Merge branch 'develop' into 'remove-avatar-header'

# Conflicts: # CHANGELOG.md
2019-06-23 03:25:50 +00:00 · 2019-06-23 03:25:50 +00:00 · a0c65bbd6c
commit a0c65bbd6c
parent 1452a96ad6 72f365df07
237 changed files with 8534 additions and 2226 deletions
--- a/test/web/activity_pub/activity_pub_controller_test.exs
+++ b/test/web/activity_pub/activity_pub_controller_test.exs
@ -11,6 +11,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ObjectView
  alias Pleroma.Web.ActivityPub.UserView
+  alias Pleroma.Web.ActivityPub.Utils

  setup_all do
    Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
@ -234,13 +235,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
  end

  describe "/users/:nickname/inbox" do
-    test "it inserts an incoming activity into the database", %{conn: conn} do
-      user = insert(:user)
-
+    setup do
      data =
        File.read!("test/fixtures/mastodon-post-activity.json")
        |> Poison.decode!()
-        |> Map.put("bcc", [user.ap_id])
+
+      [data: data]
+    end
+
+    test "it inserts an incoming activity into the database", %{conn: conn, data: data} do
+      user = insert(:user)
+      data = Map.put(data, "bcc", [user.ap_id])

      conn =
        conn
@ -253,16 +258,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
      assert Activity.get_by_ap_id(data["id"])
    end

-    test "it accepts messages from actors that are followed by the user", %{conn: conn} do
+    test "it accepts messages from actors that are followed by the user", %{
+      conn: conn,
+      data: data
+    } do
      recipient = insert(:user)
      actor = insert(:user, %{ap_id: "http://mastodon.example.org/users/actor"})

      {:ok, recipient} = User.follow(recipient, actor)

-      data =
-        File.read!("test/fixtures/mastodon-post-activity.json")
-        |> Poison.decode!()
-
      object =
        data["object"]
        |> Map.put("attributedTo", actor.ap_id)
@ -309,13 +313,9 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
      assert response(conn, 200) =~ note_activity.data["object"]["content"]
    end

-    test "it clears `unreachable` federation status of the sender", %{conn: conn} do
+    test "it clears `unreachable` federation status of the sender", %{conn: conn, data: data} do
      user = insert(:user)
-
-      data =
-        File.read!("test/fixtures/mastodon-post-activity.json")
-        |> Poison.decode!()
-        |> Map.put("bcc", [user.ap_id])
+      data = Map.put(data, "bcc", [user.ap_id])

      sender_host = URI.parse(data["actor"]).host
      Instances.set_consistently_unreachable(sender_host)
@ -330,6 +330,47 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubControllerTest do
      assert "ok" == json_response(conn, 200)
      assert Instances.reachable?(sender_host)
    end
+
+    test "it removes all follower collections but actor's", %{conn: conn} do
+      [actor, recipient] = insert_pair(:user)
+
+      data =
+        File.read!("test/fixtures/activitypub-client-post-activity.json")
+        |> Poison.decode!()
+
+      object = Map.put(data["object"], "attributedTo", actor.ap_id)
+
+      data =
+        data
+        |> Map.put("id", Utils.generate_object_id())
+        |> Map.put("actor", actor.ap_id)
+        |> Map.put("object", object)
+        |> Map.put("cc", [
+          recipient.follower_address,
+          actor.follower_address
+        ])
+        |> Map.put("to", [
+          recipient.ap_id,
+          recipient.follower_address,
+          "https://www.w3.org/ns/activitystreams#Public"
+        ])
+
+      conn
+      |> assign(:valid_signature, true)
+      |> put_req_header("content-type", "application/activity+json")
+      |> post("/users/#{recipient.nickname}/inbox", data)
+      |> json_response(200)
+
+      activity = Activity.get_by_ap_id(data["id"])
+
+      assert activity.id
+      assert actor.follower_address in activity.recipients
+      assert actor.follower_address in activity.data["cc"]
+
+      refute recipient.follower_address in activity.recipients
+      refute recipient.follower_address in activity.data["cc"]
+      refute recipient.follower_address in activity.data["to"]
+    end
  end

  describe "/users/:nickname/outbox" do
--- a/test/web/activity_pub/activity_pub_test.exs
+++ b/test/web/activity_pub/activity_pub_test.exs
@ -1186,4 +1186,33 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubTest do
  def data_uri do
    File.read!("test/fixtures/avatar_data_uri")
  end
+
+  describe "fetch_activities_bounded" do
+    test "fetches private posts for followed users" do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "thought I looked cute might delete later :3",
+          "visibility" => "private"
+        })
+
+      [result] = ActivityPub.fetch_activities_bounded([user.follower_address], [])
+      assert result.id == activity.id
+    end
+
+    test "fetches only public posts for other users" do
+      user = insert(:user)
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "#cofe", "visibility" => "public"})
+
+      {:ok, _private_activity} =
+        CommonAPI.post(user, %{
+          "status" => "why is tenshi eating a corndog so cute?",
+          "visibility" => "private"
+        })
+
+      [result] = ActivityPub.fetch_activities_bounded([], [user.follower_address])
+      assert result.id == activity.id
+    end
+  end
 end
--- a/test/web/activity_pub/mrf/anti_link_spam_policy_test.exs
+++ b/test/web/activity_pub/mrf/anti_link_spam_policy_test.exs
@ -0,0 +1,140 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.MRF.AntiLinkSpamPolicyTest do
+  use Pleroma.DataCase
+  import Pleroma.Factory
+
+  alias Pleroma.Web.ActivityPub.MRF.AntiLinkSpamPolicy
+
+  @linkless_message %{
+    "type" => "Create",
+    "object" => %{
+      "content" => "hi world!"
+    }
+  }
+
+  @linkful_message %{
+    "type" => "Create",
+    "object" => %{
+      "content" => "<a href='https://example.com'>hi world!</a>"
+    }
+  }
+
+  @response_message %{
+    "type" => "Create",
+    "object" => %{
+      "name" => "yes",
+      "type" => "Answer"
+    }
+  }
+
+  describe "with new user" do
+    test "it allows posts without links" do
+      user = insert(:user)
+
+      assert user.info.note_count == 0
+
+      message =
+        @linkless_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+
+    test "it disallows posts with links" do
+      user = insert(:user)
+
+      assert user.info.note_count == 0
+
+      message =
+        @linkful_message
+        |> Map.put("actor", user.ap_id)
+
+      {:reject, _} = AntiLinkSpamPolicy.filter(message)
+    end
+  end
+
+  describe "with old user" do
+    test "it allows posts without links" do
+      user = insert(:user, info: %{note_count: 1})
+
+      assert user.info.note_count == 1
+
+      message =
+        @linkless_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+
+    test "it allows posts with links" do
+      user = insert(:user, info: %{note_count: 1})
+
+      assert user.info.note_count == 1
+
+      message =
+        @linkful_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+  end
+
+  describe "with followed new user" do
+    test "it allows posts without links" do
+      user = insert(:user, info: %{follower_count: 1})
+
+      assert user.info.follower_count == 1
+
+      message =
+        @linkless_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+
+    test "it allows posts with links" do
+      user = insert(:user, info: %{follower_count: 1})
+
+      assert user.info.follower_count == 1
+
+      message =
+        @linkful_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+  end
+
+  describe "with unknown actors" do
+    test "it rejects posts without links" do
+      message =
+        @linkless_message
+        |> Map.put("actor", "http://invalid.actor")
+
+      {:reject, _} = AntiLinkSpamPolicy.filter(message)
+    end
+
+    test "it rejects posts with links" do
+      message =
+        @linkful_message
+        |> Map.put("actor", "http://invalid.actor")
+
+      {:reject, _} = AntiLinkSpamPolicy.filter(message)
+    end
+  end
+
+  describe "with contentless-objects" do
+    test "it does not reject them or error out" do
+      user = insert(:user, info: %{note_count: 1})
+
+      message =
+        @response_message
+        |> Map.put("actor", user.ap_id)
+
+      {:ok, _message} = AntiLinkSpamPolicy.filter(message)
+    end
+  end
+end
--- a/test/web/activity_pub/mrf/simple_policy_test.exs
+++ b/test/web/activity_pub/mrf/simple_policy_test.exs
@ -145,6 +145,24 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicyTest do

      assert SimplePolicy.filter(local_message) == {:ok, local_message}
    end
+
+    test "has a matching host but only as:Public in to" do
+      {_actor, ftl_message} = build_ftl_actor_and_message()
+
+      ftl_message_actor_host =
+        ftl_message
+        |> Map.fetch!("actor")
+        |> URI.parse()
+        |> Map.fetch!(:host)
+
+      ftl_message = Map.put(ftl_message, "cc", [])
+
+      Config.put([:mrf_simple, :federated_timeline_removal], [ftl_message_actor_host])
+
+      assert {:ok, ftl_message} = SimplePolicy.filter(ftl_message)
+      refute "https://www.w3.org/ns/activitystreams#Public" in ftl_message["to"]
+      assert "https://www.w3.org/ns/activitystreams#Public" in ftl_message["cc"]
+    end
  end

  defp build_ftl_actor_and_message do
--- a/test/web/activity_pub/mrf/subchain_policy_test.exs
+++ b/test/web/activity_pub/mrf/subchain_policy_test.exs
@ -0,0 +1,32 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.MRF.SubchainPolicyTest do
+  use Pleroma.DataCase
+
+  alias Pleroma.Web.ActivityPub.MRF.DropPolicy
+  alias Pleroma.Web.ActivityPub.MRF.SubchainPolicy
+
+  @message %{
+    "actor" => "https://banned.com",
+    "type" => "Create",
+    "object" => %{"content" => "hi"}
+  }
+
+  test "it matches and processes subchains when the actor matches a configured target" do
+    Pleroma.Config.put([:mrf_subchain, :match_actor], %{
+      ~r/^https:\/\/banned.com/s => [DropPolicy]
+    })
+
+    {:reject, _} = SubchainPolicy.filter(@message)
+  end
+
+  test "it doesn't match and process subchains when the actor doesn't match a configured target" do
+    Pleroma.Config.put([:mrf_subchain, :match_actor], %{
+      ~r/^https:\/\/borked.com/s => [DropPolicy]
+    })
+
+    {:ok, _message} = SubchainPolicy.filter(@message)
+  end
+end
--- a/test/web/activity_pub/transmogrifier/follow_handling_test.exs
+++ b/test/web/activity_pub/transmogrifier/follow_handling_test.exs
@ -0,0 +1,143 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.Transmogrifier.FollowHandlingTest do
+  use Pleroma.DataCase
+  alias Pleroma.Activity
+  alias Pleroma.Repo
+  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.Transmogrifier
+  alias Pleroma.Web.ActivityPub.Utils
+
+  import Pleroma.Factory
+  import Ecto.Query
+
+  setup_all do
+    Tesla.Mock.mock_global(fn env -> apply(HttpRequestMock, :request, [env]) end)
+    :ok
+  end
+
+  describe "handle_incoming" do
+    test "it works for incoming follow requests" do
+      user = insert(:user)
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+
+      {:ok, %Activity{data: data, local: false} = activity} = Transmogrifier.handle_incoming(data)
+
+      assert data["actor"] == "http://mastodon.example.org/users/admin"
+      assert data["type"] == "Follow"
+      assert data["id"] == "http://mastodon.example.org/users/admin#follows/2"
+
+      activity = Repo.get(Activity, activity.id)
+      assert activity.data["state"] == "accept"
+      assert User.following?(User.get_cached_by_ap_id(data["actor"]), user)
+    end
+
+    test "with locked accounts, it does not create a follow or an accept" do
+      user = insert(:user, info: %{locked: true})
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+
+      {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
+
+      assert data["state"] == "pending"
+
+      refute User.following?(User.get_cached_by_ap_id(data["actor"]), user)
+
+      accepts =
+        from(
+          a in Activity,
+          where: fragment("?->>'type' = ?", a.data, "Accept")
+        )
+        |> Repo.all()
+
+      assert length(accepts) == 0
+    end
+
+    test "it works for follow requests when you are already followed, creating a new accept activity" do
+      # This is important because the remote might have the wrong idea about the
+      # current follow status. This can lead to instance A thinking that x@A is
+      # followed by y@B, but B thinks they are not. In this case, the follow can
+      # never go through again because it will never get an Accept.
+      user = insert(:user)
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+
+      {:ok, %Activity{local: false}} = Transmogrifier.handle_incoming(data)
+
+      accepts =
+        from(
+          a in Activity,
+          where: fragment("?->>'type' = ?", a.data, "Accept")
+        )
+        |> Repo.all()
+
+      assert length(accepts) == 1
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("id", String.replace(data["id"], "2", "3"))
+        |> Map.put("object", user.ap_id)
+
+      {:ok, %Activity{local: false}} = Transmogrifier.handle_incoming(data)
+
+      accepts =
+        from(
+          a in Activity,
+          where: fragment("?->>'type' = ?", a.data, "Accept")
+        )
+        |> Repo.all()
+
+      assert length(accepts) == 2
+    end
+
+    test "it rejects incoming follow requests from blocked users when deny_follow_blocked is enabled" do
+      Pleroma.Config.put([:user, :deny_follow_blocked], true)
+
+      user = insert(:user)
+      {:ok, target} = User.get_or_fetch("http://mastodon.example.org/users/admin")
+
+      {:ok, user} = User.block(user, target)
+
+      data =
+        File.read!("test/fixtures/mastodon-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+
+      {:ok, %Activity{data: %{"id" => id}}} = Transmogrifier.handle_incoming(data)
+
+      %Activity{} = activity = Activity.get_by_ap_id(id)
+
+      assert activity.data["state"] == "reject"
+    end
+
+    test "it works for incoming follow requests from hubzilla" do
+      user = insert(:user)
+
+      data =
+        File.read!("test/fixtures/hubzilla-follow-activity.json")
+        |> Poison.decode!()
+        |> Map.put("object", user.ap_id)
+        |> Utils.normalize_params()
+
+      {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
+
+      assert data["actor"] == "https://hubzilla.example.org/channel/kaniini"
+      assert data["type"] == "Follow"
+      assert data["id"] == "https://hubzilla.example.org/channel/kaniini#follows/2"
+      assert User.following?(User.get_cached_by_ap_id(data["actor"]), user)
+    end
+  end
+end
--- a/test/web/activity_pub/transmogrifier_test.exs
+++ b/test/web/activity_pub/transmogrifier_test.exs
@ -11,11 +11,11 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Transmogrifier
-  alias Pleroma.Web.ActivityPub.Utils
  alias Pleroma.Web.OStatus
  alias Pleroma.Web.Websub.WebsubClientSubscription

  import Pleroma.Factory
+  import ExUnit.CaptureLog
  alias Pleroma.Web.CommonAPI

  setup_all do
@ -61,6 +61,24 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
      assert returned_object.data["inReplyToAtomUri"] == "https://shitposter.club/notice/2827873"
    end

+    test "it does not crash if the object in inReplyTo can't be fetched" do
+      data =
+        File.read!("test/fixtures/mastodon-post-activity.json")
+        |> Poison.decode!()
+
+      object =
+        data["object"]
+        |> Map.put("inReplyTo", "https://404.site/whatever")
+
+      data =
+        data
+        |> Map.put("object", object)
+
+      assert capture_log(fn ->
+               {:ok, _returned_activity} = Transmogrifier.handle_incoming(data)
+             end) =~ "[error] Couldn't fetch \"\"https://404.site/whatever\"\", error: nil"
+    end
+
    test "it works for incoming notices" do
      data = File.read!("test/fixtures/mastodon-post-activity.json") |> Poison.decode!()

@ -113,6 +131,55 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
      assert Enum.at(object.data["tag"], 2) == "moo"
    end

+    test "it works for incoming questions" do
+      data = File.read!("test/fixtures/mastodon-question-activity.json") |> Poison.decode!()
+
+      {:ok, %Activity{local: false} = activity} = Transmogrifier.handle_incoming(data)
+
+      object = Object.normalize(activity)
+
+      assert Enum.all?(object.data["oneOf"], fn choice ->
+               choice["name"] in [
+                 "Dunno",
+                 "Everyone knows that!",
+                 "25 char limit is dumb",
+                 "I can't even fit a funny"
+               ]
+             end)
+    end
+
+    test "it rewrites Note votes to Answers and increments vote counters on question activities" do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "suya...",
+          "poll" => %{"options" => ["suya", "suya.", "suya.."], "expires_in" => 10}
+        })
+
+      object = Object.normalize(activity)
+
+      data =
+        File.read!("test/fixtures/mastodon-vote.json")
+        |> Poison.decode!()
+        |> Kernel.put_in(["to"], user.ap_id)
+        |> Kernel.put_in(["object", "inReplyTo"], object.data["id"])
+        |> Kernel.put_in(["object", "to"], user.ap_id)
+
+      {:ok, %Activity{local: false} = activity} = Transmogrifier.handle_incoming(data)
+      answer_object = Object.normalize(activity)
+      assert answer_object.data["type"] == "Answer"
+      object = Object.get_by_ap_id(object.data["id"])
+
+      assert Enum.any?(
+               object.data["oneOf"],
+               fn
+                 %{"name" => "suya..", "replies" => %{"totalItems" => 1}} -> true
+                 _ -> false
+               end
+             )
+    end
+
    test "it works for incoming notices with contentMap" do
      data =
        File.read!("test/fixtures/mastodon-post-activity-contentmap.json") |> Poison.decode!()
@ -199,59 +266,6 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
      assert object_data["cc"] == to
    end

-    test "it works for incoming follow requests" do
-      user = insert(:user)
-
-      data =
-        File.read!("test/fixtures/mastodon-follow-activity.json")
-        |> Poison.decode!()
-        |> Map.put("object", user.ap_id)
-
-      {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
-
-      assert data["actor"] == "http://mastodon.example.org/users/admin"
-      assert data["type"] == "Follow"
-      assert data["id"] == "http://mastodon.example.org/users/admin#follows/2"
-      assert User.following?(User.get_cached_by_ap_id(data["actor"]), user)
-    end
-
-    test "it rejects incoming follow requests from blocked users when deny_follow_blocked is enabled" do
-      Pleroma.Config.put([:user, :deny_follow_blocked], true)
-
-      user = insert(:user)
-      {:ok, target} = User.get_or_fetch("http://mastodon.example.org/users/admin")
-
-      {:ok, user} = User.block(user, target)
-
-      data =
-        File.read!("test/fixtures/mastodon-follow-activity.json")
-        |> Poison.decode!()
-        |> Map.put("object", user.ap_id)
-
-      {:ok, %Activity{data: %{"id" => id}}} = Transmogrifier.handle_incoming(data)
-
-      %Activity{} = activity = Activity.get_by_ap_id(id)
-
-      assert activity.data["state"] == "reject"
-    end
-
-    test "it works for incoming follow requests from hubzilla" do
-      user = insert(:user)
-
-      data =
-        File.read!("test/fixtures/hubzilla-follow-activity.json")
-        |> Poison.decode!()
-        |> Map.put("object", user.ap_id)
-        |> Utils.normalize_params()
-
-      {:ok, %Activity{data: data, local: false}} = Transmogrifier.handle_incoming(data)
-
-      assert data["actor"] == "https://hubzilla.example.org/channel/kaniini"
-      assert data["type"] == "Follow"
-      assert data["id"] == "https://hubzilla.example.org/channel/kaniini#follows/2"
-      assert User.following?(User.get_cached_by_ap_id(data["actor"]), user)
-    end
-
    test "it works for incoming likes" do
      user = insert(:user)
      {:ok, activity} = CommonAPI.post(user, %{"status" => "hello"})
@ -505,7 +519,10 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
        data
        |> Map.put("object", object)

-      :error = Transmogrifier.handle_incoming(data)
+      assert capture_log(fn ->
+               :error = Transmogrifier.handle_incoming(data)
+             end) =~
+               "[error] Could not decode user at fetch http://mastodon.example.org/users/gargron, {:error, {:error, :nxdomain}}"

      assert Activity.get_by_id(activity.id)
    end
@ -1209,4 +1226,85 @@ defmodule Pleroma.Web.ActivityPub.TransmogrifierTest do
      {:ok, _} = Transmogrifier.prepare_outgoing(activity.data)
    end
  end
+
+  test "Rewrites Answers to Notes" do
+    user = insert(:user)
+
+    {:ok, poll_activity} =
+      CommonAPI.post(user, %{
+        "status" => "suya...",
+        "poll" => %{"options" => ["suya", "suya.", "suya.."], "expires_in" => 10}
+      })
+
+    poll_object = Object.normalize(poll_activity)
+    # TODO: Replace with CommonAPI vote creation when implemented
+    data =
+      File.read!("test/fixtures/mastodon-vote.json")
+      |> Poison.decode!()
+      |> Kernel.put_in(["to"], user.ap_id)
+      |> Kernel.put_in(["object", "inReplyTo"], poll_object.data["id"])
+      |> Kernel.put_in(["object", "to"], user.ap_id)
+
+    {:ok, %Activity{local: false} = activity} = Transmogrifier.handle_incoming(data)
+    {:ok, data} = Transmogrifier.prepare_outgoing(activity.data)
+
+    assert data["object"]["type"] == "Note"
+  end
+
+  describe "fix_explicit_addressing" do
+    setup do
+      user = insert(:user)
+      [user: user]
+    end
+
+    test "moves non-explicitly mentioned actors to cc", %{user: user} do
+      explicitly_mentioned_actors = [
+        "https://pleroma.gold/users/user1",
+        "https://pleroma.gold/user2"
+      ]
+
+      object = %{
+        "actor" => user.ap_id,
+        "to" => explicitly_mentioned_actors ++ ["https://social.beepboop.ga/users/dirb"],
+        "cc" => [],
+        "tag" =>
+          Enum.map(explicitly_mentioned_actors, fn href ->
+            %{"type" => "Mention", "href" => href}
+          end)
+      }
+
+      fixed_object = Transmogrifier.fix_explicit_addressing(object)
+      assert Enum.all?(explicitly_mentioned_actors, &(&1 in fixed_object["to"]))
+      refute "https://social.beepboop.ga/users/dirb" in fixed_object["to"]
+      assert "https://social.beepboop.ga/users/dirb" in fixed_object["cc"]
+    end
+
+    test "does not move actor's follower collection to cc", %{user: user} do
+      object = %{
+        "actor" => user.ap_id,
+        "to" => [user.follower_address],
+        "cc" => []
+      }
+
+      fixed_object = Transmogrifier.fix_explicit_addressing(object)
+      assert user.follower_address in fixed_object["to"]
+      refute user.follower_address in fixed_object["cc"]
+    end
+
+    test "removes recipient's follower collection from cc", %{user: user} do
+      recipient = insert(:user)
+
+      object = %{
+        "actor" => user.ap_id,
+        "to" => [recipient.ap_id, "https://www.w3.org/ns/activitystreams#Public"],
+        "cc" => [user.follower_address, recipient.follower_address]
+      }
+
+      fixed_object = Transmogrifier.fix_explicit_addressing(object)
+
+      assert user.follower_address in fixed_object["cc"]
+      refute recipient.follower_address in fixed_object["cc"]
+      refute recipient.follower_address in fixed_object["to"]
+    end
+  end
 end
--- a/test/web/activity_pub/utils_test.exs
+++ b/test/web/activity_pub/utils_test.exs
@ -1,6 +1,8 @@
 defmodule Pleroma.Web.ActivityPub.UtilsTest do
  use Pleroma.DataCase
  alias Pleroma.Activity
+  alias Pleroma.Object
+  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Utils
@ -204,4 +206,93 @@ defmodule Pleroma.Web.ActivityPub.UtilsTest do
             ]
           }
  end
+
+  describe "get_existing_votes" do
+    test "fetches existing votes" do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "How do I pronounce LaTeX?",
+          "poll" => %{
+            "options" => ["laytekh", "lahtekh", "latex"],
+            "expires_in" => 20,
+            "multiple" => true
+          }
+        })
+
+      object = Object.normalize(activity)
+      {:ok, votes, object} = CommonAPI.vote(other_user, object, [0, 1])
+      assert Enum.sort(Utils.get_existing_votes(other_user.ap_id, object)) == Enum.sort(votes)
+    end
+
+    test "fetches only Create activities" do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Are we living in a society?",
+          "poll" => %{
+            "options" => ["yes", "no"],
+            "expires_in" => 20
+          }
+        })
+
+      object = Object.normalize(activity)
+      {:ok, [vote], object} = CommonAPI.vote(other_user, object, [0])
+      vote_object = Object.normalize(vote)
+      {:ok, _activity, _object} = ActivityPub.like(user, vote_object)
+      [fetched_vote] = Utils.get_existing_votes(other_user.ap_id, object)
+      assert fetched_vote.id == vote.id
+    end
+  end
+
+  describe "update_follow_state_for_all/2" do
+    test "updates the state of all Follow activities with the same actor and object" do
+      user = insert(:user, info: %{locked: true})
+      follower = insert(:user)
+
+      {:ok, follow_activity} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_two} = ActivityPub.follow(follower, user)
+
+      data =
+        follow_activity_two.data
+        |> Map.put("state", "accept")
+
+      cng = Ecto.Changeset.change(follow_activity_two, data: data)
+
+      {:ok, follow_activity_two} = Repo.update(cng)
+
+      {:ok, follow_activity_two} =
+        Utils.update_follow_state_for_all(follow_activity_two, "accept")
+
+      assert Repo.get(Activity, follow_activity.id).data["state"] == "accept"
+      assert Repo.get(Activity, follow_activity_two.id).data["state"] == "accept"
+    end
+  end
+
+  describe "update_follow_state/2" do
+    test "updates the state of the given follow activity" do
+      user = insert(:user, info: %{locked: true})
+      follower = insert(:user)
+
+      {:ok, follow_activity} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_two} = ActivityPub.follow(follower, user)
+
+      data =
+        follow_activity_two.data
+        |> Map.put("state", "accept")
+
+      cng = Ecto.Changeset.change(follow_activity_two, data: data)
+
+      {:ok, follow_activity_two} = Repo.update(cng)
+
+      {:ok, follow_activity_two} = Utils.update_follow_state(follow_activity_two, "reject")
+
+      assert Repo.get(Activity, follow_activity.id).data["state"] == "pending"
+      assert Repo.get(Activity, follow_activity_two.id).data["state"] == "reject"
+    end
+  end
 end
--- a/test/web/activity_pub/visibilty_test.exs
+++ b/test/web/activity_pub/visibilty_test.exs
@ -1,6 +1,7 @@
 defmodule Pleroma.Web.ActivityPub.VisibilityTest do
  use Pleroma.DataCase

+  alias Pleroma.Activity
  alias Pleroma.Web.ActivityPub.Visibility
  alias Pleroma.Web.CommonAPI
  import Pleroma.Factory
@ -117,4 +118,50 @@ defmodule Pleroma.Web.ActivityPub.VisibilityTest do
    assert Visibility.get_visibility(direct) == "direct"
    assert Visibility.get_visibility(unlisted) == "unlisted"
  end
+
+  test "get_visibility with directMessage flag" do
+    assert Visibility.get_visibility(%{data: %{"directMessage" => true}}) == "direct"
+  end
+
+  describe "entire_thread_visible_for_user?/2" do
+    test "returns false if not found activity", %{user: user} do
+      refute Visibility.entire_thread_visible_for_user?(%Activity{}, user)
+    end
+
+    test "returns true if activity hasn't 'Create' type", %{user: user} do
+      activity = insert(:like_activity)
+      assert Visibility.entire_thread_visible_for_user?(activity, user)
+    end
+
+    test "returns false when invalid recipients", %{user: user} do
+      author = insert(:user)
+
+      activity =
+        insert(:note_activity,
+          note:
+            insert(:note,
+              user: author,
+              data: %{"to" => ["test-user"]}
+            )
+        )
+
+      refute Visibility.entire_thread_visible_for_user?(activity, user)
+    end
+
+    test "returns true if user following to author" do
+      author = insert(:user)
+      user = insert(:user, following: [author.ap_id])
+
+      activity =
+        insert(:note_activity,
+          note:
+            insert(:note,
+              user: author,
+              data: %{"to" => [user.ap_id]}
+            )
+        )
+
+      assert Visibility.entire_thread_visible_for_user?(activity, user)
+    end
+  end
 end
--- a/test/web/admin_api/admin_api_controller_test.exs
+++ b/test/web/admin_api/admin_api_controller_test.exs
@ -437,27 +437,31 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      user = insert(:user, local: false, tags: ["foo", "bar"])
      conn = get(conn, "/api/pleroma/admin/users?page=1")

+      users =
+        [
+          %{
+            "deactivated" => admin.info.deactivated,
+            "id" => admin.id,
+            "nickname" => admin.nickname,
+            "roles" => %{"admin" => true, "moderator" => false},
+            "local" => true,
+            "tags" => []
+          },
+          %{
+            "deactivated" => user.info.deactivated,
+            "id" => user.id,
+            "nickname" => user.nickname,
+            "roles" => %{"admin" => false, "moderator" => false},
+            "local" => false,
+            "tags" => ["foo", "bar"]
+          }
+        ]
+        |> Enum.sort_by(& &1["nickname"])
+
      assert json_response(conn, 200) == %{
               "count" => 2,
               "page_size" => 50,
-               "users" => [
-                 %{
-                   "deactivated" => admin.info.deactivated,
-                   "id" => admin.id,
-                   "nickname" => admin.nickname,
-                   "roles" => %{"admin" => true, "moderator" => false},
-                   "local" => true,
-                   "tags" => []
-                 },
-                 %{
-                   "deactivated" => user.info.deactivated,
-                   "id" => user.id,
-                   "nickname" => user.nickname,
-                   "roles" => %{"admin" => false, "moderator" => false},
-                   "local" => false,
-                   "tags" => ["foo", "bar"]
-                 }
-               ]
+               "users" => users
             }
    end

@ -659,35 +663,39 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
        |> assign(:user, admin)
        |> get("/api/pleroma/admin/users?filters=local")

+      users =
+        [
+          %{
+            "deactivated" => user.info.deactivated,
+            "id" => user.id,
+            "nickname" => user.nickname,
+            "roles" => %{"admin" => false, "moderator" => false},
+            "local" => true,
+            "tags" => []
+          },
+          %{
+            "deactivated" => admin.info.deactivated,
+            "id" => admin.id,
+            "nickname" => admin.nickname,
+            "roles" => %{"admin" => true, "moderator" => false},
+            "local" => true,
+            "tags" => []
+          },
+          %{
+            "deactivated" => false,
+            "id" => old_admin.id,
+            "local" => true,
+            "nickname" => old_admin.nickname,
+            "roles" => %{"admin" => true, "moderator" => false},
+            "tags" => []
+          }
+        ]
+        |> Enum.sort_by(& &1["nickname"])
+
      assert json_response(conn, 200) == %{
               "count" => 3,
               "page_size" => 50,
-               "users" => [
-                 %{
-                   "deactivated" => user.info.deactivated,
-                   "id" => user.id,
-                   "nickname" => user.nickname,
-                   "roles" => %{"admin" => false, "moderator" => false},
-                   "local" => true,
-                   "tags" => []
-                 },
-                 %{
-                   "deactivated" => admin.info.deactivated,
-                   "id" => admin.id,
-                   "nickname" => admin.nickname,
-                   "roles" => %{"admin" => true, "moderator" => false},
-                   "local" => true,
-                   "tags" => []
-                 },
-                 %{
-                   "deactivated" => false,
-                   "id" => old_admin.id,
-                   "local" => true,
-                   "nickname" => old_admin.nickname,
-                   "roles" => %{"admin" => true, "moderator" => false},
-                   "tags" => []
-                 }
-               ]
+               "users" => users
             }
    end

@ -698,27 +706,31 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do

      conn = get(conn, "/api/pleroma/admin/users?filters=is_admin")

+      users =
+        [
+          %{
+            "deactivated" => false,
+            "id" => admin.id,
+            "nickname" => admin.nickname,
+            "roles" => %{"admin" => true, "moderator" => false},
+            "local" => admin.local,
+            "tags" => []
+          },
+          %{
+            "deactivated" => false,
+            "id" => second_admin.id,
+            "nickname" => second_admin.nickname,
+            "roles" => %{"admin" => true, "moderator" => false},
+            "local" => second_admin.local,
+            "tags" => []
+          }
+        ]
+        |> Enum.sort_by(& &1["nickname"])
+
      assert json_response(conn, 200) == %{
               "count" => 2,
               "page_size" => 50,
-               "users" => [
-                 %{
-                   "deactivated" => false,
-                   "id" => admin.id,
-                   "nickname" => admin.nickname,
-                   "roles" => %{"admin" => true, "moderator" => false},
-                   "local" => admin.local,
-                   "tags" => []
-                 },
-                 %{
-                   "deactivated" => false,
-                   "id" => second_admin.id,
-                   "nickname" => second_admin.nickname,
-                   "roles" => %{"admin" => true, "moderator" => false},
-                   "local" => second_admin.local,
-                   "tags" => []
-                 }
-               ]
+               "users" => users
             }
    end

@ -753,27 +765,31 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do

      conn = get(conn, "/api/pleroma/admin/users?tags[]=first&tags[]=second")

+      users =
+        [
+          %{
+            "deactivated" => false,
+            "id" => user1.id,
+            "nickname" => user1.nickname,
+            "roles" => %{"admin" => false, "moderator" => false},
+            "local" => user1.local,
+            "tags" => ["first"]
+          },
+          %{
+            "deactivated" => false,
+            "id" => user2.id,
+            "nickname" => user2.nickname,
+            "roles" => %{"admin" => false, "moderator" => false},
+            "local" => user2.local,
+            "tags" => ["second"]
+          }
+        ]
+        |> Enum.sort_by(& &1["nickname"])
+
      assert json_response(conn, 200) == %{
               "count" => 2,
               "page_size" => 50,
-               "users" => [
-                 %{
-                   "deactivated" => false,
-                   "id" => user1.id,
-                   "nickname" => user1.nickname,
-                   "roles" => %{"admin" => false, "moderator" => false},
-                   "local" => user1.local,
-                   "tags" => ["first"]
-                 },
-                 %{
-                   "deactivated" => false,
-                   "id" => user2.id,
-                   "nickname" => user2.nickname,
-                   "roles" => %{"admin" => false, "moderator" => false},
-                   "local" => user2.local,
-                   "tags" => ["second"]
-                 }
-               ]
+               "users" => users
             }
    end

@ -1276,4 +1292,176 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIControllerTest do
      assert json_response(conn, :bad_request) == "Could not delete"
    end
  end
+
+  describe "GET /api/pleroma/admin/config" do
+    setup %{conn: conn} do
+      admin = insert(:user, info: %{is_admin: true})
+
+      %{conn: assign(conn, :user, admin)}
+    end
+
+    test "without any settings in db", %{conn: conn} do
+      conn = get(conn, "/api/pleroma/admin/config")
+
+      assert json_response(conn, 200) == %{"configs" => []}
+    end
+
+    test "with settings in db", %{conn: conn} do
+      config1 = insert(:config)
+      config2 = insert(:config)
+
+      conn = get(conn, "/api/pleroma/admin/config")
+
+      %{
+        "configs" => [
+          %{
+            "key" => key1,
+            "value" => _
+          },
+          %{
+            "key" => key2,
+            "value" => _
+          }
+        ]
+      } = json_response(conn, 200)
+
+      assert key1 == config1.key
+      assert key2 == config2.key
+    end
+  end
+
+  describe "POST /api/pleroma/admin/config" do
+    setup %{conn: conn} do
+      admin = insert(:user, info: %{is_admin: true})
+
+      temp_file = "config/test.exported_from_db.secret.exs"
+
+      on_exit(fn ->
+        Application.delete_env(:pleroma, :key1)
+        Application.delete_env(:pleroma, :key2)
+        Application.delete_env(:pleroma, :key3)
+        Application.delete_env(:pleroma, :key4)
+        Application.delete_env(:pleroma, :keyaa1)
+        Application.delete_env(:pleroma, :keyaa2)
+        :ok = File.rm(temp_file)
+      end)
+
+      dynamic = Pleroma.Config.get([:instance, :dynamic_configuration])
+
+      Pleroma.Config.put([:instance, :dynamic_configuration], true)
+
+      on_exit(fn ->
+        Pleroma.Config.put([:instance, :dynamic_configuration], dynamic)
+      end)
+
+      %{conn: assign(conn, :user, admin)}
+    end
+
+    test "create new config setting in db", %{conn: conn} do
+      conn =
+        post(conn, "/api/pleroma/admin/config", %{
+          configs: [
+            %{key: "key1", value: "value1"},
+            %{
+              key: "key2",
+              value: %{
+                "nested_1" => "nested_value1",
+                "nested_2" => [
+                  %{"nested_22" => "nested_value222"},
+                  %{"nested_33" => %{"nested_44" => "nested_444"}}
+                ]
+              }
+            },
+            %{
+              key: "key3",
+              value: [
+                %{"nested_3" => ":nested_3", "nested_33" => "nested_33"},
+                %{"nested_4" => ":true"}
+              ]
+            },
+            %{
+              key: "key4",
+              value: %{"nested_5" => ":upload", "endpoint" => "https://example.com"}
+            }
+          ]
+        })
+
+      assert json_response(conn, 200) == %{
+               "configs" => [
+                 %{
+                   "key" => "key1",
+                   "value" => "value1"
+                 },
+                 %{
+                   "key" => "key2",
+                   "value" => [
+                     %{"nested_1" => "nested_value1"},
+                     %{
+                       "nested_2" => [
+                         %{"nested_22" => "nested_value222"},
+                         %{"nested_33" => %{"nested_44" => "nested_444"}}
+                       ]
+                     }
+                   ]
+                 },
+                 %{
+                   "key" => "key3",
+                   "value" => [
+                     [%{"nested_3" => "nested_3"}, %{"nested_33" => "nested_33"}],
+                     %{"nested_4" => true}
+                   ]
+                 },
+                 %{
+                   "key" => "key4",
+                   "value" => [%{"endpoint" => "https://example.com"}, %{"nested_5" => "upload"}]
+                 }
+               ]
+             }
+
+      assert Application.get_env(:pleroma, :key1) == "value1"
+
+      assert Application.get_env(:pleroma, :key2) == [
+               nested_1: "nested_value1",
+               nested_2: [
+                 [nested_22: "nested_value222"],
+                 [nested_33: [nested_44: "nested_444"]]
+               ]
+             ]
+
+      assert Application.get_env(:pleroma, :key3) == [
+               [nested_3: :nested_3, nested_33: "nested_33"],
+               [nested_4: true]
+             ]
+
+      assert Application.get_env(:pleroma, :key4) == [
+               endpoint: "https://example.com",
+               nested_5: :upload
+             ]
+    end
+
+    test "update config setting & delete", %{conn: conn} do
+      config1 = insert(:config, key: "keyaa1")
+      config2 = insert(:config, key: "keyaa2")
+
+      conn =
+        post(conn, "/api/pleroma/admin/config", %{
+          configs: [
+            %{key: config1.key, value: "another_value"},
+            %{key: config2.key, delete: "true"}
+          ]
+        })
+
+      assert json_response(conn, 200) == %{
+               "configs" => [
+                 %{
+                   "key" => config1.key,
+                   "value" => "another_value"
+                 }
+               ]
+             }
+
+      assert Application.get_env(:pleroma, :keyaa1) == "another_value"
+      refute Application.get_env(:pleroma, :keyaa2)
+    end
+  end
 end
--- a/test/web/admin_api/config_test.exs
+++ b/test/web/admin_api/config_test.exs
@ -0,0 +1,183 @@
+defmodule Pleroma.Web.AdminAPI.ConfigTest do
+  use Pleroma.DataCase, async: true
+  import Pleroma.Factory
+  alias Pleroma.Web.AdminAPI.Config
+
+  test "get_by_key/1" do
+    config = insert(:config)
+    insert(:config)
+
+    assert config == Config.get_by_key(config.key)
+  end
+
+  test "create/1" do
+    {:ok, config} = Config.create(%{key: "some_key", value: "some_value"})
+    assert config == Config.get_by_key("some_key")
+  end
+
+  test "update/1" do
+    config = insert(:config)
+    {:ok, updated} = Config.update(config, %{value: "some_value"})
+    loaded = Config.get_by_key(config.key)
+    assert loaded == updated
+  end
+
+  test "update_or_create/1" do
+    config = insert(:config)
+    key2 = "another_key"
+
+    params = [
+      %{key: key2, value: "another_value"},
+      %{key: config.key, value: "new_value"}
+    ]
+
+    assert Repo.all(Config) |> length() == 1
+
+    Enum.each(params, &Config.update_or_create(&1))
+
+    assert Repo.all(Config) |> length() == 2
+
+    config1 = Config.get_by_key(config.key)
+    config2 = Config.get_by_key(key2)
+
+    assert config1.value == Config.transform("new_value")
+    assert config2.value == Config.transform("another_value")
+  end
+
+  test "delete/1" do
+    config = insert(:config)
+    {:ok, _} = Config.delete(config.key)
+    refute Config.get_by_key(config.key)
+  end
+
+  describe "transform/1" do
+    test "string" do
+      binary = Config.transform("value as string")
+      assert binary == :erlang.term_to_binary("value as string")
+      assert Config.from_binary(binary) == "value as string"
+    end
+
+    test "list of modules" do
+      binary = Config.transform(["Pleroma.Repo", "Pleroma.Activity"])
+      assert binary == :erlang.term_to_binary([Pleroma.Repo, Pleroma.Activity])
+      assert Config.from_binary(binary) == [Pleroma.Repo, Pleroma.Activity]
+    end
+
+    test "list of strings" do
+      binary = Config.transform(["string1", "string2"])
+      assert binary == :erlang.term_to_binary(["string1", "string2"])
+      assert Config.from_binary(binary) == ["string1", "string2"]
+    end
+
+    test "map" do
+      binary =
+        Config.transform(%{
+          "types" => "Pleroma.PostgresTypes",
+          "telemetry_event" => ["Pleroma.Repo.Instrumenter"],
+          "migration_lock" => ""
+        })
+
+      assert binary ==
+               :erlang.term_to_binary(
+                 telemetry_event: [Pleroma.Repo.Instrumenter],
+                 types: Pleroma.PostgresTypes
+               )
+
+      assert Config.from_binary(binary) == [
+               telemetry_event: [Pleroma.Repo.Instrumenter],
+               types: Pleroma.PostgresTypes
+             ]
+    end
+
+    test "complex map with nested integers, lists and atoms" do
+      binary =
+        Config.transform(%{
+          "uploader" => "Pleroma.Uploaders.Local",
+          "filters" => ["Pleroma.Upload.Filter.Dedupe"],
+          "link_name" => ":true",
+          "proxy_remote" => ":false",
+          "proxy_opts" => %{
+            "redirect_on_failure" => ":false",
+            "max_body_length" => "i:1048576",
+            "http" => %{
+              "follow_redirect" => ":true",
+              "pool" => ":upload"
+            }
+          }
+        })
+
+      assert binary ==
+               :erlang.term_to_binary(
+                 filters: [Pleroma.Upload.Filter.Dedupe],
+                 link_name: true,
+                 proxy_opts: [
+                   http: [
+                     follow_redirect: true,
+                     pool: :upload
+                   ],
+                   max_body_length: 1_048_576,
+                   redirect_on_failure: false
+                 ],
+                 proxy_remote: false,
+                 uploader: Pleroma.Uploaders.Local
+               )
+
+      assert Config.from_binary(binary) ==
+               [
+                 filters: [Pleroma.Upload.Filter.Dedupe],
+                 link_name: true,
+                 proxy_opts: [
+                   http: [
+                     follow_redirect: true,
+                     pool: :upload
+                   ],
+                   max_body_length: 1_048_576,
+                   redirect_on_failure: false
+                 ],
+                 proxy_remote: false,
+                 uploader: Pleroma.Uploaders.Local
+               ]
+    end
+
+    test "keyword" do
+      binary =
+        Config.transform(%{
+          "level" => ":warn",
+          "meta" => [":all"],
+          "webhook_url" => "https://hooks.slack.com/services/YOUR-KEY-HERE"
+        })
+
+      assert binary ==
+               :erlang.term_to_binary(
+                 level: :warn,
+                 meta: [:all],
+                 webhook_url: "https://hooks.slack.com/services/YOUR-KEY-HERE"
+               )
+
+      assert Config.from_binary(binary) == [
+               level: :warn,
+               meta: [:all],
+               webhook_url: "https://hooks.slack.com/services/YOUR-KEY-HERE"
+             ]
+    end
+
+    test "complex map with sigil" do
+      binary =
+        Config.transform(%{
+          federated_timeline_removal: [],
+          reject: [~r/comp[lL][aA][iI][nN]er/],
+          replace: []
+        })
+
+      assert binary ==
+               :erlang.term_to_binary(
+                 federated_timeline_removal: [],
+                 reject: [~r/comp[lL][aA][iI][nN]er/],
+                 replace: []
+               )
+
+      assert Config.from_binary(binary) ==
+               [federated_timeline_removal: [], reject: [~r/comp[lL][aA][iI][nN]er/], replace: []]
+    end
+  end
+end
--- a/test/web/admin_api/views/report_view_test.exs
+++ b/test/web/admin_api/views/report_view_test.exs
@ -0,0 +1,98 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.AdminAPI.ReportViewTest do
+  use Pleroma.DataCase
+  import Pleroma.Factory
+  alias Pleroma.Web.AdminAPI.ReportView
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.MastodonAPI.AccountView
+  alias Pleroma.Web.MastodonAPI.StatusView
+
+  test "renders a report" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+
+    expected = %{
+      content: nil,
+      actor: AccountView.render("account.json", %{user: user}),
+      account: AccountView.render("account.json", %{user: other_user}),
+      statuses: [],
+      state: "open",
+      id: activity.id
+    }
+
+    result =
+      ReportView.render("show.json", %{report: activity})
+      |> Map.delete(:created_at)
+
+    assert result == expected
+  end
+
+  test "includes reported statuses" do
+    user = insert(:user)
+    other_user = insert(:user)
+    {:ok, activity} = CommonAPI.post(other_user, %{"status" => "toot"})
+
+    {:ok, report_activity} =
+      CommonAPI.report(user, %{"account_id" => other_user.id, "status_ids" => [activity.id]})
+
+    expected = %{
+      content: nil,
+      actor: AccountView.render("account.json", %{user: user}),
+      account: AccountView.render("account.json", %{user: other_user}),
+      statuses: [StatusView.render("status.json", %{activity: activity})],
+      state: "open",
+      id: report_activity.id
+    }
+
+    result =
+      ReportView.render("show.json", %{report: report_activity})
+      |> Map.delete(:created_at)
+
+    assert result == expected
+  end
+
+  test "renders report's state" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} = CommonAPI.report(user, %{"account_id" => other_user.id})
+    {:ok, activity} = CommonAPI.update_report_state(activity.id, "closed")
+    assert %{state: "closed"} = ReportView.render("show.json", %{report: activity})
+  end
+
+  test "renders report description" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.report(user, %{
+        "account_id" => other_user.id,
+        "comment" => "posts are too good for this instance"
+      })
+
+    assert %{content: "posts are too good for this instance"} =
+             ReportView.render("show.json", %{report: activity})
+  end
+
+  test "sanitizes report description" do
+    user = insert(:user)
+    other_user = insert(:user)
+
+    {:ok, activity} =
+      CommonAPI.report(user, %{
+        "account_id" => other_user.id,
+        "comment" => ""
+      })
+
+    data = Map.put(activity.data, "content", "<script> alert('hecked :D:D:D:D:D:D:D') </script>")
+    activity = Map.put(activity, :data, data)
+
+    refute "<script> alert('hecked :D:D:D:D:D:D:D') </script>" ==
+             ReportView.render("show.json", %{report: activity})[:content]
+  end
+end
--- a/test/web/common_api/common_api_test.exs
+++ b/test/web/common_api/common_api_test.exs
@ -7,6 +7,7 @@ defmodule Pleroma.Web.CommonAPITest do
  alias Pleroma.Activity
  alias Pleroma.Object
  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.CommonAPI

  import Pleroma.Factory
@ -56,6 +57,25 @@ defmodule Pleroma.Web.CommonAPITest do
  end

  describe "posting" do
+    test "it supports explicit addressing" do
+      user = insert(:user)
+      user_two = insert(:user)
+      user_three = insert(:user)
+      user_four = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" =>
+            "Hey, I think @#{user_three.nickname} is ugly. @#{user_four.nickname} is alright though.",
+          "to" => [user_two.nickname, user_four.nickname, "nonexistent"]
+        })
+
+      assert user.ap_id in activity.recipients
+      assert user_two.ap_id in activity.recipients
+      assert user_four.ap_id in activity.recipients
+      refute user_three.ap_id in activity.recipients
+    end
+
    test "it filters out obviously bad tags when accepting a post as HTML" do
      user = insert(:user)

@ -320,4 +340,46 @@ defmodule Pleroma.Web.CommonAPITest do
      assert User.showing_reblogs?(muter, muted) == true
    end
  end
+
+  describe "accept_follow_request/2" do
+    test "after acceptance, it sets all existing pending follow request states to 'accept'" do
+      user = insert(:user, info: %{locked: true})
+      follower = insert(:user)
+      follower_two = insert(:user)
+
+      {:ok, follow_activity} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_two} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_three} = ActivityPub.follow(follower_two, user)
+
+      assert follow_activity.data["state"] == "pending"
+      assert follow_activity_two.data["state"] == "pending"
+      assert follow_activity_three.data["state"] == "pending"
+
+      {:ok, _follower} = CommonAPI.accept_follow_request(follower, user)
+
+      assert Repo.get(Activity, follow_activity.id).data["state"] == "accept"
+      assert Repo.get(Activity, follow_activity_two.id).data["state"] == "accept"
+      assert Repo.get(Activity, follow_activity_three.id).data["state"] == "pending"
+    end
+
+    test "after rejection, it sets all existing pending follow request states to 'reject'" do
+      user = insert(:user, info: %{locked: true})
+      follower = insert(:user)
+      follower_two = insert(:user)
+
+      {:ok, follow_activity} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_two} = ActivityPub.follow(follower, user)
+      {:ok, follow_activity_three} = ActivityPub.follow(follower_two, user)
+
+      assert follow_activity.data["state"] == "pending"
+      assert follow_activity_two.data["state"] == "pending"
+      assert follow_activity_three.data["state"] == "pending"
+
+      {:ok, _follower} = CommonAPI.reject_follow_request(follower, user)
+
+      assert Repo.get(Activity, follow_activity.id).data["state"] == "reject"
+      assert Repo.get(Activity, follow_activity_two.id).data["state"] == "reject"
+      assert Repo.get(Activity, follow_activity_three.id).data["state"] == "pending"
+    end
+  end
 end
--- a/test/web/common_api/common_api_utils_test.exs
+++ b/test/web/common_api/common_api_utils_test.exs
@ -5,10 +5,15 @@
 defmodule Pleroma.Web.CommonAPI.UtilsTest do
  alias Pleroma.Builders.UserBuilder
  alias Pleroma.Object
+  alias Pleroma.Web.CommonAPI
  alias Pleroma.Web.CommonAPI.Utils
  alias Pleroma.Web.Endpoint
  use Pleroma.DataCase

+  import Pleroma.Factory
+
+  @public_address "https://www.w3.org/ns/activitystreams#Public"
+
  test "it adds attachment links to a given text and attachment set" do
    name =
      "Sakura%20Mana%20%E2%80%93%20Turned%20on%20by%20a%20Senior%20OL%20with%20a%20Temptating%20Tight%20Skirt-s%20Full%20Hipline%20and%20Panty%20Shot-%20Beautiful%20Thick%20Thighs-%20and%20Erotic%20Ass-%20-2015-%20--%20Oppaitime%208-28-2017%206-50-33%20PM.png"
@ -214,4 +219,132 @@ defmodule Pleroma.Web.CommonAPI.UtilsTest do
      assert Utils.date_to_asctime(nil) == expected
    end
  end
+
+  describe "get_to_and_cc" do
+    test "for public posts, not a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, nil, "public")
+
+      assert length(to) == 2
+      assert length(cc) == 1
+
+      assert @public_address in to
+      assert mentioned_user.ap_id in to
+      assert user.follower_address in cc
+    end
+
+    test "for public posts, a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      third_user = insert(:user)
+      {:ok, activity} = CommonAPI.post(third_user, %{"status" => "uguu"})
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, activity, "public")
+
+      assert length(to) == 3
+      assert length(cc) == 1
+
+      assert @public_address in to
+      assert mentioned_user.ap_id in to
+      assert third_user.ap_id in to
+      assert user.follower_address in cc
+    end
+
+    test "for unlisted posts, not a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, nil, "unlisted")
+
+      assert length(to) == 2
+      assert length(cc) == 1
+
+      assert @public_address in cc
+      assert mentioned_user.ap_id in to
+      assert user.follower_address in to
+    end
+
+    test "for unlisted posts, a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      third_user = insert(:user)
+      {:ok, activity} = CommonAPI.post(third_user, %{"status" => "uguu"})
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, activity, "unlisted")
+
+      assert length(to) == 3
+      assert length(cc) == 1
+
+      assert @public_address in cc
+      assert mentioned_user.ap_id in to
+      assert third_user.ap_id in to
+      assert user.follower_address in to
+    end
+
+    test "for private posts, not a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, nil, "private")
+
+      assert length(to) == 2
+      assert length(cc) == 0
+
+      assert mentioned_user.ap_id in to
+      assert user.follower_address in to
+    end
+
+    test "for private posts, a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      third_user = insert(:user)
+      {:ok, activity} = CommonAPI.post(third_user, %{"status" => "uguu"})
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, activity, "private")
+
+      assert length(to) == 3
+      assert length(cc) == 0
+
+      assert mentioned_user.ap_id in to
+      assert third_user.ap_id in to
+      assert user.follower_address in to
+    end
+
+    test "for direct posts, not a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, nil, "direct")
+
+      assert length(to) == 1
+      assert length(cc) == 0
+
+      assert mentioned_user.ap_id in to
+    end
+
+    test "for direct posts, a reply" do
+      user = insert(:user)
+      mentioned_user = insert(:user)
+      third_user = insert(:user)
+      {:ok, activity} = CommonAPI.post(third_user, %{"status" => "uguu"})
+      mentions = [mentioned_user.ap_id]
+
+      {to, cc} = Utils.get_to_and_cc(user, mentions, activity, "direct")
+
+      assert length(to) == 2
+      assert length(cc) == 0
+
+      assert mentioned_user.ap_id in to
+      assert third_user.ap_id in to
+    end
+  end
 end
--- a/test/web/mastodon_api/account_view_test.exs
+++ b/test/web/mastodon_api/account_view_test.exs
@ -19,9 +19,18 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
      ]
    }

+    background_image = %{
+      "url" => [%{"href" => "https://example.com/images/asuka_hospital.png"}]
+    }
+
    user =
      insert(:user, %{
-        info: %{note_count: 5, follower_count: 3, source_data: source_data},
+        info: %{
+          note_count: 5,
+          follower_count: 3,
+          source_data: source_data,
+          background: background_image
+        },
        nickname: "shp@shitposter.club",
        name: ":karjalanpiirakka: shp",
        bio: "<script src=\"invalid-html\"></script><span>valid html</span>",
@ -60,6 +69,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        pleroma: %{}
      },
      pleroma: %{
+        background_image: "https://example.com/images/asuka_hospital.png",
        confirmation_pending: false,
        tags: [],
        is_admin: false,
@ -67,7 +77,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        hide_favorites: true,
        hide_followers: false,
        hide_follows: false,
-        relationship: %{}
+        relationship: %{},
+        skip_thread_containment: false
      }
    }

@ -78,10 +89,10 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
    user = insert(:user)

    notification_settings = %{
-      "remote" => true,
-      "local" => true,
      "followers" => true,
-      "follows" => true
+      "follows" => true,
+      "non_follows" => true,
+      "non_followers" => true
    }

    privacy = user.info.default_scope
@ -125,6 +136,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        pleroma: %{}
      },
      pleroma: %{
+        background_image: nil,
        confirmation_pending: false,
        tags: [],
        is_admin: false,
@ -132,7 +144,8 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        hide_favorites: true,
        hide_followers: false,
        hide_follows: false,
-        relationship: %{}
+        relationship: %{},
+        skip_thread_containment: false
      }
    }

@ -214,6 +227,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
        pleroma: %{}
      },
      pleroma: %{
+        background_image: nil,
        confirmation_pending: false,
        tags: [],
        is_admin: false,
@ -233,10 +247,32 @@ defmodule Pleroma.Web.MastodonAPI.AccountViewTest do
          domain_blocking: false,
          showing_reblogs: true,
          endorsed: false
-        }
+        },
+        skip_thread_containment: false
      }
    }

    assert expected == AccountView.render("account.json", %{user: user, for: other_user})
  end
+
+  test "returns the settings store if the requesting user is the represented user and it's requested specifically" do
+    user = insert(:user, %{info: %User.Info{pleroma_settings_store: %{fe: "test"}}})
+
+    result =
+      AccountView.render("account.json", %{user: user, for: user, with_pleroma_settings: true})
+
+    assert result.pleroma.settings_store == %{:fe => "test"}
+
+    result = AccountView.render("account.json", %{user: user, with_pleroma_settings: true})
+    assert result.pleroma[:settings_store] == nil
+
+    result = AccountView.render("account.json", %{user: user, for: user})
+    assert result.pleroma[:settings_store] == nil
+  end
+
+  test "sanitizes display names" do
+    user = insert(:user, name: "<marquee> username </marquee>")
+    result = AccountView.render("account.json", %{user: user})
+    refute result.display_name == "<marquee> username </marquee>"
+  end
 end
--- a/test/web/mastodon_api/mastodon_api_controller/update_credentials_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller/update_credentials_test.exs
@ -0,0 +1,304 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.MastodonAPI.MastodonAPIController.UpdateCredentialsTest do
+  alias Pleroma.Repo
+  alias Pleroma.User
+
+  use Pleroma.Web.ConnCase
+
+  import Pleroma.Factory
+
+  describe "updating credentials" do
+    test "sets user settings in a generic way", %{conn: conn} do
+      user = insert(:user)
+
+      res_conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "pleroma_settings_store" => %{
+            pleroma_fe: %{
+              theme: "bla"
+            }
+          }
+        })
+
+      assert user = json_response(res_conn, 200)
+      assert user["pleroma"]["settings_store"] == %{"pleroma_fe" => %{"theme" => "bla"}}
+
+      user = Repo.get(User, user["id"])
+
+      res_conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "pleroma_settings_store" => %{
+            masto_fe: %{
+              theme: "bla"
+            }
+          }
+        })
+
+      assert user = json_response(res_conn, 200)
+
+      assert user["pleroma"]["settings_store"] ==
+               %{
+                 "pleroma_fe" => %{"theme" => "bla"},
+                 "masto_fe" => %{"theme" => "bla"}
+               }
+
+      user = Repo.get(User, user["id"])
+
+      res_conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "pleroma_settings_store" => %{
+            masto_fe: %{
+              theme: "blub"
+            }
+          }
+        })
+
+      assert user = json_response(res_conn, 200)
+
+      assert user["pleroma"]["settings_store"] ==
+               %{
+                 "pleroma_fe" => %{"theme" => "bla"},
+                 "masto_fe" => %{"theme" => "blub"}
+               }
+    end
+
+    test "updates the user's bio", %{conn: conn} do
+      user = insert(:user)
+      user2 = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "note" => "I drink #cofe with @#{user2.nickname}"
+        })
+
+      assert user = json_response(conn, 200)
+
+      assert user["note"] ==
+               ~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe" rel="tag">#cofe</a> with <span class="h-card"><a data-user=") <>
+                 user2.id <>
+                 ~s(" class="u-url mention" href=") <>
+                 user2.ap_id <> ~s(">@<span>) <> user2.nickname <> ~s(</span></a></span>)
+    end
+
+    test "updates the user's locking status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{locked: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["locked"] == true
+    end
+
+    test "updates the user's default scope", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
+
+      assert user = json_response(conn, 200)
+      assert user["source"]["privacy"] == "cofe"
+    end
+
+    test "updates the user's hide_followers status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_followers"] == true
+    end
+
+    test "updates the user's skip_thread_containment option", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{skip_thread_containment: "true"})
+        |> json_response(200)
+
+      assert response["pleroma"]["skip_thread_containment"] == true
+      assert refresh_record(user).info.skip_thread_containment
+    end
+
+    test "updates the user's hide_follows status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_follows"] == true
+    end
+
+    test "updates the user's hide_favorites status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["pleroma"]["hide_favorites"] == true
+    end
+
+    test "updates the user's show_role status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
+
+      assert user = json_response(conn, 200)
+      assert user["source"]["pleroma"]["show_role"] == false
+    end
+
+    test "updates the user's no_rich_text status", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
+
+      assert user = json_response(conn, 200)
+      assert user["source"]["pleroma"]["no_rich_text"] == true
+    end
+
+    test "updates the user's name", %{conn: conn} do
+      user = insert(:user)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
+
+      assert user = json_response(conn, 200)
+      assert user["display_name"] == "markorepairs"
+    end
+
+    test "updates the user's avatar", %{conn: conn} do
+      user = insert(:user)
+
+      new_avatar = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
+
+      assert user_response = json_response(conn, 200)
+      assert user_response["avatar"] != User.avatar_url(user)
+    end
+
+    test "updates the user's banner", %{conn: conn} do
+      user = insert(:user)
+
+      new_header = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
+
+      assert user_response = json_response(conn, 200)
+      assert user_response["header"] != User.banner_url(user)
+    end
+
+    test "updates the user's background", %{conn: conn} do
+      user = insert(:user)
+
+      new_header = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "pleroma_background_image" => new_header
+        })
+
+      assert user_response = json_response(conn, 200)
+      assert user_response["pleroma"]["background_image"]
+    end
+
+    test "requires 'write' permission", %{conn: conn} do
+      token1 = insert(:oauth_token, scopes: ["read"])
+      token2 = insert(:oauth_token, scopes: ["write", "follow"])
+
+      for token <- [token1, token2] do
+        conn =
+          conn
+          |> put_req_header("authorization", "Bearer #{token.token}")
+          |> patch("/api/v1/accounts/update_credentials", %{})
+
+        if token == token1 do
+          assert %{"error" => "Insufficient permissions: write."} == json_response(conn, 403)
+        else
+          assert json_response(conn, 200)
+        end
+      end
+    end
+
+    test "updates profile emojos", %{conn: conn} do
+      user = insert(:user)
+
+      note = "*sips :blank:*"
+      name = "I am :firefox:"
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> patch("/api/v1/accounts/update_credentials", %{
+          "note" => note,
+          "display_name" => name
+        })
+
+      assert json_response(conn, 200)
+
+      conn =
+        conn
+        |> get("/api/v1/accounts/#{user.id}")
+
+      assert user = json_response(conn, 200)
+
+      assert user["note"] == note
+      assert user["display_name"] == name
+      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user["emojis"]
+    end
+  end
+end
--- a/test/web/mastodon_api/mastodon_api_controller_test.exs
+++ b/test/web/mastodon_api/mastodon_api_controller_test.exs
@ -148,6 +148,103 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    refute id == third_id
  end

+  describe "posting polls" do
+    test "posting a poll", %{conn: conn} do
+      user = insert(:user)
+      time = NaiveDateTime.utc_now()
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/statuses", %{
+          "status" => "Who is the #bestgrill?",
+          "poll" => %{"options" => ["Rei", "Asuka", "Misato"], "expires_in" => 420}
+        })
+
+      response = json_response(conn, 200)
+
+      assert Enum.all?(response["poll"]["options"], fn %{"title" => title} ->
+               title in ["Rei", "Asuka", "Misato"]
+             end)
+
+      assert NaiveDateTime.diff(NaiveDateTime.from_iso8601!(response["poll"]["expires_at"]), time) in 420..430
+      refute response["poll"]["expred"]
+    end
+
+    test "option limit is enforced", %{conn: conn} do
+      user = insert(:user)
+      limit = Pleroma.Config.get([:instance, :poll_limits, :max_options])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/statuses", %{
+          "status" => "desu~",
+          "poll" => %{"options" => Enum.map(0..limit, fn _ -> "desu" end), "expires_in" => 1}
+        })
+
+      %{"error" => error} = json_response(conn, 422)
+      assert error == "Poll can't contain more than #{limit} options"
+    end
+
+    test "option character limit is enforced", %{conn: conn} do
+      user = insert(:user)
+      limit = Pleroma.Config.get([:instance, :poll_limits, :max_option_chars])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/statuses", %{
+          "status" => "...",
+          "poll" => %{
+            "options" => [Enum.reduce(0..limit, "", fn _, acc -> acc <> "." end)],
+            "expires_in" => 1
+          }
+        })
+
+      %{"error" => error} = json_response(conn, 422)
+      assert error == "Poll options cannot be longer than #{limit} characters each"
+    end
+
+    test "minimal date limit is enforced", %{conn: conn} do
+      user = insert(:user)
+      limit = Pleroma.Config.get([:instance, :poll_limits, :min_expiration])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/statuses", %{
+          "status" => "imagine arbitrary limits",
+          "poll" => %{
+            "options" => ["this post was made by pleroma gang"],
+            "expires_in" => limit - 1
+          }
+        })
+
+      %{"error" => error} = json_response(conn, 422)
+      assert error == "Expiration date is too soon"
+    end
+
+    test "maximum date limit is enforced", %{conn: conn} do
+      user = insert(:user)
+      limit = Pleroma.Config.get([:instance, :poll_limits, :max_expiration])
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> post("/api/v1/statuses", %{
+          "status" => "imagine arbitrary limits",
+          "poll" => %{
+            "options" => ["this post was made by pleroma gang"],
+            "expires_in" => limit + 1
+          }
+        })
+
+      %{"error" => error} = json_response(conn, 422)
+      assert error == "Expiration date is too far in the future"
+    end
+  end
+
  test "posting a sensitive status", %{conn: conn} do
    user = insert(:user)

@ -319,12 +416,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
  test "Conversations", %{conn: conn} do
    user_one = insert(:user)
    user_two = insert(:user)
+    user_three = insert(:user)

    {:ok, user_two} = User.follow(user_two, user_one)

    {:ok, direct} =
      CommonAPI.post(user_one, %{
-        "status" => "Hi @#{user_two.nickname}!",
+        "status" => "Hi @#{user_two.nickname}, @#{user_three.nickname}!",
        "visibility" => "direct"
      })

@ -350,7 +448,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
             }
           ] = response

+    account_ids = Enum.map(res_accounts, & &1["id"])
    assert length(res_accounts) == 2
+    assert user_two.id in account_ids
+    assert user_three.id in account_ids
    assert is_binary(res_id)
    assert unread == true
    assert res_last_status["id"] == direct.id
@ -443,7 +544,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
      |> assign(:user, user)
      |> get("/api/v1/accounts/verify_credentials")

-    assert %{"id" => id, "source" => %{"privacy" => "public"}} = json_response(conn, 200)
+    response = json_response(conn, 200)
+
+    assert %{"id" => id, "source" => %{"privacy" => "public"}} = response
+    assert response["pleroma"]["chat_token"]
    assert id == to_string(user.id)
  end

@ -1417,6 +1521,82 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    end
  end

+  describe "media upload" do
+    setup do
+      upload_config = Pleroma.Config.get([Pleroma.Upload])
+      proxy_config = Pleroma.Config.get([:media_proxy])
+
+      on_exit(fn ->
+        Pleroma.Config.put([Pleroma.Upload], upload_config)
+        Pleroma.Config.put([:media_proxy], proxy_config)
+      end)
+
+      user = insert(:user)
+
+      conn =
+        build_conn()
+        |> assign(:user, user)
+
+      image = %Plug.Upload{
+        content_type: "image/jpg",
+        path: Path.absname("test/fixtures/image.jpg"),
+        filename: "an_image.jpg"
+      }
+
+      [conn: conn, image: image]
+    end
+
+    test "returns uploaded image", %{conn: conn, image: image} do
+      desc = "Description of the image"
+
+      media =
+        conn
+        |> post("/api/v1/media", %{"file" => image, "description" => desc})
+        |> json_response(:ok)
+
+      assert media["type"] == "image"
+      assert media["description"] == desc
+      assert media["id"]
+
+      object = Repo.get(Object, media["id"])
+      assert object.data["actor"] == User.ap_id(conn.assigns[:user])
+    end
+
+    test "returns proxied url when media proxy is enabled", %{conn: conn, image: image} do
+      Pleroma.Config.put([Pleroma.Upload, :base_url], "https://media.pleroma.social")
+
+      proxy_url = "https://cache.pleroma.social"
+      Pleroma.Config.put([:media_proxy, :enabled], true)
+      Pleroma.Config.put([:media_proxy, :base_url], proxy_url)
+
+      media =
+        conn
+        |> post("/api/v1/media", %{"file" => image})
+        |> json_response(:ok)
+
+      assert String.starts_with?(media["url"], proxy_url)
+    end
+
+    test "returns media url when proxy is enabled but media url is whitelisted", %{
+      conn: conn,
+      image: image
+    } do
+      media_url = "https://media.pleroma.social"
+      Pleroma.Config.put([Pleroma.Upload, :base_url], media_url)
+
+      Pleroma.Config.put([:media_proxy, :enabled], true)
+      Pleroma.Config.put([:media_proxy, :base_url], "https://cache.pleroma.social")
+      Pleroma.Config.put([:media_proxy, :whitelist], ["media.pleroma.social"])
+
+      media =
+        conn
+        |> post("/api/v1/media", %{"file" => image})
+        |> json_response(:ok)
+
+      assert String.starts_with?(media["url"], media_url)
+    end
+  end
+
  describe "locked accounts" do
    test "/api/v1/follow_requests works" do
      user = insert(:user, %{info: %User.Info{locked: true}})
@ -1526,32 +1706,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    assert id == user.id
  end

-  test "media upload", %{conn: conn} do
-    file = %Plug.Upload{
-      content_type: "image/jpg",
-      path: Path.absname("test/fixtures/image.jpg"),
-      filename: "an_image.jpg"
-    }
-
-    desc = "Description of the image"
-
-    user = insert(:user)
-
-    conn =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/media", %{"file" => file, "description" => desc})
-
-    assert media = json_response(conn, 200)
-
-    assert media["type"] == "image"
-    assert media["description"] == desc
-    assert media["id"]
-
-    object = Repo.get(Object, media["id"])
-    assert object.data["actor"] == User.ap_id(user)
-  end
-
  test "mascot upload", %{conn: conn} do
    user = insert(:user)

@ -2080,104 +2234,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    end)
  end

-  test "account search", %{conn: conn} do
-    user = insert(:user)
-    user_two = insert(:user, %{nickname: "shp@shitposter.club"})
-    user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
-
-    results =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/accounts/search", %{"q" => "shp"})
-      |> json_response(200)
-
-    result_ids = for result <- results, do: result["acct"]
-
-    assert user_two.nickname in result_ids
-    assert user_three.nickname in result_ids
-
-    results =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/accounts/search", %{"q" => "2hu"})
-      |> json_response(200)
-
-    result_ids = for result <- results, do: result["acct"]
-
-    assert user_three.nickname in result_ids
-  end
-
-  test "search", %{conn: conn} do
-    user = insert(:user)
-    user_two = insert(:user, %{nickname: "shp@shitposter.club"})
-    user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
-
-    {:ok, activity} = CommonAPI.post(user, %{"status" => "This is about 2hu"})
-
-    {:ok, _activity} =
-      CommonAPI.post(user, %{
-        "status" => "This is about 2hu, but private",
-        "visibility" => "private"
-      })
-
-    {:ok, _} = CommonAPI.post(user_two, %{"status" => "This isn't"})
-
-    conn =
-      conn
-      |> get("/api/v1/search", %{"q" => "2hu"})
-
-    assert results = json_response(conn, 200)
-
-    [account | _] = results["accounts"]
-    assert account["id"] == to_string(user_three.id)
-
-    assert results["hashtags"] == []
-
-    [status] = results["statuses"]
-    assert status["id"] == to_string(activity.id)
-  end
-
-  test "search fetches remote statuses", %{conn: conn} do
-    capture_log(fn ->
-      conn =
-        conn
-        |> get("/api/v1/search", %{"q" => "https://shitposter.club/notice/2827873"})
-
-      assert results = json_response(conn, 200)
-
-      [status] = results["statuses"]
-      assert status["uri"] == "tag:shitposter.club,2017-05-05:noticeId=2827873:objectType=comment"
-    end)
-  end
-
-  test "search doesn't show statuses that it shouldn't", %{conn: conn} do
-    {:ok, activity} =
-      CommonAPI.post(insert(:user), %{
-        "status" => "This is about 2hu, but private",
-        "visibility" => "private"
-      })
-
-    capture_log(fn ->
-      conn =
-        conn
-        |> get("/api/v1/search", %{"q" => Object.normalize(activity).data["id"]})
-
-      assert results = json_response(conn, 200)
-
-      [] = results["statuses"]
-    end)
-  end
-
-  test "search fetches remote accounts", %{conn: conn} do
-    conn =
-      conn
-      |> get("/api/v1/search", %{"q" => "shp@social.heldscal.la", "resolve" => "true"})
-
-    assert results = json_response(conn, 200)
-    [account] = results["accounts"]
-    assert account["acct"] == "shp@social.heldscal.la"
-  end
-
  test "returns the favorites of a user", %{conn: conn} do
    user = insert(:user)
    other_user = insert(:user)
@ -2418,205 +2474,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    end
  end

-  describe "updating credentials" do
-    test "updates the user's bio", %{conn: conn} do
-      user = insert(:user)
-      user2 = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
-          "note" => "I drink #cofe with @#{user2.nickname}"
-        })
-
-      assert user = json_response(conn, 200)
-
-      assert user["note"] ==
-               ~s(I drink <a class="hashtag" data-tag="cofe" href="http://localhost:4001/tag/cofe" rel="tag">#cofe</a> with <span class="h-card"><a data-user=") <>
-                 user2.id <>
-                 ~s(" class="u-url mention" href=") <>
-                 user2.ap_id <> ~s(">@<span>) <> user2.nickname <> ~s(</span></a></span>)
-    end
-
-    test "updates the user's locking status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{locked: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["locked"] == true
-    end
-
-    test "updates the user's default scope", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{default_scope: "cofe"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["privacy"] == "cofe"
-    end
-
-    test "updates the user's hide_followers status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_followers: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_followers"] == true
-    end
-
-    test "updates the user's hide_follows status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_follows: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_follows"] == true
-    end
-
-    test "updates the user's hide_favorites status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{hide_favorites: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["pleroma"]["hide_favorites"] == true
-    end
-
-    test "updates the user's show_role status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{show_role: "false"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["show_role"] == false
-    end
-
-    test "updates the user's no_rich_text status", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{no_rich_text: "true"})
-
-      assert user = json_response(conn, 200)
-      assert user["source"]["pleroma"]["no_rich_text"] == true
-    end
-
-    test "updates the user's name", %{conn: conn} do
-      user = insert(:user)
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"display_name" => "markorepairs"})
-
-      assert user = json_response(conn, 200)
-      assert user["display_name"] == "markorepairs"
-    end
-
-    test "updates the user's avatar", %{conn: conn} do
-      user = insert(:user)
-
-      new_avatar = %Plug.Upload{
-        content_type: "image/jpg",
-        path: Path.absname("test/fixtures/image.jpg"),
-        filename: "an_image.jpg"
-      }
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"avatar" => new_avatar})
-
-      assert user_response = json_response(conn, 200)
-      assert user_response["avatar"] != User.avatar_url(user)
-    end
-
-    test "updates the user's banner", %{conn: conn} do
-      user = insert(:user)
-
-      new_header = %Plug.Upload{
-        content_type: "image/jpg",
-        path: Path.absname("test/fixtures/image.jpg"),
-        filename: "an_image.jpg"
-      }
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{"header" => new_header})
-
-      assert user_response = json_response(conn, 200)
-      assert user_response["header"] != User.banner_url(user)
-    end
-
-    test "requires 'write' permission", %{conn: conn} do
-      token1 = insert(:oauth_token, scopes: ["read"])
-      token2 = insert(:oauth_token, scopes: ["write", "follow"])
-
-      for token <- [token1, token2] do
-        conn =
-          conn
-          |> put_req_header("authorization", "Bearer #{token.token}")
-          |> patch("/api/v1/accounts/update_credentials", %{})
-
-        if token == token1 do
-          assert %{"error" => "Insufficient permissions: write."} == json_response(conn, 403)
-        else
-          assert json_response(conn, 200)
-        end
-      end
-    end
-
-    test "updates profile emojos", %{conn: conn} do
-      user = insert(:user)
-
-      note = "*sips :blank:*"
-      name = "I am :firefox:"
-
-      conn =
-        conn
-        |> assign(:user, user)
-        |> patch("/api/v1/accounts/update_credentials", %{
-          "note" => note,
-          "display_name" => name
-        })
-
-      assert json_response(conn, 200)
-
-      conn =
-        conn
-        |> get("/api/v1/accounts/#{user.id}")
-
-      assert user = json_response(conn, 200)
-
-      assert user["note"] == note
-      assert user["display_name"] == name
-      assert [%{"shortcode" => "blank"}, %{"shortcode" => "firefox"}] = user["emojis"]
-    end
-  end
-
  test "get instance information", %{conn: conn} do
    conn = get(conn, "/api/v1/instance")
    assert result = json_response(conn, 200)
@ -2635,7 +2492,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
             "stats" => _,
             "thumbnail" => _,
             "languages" => _,
-             "registrations" => _
+             "registrations" => _,
+             "poll_limits" => _
           } = result

    assert email == from_config_email
@ -2781,33 +2639,50 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
               |> post("/api/v1/statuses/#{activity_two.id}/pin")
               |> json_response(400)
    end
+  end

-    test "Status rich-media Card", %{conn: conn, user: user} do
+  describe "cards" do
+    setup do
      Pleroma.Config.put([:rich_media, :enabled], true)
+
+      on_exit(fn ->
+        Pleroma.Config.put([:rich_media, :enabled], false)
+      end)
+
+      user = insert(:user)
+      %{user: user}
+    end
+
+    test "returns rich-media card", %{conn: conn, user: user} do
      {:ok, activity} = CommonAPI.post(user, %{"status" => "http://example.com/ogp"})

+      card_data = %{
+        "image" => "http://ia.media-imdb.com/images/rock.jpg",
+        "provider_name" => "www.imdb.com",
+        "provider_url" => "http://www.imdb.com",
+        "title" => "The Rock",
+        "type" => "link",
+        "url" => "http://www.imdb.com/title/tt0117500/",
+        "description" =>
+          "Directed by Michael Bay. With Sean Connery, Nicolas Cage, Ed Harris, John Spencer.",
+        "pleroma" => %{
+          "opengraph" => %{
+            "image" => "http://ia.media-imdb.com/images/rock.jpg",
+            "title" => "The Rock",
+            "type" => "video.movie",
+            "url" => "http://www.imdb.com/title/tt0117500/",
+            "description" =>
+              "Directed by Michael Bay. With Sean Connery, Nicolas Cage, Ed Harris, John Spencer."
+          }
+        }
+      }
+
      response =
        conn
        |> get("/api/v1/statuses/#{activity.id}/card")
        |> json_response(200)

-      assert response == %{
-               "image" => "http://ia.media-imdb.com/images/rock.jpg",
-               "provider_name" => "www.imdb.com",
-               "provider_url" => "http://www.imdb.com",
-               "title" => "The Rock",
-               "type" => "link",
-               "url" => "http://www.imdb.com/title/tt0117500/",
-               "description" => nil,
-               "pleroma" => %{
-                 "opengraph" => %{
-                   "image" => "http://ia.media-imdb.com/images/rock.jpg",
-                   "title" => "The Rock",
-                   "type" => "video.movie",
-                   "url" => "http://www.imdb.com/title/tt0117500/"
-                 }
-               }
-             }
+      assert response == card_data

      # works with private posts
      {:ok, activity} =
@ -2819,9 +2694,33 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
        |> get("/api/v1/statuses/#{activity.id}/card")
        |> json_response(200)

-      assert response_two == response
+      assert response_two == card_data
+    end

-      Pleroma.Config.put([:rich_media, :enabled], false)
+    test "replaces missing description with an empty string", %{conn: conn, user: user} do
+      {:ok, activity} = CommonAPI.post(user, %{"status" => "http://example.com/ogp-missing-data"})
+
+      response =
+        conn
+        |> get("/api/v1/statuses/#{activity.id}/card")
+        |> json_response(:ok)
+
+      assert response == %{
+               "type" => "link",
+               "title" => "Pleroma",
+               "description" => "",
+               "image" => nil,
+               "provider_name" => "pleroma.social",
+               "provider_url" => "https://pleroma.social",
+               "url" => "https://pleroma.social/",
+               "pleroma" => %{
+                 "opengraph" => %{
+                   "title" => "Pleroma",
+                   "type" => "website",
+                   "url" => "https://pleroma.social/"
+                 }
+               }
+             }
    end
  end

@ -2908,31 +2807,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
    end
  end

-  test "flavours switching (Pleroma Extension)", %{conn: conn} do
-    user = insert(:user)
-
-    get_old_flavour =
-      conn
-      |> assign(:user, user)
-      |> get("/api/v1/pleroma/flavour")
-
-    assert "glitch" == json_response(get_old_flavour, 200)
-
-    set_flavour =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/pleroma/flavour/vanilla")
-
-    assert "vanilla" == json_response(set_flavour, 200)
-
-    get_new_flavour =
-      conn
-      |> assign(:user, user)
-      |> post("/api/v1/pleroma/flavour/vanilla")
-
-    assert json_response(set_flavour, 200) == json_response(get_new_flavour, 200)
-  end
-
  describe "reports" do
    setup do
      reporter = insert(:user)
@ -3395,24 +3269,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
  end

  describe "create account by app" do
-    setup do
-      enabled = Pleroma.Config.get([:app_account_creation, :enabled])
-      max_requests = Pleroma.Config.get([:app_account_creation, :max_requests])
-      interval = Pleroma.Config.get([:app_account_creation, :interval])
-
-      Pleroma.Config.put([:app_account_creation, :enabled], true)
-      Pleroma.Config.put([:app_account_creation, :max_requests], 5)
-      Pleroma.Config.put([:app_account_creation, :interval], 1)
-
-      on_exit(fn ->
-        Pleroma.Config.put([:app_account_creation, :enabled], enabled)
-        Pleroma.Config.put([:app_account_creation, :max_requests], max_requests)
-        Pleroma.Config.put([:app_account_creation, :interval], interval)
-      end)
-
-      :ok
-    end
-
    test "Account registration via Application", %{conn: conn} do
      conn =
        conn
@ -3515,7 +3371,127 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIControllerTest do
          agreement: true
        })

-      assert json_response(conn, 403) == %{"error" => "Rate limit exceeded."}
+      assert json_response(conn, :too_many_requests) == %{"error" => "Throttled"}
+    end
+  end
+
+  describe "GET /api/v1/polls/:id" do
+    test "returns poll entity for object id", %{conn: conn} do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Pleroma does",
+          "poll" => %{"options" => ["what Mastodon't", "n't what Mastodoes"], "expires_in" => 20}
+        })
+
+      object = Object.normalize(activity)
+
+      conn =
+        conn
+        |> assign(:user, user)
+        |> get("/api/v1/polls/#{object.id}")
+
+      response = json_response(conn, 200)
+      id = object.id
+      assert %{"id" => ^id, "expired" => false, "multiple" => false} = response
+    end
+
+    test "does not expose polls for private statuses", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Pleroma does",
+          "poll" => %{"options" => ["what Mastodon't", "n't what Mastodoes"], "expires_in" => 20},
+          "visibility" => "private"
+        })
+
+      object = Object.normalize(activity)
+
+      conn =
+        conn
+        |> assign(:user, other_user)
+        |> get("/api/v1/polls/#{object.id}")
+
+      assert json_response(conn, 404)
+    end
+  end
+
+  describe "POST /api/v1/polls/:id/votes" do
+    test "votes are added to the poll", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "A very delicious sandwich",
+          "poll" => %{
+            "options" => ["Lettuce", "Grilled Bacon", "Tomato"],
+            "expires_in" => 20,
+            "multiple" => true
+          }
+        })
+
+      object = Object.normalize(activity)
+
+      conn =
+        conn
+        |> assign(:user, other_user)
+        |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1, 2]})
+
+      assert json_response(conn, 200)
+      object = Object.get_by_id(object.id)
+
+      assert Enum.all?(object.data["anyOf"], fn %{"replies" => %{"totalItems" => total_items}} ->
+               total_items == 1
+             end)
+    end
+
+    test "author can't vote", %{conn: conn} do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Am I cute?",
+          "poll" => %{"options" => ["Yes", "No"], "expires_in" => 20}
+        })
+
+      object = Object.normalize(activity)
+
+      assert conn
+             |> assign(:user, user)
+             |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [1]})
+             |> json_response(422) == %{"error" => "Poll's author can't vote"}
+
+      object = Object.get_by_id(object.id)
+
+      refute Enum.at(object.data["oneOf"], 1)["replies"]["totalItems"] == 1
+    end
+
+    test "does not allow multiple choices on a single-choice question", %{conn: conn} do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "The glass is",
+          "poll" => %{"options" => ["half empty", "half full"], "expires_in" => 20}
+        })
+
+      object = Object.normalize(activity)
+
+      assert conn
+             |> assign(:user, other_user)
+             |> post("/api/v1/polls/#{object.id}/votes", %{"choices" => [0, 1]})
+             |> json_response(422) == %{"error" => "Too many choices"}
+
+      object = Object.get_by_id(object.id)
+
+      refute Enum.any?(object.data["oneOf"], fn %{"replies" => %{"totalItems" => total_items}} ->
+               total_items == 1
+             end)
    end
  end
 end
--- a/test/web/mastodon_api/search_controller_test.exs
+++ b/test/web/mastodon_api/search_controller_test.exs
@ -0,0 +1,128 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.MastodonAPI.SearchControllerTest do
+  use Pleroma.Web.ConnCase
+
+  alias Pleroma.Object
+  alias Pleroma.Web.CommonAPI
+  import Pleroma.Factory
+  import ExUnit.CaptureLog
+  import Tesla.Mock
+
+  setup do
+    mock(fn env -> apply(HttpRequestMock, :request, [env]) end)
+    :ok
+  end
+
+  test "account search", %{conn: conn} do
+    user = insert(:user)
+    user_two = insert(:user, %{nickname: "shp@shitposter.club"})
+    user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
+
+    results =
+      conn
+      |> assign(:user, user)
+      |> get("/api/v1/accounts/search", %{"q" => "shp"})
+      |> json_response(200)
+
+    result_ids = for result <- results, do: result["acct"]
+
+    assert user_two.nickname in result_ids
+    assert user_three.nickname in result_ids
+
+    results =
+      conn
+      |> assign(:user, user)
+      |> get("/api/v1/accounts/search", %{"q" => "2hu"})
+      |> json_response(200)
+
+    result_ids = for result <- results, do: result["acct"]
+
+    assert user_three.nickname in result_ids
+  end
+
+  test "search", %{conn: conn} do
+    user = insert(:user)
+    user_two = insert(:user, %{nickname: "shp@shitposter.club"})
+    user_three = insert(:user, %{nickname: "shp@heldscal.la", name: "I love 2hu"})
+
+    {:ok, activity} = CommonAPI.post(user, %{"status" => "This is about 2hu"})
+
+    {:ok, _activity} =
+      CommonAPI.post(user, %{
+        "status" => "This is about 2hu, but private",
+        "visibility" => "private"
+      })
+
+    {:ok, _} = CommonAPI.post(user_two, %{"status" => "This isn't"})
+
+    conn =
+      conn
+      |> get("/api/v1/search", %{"q" => "2hu"})
+
+    assert results = json_response(conn, 200)
+
+    [account | _] = results["accounts"]
+    assert account["id"] == to_string(user_three.id)
+
+    assert results["hashtags"] == []
+
+    [status] = results["statuses"]
+    assert status["id"] == to_string(activity.id)
+  end
+
+  test "search fetches remote statuses", %{conn: conn} do
+    capture_log(fn ->
+      conn =
+        conn
+        |> get("/api/v1/search", %{"q" => "https://shitposter.club/notice/2827873"})
+
+      assert results = json_response(conn, 200)
+
+      [status] = results["statuses"]
+      assert status["uri"] == "tag:shitposter.club,2017-05-05:noticeId=2827873:objectType=comment"
+    end)
+  end
+
+  test "search doesn't show statuses that it shouldn't", %{conn: conn} do
+    {:ok, activity} =
+      CommonAPI.post(insert(:user), %{
+        "status" => "This is about 2hu, but private",
+        "visibility" => "private"
+      })
+
+    capture_log(fn ->
+      conn =
+        conn
+        |> get("/api/v1/search", %{"q" => Object.normalize(activity).data["id"]})
+
+      assert results = json_response(conn, 200)
+
+      [] = results["statuses"]
+    end)
+  end
+
+  test "search fetches remote accounts", %{conn: conn} do
+    user = insert(:user)
+
+    conn =
+      conn
+      |> assign(:user, user)
+      |> get("/api/v1/search", %{"q" => "shp@social.heldscal.la", "resolve" => "true"})
+
+    assert results = json_response(conn, 200)
+    [account] = results["accounts"]
+    assert account["acct"] == "shp@social.heldscal.la"
+  end
+
+  test "search doesn't fetch remote accounts if resolve is false", %{conn: conn} do
+    conn =
+      conn
+      |> get("/api/v1/search", %{"q" => "shp@social.heldscal.la", "resolve" => "false"})
+
+    assert results = json_response(conn, 200)
+    assert [] == results["accounts"]
+  end
+end
--- a/test/web/mastodon_api/status_view_test.exs
+++ b/test/web/mastodon_api/status_view_test.exs
@ -103,6 +103,7 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
      muted: false,
      pinned: false,
      sensitive: false,
+      poll: nil,
      spoiler_text: HtmlSanitizeEx.basic_html(note.data["object"]["summary"]),
      visibility: "public",
      media_attachments: [],
@ -341,4 +342,106 @@ defmodule Pleroma.Web.MastodonAPI.StatusViewTest do
        StatusView.render("card.json", %{page_url: page_url, rich_media: card})
    end
  end
+
+  describe "poll view" do
+    test "renders a poll" do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Is Tenshi eating a corndog cute?",
+          "poll" => %{
+            "options" => ["absolutely!", "sure", "yes", "why are you even asking?"],
+            "expires_in" => 20
+          }
+        })
+
+      object = Object.normalize(activity)
+
+      expected = %{
+        emojis: [],
+        expired: false,
+        id: object.id,
+        multiple: false,
+        options: [
+          %{title: "absolutely!", votes_count: 0},
+          %{title: "sure", votes_count: 0},
+          %{title: "yes", votes_count: 0},
+          %{title: "why are you even asking?", votes_count: 0}
+        ],
+        voted: false,
+        votes_count: 0
+      }
+
+      result = StatusView.render("poll.json", %{object: object})
+      expires_at = result.expires_at
+      result = Map.delete(result, :expires_at)
+
+      assert result == expected
+
+      expires_at = NaiveDateTime.from_iso8601!(expires_at)
+      assert NaiveDateTime.diff(expires_at, NaiveDateTime.utc_now()) in 15..20
+    end
+
+    test "detects if it is multiple choice" do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Which Mastodon developer is your favourite?",
+          "poll" => %{
+            "options" => ["Gargron", "Eugen"],
+            "expires_in" => 20,
+            "multiple" => true
+          }
+        })
+
+      object = Object.normalize(activity)
+
+      assert %{multiple: true} = StatusView.render("poll.json", %{object: object})
+    end
+
+    test "detects emoji" do
+      user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "What's with the smug face?",
+          "poll" => %{
+            "options" => [":blank: sip", ":blank::blank: sip", ":blank::blank::blank: sip"],
+            "expires_in" => 20
+          }
+        })
+
+      object = Object.normalize(activity)
+
+      assert %{emojis: [%{shortcode: "blank"}]} =
+               StatusView.render("poll.json", %{object: object})
+    end
+
+    test "detects vote status" do
+      user = insert(:user)
+      other_user = insert(:user)
+
+      {:ok, activity} =
+        CommonAPI.post(user, %{
+          "status" => "Which input devices do you use?",
+          "poll" => %{
+            "options" => ["mouse", "trackball", "trackpoint"],
+            "multiple" => true,
+            "expires_in" => 20
+          }
+        })
+
+      object = Object.normalize(activity)
+
+      {:ok, _, object} = CommonAPI.vote(other_user, object, [1, 2])
+
+      result = StatusView.render("poll.json", %{object: object, for: other_user})
+
+      assert result[:voted] == true
+      assert Enum.at(result[:options], 1)[:votes_count] == 1
+      assert Enum.at(result[:options], 2)[:votes_count] == 1
+    end
+  end
 end
--- a/test/web/node_info_test.exs
+++ b/test/web/node_info_test.exs
@ -7,6 +7,22 @@ defmodule Pleroma.Web.NodeInfoTest do

  import Pleroma.Factory

+  test "GET /.well-known/nodeinfo", %{conn: conn} do
+    links =
+      conn
+      |> get("/.well-known/nodeinfo")
+      |> json_response(200)
+      |> Map.fetch!("links")
+
+    Enum.each(links, fn link ->
+      href = Map.fetch!(link, "href")
+
+      conn
+      |> get(href)
+      |> json_response(200)
+    end)
+  end
+
  test "nodeinfo shows staff accounts", %{conn: conn} do
    moderator = insert(:user, %{local: true, info: %{is_moderator: true}})
    admin = insert(:user, %{local: true, info: %{is_admin: true}})
@ -32,70 +48,6 @@ defmodule Pleroma.Web.NodeInfoTest do
             result["metadata"]["restrictedNicknames"]
  end

-  test "returns 404 when federation is disabled", %{conn: conn} do
-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, false)
-
-    Application.put_env(:pleroma, :instance, instance)
-
-    conn
-    |> get("/.well-known/nodeinfo")
-    |> json_response(404)
-
-    conn
-    |> get("/nodeinfo/2.1.json")
-    |> json_response(404)
-
-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, true)
-
-    Application.put_env(:pleroma, :instance, instance)
-  end
-
-  test "returns 200 when federation is enabled", %{conn: conn} do
-    conn
-    |> get("/.well-known/nodeinfo")
-    |> json_response(200)
-
-    conn
-    |> get("/nodeinfo/2.1.json")
-    |> json_response(200)
-  end
-
-  test "returns 404 when federation is disabled (nodeinfo 2.0)", %{conn: conn} do
-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, false)
-
-    Application.put_env(:pleroma, :instance, instance)
-
-    conn
-    |> get("/.well-known/nodeinfo")
-    |> json_response(404)
-
-    conn
-    |> get("/nodeinfo/2.0.json")
-    |> json_response(404)
-
-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, true)
-
-    Application.put_env(:pleroma, :instance, instance)
-  end
-
-  test "returns 200 when federation is enabled (nodeinfo 2.0)", %{conn: conn} do
-    conn
-    |> get("/.well-known/nodeinfo")
-    |> json_response(200)
-
-    conn
-    |> get("/nodeinfo/2.0.json")
-    |> json_response(200)
-  end
-
  test "returns software.repository field in nodeinfo 2.1", %{conn: conn} do
    conn
    |> get("/.well-known/nodeinfo")
--- a/test/web/oauth/oauth_controller_test.exs
+++ b/test/web/oauth/oauth_controller_test.exs
@ -10,6 +10,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
  alias Pleroma.Registration
  alias Pleroma.Repo
  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.OAuthController
  alias Pleroma.Web.OAuth.Token

  @oauth_config_path [:oauth2, :issue_new_refresh_token]
@ -49,7 +50,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
          %{
            "response_type" => "code",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => OAuthController.default_redirect_uri(app),
            "scope" => "read"
          }
        )
@ -72,7 +73,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "authorization" => %{
              "scope" => "read follow",
              "client_id" => app.client_id,
-              "redirect_uri" => app.redirect_uris,
+              "redirect_uri" => OAuthController.default_redirect_uri(app),
              "state" => "a_state"
            }
          }
@ -98,11 +99,12 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    test "with user-bound registration, GET /oauth/<provider>/callback redirects to `redirect_uri` with `code`",
         %{app: app, conn: conn} do
      registration = insert(:registration)
+      redirect_uri = OAuthController.default_redirect_uri(app)

      state_params = %{
        "scope" => Enum.join(app.scopes, " "),
        "client_id" => app.client_id,
-        "redirect_uri" => app.redirect_uris,
+        "redirect_uri" => redirect_uri,
        "state" => ""
      }

@ -121,7 +123,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
          )

        assert response = html_response(conn, 302)
-        assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
+        assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/
      end
    end

@ -132,7 +134,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      state_params = %{
        "scope" => "read write",
        "client_id" => app.client_id,
-        "redirect_uri" => app.redirect_uris,
+        "redirect_uri" => OAuthController.default_redirect_uri(app),
        "state" => "a_state"
      }

@ -165,7 +167,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      state_params = %{
        "scope" => Enum.join(app.scopes, " "),
        "client_id" => app.client_id,
-        "redirect_uri" => app.redirect_uris,
+        "redirect_uri" => OAuthController.default_redirect_uri(app),
        "state" => ""
      }

@ -199,7 +201,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "authorization" => %{
              "scopes" => app.scopes,
              "client_id" => app.client_id,
-              "redirect_uri" => app.redirect_uris,
+              "redirect_uri" => OAuthController.default_redirect_uri(app),
              "state" => "a_state",
              "nickname" => nil,
              "email" => "john@doe.com"
@ -218,6 +220,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
           conn: conn
         } do
      registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
+      redirect_uri = OAuthController.default_redirect_uri(app)

      conn =
        conn
@ -229,7 +232,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "authorization" => %{
              "scopes" => app.scopes,
              "client_id" => app.client_id,
-              "redirect_uri" => app.redirect_uris,
+              "redirect_uri" => redirect_uri,
              "state" => "a_state",
              "nickname" => "availablenick",
              "email" => "available@email.com"
@ -238,7 +241,36 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        )

      assert response = html_response(conn, 302)
-      assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
+      assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/
+    end
+
+    test "with unlisted `redirect_uri`, POST /oauth/register?op=register results in HTTP 401",
+         %{
+           app: app,
+           conn: conn
+         } do
+      registration = insert(:registration, user: nil, info: %{"nickname" => nil, "email" => nil})
+      unlisted_redirect_uri = "http://cross-site-request.com"
+
+      conn =
+        conn
+        |> put_session(:registration_id, registration.id)
+        |> post(
+          "/oauth/register",
+          %{
+            "op" => "register",
+            "authorization" => %{
+              "scopes" => app.scopes,
+              "client_id" => app.client_id,
+              "redirect_uri" => unlisted_redirect_uri,
+              "state" => "a_state",
+              "nickname" => "availablenick",
+              "email" => "available@email.com"
+            }
+          }
+        )
+
+      assert response = html_response(conn, 401)
    end

    test "with invalid params, POST /oauth/register?op=register renders registration_details page",
@ -254,7 +286,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        "authorization" => %{
          "scopes" => app.scopes,
          "client_id" => app.client_id,
-          "redirect_uri" => app.redirect_uris,
+          "redirect_uri" => OAuthController.default_redirect_uri(app),
          "state" => "a_state",
          "nickname" => "availablenickname",
          "email" => "available@email.com"
@ -286,6 +318,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
         } do
      user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword"))
      registration = insert(:registration, user: nil)
+      redirect_uri = OAuthController.default_redirect_uri(app)

      conn =
        conn
@ -297,7 +330,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "authorization" => %{
              "scopes" => app.scopes,
              "client_id" => app.client_id,
-              "redirect_uri" => app.redirect_uris,
+              "redirect_uri" => redirect_uri,
              "state" => "a_state",
              "name" => user.nickname,
              "password" => "testpassword"
@ -306,7 +339,37 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        )

      assert response = html_response(conn, 302)
-      assert redirected_to(conn) =~ ~r/#{app.redirect_uris}\?code=.+/
+      assert redirected_to(conn) =~ ~r/#{redirect_uri}\?code=.+/
+    end
+
+    test "with unlisted `redirect_uri`, POST /oauth/register?op=connect results in HTTP 401`",
+         %{
+           app: app,
+           conn: conn
+         } do
+      user = insert(:user, password_hash: Comeonin.Pbkdf2.hashpwsalt("testpassword"))
+      registration = insert(:registration, user: nil)
+      unlisted_redirect_uri = "http://cross-site-request.com"
+
+      conn =
+        conn
+        |> put_session(:registration_id, registration.id)
+        |> post(
+          "/oauth/register",
+          %{
+            "op" => "connect",
+            "authorization" => %{
+              "scopes" => app.scopes,
+              "client_id" => app.client_id,
+              "redirect_uri" => unlisted_redirect_uri,
+              "state" => "a_state",
+              "name" => user.nickname,
+              "password" => "testpassword"
+            }
+          }
+        )
+
+      assert response = html_response(conn, 401)
    end

    test "with invalid params, POST /oauth/register?op=connect renders registration_details page",
@ -322,7 +385,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        "authorization" => %{
          "scopes" => app.scopes,
          "client_id" => app.client_id,
-          "redirect_uri" => app.redirect_uris,
+          "redirect_uri" => OAuthController.default_redirect_uri(app),
          "state" => "a_state",
          "name" => user.nickname,
          "password" => "wrong password"
@ -358,7 +421,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
          %{
            "response_type" => "code",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => OAuthController.default_redirect_uri(app),
            "scope" => "read"
          }
        )
@ -378,7 +441,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "authorization" => %{
              "response_type" => "code",
              "client_id" => app.client_id,
-              "redirect_uri" => app.redirect_uris,
+              "redirect_uri" => OAuthController.default_redirect_uri(app),
              "scope" => "read"
            }
          }
@ -399,7 +462,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
          %{
            "response_type" => "code",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => OAuthController.default_redirect_uri(app),
            "scope" => "read",
            "force_login" => "true"
          }
@ -408,7 +471,11 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
      assert html_response(conn, 200) =~ ~s(type="submit")
    end

-    test "redirects to app if user is already authenticated", %{app: app, conn: conn} do
+    test "with existing authentication and non-OOB `redirect_uri`, redirects to app with `token` and `state` params",
+         %{
+           app: app,
+           conn: conn
+         } do
      token = insert(:oauth_token, app_id: app.id)

      conn =
@ -419,12 +486,62 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
          %{
            "response_type" => "code",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => OAuthController.default_redirect_uri(app),
+            "state" => "specific_client_state",
            "scope" => "read"
          }
        )

-      assert redirected_to(conn) == "https://redirect.url"
+      assert URI.decode(redirected_to(conn)) ==
+               "https://redirect.url?access_token=#{token.token}&state=specific_client_state"
+    end
+
+    test "with existing authentication and unlisted non-OOB `redirect_uri`, redirects without credentials",
+         %{
+           app: app,
+           conn: conn
+         } do
+      unlisted_redirect_uri = "http://cross-site-request.com"
+      token = insert(:oauth_token, app_id: app.id)
+
+      conn =
+        conn
+        |> put_session(:oauth_token, token.token)
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => app.client_id,
+            "redirect_uri" => unlisted_redirect_uri,
+            "state" => "specific_client_state",
+            "scope" => "read"
+          }
+        )
+
+      assert redirected_to(conn) == unlisted_redirect_uri
+    end
+
+    test "with existing authentication and OOB `redirect_uri`, redirects to app with `token` and `state` params",
+         %{
+           app: app,
+           conn: conn
+         } do
+      token = insert(:oauth_token, app_id: app.id)
+
+      conn =
+        conn
+        |> put_session(:oauth_token, token.token)
+        |> get(
+          "/oauth/authorize",
+          %{
+            "response_type" => "code",
+            "client_id" => app.client_id,
+            "redirect_uri" => "urn:ietf:wg:oauth:2.0:oob",
+            "scope" => "read"
+          }
+        )
+
+      assert html_response(conn, 200) =~ "Authorization exists"
    end
  end

@ -432,6 +549,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    test "redirects with oauth authorization" do
      user = insert(:user)
      app = insert(:oauth_app, scopes: ["read", "write", "follow"])
+      redirect_uri = OAuthController.default_redirect_uri(app)

      conn =
        build_conn()
@ -440,14 +558,14 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "name" => user.nickname,
            "password" => "test",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => redirect_uri,
            "scope" => "read write",
            "state" => "statepassed"
          }
        })

      target = redirected_to(conn)
-      assert target =~ app.redirect_uris
+      assert target =~ redirect_uri

      query = URI.parse(target).query |> URI.query_decoder() |> Map.new()

@ -460,6 +578,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    test "returns 401 for wrong credentials", %{conn: conn} do
      user = insert(:user)
      app = insert(:oauth_app)
+      redirect_uri = OAuthController.default_redirect_uri(app)

      result =
        conn
@ -468,7 +587,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "name" => user.nickname,
            "password" => "wrong",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => redirect_uri,
            "state" => "statepassed",
            "scope" => Enum.join(app.scopes, " ")
          }
@ -477,7 +596,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do

      # Keep the details
      assert result =~ app.client_id
-      assert result =~ app.redirect_uris
+      assert result =~ redirect_uri

      # Error message
      assert result =~ "Invalid Username/Password"
@ -486,6 +605,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    test "returns 401 for missing scopes", %{conn: conn} do
      user = insert(:user)
      app = insert(:oauth_app)
+      redirect_uri = OAuthController.default_redirect_uri(app)

      result =
        conn
@ -494,7 +614,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "name" => user.nickname,
            "password" => "test",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => redirect_uri,
            "state" => "statepassed",
            "scope" => ""
          }
@ -503,7 +623,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do

      # Keep the details
      assert result =~ app.client_id
-      assert result =~ app.redirect_uris
+      assert result =~ redirect_uri

      # Error message
      assert result =~ "This action is outside the authorized scopes"
@ -512,6 +632,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
    test "returns 401 for scopes beyond app scopes", %{conn: conn} do
      user = insert(:user)
      app = insert(:oauth_app, scopes: ["read", "write"])
+      redirect_uri = OAuthController.default_redirect_uri(app)

      result =
        conn
@ -520,7 +641,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
            "name" => user.nickname,
            "password" => "test",
            "client_id" => app.client_id,
-            "redirect_uri" => app.redirect_uris,
+            "redirect_uri" => redirect_uri,
            "state" => "statepassed",
            "scope" => "read write follow"
          }
@ -529,7 +650,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do

      # Keep the details
      assert result =~ app.client_id
-      assert result =~ app.redirect_uris
+      assert result =~ redirect_uri

      # Error message
      assert result =~ "This action is outside the authorized scopes"
@ -548,7 +669,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        |> post("/oauth/token", %{
          "grant_type" => "authorization_code",
          "code" => auth.token,
-          "redirect_uri" => app.redirect_uris,
+          "redirect_uri" => OAuthController.default_redirect_uri(app),
          "client_id" => app.client_id,
          "client_secret" => app.client_secret
        })
@ -602,7 +723,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        |> post("/oauth/token", %{
          "grant_type" => "authorization_code",
          "code" => auth.token,
-          "redirect_uri" => app.redirect_uris
+          "redirect_uri" => OAuthController.default_redirect_uri(app)
        })

      assert %{"access_token" => token, "scope" => scope} = json_response(conn, 200)
@ -647,7 +768,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        |> post("/oauth/token", %{
          "grant_type" => "authorization_code",
          "code" => auth.token,
-          "redirect_uri" => app.redirect_uris
+          "redirect_uri" => OAuthController.default_redirect_uri(app)
        })

      assert resp = json_response(conn, 400)
@ -726,7 +847,7 @@ defmodule Pleroma.Web.OAuth.OAuthControllerTest do
        |> post("/oauth/token", %{
          "grant_type" => "authorization_code",
          "code" => "Imobviouslyinvalid",
-          "redirect_uri" => app.redirect_uris,
+          "redirect_uri" => OAuthController.default_redirect_uri(app),
          "client_id" => app.client_id,
          "client_secret" => app.client_secret
        })
--- a/test/web/plugs/federating_plug_test.exs
+++ b/test/web/plugs/federating_plug_test.exs
@ -6,11 +6,7 @@ defmodule Pleroma.Web.FederatingPlugTest do
  use Pleroma.Web.ConnCase

  test "returns and halt the conn when federating is disabled" do
-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, false)
-
-    Application.put_env(:pleroma, :instance, instance)
+    Pleroma.Config.put([:instance, :federating], false)

    conn =
      build_conn()
@ -19,11 +15,7 @@ defmodule Pleroma.Web.FederatingPlugTest do
    assert conn.status == 404
    assert conn.halted

-    instance =
-      Application.get_env(:pleroma, :instance)
-      |> Keyword.put(:federating, true)
-
-    Application.put_env(:pleroma, :instance, instance)
+    Pleroma.Config.put([:instance, :federating], true)
  end

  test "does nothing when federating is enabled" do
--- a/test/web/rich_media/parser_test.exs
+++ b/test/web/rich_media/parser_test.exs
@ -44,6 +44,8 @@ defmodule Pleroma.Web.RichMedia.ParserTest do
              %{
                image: "http://ia.media-imdb.com/images/rock.jpg",
                title: "The Rock",
+                description:
+                  "Directed by Michael Bay. With Sean Connery, Nicolas Cage, Ed Harris, John Spencer.",
                type: "video.movie",
                url: "http://www.imdb.com/title/tt0117500/"
              }}
--- a/test/web/streamer_test.exs
+++ b/test/web/streamer_test.exs
@ -11,6 +11,62 @@ defmodule Pleroma.Web.StreamerTest do
  alias Pleroma.Web.Streamer
  import Pleroma.Factory

+  setup do
+    skip_thread_containment = Pleroma.Config.get([:instance, :skip_thread_containment])
+
+    on_exit(fn ->
+      Pleroma.Config.put([:instance, :skip_thread_containment], skip_thread_containment)
+    end)
+
+    :ok
+  end
+
+  describe "user streams" do
+    setup do
+      GenServer.start(Streamer, %{}, name: Streamer)
+
+      on_exit(fn ->
+        if pid = Process.whereis(Streamer) do
+          Process.exit(pid, :kill)
+        end
+      end)
+
+      user = insert(:user)
+      notify = insert(:notification, user: user, activity: build(:note_activity))
+      {:ok, %{user: user, notify: notify}}
+    end
+
+    test "it sends notify to in the 'user' stream", %{user: user, notify: notify} do
+      task =
+        Task.async(fn ->
+          assert_receive {:text, _}, 4_000
+        end)
+
+      Streamer.add_socket(
+        "user",
+        %{transport_pid: task.pid, assigns: %{user: user}}
+      )
+
+      Streamer.stream("user", notify)
+      Task.await(task)
+    end
+
+    test "it sends notify to in the 'user:notification' stream", %{user: user, notify: notify} do
+      task =
+        Task.async(fn ->
+          assert_receive {:text, _}, 4_000
+        end)
+
+      Streamer.add_socket(
+        "user:notification",
+        %{transport_pid: task.pid, assigns: %{user: user}}
+      )
+
+      Streamer.stream("user:notification", notify)
+      Task.await(task)
+    end
+  end
+
  test "it sends to public" do
    user = insert(:user)
    other_user = insert(:user)
@ -68,6 +124,74 @@ defmodule Pleroma.Web.StreamerTest do
    Task.await(task)
  end

+  describe "thread_containment" do
+    test "it doesn't send to user if recipients invalid and thread containment is enabled" do
+      Pleroma.Config.put([:instance, :skip_thread_containment], false)
+      author = insert(:user)
+      user = insert(:user, following: [author.ap_id])
+
+      activity =
+        insert(:note_activity,
+          note:
+            insert(:note,
+              user: author,
+              data: %{"to" => ["TEST-FFF"]}
+            )
+        )
+
+      task = Task.async(fn -> refute_receive {:text, _}, 1_000 end)
+      fake_socket = %{transport_pid: task.pid, assigns: %{user: user}}
+      topics = %{"public" => [fake_socket]}
+      Streamer.push_to_socket(topics, "public", activity)
+
+      Task.await(task)
+    end
+
+    test "it sends message if recipients invalid and thread containment is disabled" do
+      Pleroma.Config.put([:instance, :skip_thread_containment], true)
+      author = insert(:user)
+      user = insert(:user, following: [author.ap_id])
+
+      activity =
+        insert(:note_activity,
+          note:
+            insert(:note,
+              user: author,
+              data: %{"to" => ["TEST-FFF"]}
+            )
+        )
+
+      task = Task.async(fn -> assert_receive {:text, _}, 1_000 end)
+      fake_socket = %{transport_pid: task.pid, assigns: %{user: user}}
+      topics = %{"public" => [fake_socket]}
+      Streamer.push_to_socket(topics, "public", activity)
+
+      Task.await(task)
+    end
+
+    test "it sends message if recipients invalid and thread containment is enabled but user's thread containment is disabled" do
+      Pleroma.Config.put([:instance, :skip_thread_containment], false)
+      author = insert(:user)
+      user = insert(:user, following: [author.ap_id], info: %{skip_thread_containment: true})
+
+      activity =
+        insert(:note_activity,
+          note:
+            insert(:note,
+              user: author,
+              data: %{"to" => ["TEST-FFF"]}
+            )
+        )
+
+      task = Task.async(fn -> assert_receive {:text, _}, 1_000 end)
+      fake_socket = %{transport_pid: task.pid, assigns: %{user: user}}
+      topics = %{"public" => [fake_socket]}
+      Streamer.push_to_socket(topics, "public", activity)
+
+      Task.await(task)
+    end
+  end
+
  test "it doesn't send to blocked users" do
    user = insert(:user)
    blocked_user = insert(:user)
--- a/test/web/twitter_api/twitter_api_controller_test.exs
+++ b/test/web/twitter_api/twitter_api_controller_test.exs
@ -168,41 +168,25 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
    end

    test "returns 403 to unauthenticated request when the instance is not public", %{conn: conn} do
-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, false)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], false)

      conn
      |> get("/api/statuses/public_timeline.json")
      |> json_response(403)

-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, true)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], true)
    end

    test "returns 200 to authenticated request when the instance is not public",
         %{conn: conn, user: user} do
-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, false)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], false)

      conn
      |> with_credentials(user.nickname, "test")
      |> get("/api/statuses/public_timeline.json")
      |> json_response(200)

-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, true)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], true)
    end

    test "returns 200 to unauthenticated request when the instance is public", %{conn: conn} do
@ -238,41 +222,25 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
    setup [:valid_user]

    test "returns 403 to unauthenticated request when the instance is not public", %{conn: conn} do
-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, false)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], false)

      conn
      |> get("/api/statuses/public_and_external_timeline.json")
      |> json_response(403)

-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, true)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], true)
    end

    test "returns 200 to authenticated request when the instance is not public",
         %{conn: conn, user: user} do
-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, false)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], false)

      conn
      |> with_credentials(user.nickname, "test")
      |> get("/api/statuses/public_and_external_timeline.json")
      |> json_response(200)

-      instance =
-        Application.get_env(:pleroma, :instance)
-        |> Keyword.put(:public, true)
-
-      Application.put_env(:pleroma, :instance, instance)
+      Pleroma.Config.put([:instance, :public], true)
    end

    test "returns 200 to unauthenticated request when the instance is public", %{conn: conn} do
@ -1564,7 +1532,7 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
          "hide_follows" => "false"
        })

-      user = Repo.get!(User, user.id)
+      user = refresh_record(user)
      assert user.info.hide_follows == false
      assert json_response(conn, 200) == UserView.render("user.json", %{user: user, for: user})
    end
@ -1617,6 +1585,29 @@ defmodule Pleroma.Web.TwitterAPI.ControllerTest do
      assert json_response(conn, 200) == UserView.render("user.json", %{user: user, for: user})
    end

+    test "it sets and un-sets skip_thread_containment", %{conn: conn} do
+      user = insert(:user)
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> post("/api/account/update_profile.json", %{"skip_thread_containment" => "true"})
+        |> json_response(200)
+
+      assert response["pleroma"]["skip_thread_containment"] == true
+      user = refresh_record(user)
+      assert user.info.skip_thread_containment
+
+      response =
+        conn
+        |> assign(:user, user)
+        |> post("/api/account/update_profile.json", %{"skip_thread_containment" => "false"})
+        |> json_response(200)
+
+      assert response["pleroma"]["skip_thread_containment"] == false
+      refute refresh_record(user).info.skip_thread_containment
+    end
+
    test "it locks an account", %{conn: conn} do
      user = insert(:user)

--- a/test/web/twitter_api/twitter_api_test.exs
+++ b/test/web/twitter_api/twitter_api_test.exs
@ -116,8 +116,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
    {:ok, user, followed, _activity} = TwitterAPI.follow(user, %{"user_id" => followed.id})
    assert User.ap_followers(followed) in user.following

-    {:error, msg} = TwitterAPI.follow(user, %{"user_id" => followed.id})
-    assert msg == "Could not follow user: #{followed.nickname} is already on your list."
+    {:ok, _, _, _} = TwitterAPI.follow(user, %{"user_id" => followed.id})
  end

  test "Follow another user using screen_name" do
@ -132,8 +131,7 @@ defmodule Pleroma.Web.TwitterAPI.TwitterAPITest do
    followed = User.get_cached_by_ap_id(followed.ap_id)
    assert followed.info.follower_count == 1

-    {:error, msg} = TwitterAPI.follow(user, %{"screen_name" => followed.nickname})
-    assert msg == "Could not follow user: #{followed.nickname} is already on your list."
+    {:ok, _, _, _} = TwitterAPI.follow(user, %{"screen_name" => followed.nickname})
  end

  test "Unfollow another user using user_id" do
--- a/test/web/twitter_api/util_controller_test.exs
+++ b/test/web/twitter_api/util_controller_test.exs
@ -102,7 +102,6 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do
      conn
      |> assign(:user, user)
      |> put("/api/pleroma/notification_settings", %{
-        "remote" => false,
        "followers" => false,
        "bar" => 1
      })
@ -110,8 +109,12 @@ defmodule Pleroma.Web.TwitterAPI.UtilControllerTest do

      user = Repo.get(User, user.id)

-      assert %{"remote" => false, "local" => true, "followers" => false, "follows" => true} ==
-               user.info.notification_settings
+      assert %{
+               "followers" => false,
+               "follows" => true,
+               "non_follows" => true,
+               "non_followers" => true
+             } == user.info.notification_settings
    end
  end

--- a/test/web/twitter_api/views/user_view_test.exs
+++ b/test/web/twitter_api/views/user_view_test.exs
@ -99,7 +99,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
      "fields" => [],
      "pleroma" => %{
        "confirmation_pending" => false,
-        "tags" => []
+        "tags" => [],
+        "skip_thread_containment" => false
      },
      "rights" => %{"admin" => false, "delete_others_notice" => false},
      "role" => "member"
@ -112,9 +113,11 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
    as_user = UserView.render("show.json", %{user: user, for: user})
    assert as_user["default_scope"] == user.info.default_scope
    assert as_user["no_rich_text"] == user.info.no_rich_text
+    assert as_user["pleroma"]["notification_settings"] == user.info.notification_settings
    as_stranger = UserView.render("show.json", %{user: user})
    refute as_stranger["default_scope"]
    refute as_stranger["no_rich_text"]
+    refute as_stranger["pleroma"]["notification_settings"]
  end

  test "A user for a given other follower", %{user: user} do
@ -152,7 +155,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
      "fields" => [],
      "pleroma" => %{
        "confirmation_pending" => false,
-        "tags" => []
+        "tags" => [],
+        "skip_thread_containment" => false
      },
      "rights" => %{"admin" => false, "delete_others_notice" => false},
      "role" => "member"
@ -197,7 +201,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
      "fields" => [],
      "pleroma" => %{
        "confirmation_pending" => false,
-        "tags" => []
+        "tags" => [],
+        "skip_thread_containment" => false
      },
      "rights" => %{"admin" => false, "delete_others_notice" => false},
      "role" => "member"
@ -279,7 +284,8 @@ defmodule Pleroma.Web.TwitterAPI.UserViewTest do
      "fields" => [],
      "pleroma" => %{
        "confirmation_pending" => false,
-        "tags" => []
+        "tags" => [],
+        "skip_thread_containment" => false
      },
      "rights" => %{"admin" => false, "delete_others_notice" => false},
      "role" => "member"
--- a/test/web/websub/websub_controller_test.exs
+++ b/test/web/websub/websub_controller_test.exs
@ -5,7 +5,6 @@
 defmodule Pleroma.Web.Websub.WebsubControllerTest do
  use Pleroma.Web.ConnCase
  import Pleroma.Factory
-  alias Pleroma.Activity
  alias Pleroma.Repo
  alias Pleroma.Web.Websub
  alias Pleroma.Web.Websub.WebsubClientSubscription
@ -52,7 +51,7 @@ defmodule Pleroma.Web.Websub.WebsubControllerTest do
  end

  describe "websub_incoming" do
-    test "handles incoming feed updates", %{conn: conn} do
+    test "accepts incoming feed updates", %{conn: conn} do
      websub = insert(:websub_client_subscription)
      doc = "some stuff"
      signature = Websub.sign(websub.secret, doc)
@ -64,8 +63,6 @@ defmodule Pleroma.Web.Websub.WebsubControllerTest do
        |> post("/push/subscriptions/#{websub.id}", doc)

      assert response(conn, 200) == "OK"
-
-      assert length(Repo.all(Activity)) == 1
    end

    test "rejects incoming feed updates with the wrong signature", %{conn: conn} do
@ -80,8 +77,6 @@ defmodule Pleroma.Web.Websub.WebsubControllerTest do
        |> post("/push/subscriptions/#{websub.id}", doc)

      assert response(conn, 500) == "Error"
-
-      assert Enum.empty?(Repo.all(Activity))
    end
  end
 end