_to admin_settings_services_path(params: { s: "discourse" })
-    end
+  def index
+    redirect_to admin_settings_service_path("btcpay")
   end
 
-  def create
-    service = params.require(:service)
+  def show
+  end
 
+  def update
     update_settings
 
-    redirect_to admin_settings_services_path(params: { s: service }), flash: {
+    redirect_to admin_settings_service_path(@service), flash: {
       success: "Settings saved"
     }
   end
+
+  private
+
+    def set_subsection
+      @subsection = "services"
+    end
+
+    def set_service
+      @service = params[:service]
+
+      if @service.blank?
+        redirect_to admin_settings_services_path and return
+      end
+    end
 end

app/controllers/admin/settings_controller.rb

@@ -9,22 +9,23 @@ class Admin::SettingsController < Admin::BaseController
     changed_keys = []
 
     setting_params.keys.each do |key|
-      next if setting_params[key].nil? ||
-              (Setting.send(key).to_s == setting_params[key].strip)
+      next if clean_param(key).nil? ||
+        (Setting.send(key).to_s == clean_param(key))
+
       changed_keys.push(key)
       setting = Setting.new(var: key)
-      setting.value = setting_params[key].strip
+      setting.value = clean_param(key)
       unless setting.valid?
         @errors.merge!(setting.errors)
       end
     end
 
     if @errors.any?
-      render :index and return
+      render :show and return
     end
 
     changed_keys.each do |key|
-      Setting.send("#{key}=", setting_params[key].strip)
+      Setting.send("#{key}=", clean_param(key))
     end
   end
 
@@ -37,4 +38,12 @@ class Admin::SettingsController < Admin::BaseController
     def setting_params
       params.require(:setting).permit(Setting.editable_keys.map(&:to_sym))
     end
+
+    def clean_param(key)
+      if Setting.get_field(key)[:type] == :string
+        setting_params[key].strip
+      else
+        setting_params[key]
+      end
+    end
 end

app/controllers/admin/users_controller.rb

@@ -1,32 +1,71 @@
 class Admin::UsersController < Admin::BaseController
-  before_action :set_user, only: [:show]
+  before_action :set_user, except: [:index]
   before_action :set_current_section
 
+  # GET /admin/users
   def index
-    ldap   = LdapService.new
-    @ou    = params[:ou] || Setting.primary_domain
-    @orgs  = ldap.fetch_organizations
-    @pagy, @users = pagy(User.where(ou: @ou).order(cn: :asc))
+    ldap = LdapService.new
+    ou   = Setting.primary_domain
+    @show_contributors = Setting.user_index_show_contributors
+    @show_sustainers = Setting.user_index_show_sustainers
+
+    @contributors = ldap.search_users(:memberStatus, :contributor, :cn) if @show_contributors
+    @sustainers   = ldap.search_users(:memberStatus, :sustainer, :cn) if @show_sustainers
+    @admins       = ldap.search_users(:admin, true, :cn)
+    @pagy, @users = pagy(User.where(ou: ou).order(cn: :asc))
 
     @stats = {
-      users_confirmed: User.where(ou: @ou).confirmed.count,
-      users_pending: User.where(ou: @ou).pending.count
+      users_confirmed: User.where(ou: ou).confirmed.count,
+      users_pending: User.where(ou: ou).pending.count
     }
+    @stats[:users_contributing] = @contributors.size if @show_contributors
+    @stats[:users_paying] = @sustainers.size if @show_sustainers
   end
 
+  # GET /admin/users/:username
   def show
+    @invitees = @user.invitees
+    @recent_invitees = @user.invitees.order(created_at: :desc).limit(5)
+    @more_invitees = (@invitees - @recent_invitees).count
+
     if Setting.lndhub_admin_enabled?
       @lndhub_user = @user.lndhub_user
     end
 
     @services_enabled = @user.services_enabled
+
+    @ldap_avatar = LdapManager::FetchAvatar.call(cn: @user.cn)
+  end
+
+  # POST /admin/users/:username/invitations
+  def create_invitations
+    amount = params[:amount].to_i
+    notify_user = ActiveRecord::Type::Boolean.new.cast(params[:notify_user])
+
+    UserManager::CreateInvitations.call(user: @user, amount: amount, notify: notify_user)
+
+    redirect_to admin_user_path(@user.cn), flash: {
+      success: "Added #{amount} invitations to #{@user.cn}'s account"
+    }
+  end
+
+  # DELETE /admin/users/:username/invitations
+  def delete_invitations
+    invitations = @user.invitations.unused
+    amount = invitations.count
+
+    invitations.destroy_all
+
+    redirect_to admin_user_path(@user.cn), flash: {
+      success: "Removed #{amount} invitations from #{@user.cn}'s account"
+    }
   end
 
   private
 
   def set_user
-    address = params[:address].split("@")
-    @user = User.where(cn: address.first, ou: address.last).first
+    @user = User.find_by(cn: params[:username], ou: Setting.primary_domain)
+    http_status :not_found unless @user
   end
 
   def set_current_section

app/controllers/api/btcpay_controller.rb

@@ -0,0 +1,37 @@
+class Api::BtcpayController < Api::BaseController
+  before_action :require_feature_enabled
+  before_action :set_cors_access_control_headers
+
+  def onchain_btc_balance
+    balance = BtcpayManager::FetchOnchainWalletBalance.call
+    render json: balance
+  rescue => error
+    Rails.logger.warn "Failed to fetch BTC wallet balance: #{error.message}"
+    render json: { error: 'Failed to fetch wallet balance' },
+           status: 500
+  end
+
+  def lightning_btc_balance
+    balance = BtcpayManager::FetchLightningWalletBalance.call
+    render json: balance
+  rescue => error
+    Rails.logger.warn "Failed to fetch BTC lightning balance: #{error.message}"
+    render json: { error: 'Failed to fetch wallet balance' },
+           status: 500
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Setting.btcpay_publish_wallet_balances
+        http_status :not_found and return
+      end
+    end
+
+    def set_cors_access_control_headers
+      return unless Rails.env.development?
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Headers'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
+end

app/controllers/api/kredits_controller.rb

@@ -1,13 +0,0 @@
-class Api::KreditsController < Api::BaseController
-
-  def onchain_btc_balance
-    btcpay = BtcPay.new
-    balance = btcpay.onchain_wallet_balance
-    render json: balance
-  rescue => error
-    Rails.logger.warn "Failed to fetch kredits BTC wallet balance: #{error.message}"
-    render json: { error: 'Failed to fetch wallet balance' },
-           status: 500
-  end
-
-end

app/controllers/application_controller.rb

@@ -37,4 +37,35 @@ class ApplicationController < ActionController::Base
       format.any  { head status }
     end
   end
+
+  def after_sign_in_path_for(user)
+    session[:user_return_to] || root_path
+  end
+
+  def lndhub_authenticate(options={})
+    if session[:ln_auth_token].present? && !options[:force_reauth]
+      @ln_auth_token = session[:ln_auth_token]
+    else
+      lndhub = Lndhub.new
+      auth_token = lndhub.authenticate(current_user)
+      session[:ln_auth_token] = auth_token
+      @ln_auth_token = auth_token
+    end
+  rescue => e
+    Sentry.capture_exception(e) if Setting.sentry_enabled?
+  end
+
+  def lndhub_fetch_balance
+    @balance = LndhubManager::FetchUserBalance.call(auth_token: @ln_auth_token)
+  rescue AuthError
+    lndhub_authenticate(force_reauth: true)
+    raise if @fetch_balance_retried
+    @fetch_balance_retried = true
+    lndhub_fetch_balance
+  end
+
+  def nostr_event_from_params
+    params.permit!
+    params[:signed_event].to_h.symbolize_keys
+  end
 end

app/controllers/avatars_controller.rb

@@ -0,0 +1,27 @@
+class AvatarsController < ApplicationController
+  def show
+    if user = User.find_by(cn: params[:username])
+      http_status :not_found and return unless user.avatar.attached?
+
+      sha256_hash = params[:hash]
+      format = params[:format]&.to_sym || :png
+      # size = params[:size]&.to_sym || :original
+
+      unless user.avatar.filename.to_s == "#{sha256_hash}.#{format}"
+        http_status :not_found and return
+      end
+
+      # TODO See note for avatar_variant in user model
+      # blob = if size == :original
+      #          user.avatar.blob
+      #        else
+      #          user.avatar_variant(size: size)&.blob
+      #        end
+
+      data = user.avatar.blob.download
+      send_data data, type: "image/#{format}", disposition: "inline"
+    else
+      http_status :not_found
+    end
+  end
+end

app/controllers/contributions/donations_controller.rb

@@ -1,10 +1,126 @@
 class Contributions::DonationsController < ApplicationController
-  before_action :authenticate_user!
+  include BtcpayHelper
 
-  # GET /donations
-  # GET /donations.json
+  before_action :authenticate_user!
+  before_action :set_donation_methods, only: [:index, :create]
+  before_action :require_donation_method_enabled, only: [:create]
+  before_action :validate_donation_params, only: [:create]
+  before_action :set_donation, only: [:confirm_btcpay]
+
+  # GET /contributions/donations
   def index
-    @donations = current_user.donations.completed
     @current_section = :contributions
+    @donations_completed = current_user.donations.completed.order('paid_at desc')
+    @donations_processing = current_user.donations.processing.order('created_at desc')
+
+    if Setting.lndhub_enabled?
+      begin
+        lndhub_authenticate
+        lndhub_fetch_balance
+      rescue
+        @balance = 0
+      end
+    end
   end
+
+  # POST /contributions/donations
+  def create
+    if params[:currency] == "sats"
+      fiat_amount = nil
+      fiat_currency = nil
+      amount_sats = params[:amount]
+    else
+      fiat_amount = params[:amount].to_i
+      fiat_currency = params[:currency]
+      amount_sats = nil
+    end
+
+    @donation = current_user.donations.create!(
+      donation_method: params[:donation_method],
+      payment_method: nil,
+      paid_at: nil,
+      amount_sats: amount_sats,
+      fiat_amount: (fiat_amount.nil? ? nil : fiat_amount * 100), # store in cents
+      fiat_currency: fiat_currency,
+      public_name: params[:public_name]
+    )
+
+    case params[:donation_method]
+    when "btcpay"
+      res = BtcpayManager::CreateInvoice.call(
+        amount: fiat_amount || (amount_sats.to_f / 100000000),
+        currency: fiat_currency || "BTC",
+        redirect_url: confirm_btcpay_contributions_donation_url(@donation)
+      )
+
+      @donation.update! btcpay_invoice_id: res["id"]
+
+      redirect_to btcpay_checkout_url(res["id"]), allow_other_host: true
+    else
+      redirect_to contributions_donations_url, flash: {
+        error: "Donation method currently not available"
+      }
+    end
+  end
+
+  def confirm_btcpay
+    redirect_to contributions_donations_url and return if @donation.completed?
+
+    invoice = BtcpayManager::FetchInvoice.call(invoice_id: @donation.btcpay_invoice_id)
+
+    if @donation.amount_sats.present?
+      # TODO make default fiat currency configurable and/or determine from user's
+      # i18n browser settings
+      @donation.fiat_currency = "EUR"
+      exchange_rate = BtcpayManager::FetchExchangeRate.call(fiat_currency: @donation.fiat_currency)
+      @donation.fiat_amount = (((@donation.amount_sats.to_f / 100000000) * exchange_rate) * 100).to_i
+    else
+      amt_str = invoice["paymentMethods"].first["amount"]
+      @donation.amount_sats = amt_str.tr(".","").sub(/0*$/, "").to_i
+    end
+
+    case invoice["status"]
+    when "Settled"
+      @donation.complete!
+      flash_message = { success: "Thank you!" }
+    when "Processing"
+      unless @donation.processing?
+        @donation.start_processing!
+        flash_message = { success: "Thank you! We will send you an email when the payment is confirmed." }
+        BtcpayCheckDonationJob.set(wait: 20.seconds).perform_later(@donation)
+      end
+    when "Expired"
+      flash_message = { warning: "The payment request for this donation has expired" }
+    else
+      flash_message = { warning: "Could not determine status of payment" }
+    end
+
+    redirect_to contributions_donations_url, flash: flash_message
+  end
+
+  private
+
+    def set_donation
+      @donation = current_user.donations.find_by(id: params[:id])
+      http_status :not_found unless @donation.present?
+    end
+
+    def set_donation_methods
+      @donation_methods = []
+      @donation_methods.push :btcpay if Setting.btcpay_enabled?
+      @donation_methods.push :lndhub if Setting.lndhub_enabled?
+      @donation_methods.push :opencollective if Setting.opencollective_enabled?
+    end
+
+    def require_donation_method_enabled
+      http_status :forbidden unless @donation_methods.include?(
+        params[:donation_method].to_sym
+      )
+    end
+
+    def validate_donation_params
+      if !%w[EUR USD sats].include?(params[:currency]) || (params[:amount].to_i <= 0)
+        http_status :unprocessable_entity
+      end
+    end
 end

app/controllers/contributions/other_controller.rb

@@ -0,0 +1,16 @@
+class Contributions::OtherController < ApplicationController
+  before_action :authenticate_user!
+  before_action :set_content_editing
+
+  # GET /contributions/other
+  def index
+    @current_section = :contributions
+  end
+
+  private
+
+    def set_content_editing
+      return unless params[:edit] && current_user.is_admin?
+      @edit_content = true
+    end
+end

app/controllers/contributions/projects_controller.rb

@@ -1,8 +0,0 @@
-class Contributions::ProjectsController < ApplicationController
-  before_action :authenticate_user!
-
-  # GET /contributions
-  def index
-    @current_section = :contributions
-  end
-end

app/controllers/discourse/sso_controller.rb

@@ -8,6 +8,9 @@ class Discourse::SsoController < ApplicationController
     sso.email = current_user.email
     sso.username = current_user.cn
     sso.name = current_user.display_name
+    if current_user.avatar.attached?
+      sso.avatar_url = helpers.image_url_for(current_user.avatar)
+    end
     sso.admin = current_user.is_admin?
     sso.sso_secret = secret
 

app/controllers/lnurlpay_controller.rb

@@ -1,23 +1,33 @@
 class LnurlpayController < ApplicationController
-  before_action :check_feature_enabled
-  before_action :find_user_by_address
+  before_action :check_service_available
+  before_action :find_user
+  before_action :set_cors_access_control_headers
 
   MIN_SATS = 10
   MAX_SATS = 1_000_000
   MAX_COMMENT_CHARS = 100
 
+  # GET /.well-known/lnurlp/:username
   def index
-    render json: {
+    res = {
       status: "OK",
-      callback: "https://accounts.kosmos.org/lnurlpay/#{@user.address}/invoice",
+      callback: "https://#{Setting.accounts_domain}/lnurlpay/#{@user.cn}/invoice",
       tag: "payRequest",
       maxSendable: MAX_SATS * 1000, # msat
       minSendable: MIN_SATS * 1000, # msat
       metadata: metadata(@user.address),
       commentAllowed: MAX_COMMENT_CHARS
     }
+
+    if Setting.nostr_enabled?
+      res[:allowsNostr] = true
+      res[:nostrPubkey] = Setting.nostr_public_key
+    end
+
+    render json: res
   end
 
+  # GET /.well-known/keysend/:username
   def keysend
     http_status :not_found and return unless Setting.lndhub_keysend_enabled?
 
@@ -27,69 +37,125 @@ class LnurlpayController < ApplicationController
       pubkey: Setting.lndhub_public_key,
       customData: [{
         customKey: "696969",
-        customValue: @user.ln_account
+        customValue: @user.lndhub_username
       }]
     }
   end
 
+  # GET /lnurlpay/:username/invoice
   def invoice
-    amount = params[:amount].to_i / 1000 # msats
-    address = params[:address]
+    amount = params[:amount].to_i / 1000 # msats to sats
     comment = params[:comment] || ""
+    address = @user.address
 
     if !valid_amount?(amount)
       render json: { status: "ERROR", reason: "Invalid amount" }
       return
     end
 
-    if !valid_comment?(comment)
-      render json: { status: "ERROR", reason: "Comment too long" }
-      return
+    if params[:nostr].present? && Setting.nostr_enabled?
+      handle_zap_request amount, params[:nostr], params[:lnurl]
+    else
+      handle_pay_request address, amount, comment
+    end
+  end
+
+  private
+
+    def set_cors_access_control_headers
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Headers'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
     end
 
-    memo = "To #{address}"
-    memo = "#{memo}: \"#{comment}\"" if comment.present?
+    def check_service_available
+      http_status :not_found unless Setting.lndhub_enabled?
+    end
 
-    payment_request = @user.ln_create_invoice({
-      amount: amount, # we create invoices in sats
-      memo: memo,
-      description_hash: Digest::SHA2.hexdigest(metadata(address)),
-    })
+    def find_user
+      @user = User.where(cn: params[:username], ou: Setting.primary_domain).first
+      http_status :not_found if @user.nil?
+    end
 
-    render json: {
-      status: "OK",
-      successAction: {
-        tag: "message",
-        message: "Sats received. Thank you!"
-      },
-      routes: [],
-      pr: payment_request
-    }
-  end
+    def metadata(address)
+      "[[\"text/identifier\",\"#{address}\"],[\"text/plain\",\"Sats for #{address}\"]]"
+    end
 
-  private
+    def valid_amount?(amount_in_sats)
+      amount_in_sats <= MAX_SATS && amount_in_sats >= MIN_SATS
+    end
 
-  def find_user_by_address
-    address = params[:address].split("@")
-    @user = User.where(cn: address.first, ou: address.last).first
-    http_status :not_found if @user.nil?
-  end
+    def valid_comment?(comment)
+      comment.length <= MAX_COMMENT_CHARS
+    end
 
-  def metadata(address)
-    "[[\"text/identifier\", \"#{address}\"], [\"text/plain\", \"Send sats, receive thanks.\"]]"
-  end
+    def handle_pay_request(address, amount, comment)
+      if !valid_comment?(comment)
+        render json: { status: "ERROR", reason: "Comment too long" }
+        return
+      end
 
-  def valid_amount?(amount_in_sats)
-    amount_in_sats <= MAX_SATS && amount_in_sats >= MIN_SATS
-  end
+      desc = "To #{address}"
+      desc = "#{desc}: \"#{comment}\"" if comment.present?
 
-  def valid_comment?(comment)
-    comment.length <= MAX_COMMENT_CHARS
-  end
+      invoice = LndhubManager::CreateUserInvoice.call(
+        user: @user, payload: {
+          amount: amount, # sats
+          description: desc,
+          description_hash: Digest::SHA256.hexdigest(metadata(address)),
+        }
+      )
 
-  private
+      render json: {
+        status: "OK",
+        successAction: {
+          tag: "message",
+          message: "Sats received. Thank you!"
+        },
+        routes: [],
+        pr: invoice["payment_request"]
+      }
+    end
 
-  def check_feature_enabled
-    http_status :not_found unless Setting.lndhub_enabled?
-  end
+    def nostr_event_from_payload(nostr_param)
+      event_obj = JSON.parse(nostr_param).transform_keys(&:to_sym)
+      Nostr::Event.new(**event_obj)
+    rescue => e
+      return nil
+    end
+
+    def valid_zap_request?(amount, event, lnurl)
+      NostrManager::VerifyZapRequest.call(
+        amount: amount, event: event, lnurl: lnurl
+      )
+    end
+
+    def handle_zap_request(amount, nostr_param, lnurl_param)
+      event = nostr_event_from_payload(nostr_param)
+
+      unless event.present? && valid_zap_request?(amount*1000, event, lnurl_param)
+        render json: { status: "ERROR", reason: "Invalid zap request" }
+        return
+      end
+
+      # TODO might want to use the existing invoice and zap record if there are
+      # multiple calls with the same zap request
+
+      desc = "Zap for #{@user.address}"
+      desc = "#{desc}: \"#{event.content}\"" if event.content.present?
+
+      invoice = LndhubManager::CreateUserInvoice.call(
+        user: @user, payload: {
+          amount: amount, # sats
+          description: desc,
+          description_hash: Digest::SHA256.hexdigest(event.to_json),
+        }
+      )
+
+      @user.zaps.create! request: event,
+                         payment_request: invoice["payment_request"],
+                         amount: amount
+
+      render json: { status: "OK", pr: invoice["payment_request"] }
+    end
 end

app/controllers/pages_controller.rb

@@ -0,0 +1,9 @@
+class PagesController < ApplicationController
+  def privacy
+    @current_section = :privacy
+  end
+
+  def tos
+    @current_section = :tos
+  end
+end

app/controllers/rs/oauth_controller.rb

@@ -3,8 +3,7 @@ class Rs::OauthController < ApplicationController
   before_action :authenticate_user!, only: :create
 
   def new
-    username, org  = params[:useraddress].split("@")
-    @user          = User.where(cn: username.downcase, ou: org).first
+    @user          = User.where(cn: params[:username].downcase, ou: Setting.primary_domain).first
     @scopes        = parse_scopes params[:scope]
     @redirect_uri  = params[:redirect_uri]
     @client_id     = params[:client_id]
@@ -22,7 +21,7 @@ class Rs::OauthController < ApplicationController
     unless current_user == @user
       sign_out :user
 
-      redirect_to new_rs_oauth_url(@user.address,
+      redirect_to new_rs_oauth_url(@user.cn,
                                    scope: params[:scope],
                                    redirect_uri: params[:redirect_uri],
                                    client_id: params[:client_id],
@@ -88,7 +87,7 @@ class Rs::OauthController < ApplicationController
       permissions: permissions,
       client_id: client_id,
       redirect_uri: redirect_uri,
-      app_name: client_id, #TODO use user-defined name
+      app_name: client_id,
       expire_at: expire_at
     )
 
@@ -96,28 +95,15 @@ class Rs::OauthController < ApplicationController
                 allow_other_host: true
   end
 
-  # GET /rs/oauth/token/:id/launch_app
-  def launch_app
-    auth = current_user.remote_storage_authorizations.find(params[:id])
-
-    redirect_to app_auth_url(auth), allow_other_host: true
-  end
-
   private
 
   def require_signed_in_with_username
     unless user_signed_in?
-      username, org = params[:useraddress].split("@")
-      redirect_to new_user_session_path(cn: username, ou: org)
+      session[:user_return_to] = request.url
+      redirect_to new_user_session_path(cn: params[:username], ou: Setting.primary_domain)
     end
   end
 
-  def app_auth_url(auth)
-    url = "#{auth.url}#remotestorage=#{current_user.address}"
-    url += "&access_token=#{auth.token}"
-    url
-  end
-
   def hostname_of(uri)
     uri.gsub(/http(s)?:\/\//, "").split(":")[0].split("/")[0]
   end

app/controllers/services/chat_controller.rb

@@ -3,7 +3,7 @@ class Services::ChatController < Services::BaseController
   before_action :require_service_available
 
   def show
-    @service_enabled = current_user.services_enabled.include?(:xmpp)
+    @service_enabled = current_user.service_enabled?(:ejabberd)
   end
 
   private

app/controllers/services/email_controller.rb

@@ -0,0 +1,34 @@
+class Services::EmailController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_service_available
+  before_action :require_feature_enabled
+
+  def show
+    ldap_entry = current_user.ldap_entry
+
+    @service_enabled = ldap_entry[:email_password].present?
+    @maildrop = ldap_entry[:email_maildrop]
+    @email_forwarding_active = @maildrop.present? &&
+                               @maildrop.split("@").first != current_user.cn
+  end
+
+  def new_password
+    if session[:new_email_password].present?
+      @new_password = session.delete(:new_email_password)
+    else
+      redirect_to setting_path(:email)
+    end
+  end
+
+  private
+
+    def require_service_available
+      http_status :not_found unless Setting.email_enabled?
+    end
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:email, current_user)
+        http_status :forbidden
+      end
+    end
+end

app/controllers/services/lightning_controller.rb

@@ -2,13 +2,14 @@ require "rqrcode"
 require "lnurl"
 
 class Services::LightningController < ApplicationController
-  before_action :authenticate_user!
-  before_action :authenticate_with_lndhub
   before_action :set_current_section
-  before_action :fetch_balance
+  before_action :require_service_available
+  before_action :authenticate_user!
+  before_action :lndhub_authenticate
+  before_action :lndhub_fetch_balance
 
   def index
-    @wallet_setup_url = "lndhub://#{current_user.ln_account}:#{current_user.ln_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
+    @wallet_setup_url = "lndhub://#{current_user.lndhub_username}:#{current_user.lndhub_password}@#{ENV['LNDHUB_PUBLIC_URL']}"
   end
 
   def transactions
@@ -55,32 +56,12 @@ class Services::LightningController < ApplicationController
 
   private
 
-  def authenticate_with_lndhub(options={})
-    if session[:ln_auth_token].present? && !options[:force_reauth]
-      @ln_auth_token = session[:ln_auth_token]
-    else
-      lndhub = Lndhub.new
-      auth_token = lndhub.authenticate(current_user)
-      session[:ln_auth_token] = auth_token
-      @ln_auth_token = auth_token
-    end
-  rescue => e
-    Sentry.capture_exception(e) if Setting.sentry_enabled?
-  end
-
   def set_current_section
     @current_section = :services
   end
 
-  def fetch_balance
-    lndhub = Lndhub.new
-    data = lndhub.balance @ln_auth_token
-    @balance = data["BTC"]["AvailableBalance"] rescue nil
-  rescue AuthError
-    authenticate_with_lndhub(force_reauth: true)
-    raise if @fetch_balance_retried
-    @fetch_balance_retried = true
-    fetch_balance
+  def require_service_available
+    http_status :not_found unless Setting.lndhub_enabled?
   end
 
   def fetch_transactions

app/controllers/services/mastodon_controller.rb

@@ -3,7 +3,7 @@ class Services::MastodonController < Services::BaseController
   before_action :require_service_available
 
   def show
-    @service_enabled = current_user.services_enabled.include?(:mastodon)
+    @service_enabled = current_user.service_enabled?(:mastodon)
   end
 
   private

app/controllers/services/remotestorage_controller.rb

@@ -1,23 +1,25 @@
 class Services::RemotestorageController < Services::BaseController
   before_action :authenticate_user!
-  before_action :require_feature_enabled
   before_action :require_service_available
+  before_action :require_feature_enabled
 
-  def dashboard
-    # unless current_user.services_enabled.include?(:remotestorage)
+  # Dashboard
+  def show
+    # unless current_user.service_enabled?(:remotestorage)
     #   redirect_to service_remotestorage_info_path
     # end
+    # @rs_apps_connected = current_user.remote_storage_authorizations.any?
   end
 
   private
 
+    def require_service_available
+      http_status :not_found unless Setting.remotestorage_enabled?
+    end
+
     def require_feature_enabled
       unless Flipper.enabled?(:remotestorage, current_user)
         http_status :forbidden
       end
     end
-
-    def require_service_available
-      http_status :not_found unless Setting.remotestorage_enabled?
-    end
 end

app/controllers/services/rs_auths_controller.rb

@@ -0,0 +1,51 @@
+class Services::RsAuthsController < Services::BaseController
+  before_action :authenticate_user!
+  before_action :require_feature_enabled
+  before_action :require_service_available
+  # before_action :require_service_enabled
+  before_action :find_rs_auth, only: [:destroy, :launch_app]
+
+  def index
+    @rs_auths = current_user.remote_storage_authorizations
+    # TODO sort by app name?
+  end
+
+  def destroy
+    @auth.destroy!
+
+    respond_to do |format|
+      format.html do redirect_to apps_services_storage_url, flash: {
+        success: 'App authorization revoked'
+      }
+      end
+      format.json { head :no_content }
+    end
+  end
+
+  def launch_app
+    user_address = Rails.env.development? ?
+      "#{current_user.cn}@localhost:3000" :
+      current_user.address
+
+    launch_url = "#{@auth.launch_url}#remotestorage=#{user_address}"
+
+    redirect_to launch_url, allow_other_host: true
+  end
+
+  private
+
+    def require_feature_enabled
+      unless Flipper.enabled?(:remotestorage, current_user)
+        http_status :forbidden
+      end
+    end
+
+    def require_service_available
+      http_status :not_found unless Setting.remotestorage_enabled?
+    end
+
+    def find_rs_auth
+      @auth = current_user.remote_storage_authorizations.find(params[:id])
+      http_status :not_found unless @auth.present?
+    end
+end

app/controllers/settings_controller.rb

@@ -1,28 +1,49 @@
-require 'securerandom'
+require "securerandom"
+require "bcrypt"
 
 class SettingsController < ApplicationController
   before_action :authenticate_user!
   before_action :set_main_nav_section
-  before_action :set_settings_section, only: [:show, :update, :update_email]
-  before_action :set_user, only: [:show, :update, :update_email]
+  before_action :set_settings_section, only: [:show, :update, :update_email, :reset_email_password]
+  before_action :set_user, only: [:show, :update, :update_email, :reset_email_password]
 
   def index
     redirect_to setting_path(:profile)
   end
 
   def show
-    if @settings_section == "experiments"
+    case @settings_section
+    when "lightning"
+      @notifications_enabled = @user.preferences[:lightning_notify_sats_received] != "disabled" ||
+                               @user.preferences[:lightning_notify_zap_received] != "disabled"
+    when "nostr"
       session[:shared_secret] ||= SecureRandom.base64(12)
     end
   end
 
+  # PUT /settings/:section
   def update
     @user.preferences.merge!(user_params[:preferences] || {})
     @user.display_name = user_params[:display_name]
+    @user.avatar_new   = user_params[:avatar_new]
+    @user.pgp_pubkey   = user_params[:pgp_pubkey]
 
     if @user.save
       if @user.display_name && (@user.display_name != @user.ldap_entry[:display_name])
-        LdapManager::UpdateDisplayName.call(@user.dn, user_params[:display_name])
+        LdapManager::UpdateDisplayName.call(dn: @user.dn, display_name: @user.display_name)
+      end
+
+      if @user.avatar_new.present?
+        if store_user_avatar
+          UserManager::UpdateAvatar.call(user: @user)
+        else
+          @validation_errors = @user.errors
+          render :show, status: :unprocessable_entity and return
+        end
+      end
+
+      if @user.pgp_pubkey && (@user.pgp_pubkey != @user.ldap_entry[:pgp_key])
+        UserManager::UpdatePgpKey.call(user: @user)
       end
 
       redirect_to setting_path(@settings_section), flash: {
@@ -34,8 +55,9 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/update_email
   def update_email
-    if @user.valid_ldap_authentication?(email_params[:current_password])
+    if @user.valid_ldap_authentication?(security_params[:current_password])
       if @user.update email: email_params[:email]
         redirect_to setting_path(:account), flash: {
           notice: 'Please confirm your new address using the confirmation link we just sent you.'
@@ -51,6 +73,30 @@ class SettingsController < ApplicationController
     end
   end
 
+  # POST /settings/reset_email_password
+  def reset_email_password
+    @user.current_password = security_params[:current_password]
+
+    if @user.valid_ldap_authentication?(@user.current_password)
+      @user.current_password = nil
+      session[:new_email_password] = generate_email_password
+      hashed_password = hash_email_password(session[:new_email_password])
+      LdapManager::UpdateEmailPassword.call(dn: @user.dn, password_hash: hashed_password)
+
+      if @user.ldap_entry[:email_maildrop] != @user.address
+        LdapManager::UpdateEmailMaildrop.call(dn: @user.dn, address: @user.address)
+      end
+
+      redirect_to new_password_services_email_path
+    else
+      @validation_errors = {
+        current_password: [ "Wrong password. Try again!" ]
+      }
+      render :show, status: :forbidden
+    end
+  end
+
+  # POST /settings/reset_password
   def reset_password
     current_user.send_reset_password_instructions
     sign_out current_user
@@ -58,41 +104,41 @@ class SettingsController < ApplicationController
     redirect_to check_your_email_path, notice: msg
   end
 
+  # POST /settings/set_nostr_pubkey
   def set_nostr_pubkey
-    signed_event = nostr_event_params[:signed_event].to_h.symbolize_keys
-    is_valid_id  = NostrManager::ValidateId.call(signed_event)
-    is_valid_sig = NostrManager::VerifySignature.call(signed_event)
-    is_correct_content = signed_event[:content] == "Connect my public key to #{current_user.address} (confirmation #{session[:shared_secret]})"
+    signed_event = Nostr::Event.new(**nostr_event_from_params)
 
-    unless is_valid_id && is_valid_sig && is_correct_content
+    is_valid_sig  = signed_event.verify_signature
+    is_valid_auth = NostrManager::VerifyAuth.call(
+      event: signed_event,
+      challenge: session[:shared_secret]
+    )
+
+    unless is_valid_sig && is_valid_auth
       flash[:alert] = "Public key could not be verified"
       http_status :unprocessable_entity and return
     end
 
-    pubkey_taken = User.all_except(current_user).where(
-      ou: current_user.ou, nostr_pubkey: signed_event[:pubkey]
-    ).any?
+    user_with_pubkey = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)
 
-    if pubkey_taken
+    if user_with_pubkey.present? && (user_with_pubkey != current_user)
       flash[:alert] = "Public key already in use for a different account"
       http_status :unprocessable_entity and return
     end
 
-    current_user.update! nostr_pubkey: signed_event[:pubkey]
+    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: signed_event.pubkey)
     session[:shared_secret] = nil
 
     flash[:success] = "Public key verification successful"
     http_status :ok
-  rescue
-    flash[:alert] = "Public key could not be verified"
-    http_status :unprocessable_entity and return
   end
 
   # DELETE /settings/nostr_pubkey
   def remove_nostr_pubkey
-    current_user.update! nostr_pubkey: nil
+    # TODO require current pubkey or password to delete
+    LdapManager::UpdateNostrKey.call(dn: current_user.dn, pubkey: nil)
 
-    redirect_to setting_path(:experiments), flash: {
+    redirect_to setting_path(:nostr), flash: {
       success: 'Public key removed from account'
     }
   end
@@ -105,7 +151,10 @@ class SettingsController < ApplicationController
 
     def set_settings_section
       @settings_section = params[:section]
-      allowed_sections = [:profile, :account, :lightning, :xmpp, :experiments]
+      allowed_sections = [
+        :profile, :account, :xmpp, :email,
+        :lightning, :remotestorage, :nostr
+      ]
 
       unless allowed_sections.include?(@settings_section.to_sym)
         redirect_to setting_path(:profile)
@@ -117,19 +166,53 @@ class SettingsController < ApplicationController
     end
 
     def user_params
-      params.require(:user).permit(:display_name, preferences: [
-        :lightning_notify_sats_received,
-        :xmpp_exchange_contacts_with_invitees
-      ])
+      params.require(:user).permit(
+        :display_name, :avatar_new, :pgp_pubkey,
+        preferences: UserPreferences.pref_keys
+      )
     end
 
     def email_params
-      params.require(:user).permit(:email, :current_password)
+      params.require(:user).permit(:email)
     end
 
-    def nostr_event_params
-      params.permit(signed_event: [
-        :id, :pubkey, :created_at, :kind, :tags, :content, :sig
-      ])
+    def security_params
+      params.require(:user).permit(:current_password)
+    end
+
+    def generate_email_password
+      characters = [('a'..'z'), ('A'..'Z'), (0..9)].map(&:to_a).flatten
+      SecureRandom.random_bytes(16).each_byte.map { |b| characters[b % characters.length] }.join
+    end
+
+    def hash_email_password(password)
+      salt = BCrypt::Engine.generate_salt
+      BCrypt::Engine.hash_secret(password, salt)
+    end
+
+    def store_user_avatar
+      io = @user.avatar_new.tempfile
+      img_data = UserManager::ProcessAvatar.call(io: io)
+      if img_data.blank?
+        @user.errors.add(:avatar, "failed to process file")
+        false
+      end
+      tempfile = Tempfile.create
+      tempfile.binmode
+      tempfile.write(img_data)
+      tempfile.rewind
+
+      hash = Digest::SHA256.hexdigest(img_data)
+      ext = @user.avatar_new.content_type == "image/png" ? "png" : "jpg"
+      filename = "#{hash}.#{ext}"
+
+      if filename == @user.avatar.filename.to_s
+        @user.errors.add(:avatar, "must be a new file/picture")
+        false
+      else
+        key = "users/#{@user.cn}/avatars/#{filename}"
+        @user.avatar.attach io: tempfile, key: key, filename: filename
+        @user.save
+      end
     end
 end

app/controllers/signup_controller.rb

@@ -96,13 +96,13 @@ class SignupController < ApplicationController
     session[:new_user] = nil
     session[:validation_error] = nil
 
-    CreateAccount.call(
+    UserManager::CreateAccount.call(account: {
       username: @user.cn,
       domain: Setting.primary_domain,
       email: @user.email,
       password: @user.password,
       invitation: @invitation
-    )
+    })
   end
 
   def set_context

app/controllers/users/sessions_controller.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class Users::SessionsController < Devise::SessionsController
+  # before_action :configure_sign_in_params, only: [:create]
+
+  # GET /resource/sign_in
+  def new
+    session[:shared_secret] = SecureRandom.base64(12)
+    super
+  end
+
+  # POST /resource/sign_in
+  # def create
+  #   super
+  # end
+
+  # DELETE /resource/sign_out
+  # def destroy
+  #   super
+  # end
+
+  # POST /users/nostr_login
+  def nostr_login
+    signed_event = Nostr::Event.new(**nostr_event_from_params)
+
+    is_valid_sig  = signed_event.verify_signature
+    is_valid_auth = NostrManager::VerifyAuth.call(
+      event: signed_event,
+      challenge: session[:shared_secret]
+    )
+
+    session[:shared_secret] = nil
+
+    unless is_valid_sig && is_valid_auth
+      flash[:alert] = "Login verification failed"
+      http_status :unauthorized and return
+    end
+
+    user = LdapManager::FetchUserByNostrKey.call(pubkey: signed_event.pubkey)
+
+    if user.present?
+      set_flash_message!(:notice, :signed_in)
+      sign_in("user", user)
+      render json: { redirect_url: after_sign_in_path_for(user) }, status: :ok
+    else
+      flash[:alert] = "Failed to find your account. Nostr login may be disabled."
+      http_status :unauthorized
+    end
+  end
+
+  protected
+
+    def set_flash_message(key, kind, options = {})
+      # Hide flash message after redirecting from a signin route while logged in
+      super unless key == :alert && kind == "already_authenticated"
+    end
+
+  # If you have extra params to permit, append them to the sanitizer.
+  # def configure_sign_in_params
+  #   devise_parameter_sanitizer.permit(:sign_in, keys: [:attribute])
+  # end
+end

app/controllers/web_key_directory_controller.rb

@@ -0,0 +1,43 @@
+class WebKeyDirectoryController < WellKnownController
+  before_action :allow_cross_origin_requests
+
+  # /.well-known/openpgpkey/hu/:hashed_username(.txt)?l=username
+  def show
+    if params[:l].blank?
+      # TODO store hashed username in db if existing implementations trigger
+      # this a lot
+      msg = "WKD request with \"l\" param omitted for hu: #{params[:hashed_username]}"
+      Sentry.capture_message(msg) if Setting.sentry_enabled?
+      http_status :bad_request and return
+    end
+
+    @user = User.find_by(cn: params[:l].downcase)
+
+    if @user.nil? ||
+       @user.pgp_pubkey.blank? ||
+       !@user.pgp_pubkey_contains_user_address?
+      http_status :not_found and return
+    end
+
+    if params[:hashed_username] != @user.wkd_hash
+      http_status :unprocessable_entity and return
+    end
+
+    respond_to do |format|
+      format.text do
+        response.headers['Content-Type'] = 'text/plain'
+        render plain: @user.pgp_pubkey
+      end
+
+      format.any do
+        key = @user.gnupg_key.export
+        send_data key, filename: "#{@user.wkd_hash}.pem",
+                       type: "application/octet-stream"
+      end
+    end
+  end
+
+  def policy
+    head :ok
+  end
+end

app/controllers/webfinger_controller.rb

@@ -1,20 +1,23 @@
-class WebfingerController < ApplicationController
+class WebfingerController < WellKnownController
   before_action :allow_cross_origin_requests, only: [:show]
 
-  layout false
-
   def show
     resource = params[:resource]
 
-    if resource && resource.match(/acct:\w+/)
-      useraddress = resource.split(":").last
-      username, org = useraddress.split("@")
-      username.downcase!
-      unless User.where(cn: username, ou: org).any?
+    if resource && @useraddress = resource.match(/acct:(.+)/)&.[](1)
+      @username, @domain = @useraddress.split("@")
+
+      unless Rails.env.development?
+        # Allow different domains (e.g. localhost:3000) in development only
+        head 404 and return unless @domain == Setting.primary_domain
+      end
+
+      unless @user = User.where(ou: Setting.primary_domain)
+                         .find_by(cn: @username.downcase)
         head 404 and return
       end
 
-      render json: webfinger(useraddress).to_json,
+      render json: webfinger.to_json,
              content_type: "application/jrd+json"
     else
       head 422 and return
@@ -23,24 +26,75 @@ class WebfingerController < ApplicationController
 
   private
 
-  def webfinger(useraddress)
-    links = [];
+  def webfinger
+    jrd = {
+      subject: "acct:#{@user.address}",
+      aliases: [],
+      links: []
+    }
 
-    links << remotestorage_link(useraddress) if Setting.remotestorage_enabled
+    if @user.avatar.attached?
+      jrd[:links] += avatar_link
+    end
 
-    { "links" => links }
+    if Setting.mastodon_enabled && @user.service_enabled?(:mastodon)
+      # https://docs.joinmastodon.org/spec/webfinger/
+      jrd[:aliases] += mastodon_aliases
+      jrd[:links] += mastodon_links
+    end
+
+    if Setting.remotestorage_enabled && @user.service_enabled?(:remotestorage)
+      # https://datatracker.ietf.org/doc/draft-dejong-remotestorage/
+      jrd[:links] << remotestorage_link
+    end
+
+    jrd
   end
 
-  def remotestorage_link(useraddress)
-    # TODO use when OAuth routes are available
-    # auth_url = new_rs_oauth_url(useraddress)
-    auth_url = "https://example.com/rs/oauth"
-    storage_url = "#{Setting.rs_storage_url}/#{useraddress}"
+  def avatar_link
+    [
+      {
+        rel: "http://webfinger.net/rel/avatar",
+        type: @user.avatar.content_type,
+        href: helpers.image_url_for(@user.avatar)
+      }
+    ]
+  end
+
+  def mastodon_aliases
+    [
+      "#{Setting.mastodon_public_url}/@#{@user.cn}",
+      "#{Setting.mastodon_public_url}/users/#{@user.cn}"
+    ]
+  end
+
+  def mastodon_links
+    [
+      {
+        rel: "http://webfinger.net/rel/profile-page",
+        type: "text/html",
+        href: "#{Setting.mastodon_public_url}/@#{@user.cn}"
+      },
+      {
+        rel: "self",
+        type: "application/activity+json",
+        href: "#{Setting.mastodon_public_url}/users/#{@user.cn}"
+      },
+      {
+        rel: "http://ostatus.org/schema/1.0/subscribe",
+        template: "#{Setting.mastodon_public_url}/authorize_interaction?uri={uri}"
+      }
+    ]
+  end
+
+  def remotestorage_link
+    auth_url = new_rs_oauth_url(@username, host: Setting.rs_accounts_domain)
+    storage_url = "#{Setting.rs_storage_url}/#{@username}"
 
     {
-      "rel" => "http://tools.ietf.org/id/draft-dejong-remotestorage",
-      "href" => storage_url,
-      "properties" => {
+      rel: "http://tools.ietf.org/id/draft-dejong-remotestorage",
+      href: storage_url,
+      properties: {
         "http://remotestorage.io/spec/version" => "draft-dejong-remotestorage-13",
         "http://tools.ietf.org/html/rfc6749#section-4.2" => auth_url,
         "http://tools.ietf.org/html/rfc6750#section-2.3" => nil, # access token via a HTTP query parameter
@@ -49,9 +103,4 @@ class WebfingerController < ApplicationController
       }
     }
   end
-
-  def allow_cross_origin_requests
-    headers['Access-Control-Allow-Origin'] = '*'
-    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, OPTIONS'
-  end
 end

app/controllers/webhooks_controller.rb

@@ -2,45 +2,76 @@ class WebhooksController < ApplicationController
   skip_forgery_protection
 
   before_action :authorize_request
+  before_action :process_payload
 
   def lndhub
-    begin
-      payload = JSON.parse(request.body.read, symbolize_names: true)
-      head :no_content and return unless payload[:type] == "incoming"
-    rescue
-      head :unprocessable_entity and return
+    @user = User.find_by!(lndhub_username: @payload[:user_login])
+
+    if @zap = @user.zaps.find_by(payment_request: @payload[:payment_request])
+      settled_at = Time.parse(@payload[:settled_at])
+      zap_receipt = NostrManager::CreateZapReceipt.call(
+        zap: @zap,
+        paid_at: settled_at.to_i,
+        preimage: @payload[:preimage]
+      )
+      @zap.update! settled_at: settled_at, receipt: zap_receipt.to_h
+      NostrManager::PublishZapReceipt.call(zap: @zap)
     end
 
-    user = User.find_by!(ln_account: payload[:user_login])
-    notify = user.preferences[:lightning_notify_sats_received]
-    case notify
-    when "xmpp"
-      notify_xmpp(user.address, payload[:amount], payload[:memo])
-    when "email"
-      NotificationMailer.with(user: user, amount_sats: payload[:amount])
-                        .lightning_sats_received.deliver_later
-    end
+    send_notifications
 
     head :ok
   end
 
   private
 
-  # TODO refactor into mailer-like generic class/service
-  def notify_xmpp(address, amt_sats, memo)
-    payload = {
-      type: "normal",
-      from: Setting.primary_domain,
-      to: address,
-      subject: "Sats received!",
-      body: "#{helpers.number_with_delimiter amt_sats} sats received in your Lightning wallet:\n> #{memo}"
-    }
-    XmppSendMessageJob.perform_later(payload)
-  end
-
   def authorize_request
     if !ENV['WEBHOOKS_ALLOWED_IPS'].split(',').include?(request.remote_ip)
       head :forbidden and return
     end
   end
+
+  def process_payload
+    @payload = JSON.parse(request.body.read, symbolize_names: true)
+    unless @payload[:type] == "incoming" &&
+           @payload[:state] == "settled"
+      head :no_content and return
+    end
+  rescue
+    head :unprocessable_entity and return
+  end
+
+  def send_notifications
+    return if @payload[:amount] < @user.preferences[:lightning_notify_min_sats]
+
+    if @user.preferences[:lightning_notify_only_with_message]
+      return if @payload[:memo].blank?
+    end
+
+    target = @zap.present? ? @user.preferences[:lightning_notify_zap_received] :
+                             @user.preferences[:lightning_notify_sats_received]
+
+    case target
+    when "xmpp"
+      notify_xmpp
+    when "email"
+      notify_email
+    end
+  end
+
+  # TODO refactor into mailer-like generic class/service
+  def notify_xmpp
+    XmppSendMessageJob.perform_later({
+      type: "normal",
+      from: Setting.xmpp_notifications_from_address,
+      to: @user.address,
+      subject: "Sats received!",
+      body: "#{helpers.number_with_delimiter @payload[:amount]} sats received in your Lightning wallet:\n> #{@payload[:memo]}"
+    })
+  end
+
+  def notify_email
+    NotificationMailer.with(user: @user, amount_sats: @payload[:amount])
+                      .lightning_sats_received.deliver_later
+  end
 end

app/controllers/well_known_controller.rb

@@ -1,16 +1,47 @@
 class WellKnownController < ApplicationController
+  before_action :require_nostr_enabled, only: [ :nostr ]
+  before_action :allow_cross_origin_requests, only: [ :nostr ]
+
+  layout false
+
   def nostr
     http_status :unprocessable_entity and return if params[:name].blank?
     domain = request.headers["X-Forwarded-Host"].presence || Setting.primary_domain
-    @user = User.where(cn: params[:name], ou: domain).first
-    http_status :not_found and return if @user.nil? || @user.nostr_pubkey.blank?
+    relay_url = Setting.nostr_relay_url.presence
+
+    if params[:name] == "_"
+      if domain == Setting.primary_domain
+        # pubkey for the primary domain without a username (e.g. kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key_primary_domain.presence || Setting.nostr_public_key } }
+      else
+        # pubkey for the akkounts domain without a username (e.g. accounts.kosmos.org)
+        res = { names: { "_": Setting.nostr_public_key } }
+      end
+
+      res[:relays] = { "_" => [ relay_url ] } if relay_url
+    else
+      @user = User.where(cn: params[:name], ou: domain).first
+      http_status :not_found and return if @user.nil? || @user.nostr_pubkey.blank?
+
+      res = { names: { @user.cn => @user.nostr_pubkey } }
+      res[:relays] = { @user.nostr_pubkey => [ relay_url ] } if relay_url
+    end
 
     respond_to do |format|
       format.json do
-        render json: {
-          names: { "#{@user.cn}": @user.nostr_pubkey }
-        }.to_json
+        render json: res.to_json
       end
     end
   end
+
+  private
+
+    def require_nostr_enabled
+      http_status :not_found unless Setting.nostr_enabled?
+    end
+
+    def allow_cross_origin_requests
+      headers['Access-Control-Allow-Origin'] = "*"
+      headers['Access-Control-Allow-Methods'] = "GET"
+    end
 end

app/helpers/application_helper.rb

@@ -1,10 +1,6 @@
 module ApplicationHelper
   include Pagy::Frontend
 
-  def sats_to_btc(sats)
-    sats.to_f / 100000000
-  end
-
   def main_nav_class(current_section, link_to_section)
     if current_section == link_to_section
       "bg-gray-900/50 text-white px-3 py-2 rounded-md font-medium text-base md:text-sm block md:inline-block"
@@ -18,4 +14,23 @@ module ApplicationHelper
   def badge(text, color)
     tag.span text, class: "inline-flex items-center rounded-full bg-#{color}-100 px-2.5 py-0.5 text-xs font-medium text-#{color}-800"
   end
+
+  def markdown_to_html(string)
+    raw Kramdown::Document.new(string, { input: "GFM" }).to_html
+  end
+
+  def image_url_for(attachment)
+    return s3_image_url(attachment) if Setting.s3_enabled?
+
+    if attachment.record.is_a?(User) && attachment.name == "avatar"
+      hash, format = attachment.blob.filename.to_s.split(".", 2)
+      user_avatar_url(
+        username: attachment.record.cn,
+        hash: hash,
+        format: format
+      )
+    else
+      Rails.application.routes.url_helpers.rails_blob_path(attachment, only_path: true)
+    end
+  end
 end

app/helpers/btcpay_helper.rb

@@ -0,0 +1,7 @@
+module BtcpayHelper
+
+  def btcpay_checkout_url(invoice_id)
+    "#{Setting.btcpay_public_url}/i/#{invoice_id}"
+  end
+
+end

app/helpers/dashboard_helper.rb

@@ -1,2 +0,0 @@
-module DashboardHelper
-end

app/helpers/donations_helper.rb

@@ -1,2 +0,0 @@
-module DonationsHelper
-end

app/helpers/invitations_helper.rb

@@ -1,2 +0,0 @@
-module InvitationsHelper
-end

app/helpers/lnurlpay_helper.rb

@@ -1,2 +0,0 @@
-module LnurlpayHelper
-end

app/helpers/services_helper.rb

@@ -0,0 +1,12 @@
+module ServicesHelper
+
+  def service_human_name(key, category = :external)
+    SERVICES[category][key][:name] || key.to_s
+  end
+
+  def service_display_name(key, category = :external)
+    SERVICES[category][key][:display_name] ||
+    service_human_name(key, category)
+  end
+
+end

app/helpers/settings_helper.rb

@@ -1,2 +0,0 @@
-module SettingsHelper
-end

app/helpers/signup_helper.rb

@@ -1,2 +0,0 @@
-module SignupHelper
-end

app/helpers/users_helper.rb

@@ -1,2 +0,0 @@
-module UsersHelper
-end

app/helpers/wallet_helper.rb

@@ -1,2 +0,0 @@
-module WalletHelper
-end

app/helpers/welcome_helper.rb

@@ -1,2 +0,0 @@
-module WelcomeHelper
-end

app/javascript/controllers/application.js

@@ -1,8 +1,9 @@
 import { Application } from "@hotwired/stimulus"
-import { Modal, Tabs } from "tailwindcss-stimulus-components"
+import { Dropdown, Modal, Tabs } from "tailwindcss-stimulus-components"
 
 const application = Application.start()
 
+application.register('dropdown', Dropdown)
 application.register('modal', Modal)
 application.register('tabs', Tabs)
 

app/javascript/controllers/nostr_login_controller.js

@@ -0,0 +1,53 @@
+import { Controller } from "@hotwired/stimulus"
+
+// Connects to data-controller="nostr-login"
+export default class extends Controller {
+  static targets = [ "loginForm", "loginButton" ]
+  static values  = { site: String, sharedSecret: String }
+
+  connect() {
+    if (window.nostr) {
+      this.loginButtonTarget.disabled = false
+      this.loginFormTarget.classList.remove("hidden")
+    }
+  }
+
+  async login () {
+    this.loginButtonTarget.disabled = true
+
+    try {
+      // Auth based on NIP-42
+      const signedEvent = await window.nostr.signEvent({
+        created_at: Math.floor(Date.now() / 1000),
+        kind: 22242,
+        tags: [
+          ["site", this.siteValue],
+          ["challenge", this.sharedSecretValue]
+        ],
+        content: ""
+      })
+
+      const res = await fetch("/users/nostr_login", {
+        method: "POST", credentials: "include", headers: {
+          "Accept": "application/json", 'Content-Type': 'application/json',
+          "X-CSRF-Token": this.csrfToken
+        }, body: JSON.stringify({ signed_event: signedEvent })
+      })
+
+      if (res.status === 200) {
+        res.json().then(r => { window.location.href = r.redirect_url })
+      } else {
+        window.location.reload()
+      }
+    } catch (error) {
+      console.warn('Unable to authenticate:', error.message)
+    } finally {
+      this.loginButtonTarget.disabled = false
+    }
+  }
+
+  get csrfToken () {
+    const element = document.head.querySelector('meta[name="csrf-token"]')
+    return element.getAttribute("content")
+  }
+}

app/javascript/controllers/settings/email/password_controller.js

@@ -0,0 +1,27 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "resetPasswordButton", "currentPasswordField" ]
+  static values = { validationFailed: Boolean }
+
+  connect () {
+    if (this.validationFailedValue) return;
+
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.remove("hidden");
+    })
+  }
+
+  showPasswordReset () {
+    this.element.querySelectorAll(".initial-visible").forEach(el => {
+      el.classList.add("hidden");
+    })
+    this.element.querySelectorAll(".initial-hidden").forEach(el => {
+      el.classList.remove("hidden");
+    })
+    this.currentPasswordFieldTarget.select();
+  }
+}

app/javascript/controllers/settings/nostr_pubkey_controller.js

@@ -1,24 +1,16 @@
 import { Controller } from "@hotwired/stimulus"
-import { bech32 } from "bech32"
-
-function hexToBytes (hex) {
-  let bytes = []
-  for (let c = 0; c < hex.length; c += 2) {
-    bytes.push(parseInt(hex.substr(c, 2), 16))
-  }
-  return bytes
-}
 
 // Connects to data-controller="settings--nostr-pubkey"
 export default class extends Controller {
   static targets = [ "noExtension", "setPubkey", "pubkeyBech32Input" ]
-  static values  = { userAddress: String, pubkeyHex: String, sharedSecret: String }
+  static values  = {
+    userAddress: String,
+    pubkeyHex: String,
+    site: String,
+    sharedSecret: String
+  }
 
   connect () {
-    if (this.hasPubkeyHexValue && this.pubkeyHexValue.length > 0) {
-      this.pubkeyBech32InputTarget.value = this.pubkeyBech32
-    }
-
     if (window.nostr) {
       if (this.hasSetPubkeyTarget) {
         this.setPubkeyTarget.disabled = false
@@ -32,11 +24,15 @@ export default class extends Controller {
     this.setPubkeyTarget.disabled = true
 
     try {
+      // Auth based on NIP-42
       const signedEvent = await window.nostr.signEvent({
         created_at: Math.floor(Date.now() / 1000),
-        kind: 1,
-        tags: [],
-        content: `Connect my public key to ${this.userAddressValue} (confirmation ${this.sharedSecretValue})`
+        kind: 22242,
+        tags: [
+          ["site", this.siteValue],
+          ["challenge", this.sharedSecretValue]
+        ],
+        content: ""
       })
 
       const res = await fetch("/settings/set_nostr_pubkey", {
@@ -53,11 +49,6 @@ export default class extends Controller {
     }
   }
 
-  get pubkeyBech32 () {
-    const words = bech32.toWords(hexToBytes(this.pubkeyHexValue))
-    return bech32.encode('npub', words)
-  }
-
   get csrfToken () {
     const element = document.head.querySelector('meta[name="csrf-token"]')
     return element.getAttribute("content")

app/jobs/btcpay_check_donation_job.rb

@@ -0,0 +1,26 @@
+class BtcpayCheckDonationJob < ApplicationJob
+  queue_as :default
+
+  def perform(donation)
+    return if donation.completed?
+
+    invoice = BtcpayManager::FetchInvoice.call(
+      invoice_id: donation.btcpay_invoice_id
+    )
+
+    case invoice["status"]
+    when "Settled"
+      donation.complete!
+
+      NotificationMailer.with(user: donation.user)
+                        .bitcoin_donation_confirmed
+                        .deliver_later
+    when "Processing"
+      re_enqueue_job(donation)
+    end
+  end
+
+  def re_enqueue_job(donation)
+    self.class.set(wait: 20.seconds).perform_later(donation)
+  end
+end

app/jobs/create_ldap_user_job.rb

@@ -1,10 +1,10 @@
 class CreateLdapUserJob < ApplicationJob
   queue_as :default
 
-  def perform(username, domain, email, hashed_pw)
+  def perform(username:, domain:, email:, hashed_pw:, confirmed: false)
     dn = "cn=#{username},ou=#{domain},cn=users,dc=kosmos,dc=org"
     attr = {
-      objectclass: ["top", "account", "person", "extensibleObject"],
+      objectclass: ["top", "account", "person", "inetOrgPerson", "extensibleObject"],
       cn: username,
       sn: username,
       uid: username,
@@ -12,6 +12,10 @@ class CreateLdapUserJob < ApplicationJob
       userPassword: hashed_pw
     }
 
+    if confirmed
+      attr[:serviceEnabled] = Setting.default_services
+    end
+
     ldap_client.add(dn: dn, attributes: attr)
   end
 

app/jobs/create_lndhub_account_job.rb

@@ -2,12 +2,12 @@ class CreateLndhubAccountJob < ApplicationJob
   queue_as :default
 
   def perform(user)
-    return if user.ln_account.present? && user.ln_password.present?
+    return if user.lndhub_username.present? && user.lndhub_password.present?
 
     lndhub = LndhubV2.new
     credentials = lndhub.create_account
 
-    user.update! ln_account: credentials["login"],
-                 ln_password: credentials["password"]
+    user.update! lndhub_username: credentials["login"],
+                 lndhub_password: credentials["password"]
   end
 end

app/jobs/nostr_publish_event_job.rb

@@ -0,0 +1,7 @@
+class NostrPublishEventJob < ApplicationJob
+  queue_as :nostr
+
+  def perform(event:, relay_url:)
+    NostrManager::PublishEvent.call(event: event, relay_url: relay_url)
+  end
+end

app/jobs/remote_storage_expire_authorization_job.rb

@@ -3,8 +3,6 @@ class RemoteStorageExpireAuthorizationJob < ApplicationJob
 
   def perform(rs_auth_id)
     rs_auth = RemoteStorageAuthorization.find rs_auth_id
-    return unless rs_auth.expire_at.nil? || rs_auth.expire_at <= DateTime.now
-
     rs_auth.destroy!
   end
 end

app/jobs/xmpp_exchange_contacts_job.rb

@@ -2,21 +2,6 @@ class XmppExchangeContactsJob < ApplicationJob
   queue_as :default
 
   def perform(inviter, invitee)
-    return unless inviter.services_enabled.include?("xmpp") &&
-                  invitee.services_enabled.include?("xmpp") &&
-                  inviter.preferences[:xmpp_exchange_contacts_with_invitees]
-
-    ejabberd = EjabberdApiClient.new
-
-    ejabberd.add_rosteritem({
-      "localuser": invitee.cn, "localhost": invitee.ou,
-      "user": inviter.cn, "host": inviter.ou,
-      "nick": inviter.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
-    })
-    ejabberd.add_rosteritem({
-      "localuser": inviter.cn, "localhost": inviter.ou,
-      "user": invitee.cn, "host": invitee.ou,
-      "nick": invitee.cn, "group": Setting.ejabberd_buddy_roster, "subs": "both"
-    })
+    EjabberdManager::ExchangeContacts.call(inviter:, invitee:)
   end
 end

app/jobs/xmpp_send_message_job.rb

@@ -2,7 +2,6 @@ class XmppSendMessageJob < ApplicationJob
   queue_as :default
 
   def perform(payload)
-    ejabberd = EjabberdApiClient.new
-    ejabberd.send_message payload
+    EjabberdManager::SendMessage.call(payload:)
   end
 end

app/jobs/xmpp_set_avatar_job.rb

@@ -0,0 +1,7 @@
+class XmppSetAvatarJob < ApplicationJob
+  queue_as :default
+
+  def perform(user:, overwrite: false)
+    EjabberdManager::SetAvatar.call(user:, overwrite:)
+  end
+end