Merge branch 'develop' into update-oauth-template

2019-06-03 09:12:17 -05:00 · 2019-06-03 09:12:17 -05:00 · f4e2595592
commit f4e2595592
parent 3c4cab9be1 9789e000b0
290 changed files with 10822 additions and 2526 deletions
--- a/lib/pleroma/activity.ex
+++ b/lib/pleroma/activity.ex
@ -6,14 +6,19 @@ defmodule Pleroma.Activity do
  use Ecto.Schema

  alias Pleroma.Activity
+  alias Pleroma.Bookmark
  alias Pleroma.Notification
  alias Pleroma.Object
  alias Pleroma.Repo
+  alias Pleroma.ThreadMute
+  alias Pleroma.User

  import Ecto.Changeset
  import Ecto.Query

  @type t :: %__MODULE__{}
+  @type actor :: String.t()
+
  @primary_key {:id, Pleroma.FlakeId, autogenerate: true}

  # https://github.com/tootsuite/mastodon/blob/master/app/models/notification.rb#L19
@ -33,6 +38,9 @@ defmodule Pleroma.Activity do
    field(:local, :boolean, default: true)
    field(:actor, :string)
    field(:recipients, {:array, :string}, default: [])
+    field(:thread_muted?, :boolean, virtual: true)
+    # This is a fake relation, do not use outside of with_preloaded_bookmark/get_bookmark
+    has_one(:bookmark, Bookmark)
    has_many(:notifications, Notification, on_delete: :delete_all)

    # Attention: this is a fake relation, don't try to preload it blindly and expect it to work!
@ -54,23 +62,46 @@ defmodule Pleroma.Activity do
    timestamps()
  end

-  def with_preloaded_object(query) do
-    query
-    |> join(
-      :inner,
-      [activity],
-      o in Object,
+  def with_joined_object(query) do
+    join(query, :inner, [activity], o in Object,
      on:
        fragment(
          "(?->>'id') = COALESCE(?->'object'->>'id', ?->>'object')",
          o.data,
          activity.data,
          activity.data
-        )
+        ),
+      as: :object
    )
-    |> preload([activity, object], object: object)
  end

+  def with_preloaded_object(query) do
+    query
+    |> has_named_binding?(:object)
+    |> if(do: query, else: with_joined_object(query))
+    |> preload([activity, object: object], object: object)
+  end
+
+  def with_preloaded_bookmark(query, %User{} = user) do
+    from([a] in query,
+      left_join: b in Bookmark,
+      on: b.user_id == ^user.id and b.activity_id == a.id,
+      preload: [bookmark: b]
+    )
+  end
+
+  def with_preloaded_bookmark(query, _), do: query
+
+  def with_set_thread_muted_field(query, %User{} = user) do
+    from([a] in query,
+      left_join: tm in ThreadMute,
+      on: tm.user_id == ^user.id and tm.context == fragment("?->>'context'", a.data),
+      select: %Activity{a | thread_muted?: not is_nil(tm.id)}
+    )
+  end
+
+  def with_set_thread_muted_field(query, _), do: query
+
  def get_by_ap_id(ap_id) do
    Repo.one(
      from(
@ -80,9 +111,19 @@ defmodule Pleroma.Activity do
    )
  end

+  def get_bookmark(%Activity{} = activity, %User{} = user) do
+    if Ecto.assoc_loaded?(activity.bookmark) do
+      activity.bookmark
+    else
+      Bookmark.get(user.id, activity.id)
+    end
+  end
+
+  def get_bookmark(_, _), do: nil
+
  def change(struct, params \\ %{}) do
    struct
-    |> cast(params, [:data])
+    |> cast(params, [:data, :recipients])
    |> validate_required([:data])
    |> unique_constraint(:ap_id, name: :activities_unique_apid_index)
  end
@ -106,7 +147,10 @@ defmodule Pleroma.Activity do
  end

  def get_by_id(id) do
-    Repo.get(Activity, id)
+    Activity
+    |> where([a], a.id == ^id)
+    |> restrict_deactivated_users()
+    |> Repo.one()
  end

  def get_by_id_with_object(id) do
@ -174,6 +218,7 @@ defmodule Pleroma.Activity do

  def get_create_by_object_ap_id(ap_id) when is_binary(ap_id) do
    create_by_object_ap_id(ap_id)
+    |> restrict_deactivated_users()
    |> Repo.one()
  end

@ -260,4 +305,42 @@ defmodule Pleroma.Activity do
    |> where([s], s.actor == ^actor)
    |> Repo.all()
  end
+
+  def follow_requests_for_actor(%Pleroma.User{ap_id: ap_id}) do
+    from(
+      a in Activity,
+      where:
+        fragment(
+          "? ->> 'type' = 'Follow'",
+          a.data
+        ),
+      where:
+        fragment(
+          "? ->> 'state' = 'pending'",
+          a.data
+        ),
+      where:
+        fragment(
+          "coalesce((?)->'object'->>'id', (?)->>'object') = ?",
+          a.data,
+          a.data,
+          ^ap_id
+        )
+    )
+  end
+
+  @spec query_by_actor(actor()) :: Ecto.Query.t()
+  def query_by_actor(actor) do
+    from(a in Activity, where: a.actor == ^actor)
+  end
+
+  def restrict_deactivated_users(query) do
+    from(activity in query,
+      where:
+        fragment(
+          "? not in (SELECT ap_id FROM users WHERE info->'deactivated' @> 'true')",
+          activity.actor
+        )
+    )
+  end
 end
--- a/lib/pleroma/application.ex
+++ b/lib/pleroma/application.ex
@ -110,6 +110,7 @@ defmodule Pleroma.Application do
        hackney_pool_children() ++
        [
          worker(Pleroma.Web.Federator.RetryQueue, []),
+          worker(Pleroma.Web.OAuth.Token.CleanWorker, []),
          worker(Pleroma.Stats, []),
          worker(Task, [&Pleroma.Web.Push.init/0], restart: :temporary, id: :web_push_init),
          worker(Task, [&Pleroma.Web.Federator.init/0], restart: :temporary, id: :federator_init)
@ -131,19 +132,22 @@ defmodule Pleroma.Application do
  defp setup_instrumenters do
    require Prometheus.Registry

-    :ok =
-      :telemetry.attach(
-        "prometheus-ecto",
-        [:pleroma, :repo, :query],
-        &Pleroma.Repo.Instrumenter.handle_event/4,
-        %{}
-      )
+    if Application.get_env(:prometheus, Pleroma.Repo.Instrumenter) do
+      :ok =
+        :telemetry.attach(
+          "prometheus-ecto",
+          [:pleroma, :repo, :query],
+          &Pleroma.Repo.Instrumenter.handle_event/4,
+          %{}
+        )
+
+      Pleroma.Repo.Instrumenter.setup()
+    end

    Prometheus.Registry.register_collector(:prometheus_process_collector)
    Pleroma.Web.Endpoint.MetricsExporter.setup()
    Pleroma.Web.Endpoint.PipelineInstrumenter.setup()
    Pleroma.Web.Endpoint.Instrumenter.setup()
-    Pleroma.Repo.Instrumenter.setup()
  end

  def enabled_hackney_pools do
--- a/lib/pleroma/bbs/authenticator.ex
+++ b/lib/pleroma/bbs/authenticator.ex
@ -0,0 +1,16 @@
+defmodule Pleroma.BBS.Authenticator do
+  use Sshd.PasswordAuthenticator
+  alias Comeonin.Pbkdf2
+  alias Pleroma.User
+
+  def authenticate(username, password) do
+    username = to_string(username)
+    password = to_string(password)
+
+    with %User{} = user <- User.get_by_nickname(username) do
+      Pbkdf2.checkpw(password, user.password_hash)
+    else
+      _e -> false
+    end
+  end
+end
--- a/lib/pleroma/bbs/handler.ex
+++ b/lib/pleroma/bbs/handler.ex
@ -0,0 +1,146 @@
+defmodule Pleroma.BBS.Handler do
+  use Sshd.ShellHandler
+  alias Pleroma.Activity
+  alias Pleroma.Web.ActivityPub.ActivityPub
+  alias Pleroma.Web.CommonAPI
+
+  def on_shell(username, _pubkey, _ip, _port) do
+    :ok = IO.puts("Welcome to #{Pleroma.Config.get([:instance, :name])}!")
+    user = Pleroma.User.get_cached_by_nickname(to_string(username))
+    Logger.debug("#{inspect(user)}")
+    loop(run_state(user: user))
+  end
+
+  def on_connect(username, ip, port, method) do
+    Logger.debug(fn ->
+      """
+      Incoming SSH shell #{inspect(self())} requested for #{username} from #{inspect(ip)}:#{
+        inspect(port)
+      } using #{inspect(method)}
+      """
+    end)
+  end
+
+  def on_disconnect(username, ip, port) do
+    Logger.debug(fn ->
+      "Disconnecting SSH shell for #{username} from #{inspect(ip)}:#{inspect(port)}"
+    end)
+  end
+
+  defp loop(state) do
+    self_pid = self()
+    counter = state.counter
+    prefix = state.prefix
+    user = state.user
+
+    input = spawn(fn -> io_get(self_pid, prefix, counter, user.nickname) end)
+    wait_input(state, input)
+  end
+
+  def puts_activity(activity) do
+    status = Pleroma.Web.MastodonAPI.StatusView.render("status.json", %{activity: activity})
+    IO.puts("-- #{status.id} by #{status.account.display_name} (#{status.account.acct})")
+    IO.puts(HtmlSanitizeEx.strip_tags(status.content))
+    IO.puts("")
+  end
+
+  def handle_command(state, "help") do
+    IO.puts("Available commands:")
+    IO.puts("help - This help")
+    IO.puts("home - Show the home timeline")
+    IO.puts("p <text> - Post the given text")
+    IO.puts("r <id> <text> - Reply to the post with the given id")
+    IO.puts("quit - Quit")
+
+    state
+  end
+
+  def handle_command(%{user: user} = state, "r " <> text) do
+    text = String.trim(text)
+    [activity_id, rest] = String.split(text, " ", parts: 2)
+
+    with %Activity{} <- Activity.get_by_id(activity_id),
+         {:ok, _activity} <-
+           CommonAPI.post(user, %{"status" => rest, "in_reply_to_status_id" => activity_id}) do
+      IO.puts("Replied!")
+    else
+      _e -> IO.puts("Could not reply...")
+    end
+
+    state
+  end
+
+  def handle_command(%{user: user} = state, "p " <> text) do
+    text = String.trim(text)
+
+    with {:ok, _activity} <- CommonAPI.post(user, %{"status" => text}) do
+      IO.puts("Posted!")
+    else
+      _e -> IO.puts("Could not post...")
+    end
+
+    state
+  end
+
+  def handle_command(state, "home") do
+    user = state.user
+
+    params =
+      %{}
+      |> Map.put("type", ["Create"])
+      |> Map.put("blocking_user", user)
+      |> Map.put("muting_user", user)
+      |> Map.put("user", user)
+
+    activities =
+      [user.ap_id | user.following]
+      |> ActivityPub.fetch_activities(params)
+
+    Enum.each(activities, fn activity ->
+      puts_activity(activity)
+    end)
+
+    state
+  end
+
+  def handle_command(state, command) do
+    IO.puts("Unknown command '#{command}'")
+    state
+  end
+
+  defp wait_input(state, input) do
+    receive do
+      {:input, ^input, "quit\n"} ->
+        IO.puts("Exiting...")
+
+      {:input, ^input, code} when is_binary(code) ->
+        code = String.trim(code)
+
+        state = handle_command(state, code)
+
+        loop(%{state | counter: state.counter + 1})
+
+      {:error, :interrupted} ->
+        IO.puts("Caught Ctrl+C...")
+        loop(%{state | counter: state.counter + 1})
+
+      {:input, ^input, msg} ->
+        :ok = Logger.warn("received unknown message: #{inspect(msg)}")
+        loop(%{state | counter: state.counter + 1})
+    end
+  end
+
+  defp run_state(opts) do
+    %{prefix: "pleroma", counter: 1, user: opts[:user]}
+  end
+
+  defp io_get(pid, prefix, counter, username) do
+    prompt = prompt(prefix, counter, username)
+    send(pid, {:input, self(), IO.gets(:stdio, prompt)})
+  end
+
+  defp prompt(prefix, counter, username) do
+    prompt = "#{username}@#{prefix}:#{counter}>"
+    prompt <> " "
+  end
+end
--- a/lib/pleroma/captcha/kocaptcha.ex
+++ b/lib/pleroma/captcha/kocaptcha.ex
@ -15,7 +15,7 @@ defmodule Pleroma.Captcha.Kocaptcha do
        %{error: "Kocaptcha service unavailable"}

      {:ok, res} ->
-        json_resp = Poison.decode!(res.body)
+        json_resp = Jason.decode!(res.body)

        %{
          type: :kocaptcha,
--- a/lib/pleroma/config.ex
+++ b/lib/pleroma/config.ex
@ -12,8 +12,12 @@ defmodule Pleroma.Config do
  def get([key], default), do: get(key, default)

  def get([parent_key | keys], default) do
-    Application.get_env(:pleroma, parent_key)
-    |> get_in(keys) || default
+    case :pleroma
+         |> Application.get_env(parent_key)
+         |> get_in(keys) do
+      nil -> default
+      any -> any
+    end
  end

  def get(key, default) do
--- a/lib/pleroma/config/deprecation_warnings.ex
+++ b/lib/pleroma/config/deprecation_warnings.ex
@ -5,15 +5,6 @@
 defmodule Pleroma.Config.DeprecationWarnings do
  require Logger

-  def check_frontend_config_mechanism do
-    if Pleroma.Config.get(:fe) do
-      Logger.warn("""
-      !!!DEPRECATION WARNING!!!
-      You are using the old configuration mechanism for the frontend. Please check config.md.
-      """)
-    end
-  end
-
  def check_hellthread_threshold do
    if Pleroma.Config.get([:mrf_hellthread, :threshold]) do
      Logger.warn("""
@ -24,7 +15,6 @@ defmodule Pleroma.Config.DeprecationWarnings do
  end

  def warn do
-    check_frontend_config_mechanism()
    check_hellthread_threshold()
  end
 end
--- a/lib/pleroma/conversation.ex
+++ b/lib/pleroma/conversation.ex
@ -0,0 +1,92 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Conversation do
+  alias Pleroma.Conversation.Participation
+  alias Pleroma.Repo
+  alias Pleroma.User
+  use Ecto.Schema
+  import Ecto.Changeset
+
+  schema "conversations" do
+    # This is the context ap id.
+    field(:ap_id, :string)
+    has_many(:participations, Participation)
+    has_many(:users, through: [:participations, :user])
+
+    timestamps()
+  end
+
+  def creation_cng(struct, params) do
+    struct
+    |> cast(params, [:ap_id])
+    |> validate_required([:ap_id])
+    |> unique_constraint(:ap_id)
+  end
+
+  def create_for_ap_id(ap_id) do
+    %__MODULE__{}
+    |> creation_cng(%{ap_id: ap_id})
+    |> Repo.insert(
+      on_conflict: [set: [updated_at: NaiveDateTime.utc_now()]],
+      returning: true,
+      conflict_target: :ap_id
+    )
+  end
+
+  def get_for_ap_id(ap_id) do
+    Repo.get_by(__MODULE__, ap_id: ap_id)
+  end
+
+  @doc """
+  This will
+  1. Create a conversation if there isn't one already
+  2. Create a participation for all the people involved who don't have one already
+  3. Bump all relevant participations to 'unread'
+  """
+  def create_or_bump_for(activity, opts \\ []) do
+    with true <- Pleroma.Web.ActivityPub.Visibility.is_direct?(activity),
+         "Create" <- activity.data["type"],
+         object <- Pleroma.Object.normalize(activity),
+         true <- object.data["type"] in ["Note", "Question"],
+         ap_id when is_binary(ap_id) and byte_size(ap_id) > 0 <- object.data["context"] do
+      {:ok, conversation} = create_for_ap_id(ap_id)
+
+      users = User.get_users_from_set(activity.recipients, false)
+
+      participations =
+        Enum.map(users, fn user ->
+          {:ok, participation} =
+            Participation.create_for_user_and_conversation(user, conversation, opts)
+
+          participation
+        end)
+
+      {:ok,
+       %{
+         conversation
+         | participations: participations
+       }}
+    else
+      e -> {:error, e}
+    end
+  end
+
+  @doc """
+  This is only meant to be run by a mix task. It creates conversations/participations for all direct messages in the database.
+  """
+  def bump_for_all_activities do
+    stream =
+      Pleroma.Web.ActivityPub.ActivityPub.fetch_direct_messages_query()
+      |> Repo.stream()
+
+    Repo.transaction(
+      fn ->
+        stream
+        |> Enum.each(fn a -> create_or_bump_for(a, read: true) end)
+      end,
+      timeout: :infinity
+    )
+  end
+end
--- a/lib/pleroma/conversation/participation.ex
+++ b/lib/pleroma/conversation/participation.ex
@ -0,0 +1,83 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Conversation.Participation do
+  use Ecto.Schema
+  alias Pleroma.Conversation
+  alias Pleroma.Repo
+  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.ActivityPub
+  import Ecto.Changeset
+  import Ecto.Query
+
+  schema "conversation_participations" do
+    belongs_to(:user, User, type: Pleroma.FlakeId)
+    belongs_to(:conversation, Conversation)
+    field(:read, :boolean, default: false)
+    field(:last_activity_id, Pleroma.FlakeId, virtual: true)
+
+    timestamps()
+  end
+
+  def creation_cng(struct, params) do
+    struct
+    |> cast(params, [:user_id, :conversation_id, :read])
+    |> validate_required([:user_id, :conversation_id])
+  end
+
+  def create_for_user_and_conversation(user, conversation, opts \\ []) do
+    read = !!opts[:read]
+
+    %__MODULE__{}
+    |> creation_cng(%{user_id: user.id, conversation_id: conversation.id, read: read})
+    |> Repo.insert(
+      on_conflict: [set: [read: read, updated_at: NaiveDateTime.utc_now()]],
+      returning: true,
+      conflict_target: [:user_id, :conversation_id]
+    )
+  end
+
+  def read_cng(struct, params) do
+    struct
+    |> cast(params, [:read])
+    |> validate_required([:read])
+  end
+
+  def mark_as_read(participation) do
+    participation
+    |> read_cng(%{read: true})
+    |> Repo.update()
+  end
+
+  def mark_as_unread(participation) do
+    participation
+    |> read_cng(%{read: false})
+    |> Repo.update()
+  end
+
+  def for_user(user, params \\ %{}) do
+    from(p in __MODULE__,
+      where: p.user_id == ^user.id,
+      order_by: [desc: p.updated_at]
+    )
+    |> Pleroma.Pagination.fetch_paginated(params)
+    |> Repo.preload(conversation: [:users])
+  end
+
+  def for_user_with_last_activity_id(user, params \\ %{}) do
+    for_user(user, params)
+    |> Enum.map(fn participation ->
+      activity_id =
+        ActivityPub.fetch_latest_activity_id_for_context(participation.conversation.ap_id, %{
+          "user" => user,
+          "blocking_user" => user
+        })
+
+      %{
+        participation
+        | last_activity_id: activity_id
+      }
+    end)
+  end
+end
--- a/lib/pleroma/emails/admin_email.ex
+++ b/lib/pleroma/emails/admin_email.ex
@ -29,7 +29,7 @@ defmodule Pleroma.Emails.AdminEmail do
      end

    statuses_html =
-      if length(statuses) > 0 do
+      if is_list(statuses) && length(statuses) > 0 do
        statuses_list_html =
          statuses
          |> Enum.map(fn
--- a/lib/pleroma/emoji.ex
+++ b/lib/pleroma/emoji.ex
@ -22,7 +22,7 @@ defmodule Pleroma.Emoji do

  @ets __MODULE__.Ets
  @ets_options [:ordered_set, :protected, :named_table, {:read_concurrency, true}]
-  @groups Application.get_env(:pleroma, :emoji)[:groups]
+  @groups Pleroma.Config.get([:emoji, :groups])

  @doc false
  def start_link do
@ -112,7 +112,7 @@ defmodule Pleroma.Emoji do

    # Compat thing for old custom emoji handling & default emoji,
    # it should run even if there are no emoji packs
-    shortcode_globs = Application.get_env(:pleroma, :emoji)[:shortcode_globs] || []
+    shortcode_globs = Pleroma.Config.get([:emoji, :shortcode_globs], [])

    emojis =
      (load_from_file("config/emoji.txt") ++
--- a/lib/pleroma/filter.ex
+++ b/lib/pleroma/filter.ex
@ -38,7 +38,8 @@ defmodule Pleroma.Filter do
    query =
      from(
        f in Pleroma.Filter,
-        where: f.user_id == ^user_id
+        where: f.user_id == ^user_id,
+        order_by: [desc: :id]
      )

    Repo.all(query)
--- a/lib/pleroma/formatter.ex
+++ b/lib/pleroma/formatter.ex
@ -8,7 +8,7 @@ defmodule Pleroma.Formatter do
  alias Pleroma.User
  alias Pleroma.Web.MediaProxy

-  @safe_mention_regex ~r/^(\s*(?<mentions>@.+?\s+)+)(?<rest>.*)/
+  @safe_mention_regex ~r/^(\s*(?<mentions>(@.+?\s+){1,})+)(?<rest>.*)/s
  @link_regex ~r"((?:http(s)?:\/\/)?[\w.-]+(?:\.[\w\.-]+)+[\w\-\._~%:/?#[\]@!\$&'\(\)\*\+,;=.]+)|[0-9a-z+\-\.]+:[0-9a-z$-_.+!*'(),]+"ui
  @markdown_characters_regex ~r/(`|\*|_|{|}|[|]|\(|\)|#|\+|-|\.|!)/

@ -113,9 +113,7 @@ defmodule Pleroma.Formatter do

      html =
        if not strip do
-          "<img height='32px' width='32px' alt='#{emoji}' title='#{emoji}' src='#{
-            MediaProxy.url(file)
-          }' />"
+          "<img class='emoji' alt='#{emoji}' title='#{emoji}' src='#{MediaProxy.url(file)}' />"
        else
          ""
        end
@ -130,12 +128,23 @@ defmodule Pleroma.Formatter do

  def demojify(text, nil), do: text

+  @doc "Outputs a list of the emoji-shortcodes in a text"
  def get_emoji(text) when is_binary(text) do
    Enum.filter(Emoji.get_all(), fn {emoji, _, _} -> String.contains?(text, ":#{emoji}:") end)
  end

  def get_emoji(_), do: []

+  @doc "Outputs a list of the emoji-Maps in a text"
+  def get_emoji_map(text) when is_binary(text) do
+    get_emoji(text)
+    |> Enum.reduce(%{}, fn {name, file, _group}, acc ->
+      Map.put(acc, name, "#{Pleroma.Web.Endpoint.static_url()}#{file}")
+    end)
+  end
+
+  def get_emoji_map(_), do: []
+
  def html_escape({text, mentions, hashtags}, type) do
    {html_escape(text, type), mentions, hashtags}
  end
--- a/lib/pleroma/gopher/server.ex
+++ b/lib/pleroma/gopher/server.ex
@ -77,13 +77,13 @@ defmodule Pleroma.Gopher.Server.ProtocolHandler do
      user = User.get_cached_by_ap_id(activity.data["actor"])

      object = Object.normalize(activity)
-      like_count = object["like_count"] || 0
-      announcement_count = object["announcement_count"] || 0
+      like_count = object.data["like_count"] || 0
+      announcement_count = object.data["announcement_count"] || 0

      link("Post ##{activity.id} by #{user.nickname}", "/notices/#{activity.id}") <>
        info("#{like_count} likes, #{announcement_count} repeats") <>
        "i\tfake\t(NULL)\t0\r\n" <>
-        info(HTML.strip_tags(String.replace(object["content"], "<br>", "\r")))
+        info(HTML.strip_tags(String.replace(object.data["content"], "<br>", "\r")))
    end)
    |> Enum.join("i\tfake\t(NULL)\t0\r\n")
  end
--- a/lib/pleroma/html.ex
+++ b/lib/pleroma/html.ex
@ -28,12 +28,18 @@ defmodule Pleroma.HTML do
  def filter_tags(html), do: filter_tags(html, nil)
  def strip_tags(html), do: Scrubber.scrub(html, Scrubber.StripTags)

-  def get_cached_scrubbed_html_for_activity(content, scrubbers, activity, key \\ "") do
+  def get_cached_scrubbed_html_for_activity(
+        content,
+        scrubbers,
+        activity,
+        key \\ "",
+        callback \\ fn x -> x end
+      ) do
    key = "#{key}#{generate_scrubber_signature(scrubbers)}|#{activity.id}"

    Cachex.fetch!(:scrubber_cache, key, fn _key ->
      object = Pleroma.Object.normalize(activity)
-      ensure_scrubbed_html(content, scrubbers, object.data["fake"] || false)
+      ensure_scrubbed_html(content, scrubbers, object.data["fake"] || false, callback)
    end)
  end

@ -42,24 +48,27 @@ defmodule Pleroma.HTML do
      content,
      HtmlSanitizeEx.Scrubber.StripTags,
      activity,
-      key
+      key,
+      &HtmlEntities.decode/1
    )
  end

  def ensure_scrubbed_html(
        content,
        scrubbers,
-        false = _fake
+        fake,
+        callback
      ) do
-    {:commit, filter_tags(content, scrubbers)}
-  end
+    content =
+      content
+      |> filter_tags(scrubbers)
+      |> callback.()

-  def ensure_scrubbed_html(
-        content,
-        scrubbers,
-        true = _fake
-      ) do
-    {:ignore, filter_tags(content, scrubbers)}
+    if fake do
+      {:ignore, content}
+    else
+      {:commit, content}
+    end
  end

  defp generate_scrubber_signature(scrubber) when is_atom(scrubber) do
@ -95,7 +104,6 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
  paragraphs, breaks and links are allowed through the filter.
  """

-  @markup Application.get_env(:pleroma, :markup)
  @valid_schemes Pleroma.Config.get([:uri_schemes, :valid_schemes], [])

  require HtmlSanitizeEx.Scrubber.Meta
@ -133,15 +141,14 @@ defmodule Pleroma.HTML.Scrubber.TwitterText do
  Meta.allow_tag_with_these_attributes("span", [])

  # allow inline images for custom emoji
-  @allow_inline_images Keyword.get(@markup, :allow_inline_images)
-
-  if @allow_inline_images do
+  if Pleroma.Config.get([:markup, :allow_inline_images]) do
    # restrict img tags to http/https only, because of MediaProxy.
    Meta.allow_tag_with_uri_attributes("img", ["src"], ["http", "https"])

    Meta.allow_tag_with_these_attributes("img", [
      "width",
      "height",
+      "class",
      "title",
      "alt"
    ])
@ -158,7 +165,6 @@ defmodule Pleroma.HTML.Scrubber.Default do
  # credo:disable-for-previous-line
  # No idea how to fix this one…

-  @markup Application.get_env(:pleroma, :markup)
  @valid_schemes Pleroma.Config.get([:uri_schemes, :valid_schemes], [])

  Meta.remove_cdata_sections_before_scrub()
@ -203,7 +209,7 @@ defmodule Pleroma.HTML.Scrubber.Default do
  Meta.allow_tag_with_this_attribute_values("span", "class", ["h-card"])
  Meta.allow_tag_with_these_attributes("span", [])

-  @allow_inline_images Keyword.get(@markup, :allow_inline_images)
+  @allow_inline_images Pleroma.Config.get([:markup, :allow_inline_images])

  if @allow_inline_images do
    # restrict img tags to http/https only, because of MediaProxy.
@ -212,14 +218,13 @@ defmodule Pleroma.HTML.Scrubber.Default do
    Meta.allow_tag_with_these_attributes("img", [
      "width",
      "height",
+      "class",
      "title",
      "alt"
    ])
  end

-  @allow_tables Keyword.get(@markup, :allow_tables)
-
-  if @allow_tables do
+  if Pleroma.Config.get([:markup, :allow_tables]) do
    Meta.allow_tag_with_these_attributes("table", [])
    Meta.allow_tag_with_these_attributes("tbody", [])
    Meta.allow_tag_with_these_attributes("td", [])
@ -228,9 +233,7 @@ defmodule Pleroma.HTML.Scrubber.Default do
    Meta.allow_tag_with_these_attributes("tr", [])
  end

-  @allow_headings Keyword.get(@markup, :allow_headings)
-
-  if @allow_headings do
+  if Pleroma.Config.get([:markup, :allow_headings]) do
    Meta.allow_tag_with_these_attributes("h1", [])
    Meta.allow_tag_with_these_attributes("h2", [])
    Meta.allow_tag_with_these_attributes("h3", [])
@ -238,9 +241,7 @@ defmodule Pleroma.HTML.Scrubber.Default do
    Meta.allow_tag_with_these_attributes("h5", [])
  end

-  @allow_fonts Keyword.get(@markup, :allow_fonts)
-
-  if @allow_fonts do
+  if Pleroma.Config.get([:markup, :allow_fonts]) do
    Meta.allow_tag_with_these_attributes("font", ["face"])
  end

--- a/lib/pleroma/http/connection.ex
+++ b/lib/pleroma/http/connection.ex
@ -8,7 +8,7 @@ defmodule Pleroma.HTTP.Connection do
  """

  @hackney_options [
-    connect_timeout: 2_000,
+    connect_timeout: 10_000,
    recv_timeout: 20_000,
    follow_redirect: true,
    pool: :federation
@ -32,9 +32,11 @@ defmodule Pleroma.HTTP.Connection do
  defp hackney_options(opts) do
    options = Keyword.get(opts, :adapter, [])
    adapter_options = Pleroma.Config.get([:http, :adapter], [])
+    proxy_url = Pleroma.Config.get([:http, :proxy_url], nil)

    @hackney_options
    |> Keyword.merge(adapter_options)
    |> Keyword.merge(options)
+    |> Keyword.merge(proxy: proxy_url)
  end
 end
--- a/lib/pleroma/http/http.ex
+++ b/lib/pleroma/http/http.ex
@ -65,12 +65,9 @@ defmodule Pleroma.HTTP do
  end

  def process_request_options(options) do
-    config = Application.get_env(:pleroma, :http, [])
-    proxy = Keyword.get(config, :proxy_url, nil)
-
-    case proxy do
+    case Pleroma.Config.get([:http, :proxy_url]) do
      nil -> options
-      _ -> options ++ [proxy: proxy]
+      proxy -> options ++ [proxy: proxy]
    end
  end

--- a/lib/pleroma/http/request_builder.ex
+++ b/lib/pleroma/http/request_builder.ex
@ -45,8 +45,15 @@ defmodule Pleroma.HTTP.RequestBuilder do
  Add headers to the request
  """
  @spec headers(map(), list(tuple)) :: map()
-  def headers(request, h) do
-    Map.put_new(request, :headers, h)
+  def headers(request, header_list) do
+    header_list =
+      if Pleroma.Config.get([:http, :send_user_agent]) do
+        header_list ++ [{"User-Agent", Pleroma.Application.user_agent()}]
+      else
+        header_list
+      end
+
+    Map.put_new(request, :headers, header_list)
  end

  @doc """
--- a/lib/pleroma/keys.ex
+++ b/lib/pleroma/keys.ex
@ -0,0 +1,44 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Keys do
+  # Native generation of RSA keys is only available since OTP 20+ and in default build conditions
+  # We try at compile time to generate natively an RSA key otherwise we fallback on the old way.
+  try do
+    _ = :public_key.generate_key({:rsa, 2048, 65_537})
+
+    def generate_rsa_pem do
+      key = :public_key.generate_key({:rsa, 2048, 65_537})
+      entry = :public_key.pem_entry_encode(:RSAPrivateKey, key)
+      pem = :public_key.pem_encode([entry]) |> String.trim_trailing()
+      {:ok, pem}
+    end
+  rescue
+    _ ->
+      def generate_rsa_pem do
+        port = Port.open({:spawn, "openssl genrsa"}, [:binary])
+
+        {:ok, pem} =
+          receive do
+            {^port, {:data, pem}} -> {:ok, pem}
+          end
+
+        Port.close(port)
+
+        if Regex.match?(~r/RSA PRIVATE KEY/, pem) do
+          {:ok, pem}
+        else
+          :error
+        end
+      end
+  end
+
+  def keys_from_pem(pem) do
+    [private_key_code] = :public_key.pem_decode(pem)
+    private_key = :public_key.pem_entry_decode(private_key_code)
+    {:RSAPrivateKey, _, modulus, exponent, _, _, _, _, _, _, _} = private_key
+    public_key = {:RSAPublicKey, modulus, exponent}
+    {:ok, private_key, public_key}
+  end
+end
--- a/lib/pleroma/notification.ex
+++ b/lib/pleroma/notification.ex
@ -33,6 +33,13 @@ defmodule Pleroma.Notification do
  def for_user_query(user) do
    Notification
    |> where(user_id: ^user.id)
+    |> where(
+      [n, a],
+      fragment(
+        "? not in (SELECT ap_id FROM users WHERE info->'deactivated' @> 'true')",
+        a.actor
+      )
+    )
    |> join(:inner, [n], activity in assoc(n, :activity))
    |> join(:left, [n, a], object in Object,
      on:
@ -120,10 +127,15 @@ defmodule Pleroma.Notification do

  def create_notifications(%Activity{data: %{"to" => _, "type" => type}} = activity)
      when type in ["Create", "Like", "Announce", "Follow"] do
-    users = get_notified_from_activity(activity)
+    object = Object.normalize(activity)

-    notifications = Enum.map(users, fn user -> create_notification(activity, user) end)
-    {:ok, notifications}
+    unless object && object.data["type"] == "Answer" do
+      users = get_notified_from_activity(activity)
+      notifications = Enum.map(users, fn user -> create_notification(activity, user) end)
+      {:ok, notifications}
+    else
+      {:ok, []}
+    end
  end

  def create_notifications(_), do: {:ok, []}
@ -159,7 +171,16 @@ defmodule Pleroma.Notification do
  def get_notified_from_activity(_, _local_only), do: []

  def skip?(activity, user) do
-    [:self, :blocked, :local, :muted, :followers, :follows, :recently_followed]
+    [
+      :self,
+      :blocked,
+      :muted,
+      :followers,
+      :follows,
+      :non_followers,
+      :non_follows,
+      :recently_followed
+    ]
    |> Enum.any?(&skip?(&1, activity, user))
  end

@ -172,12 +193,6 @@ defmodule Pleroma.Notification do
    User.blocks?(user, %{ap_id: actor})
  end

-  def skip?(:local, %{local: true}, %{info: %{notification_settings: %{"local" => false}}}),
-    do: true
-
-  def skip?(:local, %{local: false}, %{info: %{notification_settings: %{"remote" => false}}}),
-    do: true
-
  def skip?(:muted, activity, user) do
    actor = activity.data["actor"]

@ -194,12 +209,32 @@ defmodule Pleroma.Notification do
    User.following?(follower, user)
  end

+  def skip?(
+        :non_followers,
+        activity,
+        %{info: %{notification_settings: %{"non_followers" => false}}} = user
+      ) do
+    actor = activity.data["actor"]
+    follower = User.get_cached_by_ap_id(actor)
+    !User.following?(follower, user)
+  end
+
  def skip?(:follows, activity, %{info: %{notification_settings: %{"follows" => false}}} = user) do
    actor = activity.data["actor"]
    followed = User.get_cached_by_ap_id(actor)
    User.following?(user, followed)
  end

+  def skip?(
+        :non_follows,
+        activity,
+        %{info: %{notification_settings: %{"non_follows" => false}}} = user
+      ) do
+    actor = activity.data["actor"]
+    followed = User.get_cached_by_ap_id(actor)
+    !User.following?(user, followed)
+  end
+
  def skip?(:recently_followed, %{data: %{"type" => "Follow"}} = activity, user) do
    actor = activity.data["actor"]

--- a/lib/pleroma/object.ex
+++ b/lib/pleroma/object.ex
@ -35,6 +35,9 @@ defmodule Pleroma.Object do
    |> unique_constraint(:ap_id, name: :objects_unique_apid_index)
  end

+  def get_by_id(nil), do: nil
+  def get_by_id(id), do: Repo.get(Object, id)
+
  def get_by_ap_id(nil), do: nil

  def get_by_ap_id(ap_id) do
@ -130,6 +133,13 @@ defmodule Pleroma.Object do
    end
  end

+  def prune(%Object{data: %{"id" => id}} = object) do
+    with {:ok, object} <- Repo.delete(object),
+         {:ok, true} <- Cachex.del(:object_cache, "object:#{id}") do
+      {:ok, object}
+    end
+  end
+
  def set_cache(%Object{data: %{"id" => ap_id}} = object) do
    Cachex.put(:object_cache, "object:#{ap_id}", object)
    {:ok, object}
@ -188,4 +198,34 @@ defmodule Pleroma.Object do
      _ -> {:error, "Not found"}
    end
  end
+
+  def increase_vote_count(ap_id, name) do
+    with %Object{} = object <- Object.normalize(ap_id),
+         "Question" <- object.data["type"] do
+      multiple = Map.has_key?(object.data, "anyOf")
+
+      options =
+        (object.data["anyOf"] || object.data["oneOf"] || [])
+        |> Enum.map(fn
+          %{"name" => ^name} = option ->
+            Kernel.update_in(option["replies"]["totalItems"], &(&1 + 1))
+
+          option ->
+            option
+        end)
+
+      data =
+        if multiple do
+          Map.put(object.data, "anyOf", options)
+        else
+          Map.put(object.data, "oneOf", options)
+        end
+
+      object
+      |> Object.change(%{data: data})
+      |> update_and_set_cache()
+    else
+      _ -> :noop
+    end
+  end
 end
--- a/lib/pleroma/object/containment.ex
+++ b/lib/pleroma/object/containment.ex
@ -1,7 +1,5 @@
 defmodule Pleroma.Object.Containment do
  @moduledoc """
-  # Object Containment
-
  This module contains some useful functions for containing objects to specific
  origins and determining those origins.  They previously lived in the
  ActivityPub `Transmogrifier` module.
--- a/lib/pleroma/object/fetcher.ex
+++ b/lib/pleroma/object/fetcher.ex
@ -1,4 +1,5 @@
 defmodule Pleroma.Object.Fetcher do
+  alias Pleroma.HTTP
  alias Pleroma.Object
  alias Pleroma.Object.Containment
  alias Pleroma.Web.ActivityPub.Transmogrifier
@ -6,7 +7,18 @@ defmodule Pleroma.Object.Fetcher do

  require Logger

-  @httpoison Application.get_env(:pleroma, :httpoison)
+  defp reinject_object(data) do
+    Logger.debug("Reinjecting object #{data["id"]}")
+
+    with data <- Transmogrifier.fix_object(data),
+         {:ok, object} <- Object.create(data) do
+      {:ok, object}
+    else
+      e ->
+        Logger.error("Error while processing object: #{inspect(e)}")
+        {:error, e}
+    end
+  end

  # TODO:
  # This will create a Create activity, which we need internally at the moment.
@ -26,12 +38,17 @@ defmodule Pleroma.Object.Fetcher do
             "object" => data
           },
           :ok <- Containment.contain_origin(id, params),
-           {:ok, activity} <- Transmogrifier.handle_incoming(params) do
-        {:ok, Object.normalize(activity, false)}
+           {:ok, activity} <- Transmogrifier.handle_incoming(params),
+           {:object, _data, %Object{} = object} <-
+             {:object, data, Object.normalize(activity, false)} do
+        {:ok, object}
      else
        {:error, {:reject, nil}} ->
          {:reject, nil}

+        {:object, data, nil} ->
+          reinject_object(data)
+
        object = %Object{} ->
          {:ok, object}

@ -60,7 +77,7 @@ defmodule Pleroma.Object.Fetcher do

    with true <- String.starts_with?(id, "http"),
         {:ok, %{body: body, status: code}} when code in 200..299 <-
-           @httpoison.get(
+           HTTP.get(
             id,
             [{:Accept, "application/activity+json"}]
           ),
--- a/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
+++ b/lib/pleroma/plugs/ensure_public_or_authenticated_plug.ex
@ -0,0 +1,31 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug do
+  import Plug.Conn
+  alias Pleroma.Config
+  alias Pleroma.User
+
+  def init(options) do
+    options
+  end
+
+  def call(conn, _) do
+    public? = Config.get!([:instance, :public])
+
+    case {public?, conn} do
+      {true, _} ->
+        conn
+
+      {false, %{assigns: %{user: %User{}}}} ->
+        conn
+
+      {false, _} ->
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(403, Jason.encode!(%{error: "This resource requires authentication."}))
+        |> halt
+    end
+  end
+end
--- a/lib/pleroma/plugs/federating_plug.ex
+++ b/lib/pleroma/plugs/federating_plug.ex
@ -10,7 +10,7 @@ defmodule Pleroma.Web.FederatingPlug do
  end

  def call(conn, _opts) do
-    if Keyword.get(Application.get_env(:pleroma, :instance), :federating) do
+    if Pleroma.Config.get([:instance, :federating]) do
      conn
    else
      conn
--- a/lib/pleroma/plugs/http_security_plug.ex
+++ b/lib/pleroma/plugs/http_security_plug.ex
@ -20,8 +20,9 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do

  defp headers do
    referrer_policy = Config.get([:http_security, :referrer_policy])
+    report_uri = Config.get([:http_security, :report_uri])

-    [
+    headers = [
      {"x-xss-protection", "1; mode=block"},
      {"x-permitted-cross-domain-policies", "none"},
      {"x-frame-options", "DENY"},
@ -30,12 +31,27 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
      {"x-download-options", "noopen"},
      {"content-security-policy", csp_string() <> ";"}
    ]
+
+    if report_uri do
+      report_group = %{
+        "group" => "csp-endpoint",
+        "max-age" => 10_886_400,
+        "endpoints" => [
+          %{"url" => report_uri}
+        ]
+      }
+
+      headers ++ [{"reply-to", Jason.encode!(report_group)}]
+    else
+      headers
+    end
  end

  defp csp_string do
    scheme = Config.get([Pleroma.Web.Endpoint, :url])[:scheme]
    static_url = Pleroma.Web.Endpoint.static_url()
-    websocket_url = String.replace(static_url, "http", "ws")
+    websocket_url = Pleroma.Web.Endpoint.websocket_url()
+    report_uri = Config.get([:http_security, :report_uri])

    connect_src = "connect-src 'self' #{static_url} #{websocket_url}"

@ -53,7 +69,7 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
        "script-src 'self'"
      end

-    [
+    main_part = [
      "default-src 'none'",
      "base-uri 'self'",
      "frame-ancestors 'none'",
@ -63,11 +79,14 @@ defmodule Pleroma.Plugs.HTTPSecurityPlug do
      "font-src 'self'",
      "manifest-src 'self'",
      connect_src,
-      script_src,
-      if scheme == "https" do
-        "upgrade-insecure-requests"
-      end
+      script_src
    ]
+
+    report = if report_uri, do: ["report-uri #{report_uri}; report-to csp-endpoint"], else: []
+
+    insecure = if scheme == "https", do: ["upgrade-insecure-requests"], else: []
+
+    (main_part ++ report ++ insecure)
    |> Enum.join("; ")
  end

--- a/lib/pleroma/plugs/http_signature.ex
+++ b/lib/pleroma/plugs/http_signature.ex
@ -4,7 +4,6 @@

 defmodule Pleroma.Web.Plugs.HTTPSignaturePlug do
  alias Pleroma.Web.ActivityPub.Utils
-  alias Pleroma.Web.HTTPSignatures
  import Plug.Conn
  require Logger

--- a/lib/pleroma/plugs/oauth_plug.ex
+++ b/lib/pleroma/plugs/oauth_plug.ex
@ -8,6 +8,7 @@ defmodule Pleroma.Plugs.OAuthPlug do

  alias Pleroma.Repo
  alias Pleroma.User
+  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Token

  @realm_reg Regex.compile!("Bearer\:?\s+(.*)$", "i")
@ -16,14 +17,45 @@ defmodule Pleroma.Plugs.OAuthPlug do

  def call(%{assigns: %{user: %User{}}} = conn, _), do: conn

-  def call(conn, _) do
-    with {:ok, token_str} <- fetch_token_str(conn),
-         {:ok, user, token_record} <- fetch_user_and_token(token_str) do
+  def call(%{params: %{"access_token" => access_token}} = conn, _) do
+    with {:ok, user, token_record} <- fetch_user_and_token(access_token) do
      conn
      |> assign(:token, token_record)
      |> assign(:user, user)
    else
-      _ -> conn
+      _ ->
+        # token found, but maybe only with app
+        with {:ok, app, token_record} <- fetch_app_and_token(access_token) do
+          conn
+          |> assign(:token, token_record)
+          |> assign(:app, app)
+        else
+          _ -> conn
+        end
+    end
+  end
+
+  def call(conn, _) do
+    case fetch_token_str(conn) do
+      {:ok, token} ->
+        with {:ok, user, token_record} <- fetch_user_and_token(token) do
+          conn
+          |> assign(:token, token_record)
+          |> assign(:user, user)
+        else
+          _ ->
+            # token found, but maybe only with app
+            with {:ok, app, token_record} <- fetch_app_and_token(token) do
+              conn
+              |> assign(:token, token_record)
+              |> assign(:app, app)
+            else
+              _ -> conn
+            end
+        end
+
+      _ ->
+        conn
    end
  end

@ -44,6 +76,16 @@ defmodule Pleroma.Plugs.OAuthPlug do
    end
  end

+  @spec fetch_app_and_token(String.t()) :: {:ok, App.t(), Token.t()} | nil
+  defp fetch_app_and_token(token) do
+    query =
+      from(t in Token, where: t.token == ^token, join: app in assoc(t, :app), preload: [app: app])
+
+    with %Token{app: app} = token_record <- Repo.one(query) do
+      {:ok, app, token_record}
+    end
+  end
+
  # Gets token from session by :oauth_token key
  #
  @spec fetch_token_from_session(Plug.Conn.t()) :: :no_token_found | {:ok, String.t()}
--- a/lib/pleroma/plugs/rate_limit_plug.ex
+++ b/lib/pleroma/plugs/rate_limit_plug.ex
@ -0,0 +1,36 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Plugs.RateLimitPlug do
+  import Phoenix.Controller, only: [json: 2]
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, opts) do
+    enabled? = Pleroma.Config.get([:app_account_creation, :enabled])
+
+    case check_rate(conn, Map.put(opts, :enabled, enabled?)) do
+      {:ok, _count} -> conn
+      {:error, _count} -> render_error(conn)
+      %Plug.Conn{} = conn -> conn
+    end
+  end
+
+  defp check_rate(conn, %{enabled: true} = opts) do
+    max_requests = opts[:max_requests]
+    bucket_name = conn.remote_ip |> Tuple.to_list() |> Enum.join(".")
+
+    ExRated.check_rate(bucket_name, opts[:interval] * 1000, max_requests)
+  end
+
+  defp check_rate(conn, _), do: conn
+
+  defp render_error(conn) do
+    conn
+    |> put_status(:forbidden)
+    |> json(%{error: "Rate limit exceeded."})
+    |> halt()
+  end
+end
--- a/lib/pleroma/repo.ex
+++ b/lib/pleroma/repo.ex
@ -19,4 +19,32 @@ defmodule Pleroma.Repo do
  def init(_, opts) do
    {:ok, Keyword.put(opts, :url, System.get_env("DATABASE_URL"))}
  end
+
+  @doc "find resource based on prepared query"
+  @spec find_resource(Ecto.Query.t()) :: {:ok, struct()} | {:error, :not_found}
+  def find_resource(%Ecto.Query{} = query) do
+    case __MODULE__.one(query) do
+      nil -> {:error, :not_found}
+      resource -> {:ok, resource}
+    end
+  end
+
+  def find_resource(_query), do: {:error, :not_found}
+
+  @doc """
+  Gets association from cache or loads if need
+
+  ## Examples
+
+    iex> Repo.get_assoc(token, :user)
+    %User{}
+
+  """
+  @spec get_assoc(struct(), atom()) :: {:ok, struct()} | {:error, :not_found}
+  def get_assoc(resource, association) do
+    case __MODULE__.preload(resource, association) do
+      %{^association => assoc} when not is_nil(assoc) -> {:ok, assoc}
+      _ -> {:error, :not_found}
+    end
+  end
 end
--- a/lib/pleroma/reverse_proxy.ex
+++ b/lib/pleroma/reverse_proxy.ex
@ -3,6 +3,8 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.ReverseProxy do
+  alias Pleroma.HTTP
+
  @keep_req_headers ~w(accept user-agent accept-encoding cache-control if-modified-since) ++
                      ~w(if-unmodified-since if-none-match if-range range)
  @resp_cache_headers ~w(etag date last-modified cache-control)
@ -59,9 +61,6 @@ defmodule Pleroma.ReverseProxy do
  * `http`: options for [hackney](https://github.com/benoitc/hackney).

  """
-  @hackney Application.get_env(:pleroma, :hackney, :hackney)
-  @httpoison Application.get_env(:pleroma, :httpoison, HTTPoison)
-
  @default_hackney_options []

  @inline_content_types [
@ -97,7 +96,7 @@ defmodule Pleroma.ReverseProxy do
    hackney_opts =
      @default_hackney_options
      |> Keyword.merge(Keyword.get(opts, :http, []))
-      |> @httpoison.process_request_options()
+      |> HTTP.process_request_options()

    req_headers = build_req_headers(conn.req_headers, opts)

@ -147,7 +146,7 @@ defmodule Pleroma.ReverseProxy do
    Logger.debug("#{__MODULE__} #{method} #{url} #{inspect(headers)}")
    method = method |> String.downcase() |> String.to_existing_atom()

-    case @hackney.request(method, url, headers, "", hackney_opts) do
+    case :hackney.request(method, url, headers, "", hackney_opts) do
      {:ok, code, headers, client} when code in @valid_resp_codes ->
        {:ok, code, downcase_headers(headers), client}

@ -197,7 +196,7 @@ defmodule Pleroma.ReverseProxy do
             duration,
             Keyword.get(opts, :max_read_duration, @max_read_duration)
           ),
-         {:ok, data} <- @hackney.stream_body(client),
+         {:ok, data} <- :hackney.stream_body(client),
         {:ok, duration} <- increase_read_duration(duration),
         sent_so_far = sent_so_far + byte_size(data),
         :ok <- body_size_constraint(sent_so_far, Keyword.get(opts, :max_body_size)),
--- a/lib/pleroma/signature.ex
+++ b/lib/pleroma/signature.ex
@ -0,0 +1,40 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Signature do
+  @behaviour HTTPSignatures.Adapter
+
+  alias Pleroma.Keys
+  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.ActivityPub
+  alias Pleroma.Web.ActivityPub.Utils
+
+  def fetch_public_key(conn) do
+    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
+         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
+      {:ok, public_key}
+    else
+      e ->
+        {:error, e}
+    end
+  end
+
+  def refetch_public_key(conn) do
+    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
+         {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
+         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
+      {:ok, public_key}
+    else
+      e ->
+        {:error, e}
+    end
+  end
+
+  def sign(%User{} = user, headers) do
+    with {:ok, %{info: %{keys: keys}}} <- User.ensure_keys_present(user),
+         {:ok, private_key, _} <- Keys.keys_from_pem(keys) do
+      HTTPSignatures.sign(private_key, user.ap_id <> "#main-key", headers)
+    end
+  end
+end
--- a/lib/pleroma/stats.ex
+++ b/lib/pleroma/stats.ex
@ -34,7 +34,7 @@ defmodule Pleroma.Stats do
  def update_stats do
    peers =
      from(
-        u in Pleroma.User,
+        u in User,
        select: fragment("distinct split_part(?, '@', 2)", u.nickname),
        where: u.local != ^true
      )
@ -44,10 +44,13 @@ defmodule Pleroma.Stats do
    domain_count = Enum.count(peers)

    status_query =
-      from(u in User.local_user_query(), select: fragment("sum((?->>'note_count')::int)", u.info))
+      from(u in User.Query.build(%{local: true}),
+        select: fragment("sum((?->>'note_count')::int)", u.info)
+      )

    status_count = Repo.one(status_query)
-    user_count = Repo.aggregate(User.active_local_user_query(), :count, :id)
+
+    user_count = Repo.aggregate(User.Query.build(%{local: true, active: true}), :count, :id)

    Agent.update(__MODULE__, fn _ ->
      {peers, %{domain_count: domain_count, status_count: status_count, user_count: user_count}}
--- a/lib/pleroma/upload.ex
+++ b/lib/pleroma/upload.ex
@ -4,7 +4,7 @@

 defmodule Pleroma.Upload do
  @moduledoc """
-  # Upload
+  Manage user uploads

  Options:
  * `:type`: presets for activity type (defaults to Document) and size limits from app configuration
--- a/lib/pleroma/uploaders/mdii.ex
+++ b/lib/pleroma/uploaders/mdii.ex
@ -4,11 +4,10 @@

 defmodule Pleroma.Uploaders.MDII do
  alias Pleroma.Config
+  alias Pleroma.HTTP

  @behaviour Pleroma.Uploaders.Uploader

-  @httpoison Application.get_env(:pleroma, :httpoison)
-
  # MDII-hosted images are never passed through the MediaPlug; only local media.
  # Delegate to Pleroma.Uploaders.Local
  def get_file(file) do
@ -25,7 +24,7 @@ defmodule Pleroma.Uploaders.MDII do
    query = "#{cgi}?#{extension}"

    with {:ok, %{status: 200, body: body}} <-
-           @httpoison.post(query, file_data, [], adapter: [pool: :default]) do
+           HTTP.post(query, file_data, [], adapter: [pool: :default]) do
      remote_file_name = String.split(body) |> List.first()
      public_url = "#{files}/#{remote_file_name}.#{extension}"
      {:ok, {:url, public_url}}
--- a/lib/pleroma/uploaders/swift/keystone.ex
+++ b/lib/pleroma/uploaders/swift/keystone.ex
@ -14,7 +14,7 @@ defmodule Pleroma.Uploaders.Swift.Keystone do

  def process_response_body(body) do
    body
-    |> Poison.decode!()
+    |> Jason.decode!()
  end

  def get_token do
@ -38,7 +38,7 @@ defmodule Pleroma.Uploaders.Swift.Keystone do
  end

  def make_auth_body(username, password, tenant) do
-    Poison.encode!(%{
+    Jason.encode!(%{
      :auth => %{
        :passwordCredentials => %{
          :username => username,
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@ -10,8 +10,7 @@ defmodule Pleroma.User do

  alias Comeonin.Pbkdf2
  alias Pleroma.Activity
-  alias Pleroma.Bookmark
-  alias Pleroma.Formatter
+  alias Pleroma.Keys
  alias Pleroma.Notification
  alias Pleroma.Object
  alias Pleroma.Registration
@ -55,10 +54,9 @@ defmodule Pleroma.User do
    field(:search_type, :integer, virtual: true)
    field(:tags, {:array, :string}, default: [])
    field(:last_refreshed_at, :naive_datetime_usec)
-    has_many(:bookmarks, Bookmark)
    has_many(:notifications, Notification)
    has_many(:registrations, Registration)
-    embeds_one(:info, Pleroma.User.Info)
+    embeds_one(:info, User.Info)

    timestamps()
  end
@ -108,10 +106,8 @@ defmodule Pleroma.User do
  def ap_followers(%User{} = user), do: "#{ap_id(user)}/followers"

  def user_info(%User{} = user) do
-    oneself = if user.local, do: 1, else: 0
-
    %{
-      following_count: length(user.following) - oneself,
+      following_count: following_count(user),
      note_count: user.info.note_count,
      follower_count: user.info.follower_count,
      locked: user.info.locked,
@ -120,6 +116,20 @@ defmodule Pleroma.User do
    }
  end

+  def restrict_deactivated(query) do
+    from(u in query,
+      where: not fragment("? \\? 'deactivated' AND ?->'deactivated' @> 'true'", u.info, u.info)
+    )
+  end
+
+  def following_count(%User{following: []}), do: 0
+
+  def following_count(%User{} = user) do
+    user
+    |> get_friends_query()
+    |> Repo.aggregate(:count, :id)
+  end
+
  def remote_user_creation(params) do
    params =
      params
@ -157,7 +167,7 @@ defmodule Pleroma.User do

  def update_changeset(struct, params \\ %{}) do
    struct
-    |> cast(params, [:bio, :name, :avatar])
+    |> cast(params, [:bio, :name, :avatar, :following])
    |> unique_constraint(:nickname)
    |> validate_format(:nickname, local_nickname_regex())
    |> validate_length(:bio, max: 5000)
@ -207,14 +217,15 @@ defmodule Pleroma.User do
  end

  def register_changeset(struct, params \\ %{}, opts \\ []) do
-    confirmation_status =
-      if opts[:confirmed] || !Pleroma.Config.get([:instance, :account_activation_required]) do
-        :confirmed
+    need_confirmation? =
+      if is_nil(opts[:need_confirmation]) do
+        Pleroma.Config.get([:instance, :account_activation_required])
      else
-        :unconfirmed
+        opts[:need_confirmation]
      end

-    info_change = User.Info.confirmation_changeset(%User.Info{}, confirmation_status)
+    info_change =
+      User.Info.confirmation_changeset(%User.Info{}, need_confirmation: need_confirmation?)

    changeset =
      struct
@ -223,7 +234,7 @@ defmodule Pleroma.User do
      |> validate_confirmation(:password)
      |> unique_constraint(:email)
      |> unique_constraint(:nickname)
-      |> validate_exclusion(:nickname, Pleroma.Config.get([Pleroma.User, :restricted_nicknames]))
+      |> validate_exclusion(:nickname, Pleroma.Config.get([User, :restricted_nicknames]))
      |> validate_format(:nickname, local_nickname_regex())
      |> validate_format(:email, @email_regex)
      |> validate_length(:bio, max: 1000)
@ -257,10 +268,7 @@ defmodule Pleroma.User do
    candidates = Pleroma.Config.get([:instance, :autofollowed_nicknames])

    autofollowed_users =
-      from(u in User,
-        where: u.local == true,
-        where: u.nickname in ^candidates
-      )
+      User.Query.build(%{nickname: candidates, local: true, deactivated: false})
      |> Repo.all()

    follow_all(user, autofollowed_users)
@ -271,7 +279,7 @@ defmodule Pleroma.User do
    with {:ok, user} <- Repo.insert(changeset),
         {:ok, user} <- autofollow_users(user),
         {:ok, user} <- set_cache(user),
-         {:ok, _} <- Pleroma.User.WelcomeMessage.post_welcome_message_to_user(user),
+         {:ok, _} <- User.WelcomeMessage.post_welcome_message_to_user(user),
         {:ok, _} <- try_send_confirmation_email(user) do
      {:ok, user}
    end
@ -358,9 +366,7 @@ defmodule Pleroma.User do
  end

  def follow(%User{} = follower, %User{info: info} = followed) do
-    user_config = Application.get_env(:pleroma, :user)
-    deny_follow_blocked = Keyword.get(user_config, :deny_follow_blocked)
-
+    deny_follow_blocked = Pleroma.Config.get([:user, :deny_follow_blocked])
    ap_followers = followed.follower_address

    cond do
@ -418,24 +424,6 @@ defmodule Pleroma.User do
    Enum.member?(follower.following, followed.follower_address)
  end

-  def follow_import(%User{} = follower, followed_identifiers)
-      when is_list(followed_identifiers) do
-    Enum.map(
-      followed_identifiers,
-      fn followed_identifier ->
-        with %User{} = followed <- get_or_fetch(followed_identifier),
-             {:ok, follower} <- maybe_direct_follow(follower, followed),
-             {:ok, _} <- ActivityPub.follow(follower, followed) do
-          followed
-        else
-          err ->
-            Logger.debug("follow_import failed for #{followed_identifier} with: #{inspect(err)}")
-            err
-        end
-      end
-    )
-  end
-
  def locked?(%User{} = user) do
    user.info.locked || false
  end
@ -507,7 +495,15 @@ defmodule Pleroma.User do

  def get_cached_by_nickname(nickname) do
    key = "nickname:#{nickname}"
-    Cachex.fetch!(:user_cache, key, fn _ -> get_or_fetch_by_nickname(nickname) end)
+
+    Cachex.fetch!(:user_cache, key, fn ->
+      user_result = get_or_fetch_by_nickname(nickname)
+
+      case user_result do
+        {:ok, user} -> {:commit, user}
+        {:error, _error} -> {:ignore, nil}
+      end
+    end)
  end

  def get_cached_by_nickname_or_id(nickname_or_id) do
@ -543,47 +539,37 @@ defmodule Pleroma.User do

  def get_or_fetch_by_nickname(nickname) do
    with %User{} = user <- get_by_nickname(nickname) do
-      user
+      {:ok, user}
    else
      _e ->
        with [_nick, _domain] <- String.split(nickname, "@"),
             {:ok, user} <- fetch_by_nickname(nickname) do
          if Pleroma.Config.get([:fetch_initial_posts, :enabled]) do
-            # TODO turn into job
-            {:ok, _} = Task.start(__MODULE__, :fetch_initial_posts, [user])
+            fetch_initial_posts(user)
          end

-          user
+          {:ok, user}
        else
-          _e -> nil
+          _e -> {:error, "not found " <> nickname}
        end
    end
  end

  @doc "Fetch some posts when the user has just been federated with"
-  def fetch_initial_posts(user) do
-    pages = Pleroma.Config.get!([:fetch_initial_posts, :pages])
+  def fetch_initial_posts(user),
+    do: PleromaJobQueue.enqueue(:background, __MODULE__, [:fetch_initial_posts, user])

-    Enum.each(
-      # Insert all the posts in reverse order, so they're in the right order on the timeline
-      Enum.reverse(Utils.fetch_ordered_collection(user.info.source_data["outbox"], pages)),
-      &Pleroma.Web.Federator.incoming_ap_doc/1
-    )
-  end
-
-  def get_followers_query(%User{id: id, follower_address: follower_address}, nil) do
-    from(
-      u in User,
-      where: fragment("? <@ ?", ^[follower_address], u.following),
-      where: u.id != ^id
-    )
+  @spec get_followers_query(User.t(), pos_integer() | nil) :: Ecto.Query.t()
+  def get_followers_query(%User{} = user, nil) do
+    User.Query.build(%{followers: user, deactivated: false})
  end

  def get_followers_query(user, page) do
    from(u in get_followers_query(user, nil))
-    |> paginate(page, 20)
+    |> User.Query.paginate(page, 20)
  end

+  @spec get_followers_query(User.t()) :: Ecto.Query.t()
  def get_followers_query(user), do: get_followers_query(user, nil)

  def get_followers(user, page \\ nil) do
@ -598,19 +584,17 @@ defmodule Pleroma.User do
    Repo.all(from(u in q, select: u.id))
  end

-  def get_friends_query(%User{id: id, following: following}, nil) do
-    from(
-      u in User,
-      where: u.follower_address in ^following,
-      where: u.id != ^id
-    )
+  @spec get_friends_query(User.t(), pos_integer() | nil) :: Ecto.Query.t()
+  def get_friends_query(%User{} = user, nil) do
+    User.Query.build(%{friends: user, deactivated: false})
  end

  def get_friends_query(user, page) do
    from(u in get_friends_query(user, nil))
-    |> paginate(page, 20)
+    |> User.Query.paginate(page, 20)
  end

+  @spec get_friends_query(User.t()) :: Ecto.Query.t()
  def get_friends_query(user), do: get_friends_query(user, nil)

  def get_friends(user, page \\ nil) do
@ -625,33 +609,10 @@ defmodule Pleroma.User do
    Repo.all(from(u in q, select: u.id))
  end

-  def get_follow_requests_query(%User{} = user) do
-    from(
-      a in Activity,
-      where:
-        fragment(
-          "? ->> 'type' = 'Follow'",
-          a.data
-        ),
-      where:
-        fragment(
-          "? ->> 'state' = 'pending'",
-          a.data
-        ),
-      where:
-        fragment(
-          "coalesce((?)->'object'->>'id', (?)->>'object') = ?",
-          a.data,
-          a.data,
-          ^user.ap_id
-        )
-    )
-  end
-
+  @spec get_follow_requests(User.t()) :: {:ok, [User.t()]}
  def get_follow_requests(%User{} = user) do
    users =
-      user
-      |> User.get_follow_requests_query()
+      Activity.follow_requests_for_actor(user)
      |> join(:inner, [a], u in User, on: a.actor == u.ap_id)
      |> where([a, u], not fragment("? @> ?", u.following, ^[user.follower_address]))
      |> group_by([a, u], u.id)
@ -715,18 +676,15 @@ defmodule Pleroma.User do

    info_cng = User.Info.set_note_count(user.info, note_count)

-    cng =
-      change(user)
-      |> put_embed(:info, info_cng)
-
-    update_and_set_cache(cng)
+    user
+    |> change()
+    |> put_embed(:info, info_cng)
+    |> update_and_set_cache()
  end

  def update_follower_count(%User{} = user) do
    follower_count_query =
-      User
-      |> where([u], ^user.follower_address in u.following)
-      |> where([u], u.id != ^user.id)
+      User.Query.build(%{followers: user, deactivated: false})
      |> select([u], %{count: count(u.id)})

    User
@ -750,38 +708,31 @@ defmodule Pleroma.User do
    end
  end

-  def get_users_from_set_query(ap_ids, false) do
-    from(
-      u in User,
-      where: u.ap_id in ^ap_ids
-    )
-  end
-
-  def get_users_from_set_query(ap_ids, true) do
-    query = get_users_from_set_query(ap_ids, false)
-
-    from(
-      u in query,
-      where: u.local == true
-    )
+  def remove_duplicated_following(%User{following: following} = user) do
+    uniq_following = Enum.uniq(following)
+
+    if length(following) == length(uniq_following) do
+      {:ok, user}
+    else
+      user
+      |> update_changeset(%{following: uniq_following})
+      |> update_and_set_cache()
+    end
  end

+  @spec get_users_from_set([String.t()], boolean()) :: [User.t()]
  def get_users_from_set(ap_ids, local_only \\ true) do
-    get_users_from_set_query(ap_ids, local_only)
+    criteria = %{ap_id: ap_ids, deactivated: false}
+    criteria = if local_only, do: Map.put(criteria, :local, true), else: criteria
+
+    User.Query.build(criteria)
    |> Repo.all()
  end

+  @spec get_recipients_from_activity(Activity.t()) :: [User.t()]
  def get_recipients_from_activity(%Activity{recipients: to}) do
-    query =
-      from(
-        u in User,
-        where: u.ap_id in ^to,
-        or_where: fragment("? && ?", u.following, ^to)
-      )
-
-    query = from(u in query, where: u.local == true)
-
-    Repo.all(query)
+    User.Query.build(%{recipients_from_activity: to, local: true, deactivated: false})
+    |> Repo.all()
  end

  def search(query, resolve \\ false, for_user \\ nil) do
@ -807,7 +758,7 @@ defmodule Pleroma.User do

    from(s in subquery(boost_search_rank_query(distinct_query, for_user)),
      order_by: [desc: s.search_rank],
-      limit: 20
+      limit: 40
    )
  end

@ -878,6 +829,7 @@ defmodule Pleroma.User do
          ^processed_query
        )
    )
+    |> restrict_deactivated()
  end

  defp trigram_search_subquery(term) do
@ -896,23 +848,7 @@ defmodule Pleroma.User do
      },
      where: fragment("trim(? || ' ' || coalesce(?, '')) % ?", u.nickname, u.name, ^term)
    )
-  end
-
-  def blocks_import(%User{} = blocker, blocked_identifiers) when is_list(blocked_identifiers) do
-    Enum.map(
-      blocked_identifiers,
-      fn blocked_identifier ->
-        with %User{} = blocked <- get_or_fetch(blocked_identifier),
-             {:ok, blocker} <- block(blocker, blocked),
-             {:ok, _} <- ActivityPub.block(blocker, blocked) do
-          blocked
-        else
-          err ->
-            Logger.debug("blocks_import failed for #{blocked_identifier} with: #{inspect(err)}")
-            err
-        end
-      end
-    )
+    |> restrict_deactivated()
  end

  def mute(muter, %User{ap_id: ap_id}) do
@ -1043,14 +979,23 @@ defmodule Pleroma.User do
    end
  end

-  def muted_users(user),
-    do: Repo.all(from(u in User, where: u.ap_id in ^user.info.mutes))
+  @spec muted_users(User.t()) :: [User.t()]
+  def muted_users(user) do
+    User.Query.build(%{ap_id: user.info.mutes, deactivated: false})
+    |> Repo.all()
+  end

-  def blocked_users(user),
-    do: Repo.all(from(u in User, where: u.ap_id in ^user.info.blocks))
+  @spec blocked_users(User.t()) :: [User.t()]
+  def blocked_users(user) do
+    User.Query.build(%{ap_id: user.info.blocks, deactivated: false})
+    |> Repo.all()
+  end

-  def subscribers(user),
-    do: Repo.all(from(u in User, where: u.ap_id in ^user.info.subscribers))
+  @spec subscribers(User.t()) :: [User.t()]
+  def subscribers(user) do
+    User.Query.build(%{ap_id: user.info.subscribers, deactivated: false})
+    |> Repo.all()
+  end

  def block_domain(user, domain) do
    info_cng =
@ -1076,77 +1021,25 @@ defmodule Pleroma.User do
    update_and_set_cache(cng)
  end

-  def maybe_local_user_query(query, local) do
-    if local, do: local_user_query(query), else: query
-  end
-
-  def local_user_query(query \\ User) do
-    from(
-      u in query,
-      where: u.local == true,
-      where: not is_nil(u.nickname)
-    )
-  end
-
-  def maybe_external_user_query(query, external) do
-    if external, do: external_user_query(query), else: query
-  end
-
-  def external_user_query(query \\ User) do
-    from(
-      u in query,
-      where: u.local == false,
-      where: not is_nil(u.nickname)
-    )
-  end
-
-  def maybe_active_user_query(query, active) do
-    if active, do: active_user_query(query), else: query
-  end
-
-  def active_user_query(query \\ User) do
-    from(
-      u in query,
-      where: fragment("not (?->'deactivated' @> 'true')", u.info),
-      where: not is_nil(u.nickname)
-    )
-  end
-
-  def maybe_deactivated_user_query(query, deactivated) do
-    if deactivated, do: deactivated_user_query(query), else: query
-  end
-
-  def deactivated_user_query(query \\ User) do
-    from(
-      u in query,
-      where: fragment("(?->'deactivated' @> 'true')", u.info),
-      where: not is_nil(u.nickname)
-    )
-  end
-
-  def active_local_user_query do
-    from(
-      u in local_user_query(),
-      where: fragment("not (?->'deactivated' @> 'true')", u.info)
-    )
-  end
-
-  def moderator_user_query do
-    from(
-      u in User,
-      where: u.local == true,
-      where: fragment("?->'is_moderator' @> 'true'", u.info)
-    )
+  def deactivate_async(user, status \\ true) do
+    PleromaJobQueue.enqueue(:background, __MODULE__, [:deactivate_async, user, status])
  end

  def deactivate(%User{} = user, status \\ true) do
    info_cng = User.Info.set_activation_status(user.info, status)

-    cng =
-      change(user)
-      |> put_embed(:info, info_cng)
+    with {:ok, friends} <- User.get_friends(user),
+         {:ok, followers} <- User.get_followers(user),
+         {:ok, user} <-
+           user
+           |> change()
+           |> put_embed(:info, info_cng)
+           |> update_and_set_cache() do
+      Enum.each(followers, &invalidate_cache(&1))
+      Enum.each(friends, &update_follower_count(&1))

-    update_and_set_cache(cng)
+      {:ok, user}
+    end
  end

  def update_notification_settings(%User{} = user, settings \\ %{}) do
@ -1157,7 +1050,12 @@ defmodule Pleroma.User do
    |> update_and_set_cache()
  end

-  def delete(%User{} = user) do
+  @spec delete(User.t()) :: :ok
+  def delete(%User{} = user),
+    do: PleromaJobQueue.enqueue(:background, __MODULE__, [:delete, user])
+
+  @spec perform(atom(), User.t()) :: {:ok, User.t()}
+  def perform(:delete, %User{} = user) do
    {:ok, user} = User.deactivate(user)

    # Remove all relationships
@ -1172,23 +1070,92 @@ defmodule Pleroma.User do
    delete_user_activities(user)
  end

-  def delete_user_activities(%User{ap_id: ap_id} = user) do
-    Activity
-    |> where(actor: ^ap_id)
-    |> Activity.with_preloaded_object()
-    |> Repo.all()
-    |> Enum.each(fn
-      %{data: %{"type" => "Create"}} = activity ->
-        activity |> Object.normalize() |> ActivityPub.delete()
+  @spec perform(atom(), User.t()) :: {:ok, User.t()}
+  def perform(:fetch_initial_posts, %User{} = user) do
+    pages = Pleroma.Config.get!([:fetch_initial_posts, :pages])

-      # TODO: Do something with likes, follows, repeats.
-      _ ->
-        "Doing nothing"
-    end)
+    Enum.each(
+      # Insert all the posts in reverse order, so they're in the right order on the timeline
+      Enum.reverse(Utils.fetch_ordered_collection(user.info.source_data["outbox"], pages)),
+      &Pleroma.Web.Federator.incoming_ap_doc/1
+    )

    {:ok, user}
  end

+  def perform(:deactivate_async, user, status), do: deactivate(user, status)
+
+  @spec perform(atom(), User.t(), list()) :: list() | {:error, any()}
+  def perform(:blocks_import, %User{} = blocker, blocked_identifiers)
+      when is_list(blocked_identifiers) do
+    Enum.map(
+      blocked_identifiers,
+      fn blocked_identifier ->
+        with {:ok, %User{} = blocked} <- get_or_fetch(blocked_identifier),
+             {:ok, blocker} <- block(blocker, blocked),
+             {:ok, _} <- ActivityPub.block(blocker, blocked) do
+          blocked
+        else
+          err ->
+            Logger.debug("blocks_import failed for #{blocked_identifier} with: #{inspect(err)}")
+            err
+        end
+      end
+    )
+  end
+
+  @spec perform(atom(), User.t(), list()) :: list() | {:error, any()}
+  def perform(:follow_import, %User{} = follower, followed_identifiers)
+      when is_list(followed_identifiers) do
+    Enum.map(
+      followed_identifiers,
+      fn followed_identifier ->
+        with {:ok, %User{} = followed} <- get_or_fetch(followed_identifier),
+             {:ok, follower} <- maybe_direct_follow(follower, followed),
+             {:ok, _} <- ActivityPub.follow(follower, followed) do
+          followed
+        else
+          err ->
+            Logger.debug("follow_import failed for #{followed_identifier} with: #{inspect(err)}")
+            err
+        end
+      end
+    )
+  end
+
+  def blocks_import(%User{} = blocker, blocked_identifiers) when is_list(blocked_identifiers),
+    do:
+      PleromaJobQueue.enqueue(:background, __MODULE__, [
+        :blocks_import,
+        blocker,
+        blocked_identifiers
+      ])
+
+  def follow_import(%User{} = follower, followed_identifiers) when is_list(followed_identifiers),
+    do:
+      PleromaJobQueue.enqueue(:background, __MODULE__, [
+        :follow_import,
+        follower,
+        followed_identifiers
+      ])
+
+  def delete_user_activities(%User{ap_id: ap_id} = user) do
+    stream =
+      ap_id
+      |> Activity.query_by_actor()
+      |> Repo.stream()
+
+    Repo.transaction(fn -> Enum.each(stream, &delete_activity(&1)) end, timeout: :infinity)
+
+    {:ok, user}
+  end
+
+  defp delete_activity(%{data: %{"type" => "Create"}} = activity) do
+    Object.normalize(activity) |> ActivityPub.delete()
+  end
+
+  defp delete_activity(_activity), do: "Doing nothing"
+
  def html_filter_policy(%User{info: %{no_rich_text: true}}) do
    Pleroma.HTML.Scrubber.TwitterText
  end
@ -1202,11 +1169,11 @@ defmodule Pleroma.User do

    case ap_try do
      {:ok, user} ->
-        user
+        {:ok, user}

      _ ->
        case OStatus.make_user(ap_id) do
-          {:ok, user} -> user
+          {:ok, user} -> {:ok, user}
          _ -> {:error, "Could not fetch by AP id"}
        end
    end
@ -1216,20 +1183,20 @@ defmodule Pleroma.User do
    user = get_cached_by_ap_id(ap_id)

    if !is_nil(user) and !User.needs_update?(user) do
-      user
+      {:ok, user}
    else
      # Whether to fetch initial posts for the user (if it's a new user & the fetching is enabled)
      should_fetch_initial = is_nil(user) and Pleroma.Config.get([:fetch_initial_posts, :enabled])

-      user = fetch_by_ap_id(ap_id)
+      resp = fetch_by_ap_id(ap_id)

      if should_fetch_initial do
-        with %User{} = user do
-          {:ok, _} = Task.start(__MODULE__, :fetch_initial_posts, [user])
+        with {:ok, %User{} = user} <- resp do
+          fetch_initial_posts(user)
        end
      end

-      user
+      resp
    end
  end

@ -1271,7 +1238,7 @@ defmodule Pleroma.User do
  end

  def get_public_key_for_ap_id(ap_id) do
-    with %User{} = user <- get_or_fetch_by_ap_id(ap_id),
+    with {:ok, %User{} = user} <- get_or_fetch_by_ap_id(ap_id),
         {:ok, public_key} <- public_key_from_info(user.info) do
      {:ok, public_key}
    else
@ -1295,7 +1262,7 @@ defmodule Pleroma.User do
  def ap_enabled?(_), do: false

  @doc "Gets or fetch a user by uri or nickname."
-  @spec get_or_fetch(String.t()) :: User.t()
+  @spec get_or_fetch(String.t()) :: {:ok, User.t()} | {:error, String.t()}
  def get_or_fetch("http" <> _host = uri), do: get_or_fetch_by_ap_id(uri)
  def get_or_fetch(nickname), do: get_or_fetch_by_nickname(nickname)

@ -1323,18 +1290,15 @@ defmodule Pleroma.User do
    end
  end

-  def parse_bio(bio, user \\ %User{info: %{source_data: %{}}})
-  def parse_bio(nil, _user), do: ""
-  def parse_bio(bio, _user) when bio == "", do: bio
+  def parse_bio(bio) when is_binary(bio) and bio != "" do
+    bio
+    |> CommonUtils.format_input("text/plain", mentions_format: :full)
+    |> elem(0)
+  end

-  def parse_bio(bio, user) do
-    emoji =
-      (user.info.source_data["tag"] || [])
-      |> Enum.filter(fn %{"type" => t} -> t == "Emoji" end)
-      |> Enum.map(fn %{"icon" => %{"url" => url}, "name" => name} ->
-        {String.trim(name, ":"), url}
-      end)
+  def parse_bio(_), do: ""

+  def parse_bio(bio, user) when is_binary(bio) and bio != "" do
    # TODO: get profile URLs other than user.ap_id
    profile_urls = [user.ap_id]

@ -1344,9 +1308,10 @@ defmodule Pleroma.User do
      rel: &RelMe.maybe_put_rel_me(&1, profile_urls)
    )
    |> elem(0)
-    |> Formatter.emojify(emoji)
  end

+  def parse_bio(_, _), do: ""
+
  def tag(user_identifiers, tags) when is_list(user_identifiers) do
    Repo.transaction(fn ->
      for user_identifier <- user_identifiers, do: tag(user_identifier, tags)
@ -1414,23 +1379,66 @@ defmodule Pleroma.User do
    }
  end

+  @spec all_superusers() :: [User.t()]
  def all_superusers do
-    from(
-      u in User,
-      where: u.local == true,
-      where: fragment("?->'is_admin' @> 'true' OR ?->'is_moderator' @> 'true'", u.info, u.info)
-    )
+    User.Query.build(%{super_users: true, local: true, deactivated: false})
    |> Repo.all()
  end

-  defp paginate(query, page, page_size) do
-    from(u in query,
-      limit: ^page_size,
-      offset: ^((page - 1) * page_size)
-    )
-  end
-
  def showing_reblogs?(%User{} = user, %User{} = target) do
    target.ap_id not in user.info.muted_reblogs
  end
+
+  @spec toggle_confirmation(User.t()) :: {:ok, User.t()} | {:error, Changeset.t()}
+  def toggle_confirmation(%User{} = user) do
+    need_confirmation? = !user.info.confirmation_pending
+
+    info_changeset =
+      User.Info.confirmation_changeset(user.info, need_confirmation: need_confirmation?)
+
+    user
+    |> change()
+    |> put_embed(:info, info_changeset)
+    |> update_and_set_cache()
+  end
+
+  def get_mascot(%{info: %{mascot: %{} = mascot}}) when not is_nil(mascot) do
+    mascot
+  end
+
+  def get_mascot(%{info: %{mascot: mascot}}) when is_nil(mascot) do
+    # use instance-default
+    config = Pleroma.Config.get([:assets, :mascots])
+    default_mascot = Pleroma.Config.get([:assets, :default_mascot])
+    mascot = Keyword.get(config, default_mascot)
+
+    %{
+      "id" => "default-mascot",
+      "url" => mascot[:url],
+      "preview_url" => mascot[:url],
+      "pleroma" => %{
+        "mime_type" => mascot[:mime_type]
+      }
+    }
+  end
+
+  def ensure_keys_present(user) do
+    info = user.info
+
+    if info.keys do
+      {:ok, user}
+    else
+      {:ok, pem} = Keys.generate_rsa_pem()
+
+      info_cng =
+        info
+        |> User.Info.set_keys(pem)
+
+      cng =
+        Ecto.Changeset.change(user)
+        |> Ecto.Changeset.put_embed(:info, info_cng)
+
+      update_and_set_cache(cng)
+    end
+  end
 end
--- a/lib/pleroma/user/info.ex
+++ b/lib/pleroma/user/info.ex
@ -8,6 +8,8 @@ defmodule Pleroma.User.Info do

  alias Pleroma.User.Info

+  @type t :: %__MODULE__{}
+
  embedded_schema do
    field(:banner, :map, default: %{})
    field(:background, :map, default: %{})
@ -40,10 +42,16 @@ defmodule Pleroma.User.Info do
    field(:hide_follows, :boolean, default: false)
    field(:hide_favorites, :boolean, default: true)
    field(:pinned_activities, {:array, :string}, default: [])
-    field(:flavour, :string, default: nil)
+    field(:mascot, :map, default: nil)
+    field(:emoji, {:array, :map}, default: [])

    field(:notification_settings, :map,
-      default: %{"remote" => true, "local" => true, "followers" => true, "follows" => true}
+      default: %{
+        "followers" => true,
+        "follows" => true,
+        "non_follows" => true,
+        "non_followers" => true
+      }
    )

    # Found in the wild
@ -64,10 +72,15 @@ defmodule Pleroma.User.Info do
  end

  def update_notification_settings(info, settings) do
+    settings =
+      settings
+      |> Enum.map(fn {k, v} -> {k, v in [true, "true", "True", "1"]} end)
+      |> Map.new()
+
    notification_settings =
      info.notification_settings
      |> Map.merge(settings)
-      |> Map.take(["remote", "local", "followers", "follows"])
+      |> Map.take(["followers", "follows", "non_follows", "non_followers"])

    params = %{notification_settings: notification_settings}

@ -209,21 +222,23 @@ defmodule Pleroma.User.Info do
    ])
  end

-  def confirmation_changeset(info, :confirmed) do
-    confirmation_changeset(info, %{
-      confirmation_pending: false,
-      confirmation_token: nil
-    })
-  end
+  @spec confirmation_changeset(Info.t(), keyword()) :: Changeset.t()
+  def confirmation_changeset(info, opts) do
+    need_confirmation? = Keyword.get(opts, :need_confirmation)

-  def confirmation_changeset(info, :unconfirmed) do
-    confirmation_changeset(info, %{
-      confirmation_pending: true,
-      confirmation_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64()
-    })
-  end
+    params =
+      if need_confirmation? do
+        %{
+          confirmation_pending: true,
+          confirmation_token: :crypto.strong_rand_bytes(32) |> Base.url_encode64()
+        }
+      else
+        %{
+          confirmation_pending: false,
+          confirmation_token: nil
+        }
+      end

-  def confirmation_changeset(info, params) do
    cast(info, params, [:confirmation_pending, :confirmation_token])
  end

@ -235,12 +250,12 @@ defmodule Pleroma.User.Info do
    |> validate_required([:settings])
  end

-  def mastodon_flavour_update(info, flavour) do
-    params = %{flavour: flavour}
+  def mascot_update(info, url) do
+    params = %{mascot: url}

    info
-    |> cast(params, [:flavour])
-    |> validate_required([:flavour])
+    |> cast(params, [:mascot])
+    |> validate_required([:mascot])
  end

  def set_source_data(info, source_data) do
--- a/lib/pleroma/user/query.ex
+++ b/lib/pleroma/user/query.ex
@ -0,0 +1,154 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.User.Query do
+  @moduledoc """
+  User query builder module. Builds query from new query or another user query.
+
+    ## Example:
+        query = Pleroma.User.Query(%{nickname: "nickname"})
+        another_query = Pleroma.User.Query.build(query, %{email: "email@example.com"})
+        Pleroma.Repo.all(query)
+        Pleroma.Repo.all(another_query)
+
+  Adding new rules:
+    - *ilike criteria*
+      - add field to @ilike_criteria list
+      - pass non empty string
+      - e.g. Pleroma.User.Query.build(%{nickname: "nickname"})
+    - *equal criteria*
+      - add field to @equal_criteria list
+      - pass non empty string
+      - e.g. Pleroma.User.Query.build(%{email: "email@example.com"})
+    - *contains criteria*
+      - add field to @containns_criteria list
+      - pass values list
+      - e.g. Pleroma.User.Query.build(%{ap_id: ["http://ap_id1", "http://ap_id2"]})
+  """
+  import Ecto.Query
+  import Pleroma.Web.AdminAPI.Search, only: [not_empty_string: 1]
+  alias Pleroma.User
+
+  @type criteria ::
+          %{
+            query: String.t(),
+            tags: [String.t()],
+            name: String.t(),
+            email: String.t(),
+            local: boolean(),
+            external: boolean(),
+            active: boolean(),
+            deactivated: boolean(),
+            is_admin: boolean(),
+            is_moderator: boolean(),
+            super_users: boolean(),
+            followers: User.t(),
+            friends: User.t(),
+            recipients_from_activity: [String.t()],
+            nickname: [String.t()],
+            ap_id: [String.t()]
+          }
+          | %{}
+
+  @ilike_criteria [:nickname, :name, :query]
+  @equal_criteria [:email]
+  @role_criteria [:is_admin, :is_moderator]
+  @contains_criteria [:ap_id, :nickname]
+
+  @spec build(criteria()) :: Query.t()
+  def build(query \\ base_query(), criteria) do
+    prepare_query(query, criteria)
+  end
+
+  @spec paginate(Ecto.Query.t(), pos_integer(), pos_integer()) :: Ecto.Query.t()
+  def paginate(query, page, page_size) do
+    from(u in query,
+      limit: ^page_size,
+      offset: ^((page - 1) * page_size)
+    )
+  end
+
+  defp base_query do
+    from(u in User)
+  end
+
+  defp prepare_query(query, criteria) do
+    Enum.reduce(criteria, query, &compose_query/2)
+  end
+
+  defp compose_query({key, value}, query)
+       when key in @ilike_criteria and not_empty_string(value) do
+    # hack for :query key
+    key = if key == :query, do: :nickname, else: key
+    where(query, [u], ilike(field(u, ^key), ^"%#{value}%"))
+  end
+
+  defp compose_query({key, value}, query)
+       when key in @equal_criteria and not_empty_string(value) do
+    where(query, [u], ^[{key, value}])
+  end
+
+  defp compose_query({key, values}, query) when key in @contains_criteria and is_list(values) do
+    where(query, [u], field(u, ^key) in ^values)
+  end
+
+  defp compose_query({:tags, tags}, query) when is_list(tags) and length(tags) > 0 do
+    Enum.reduce(tags, query, &prepare_tag_criteria/2)
+  end
+
+  defp compose_query({key, _}, query) when key in @role_criteria do
+    where(query, [u], fragment("(?->? @> 'true')", u.info, ^to_string(key)))
+  end
+
+  defp compose_query({:super_users, _}, query) do
+    where(
+      query,
+      [u],
+      fragment("?->'is_admin' @> 'true' OR ?->'is_moderator' @> 'true'", u.info, u.info)
+    )
+  end
+
+  defp compose_query({:local, _}, query), do: location_query(query, true)
+
+  defp compose_query({:external, _}, query), do: location_query(query, false)
+
+  defp compose_query({:active, _}, query) do
+    where(query, [u], fragment("not (?->'deactivated' @> 'true')", u.info))
+    |> where([u], not is_nil(u.nickname))
+  end
+
+  defp compose_query({:deactivated, false}, query) do
+    User.restrict_deactivated(query)
+  end
+
+  defp compose_query({:deactivated, true}, query) do
+    where(query, [u], fragment("?->'deactivated' @> 'true'", u.info))
+    |> where([u], not is_nil(u.nickname))
+  end
+
+  defp compose_query({:followers, %User{id: id, follower_address: follower_address}}, query) do
+    where(query, [u], fragment("? <@ ?", ^[follower_address], u.following))
+    |> where([u], u.id != ^id)
+  end
+
+  defp compose_query({:friends, %User{id: id, following: following}}, query) do
+    where(query, [u], u.follower_address in ^following)
+    |> where([u], u.id != ^id)
+  end
+
+  defp compose_query({:recipients_from_activity, to}, query) do
+    where(query, [u], u.ap_id in ^to or fragment("? && ?", u.following, ^to))
+  end
+
+  defp compose_query(_unsupported_param, query), do: query
+
+  defp prepare_tag_criteria(tag, query) do
+    or_where(query, [u], fragment("? = any(?)", ^tag, u.tags))
+  end
+
+  defp location_query(query, local) do
+    where(query, [u], u.local == ^local)
+    |> where([u], not is_nil(u.nickname))
+  end
+end
--- a/lib/pleroma/user_invite_token.ex
+++ b/lib/pleroma/user_invite_token.ex
@ -24,7 +24,7 @@ defmodule Pleroma.UserInviteToken do
    timestamps()
  end

-  @spec create_invite(map()) :: UserInviteToken.t()
+  @spec create_invite(map()) :: {:ok, UserInviteToken.t()}
  def create_invite(params \\ %{}) do
    %UserInviteToken{}
    |> cast(params, [:max_use, :expires_at])
--- a/lib/pleroma/web/activity_pub/activity_pub.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub.ex
@ -4,7 +4,7 @@

 defmodule Pleroma.Web.ActivityPub.ActivityPub do
  alias Pleroma.Activity
-  alias Pleroma.Instances
+  alias Pleroma.Conversation
  alias Pleroma.Notification
  alias Pleroma.Object
  alias Pleroma.Object.Fetcher
@ -14,7 +14,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.MRF
  alias Pleroma.Web.ActivityPub.Transmogrifier
-  alias Pleroma.Web.Federator
  alias Pleroma.Web.WebFinger

  import Ecto.Query
@ -23,8 +22,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  require Logger

-  @httpoison Application.get_env(:pleroma, :httpoison)
-
  # For Announce activities, we filter the recipients based on following status for any actors
  # that match actual users.  See issue #164 for more information about why this is necessary.
  defp get_recipients(%{"type" => "Announce"} = data) do
@ -111,6 +108,15 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  def decrease_replies_count_if_reply(_object), do: :noop

+  def increase_poll_votes_if_vote(%{
+        "object" => %{"inReplyTo" => reply_ap_id, "name" => name},
+        "type" => "Create"
+      }) do
+    Object.increase_vote_count(reply_ap_id, name)
+  end
+
+  def increase_poll_votes_if_vote(_create_data), do: :noop
+
  def insert(map, local \\ true, fake \\ false) when is_map(map) do
    with nil <- Activity.normalize(map),
         map <- lazy_put_activity_defaults(map, fake),
@ -136,12 +142,17 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
          activity
        end

-      Task.start(fn ->
-        Pleroma.Web.RichMedia.Helpers.fetch_data_for_activity(activity)
-      end)
+      PleromaJobQueue.enqueue(:background, Pleroma.Web.RichMedia.Helpers, [:fetch, activity])

      Notification.create_notifications(activity)
+
+      participations =
+        activity
+        |> Conversation.create_or_bump_for()
+        |> get_participations()
+
      stream_out(activity)
+      stream_out_participations(participations)
      {:ok, activity}
    else
      %Activity{} = activity ->
@ -164,42 +175,59 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

+  defp get_participations({:ok, %{participations: participations}}), do: participations
+  defp get_participations(_), do: []
+
+  def stream_out_participations(participations) do
+    participations =
+      participations
+      |> Repo.preload(:user)
+
+    Enum.each(participations, fn participation ->
+      Pleroma.Web.Streamer.stream("participation", participation)
+    end)
+  end
+
  def stream_out(activity) do
    public = "https://www.w3.org/ns/activitystreams#Public"

    if activity.data["type"] in ["Create", "Announce", "Delete"] do
      object = Object.normalize(activity)
-      Pleroma.Web.Streamer.stream("user", activity)
-      Pleroma.Web.Streamer.stream("list", activity)
+      # Do not stream out poll replies
+      unless object.data["type"] == "Answer" do
+        Pleroma.Web.Streamer.stream("user", activity)
+        Pleroma.Web.Streamer.stream("list", activity)

-      if Enum.member?(activity.data["to"], public) do
-        Pleroma.Web.Streamer.stream("public", activity)
+        if Enum.member?(activity.data["to"], public) do
+          Pleroma.Web.Streamer.stream("public", activity)

-        if activity.local do
-          Pleroma.Web.Streamer.stream("public:local", activity)
-        end
+          if activity.local do
+            Pleroma.Web.Streamer.stream("public:local", activity)
+          end

-        if activity.data["type"] in ["Create"] do
-          object.data
-          |> Map.get("tag", [])
-          |> Enum.filter(fn tag -> is_bitstring(tag) end)
-          |> Enum.each(fn tag -> Pleroma.Web.Streamer.stream("hashtag:" <> tag, activity) end)
+          if activity.data["type"] in ["Create"] do
+            object.data
+            |> Map.get("tag", [])
+            |> Enum.filter(fn tag -> is_bitstring(tag) end)
+            |> Enum.each(fn tag -> Pleroma.Web.Streamer.stream("hashtag:" <> tag, activity) end)

-          if object.data["attachment"] != [] do
-            Pleroma.Web.Streamer.stream("public:media", activity)
+            if object.data["attachment"] != [] do
+              Pleroma.Web.Streamer.stream("public:media", activity)

-            if activity.local do
-              Pleroma.Web.Streamer.stream("public:local:media", activity)
+              if activity.local do
+                Pleroma.Web.Streamer.stream("public:local:media", activity)
+              end
            end
          end
+        else
+          # TODO: Write test, replace with visibility test
+          if !Enum.member?(activity.data["cc"] || [], public) &&
+               !Enum.member?(
+                 activity.data["to"],
+                 User.get_cached_by_ap_id(activity.data["actor"]).follower_address
+               ),
+             do: Pleroma.Web.Streamer.stream("direct", activity)
        end
-      else
-        if !Enum.member?(activity.data["cc"] || [], public) &&
-             !Enum.member?(
-               activity.data["to"],
-               User.get_cached_by_ap_id(activity.data["actor"]).follower_address
-             ),
-           do: Pleroma.Web.Streamer.stream("direct", activity)
      end
    end
  end
@ -218,6 +246,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
         {:ok, activity} <- insert(create_data, local, fake),
         {:fake, false, activity} <- {:fake, fake, activity},
         _ <- increase_replies_count_if_reply(create_data),
+         _ <- increase_poll_votes_if_vote(create_data),
         # Changing note count prior to enqueuing federation task in order to avoid
         # race conditions on updating user.info
         {:ok, _actor} <- increase_note_count_if_public(actor, activity),
@ -382,16 +411,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
  end

  def block(blocker, blocked, activity_id \\ nil, local \\ true) do
-    ap_config = Application.get_env(:pleroma, :activitypub)
-    unfollow_blocked = Keyword.get(ap_config, :unfollow_blocked)
-    outgoing_blocks = Keyword.get(ap_config, :outgoing_blocks)
+    outgoing_blocks = Pleroma.Config.get([:activitypub, :outgoing_blocks])
+    unfollow_blocked = Pleroma.Config.get([:activitypub, :unfollow_blocked])

-    with true <- unfollow_blocked do
+    if unfollow_blocked do
      follow_activity = fetch_latest_follow(blocker, blocked)
-
-      if follow_activity do
-        unfollow(blocker, blocked, nil, local)
-      end
+      if follow_activity, do: unfollow(blocker, blocked, nil, local)
    end

    with true <- outgoing_blocks,
@ -456,35 +481,45 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

-  def fetch_activities_for_context(context, opts \\ %{}) do
+  defp fetch_activities_for_context_query(context, opts) do
    public = ["https://www.w3.org/ns/activitystreams#Public"]

    recipients =
      if opts["user"], do: [opts["user"].ap_id | opts["user"].following] ++ public, else: public

-    query = from(activity in Activity)
-
-    query =
-      query
-      |> restrict_blocked(opts)
-      |> restrict_recipients(recipients, opts["user"])
-
-    query =
-      from(
-        activity in query,
-        where:
-          fragment(
-            "?->>'type' = ? and ?->>'context' = ?",
-            activity.data,
-            "Create",
-            activity.data,
-            ^context
-          ),
-        order_by: [desc: :id]
+    from(activity in Activity)
+    |> maybe_preload_objects(opts)
+    |> restrict_blocked(opts)
+    |> restrict_recipients(recipients, opts["user"])
+    |> where(
+      [activity],
+      fragment(
+        "?->>'type' = ? and ?->>'context' = ?",
+        activity.data,
+        "Create",
+        activity.data,
+        ^context
      )
-      |> Activity.with_preloaded_object()
+    )
+    |> exclude_poll_votes(opts)
+    |> order_by([activity], desc: activity.id)
+  end

-    Repo.all(query)
+  @spec fetch_activities_for_context(String.t(), keyword() | map()) :: [Activity.t()]
+  def fetch_activities_for_context(context, opts \\ %{}) do
+    context
+    |> fetch_activities_for_context_query(opts)
+    |> Repo.all()
+  end
+
+  @spec fetch_latest_activity_id_for_context(String.t(), keyword() | map()) ::
+          Pleroma.FlakeId.t() | nil
+  def fetch_latest_activity_id_for_context(context, opts \\ %{}) do
+    context
+    |> fetch_activities_for_context_query(Map.merge(%{"skip_preload" => true}, opts))
+    |> limit(1)
+    |> select([a], a.id)
+    |> Repo.one()
  end

  def fetch_public_activities(opts \\ %{}) do
@ -514,8 +549,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
            )
        )

-      Ecto.Adapters.SQL.to_sql(:all, Repo, query)
-
      query
    else
      Logger.error("Could not restrict visibility to #{visibility}")
@ -531,8 +564,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
          fragment("activity_visibility(?, ?, ?) = ?", a.actor, a.recipients, a.data, ^visibility)
      )

-    Ecto.Adapters.SQL.to_sql(:all, Repo, query)
-
    query
  end

@ -543,6 +574,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  defp restrict_visibility(query, _visibility), do: query

+  defp restrict_thread_visibility(query, %{"user" => %User{ap_id: ap_id}}) do
+    query =
+      from(
+        a in query,
+        where: fragment("thread_visibility(?, (?)->>'id') = true", ^ap_id, a.data)
+      )
+
+    query
+  end
+
+  defp restrict_thread_visibility(query, _), do: query
+
  def fetch_user_activities(user, reading_user, params \\ %{}) do
    params =
      params
@ -619,20 +662,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  defp restrict_tag(query, _), do: query

-  defp restrict_to_cc(query, recipients_to, recipients_cc) do
-    from(
-      activity in query,
-      where:
-        fragment(
-          "(?->'to' \\?| ?) or (?->'cc' \\?| ?)",
-          activity.data,
-          ^recipients_to,
-          activity.data,
-          ^recipients_cc
-        )
-    )
-  end
-
  defp restrict_recipients(query, [], _user), do: query

  defp restrict_recipients(query, recipients, nil) do
@ -669,6 +698,12 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  defp restrict_type(query, _), do: query

+  defp restrict_state(query, %{"state" => state}) do
+    from(activity in query, where: fragment("?->>'state' = ?", activity.data, ^state))
+  end
+
+  defp restrict_state(query, _), do: query
+
  defp restrict_favorited_by(query, %{"favorited_by" => ap_id}) do
    from(
      activity in query,
@ -724,8 +759,11 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    blocks = info.blocks || []
    domain_blocks = info.domain_blocks || []

+    query =
+      if has_named_binding?(query, :object), do: query, else: Activity.with_joined_object(query)
+
    from(
-      activity in query,
+      [activity, object: o] in query,
      where: fragment("not (? = ANY(?))", activity.actor, ^blocks),
      where: fragment("not (? && ?)", activity.recipients, ^blocks),
      where:
@ -735,7 +773,8 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
          activity.data,
          ^blocks
        ),
-      where: fragment("not (split_part(?, '/', 3) = ANY(?))", activity.actor, ^domain_blocks)
+      where: fragment("not (split_part(?, '/', 3) = ANY(?))", activity.actor, ^domain_blocks),
+      where: fragment("not (split_part(?->>'actor', '/', 3) = ANY(?))", o.data, ^domain_blocks)
    )
  end

@ -776,6 +815,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do

  defp restrict_muted_reblogs(query, _), do: query

+  defp exclude_poll_votes(query, %{"include_poll_votes" => "true"}), do: query
+
+  defp exclude_poll_votes(query, _) do
+    if has_named_binding?(query, :object) do
+      from([activity, object: o] in query,
+        where: fragment("not(?->>'type' = ?)", o.data, "Answer")
+      )
+    else
+      query
+    end
+  end
+
  defp maybe_preload_objects(query, %{"skip_preload" => true}), do: query

  defp maybe_preload_objects(query, _) do
@ -783,11 +834,40 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    |> Activity.with_preloaded_object()
  end

+  defp maybe_preload_bookmarks(query, %{"skip_preload" => true}), do: query
+
+  defp maybe_preload_bookmarks(query, opts) do
+    query
+    |> Activity.with_preloaded_bookmark(opts["user"])
+  end
+
+  defp maybe_set_thread_muted_field(query, %{"skip_preload" => true}), do: query
+
+  defp maybe_set_thread_muted_field(query, opts) do
+    query
+    |> Activity.with_set_thread_muted_field(opts["user"])
+  end
+
+  defp maybe_order(query, %{order: :desc}) do
+    query
+    |> order_by(desc: :id)
+  end
+
+  defp maybe_order(query, %{order: :asc}) do
+    query
+    |> order_by(asc: :id)
+  end
+
+  defp maybe_order(query, _), do: query
+
  def fetch_activities_query(recipients, opts \\ %{}) do
    base_query = from(activity in Activity)

    base_query
    |> maybe_preload_objects(opts)
+    |> maybe_preload_bookmarks(opts)
+    |> maybe_set_thread_muted_field(opts)
+    |> maybe_order(opts)
    |> restrict_recipients(recipients, opts["user"])
    |> restrict_tag(opts)
    |> restrict_tag_reject(opts)
@ -796,15 +876,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    |> restrict_local(opts)
    |> restrict_actor(opts)
    |> restrict_type(opts)
+    |> restrict_state(opts)
    |> restrict_favorited_by(opts)
    |> restrict_blocked(opts)
    |> restrict_muted(opts)
    |> restrict_media(opts)
    |> restrict_visibility(opts)
+    |> restrict_thread_visibility(opts)
    |> restrict_replies(opts)
    |> restrict_reblogs(opts)
    |> restrict_pinned(opts)
    |> restrict_muted_reblogs(opts)
+    |> Activity.restrict_deactivated_users()
+    |> exclude_poll_votes(opts)
  end

  def fetch_activities(recipients, opts \\ %{}) do
@ -813,9 +897,18 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    |> Enum.reverse()
  end

-  def fetch_activities_bounded(recipients_to, recipients_cc, opts \\ %{}) do
+  def fetch_activities_bounded_query(query, recipients, recipients_with_public) do
+    from(activity in query,
+      where:
+        fragment("? && ?", activity.recipients, ^recipients) or
+          (fragment("? && ?", activity.recipients, ^recipients_with_public) and
+             "https://www.w3.org/ns/activitystreams#Public" in activity.recipients)
+    )
+  end
+
+  def fetch_activities_bounded(recipients, recipients_with_public, opts \\ %{}) do
    fetch_activities_query([], opts)
-    |> restrict_to_cc(recipients_to, recipients_cc)
+    |> fetch_activities_bounded_query(recipients, recipients_with_public)
    |> Pagination.fetch_paginated(opts)
    |> Enum.reverse()
  end
@ -833,7 +926,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

-  def user_data_from_user_object(data) do
+  defp object_to_user_data(data) do
    avatar =
      data["icon"]["url"] &&
        %{
@ -880,9 +973,19 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    {:ok, user_data}
  end

+  def user_data_from_user_object(data) do
+    with {:ok, data} <- MRF.filter(data),
+         {:ok, data} <- object_to_user_data(data) do
+      {:ok, data}
+    else
+      e -> {:error, e}
+    end
+  end
+
  def fetch_and_prepare_user_from_ap_id(ap_id) do
-    with {:ok, data} <- Fetcher.fetch_and_contain_remote_object_from_id(ap_id) do
-      user_data_from_user_object(data)
+    with {:ok, data} <- Fetcher.fetch_and_contain_remote_object_from_id(ap_id),
+         {:ok, data} <- user_data_from_user_object(data) do
+      {:ok, data}
    else
      e -> Logger.error("Could not decode user at fetch #{ap_id}, #{inspect(e)}")
    end
@ -908,89 +1011,6 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    end
  end

-  def should_federate?(inbox, public) do
-    if public do
-      true
-    else
-      inbox_info = URI.parse(inbox)
-      !Enum.member?(Pleroma.Config.get([:instance, :quarantined_instances], []), inbox_info.host)
-    end
-  end
-
-  def publish(actor, activity) do
-    remote_followers =
-      if actor.follower_address in activity.recipients do
-        {:ok, followers} = User.get_followers(actor)
-        followers |> Enum.filter(&(!&1.local))
-      else
-        []
-      end
-
-    public = is_public?(activity)
-
-    {:ok, data} = Transmogrifier.prepare_outgoing(activity.data)
-    json = Jason.encode!(data)
-
-    (Pleroma.Web.Salmon.remote_users(activity) ++ remote_followers)
-    |> Enum.filter(fn user -> User.ap_enabled?(user) end)
-    |> Enum.map(fn %{info: %{source_data: data}} ->
-      (is_map(data["endpoints"]) && Map.get(data["endpoints"], "sharedInbox")) || data["inbox"]
-    end)
-    |> Enum.uniq()
-    |> Enum.filter(fn inbox -> should_federate?(inbox, public) end)
-    |> Instances.filter_reachable()
-    |> Enum.each(fn {inbox, unreachable_since} ->
-      Federator.publish_single_ap(%{
-        inbox: inbox,
-        json: json,
-        actor: actor,
-        id: activity.data["id"],
-        unreachable_since: unreachable_since
-      })
-    end)
-  end
-
-  def publish_one(%{inbox: inbox, json: json, actor: actor, id: id} = params) do
-    Logger.info("Federating #{id} to #{inbox}")
-    host = URI.parse(inbox).host
-
-    digest = "SHA-256=" <> (:crypto.hash(:sha256, json) |> Base.encode64())
-
-    date =
-      NaiveDateTime.utc_now()
-      |> Timex.format!("{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT")
-
-    signature =
-      Pleroma.Web.HTTPSignatures.sign(actor, %{
-        host: host,
-        "content-length": byte_size(json),
-        digest: digest,
-        date: date
-      })
-
-    with {:ok, %{status: code}} when code in 200..299 <-
-           result =
-             @httpoison.post(
-               inbox,
-               json,
-               [
-                 {"Content-Type", "application/activity+json"},
-                 {"Date", date},
-                 {"signature", signature},
-                 {"digest", digest}
-               ]
-             ) do
-      if !Map.has_key?(params, :unreachable_since) || params[:unreachable_since],
-        do: Instances.set_reachable(inbox)
-
-      result
-    else
-      {_post_result, response} ->
-        unless params[:unreachable_since], do: Instances.set_unreachable(inbox)
-        {:error, response}
-    end
-  end
-
  # filter out broken threads
  def contain_broken_threads(%Activity{} = activity, %User{} = user) do
    entire_thread_visible_for_user?(activity, user)
@ -1001,11 +1021,10 @@ defmodule Pleroma.Web.ActivityPub.ActivityPub do
    contain_broken_threads(activity, user)
  end

-  # do post-processing on a timeline
-  def contain_timeline(timeline, user) do
-    timeline
-    |> Enum.filter(fn activity ->
-      contain_activity(activity, user)
-    end)
+  def fetch_direct_messages_query do
+    Activity
+    |> restrict_type(%{"type" => "Create"})
+    |> restrict_visibility(%{visibility: "direct"})
+    |> order_by([activity], asc: activity.id)
  end
 end
--- a/lib/pleroma/web/activity_pub/activity_pub_controller.ex
+++ b/lib/pleroma/web/activity_pub/activity_pub_controller.ex
@ -27,7 +27,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do
  plug(:relay_active? when action in [:relay])

  def relay_active?(conn, _) do
-    if Keyword.get(Application.get_env(:pleroma, :instance), :allow_relay) do
+    if Pleroma.Config.get([:instance, :allow_relay]) do
      conn
    else
      conn
@ -39,7 +39,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def user(conn, %{"nickname" => nickname}) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(UserView.render("user.json", %{user: user}))
@ -106,7 +106,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def following(conn, %{"nickname" => nickname, "page" => page}) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      {page, _} = Integer.parse(page)

      conn
@ -117,7 +117,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def following(conn, %{"nickname" => nickname}) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(UserView.render("following.json", %{user: user}))
@ -126,7 +126,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def followers(conn, %{"nickname" => nickname, "page" => page}) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      {page, _} = Integer.parse(page)

      conn
@ -137,7 +137,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def followers(conn, %{"nickname" => nickname}) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(UserView.render("followers.json", %{user: user}))
@ -146,7 +146,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def outbox(conn, %{"nickname" => nickname} = params) do
    with %User{} = user <- User.get_cached_by_nickname(nickname),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(UserView.render("outbox.json", %{user: user, max_id: params["max_id"]}))
@ -155,7 +155,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def inbox(%{assigns: %{valid_signature: true}} = conn, %{"nickname" => nickname} = params) do
    with %User{} = recipient <- User.get_cached_by_nickname(nickname),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(params["actor"]),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(params["actor"]),
         true <- Utils.recipient_in_message(recipient, actor, params),
         params <- Utils.maybe_splice_recipient(recipient.ap_id, params) do
      Federator.incoming_ap_doc(params)
@ -195,7 +195,7 @@ defmodule Pleroma.Web.ActivityPub.ActivityPubController do

  def relay(conn, _params) do
    with %User{} = user <- Relay.get_actor(),
-         {:ok, user} <- Pleroma.Web.WebFinger.ensure_keys_present(user) do
+         {:ok, user} <- User.ensure_keys_present(user) do
      conn
      |> put_resp_header("content-type", "application/activity+json")
      |> json(UserView.render("user.json", %{user: user}))
--- a/lib/pleroma/web/activity_pub/mrf.ex
+++ b/lib/pleroma/web/activity_pub/mrf.ex
@ -17,9 +17,7 @@ defmodule Pleroma.Web.ActivityPub.MRF do
  end

  def get_policies do
-    Application.get_env(:pleroma, :instance, [])
-    |> Keyword.get(:rewrite_policy, [])
-    |> get_policies()
+    Pleroma.Config.get([:instance, :rewrite_policy], []) |> get_policies()
  end

  defp get_policies(policy) when is_atom(policy), do: [policy]
--- a/lib/pleroma/web/activity_pub/mrf/anti_followbot_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/anti_followbot_policy.ex
@ -5,6 +5,8 @@
 defmodule Pleroma.Web.ActivityPub.MRF.AntiFollowbotPolicy do
  alias Pleroma.User

+  @moduledoc "Prevent followbots from following with a bit of heuristic"
+
  @behaviour Pleroma.Web.ActivityPub.MRF

  # XXX: this should become User.normalize_by_ap_id() or similar, really.
--- a/lib/pleroma/web/activity_pub/mrf/drop_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/drop_policy.ex
@ -4,6 +4,7 @@

 defmodule Pleroma.Web.ActivityPub.MRF.DropPolicy do
  require Logger
+  @moduledoc "Drop and log everything received"
  @behaviour Pleroma.Web.ActivityPub.MRF

  @impl true
--- a/lib/pleroma/web/activity_pub/mrf/ensure_re_prepended.ex
+++ b/lib/pleroma/web/activity_pub/mrf/ensure_re_prepended.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.ActivityPub.MRF.EnsureRePrepended do
  alias Pleroma.Object

+  @moduledoc "Ensure a re: is prepended on replies to a post with a Subject"
  @behaviour Pleroma.Web.ActivityPub.MRF

  @reply_prefix Regex.compile!("^re:[[:space:]]*", [:caseless])
--- a/lib/pleroma/web/activity_pub/mrf/hellthread_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/hellthread_policy.ex
@ -4,6 +4,8 @@

 defmodule Pleroma.Web.ActivityPub.MRF.HellthreadPolicy do
  alias Pleroma.User
+  @moduledoc "Block messages with too much mentions (configurable)"
+
  @behaviour Pleroma.Web.ActivityPub.MRF

  defp delist_message(message, threshold) when threshold > 0 do
--- a/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/keyword_policy.ex
@ -3,6 +3,8 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.ActivityPub.MRF.KeywordPolicy do
+  @moduledoc "Reject or Word-Replace messages with a keyword or regex"
+
  @behaviour Pleroma.Web.ActivityPub.MRF
  defp string_matches?(string, _) when not is_binary(string) do
    false
--- a/lib/pleroma/web/activity_pub/mrf/no_placeholder_text_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/no_placeholder_text_policy.ex
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.ActivityPub.MRF.NoPlaceholderTextPolicy do
+  @moduledoc "Ensure no content placeholder is present (such as the dot from mastodon)"
  @behaviour Pleroma.Web.ActivityPub.MRF

  @impl true
--- a/lib/pleroma/web/activity_pub/mrf/noop_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/noop_policy.ex
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.ActivityPub.MRF.NoOpPolicy do
+  @moduledoc "Does nothing (lets the messages go through unmodified)"
  @behaviour Pleroma.Web.ActivityPub.MRF

  @impl true
--- a/lib/pleroma/web/activity_pub/mrf/normalize_markup.ex
+++ b/lib/pleroma/web/activity_pub/mrf/normalize_markup.ex
@ -3,6 +3,7 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.ActivityPub.MRF.NormalizeMarkup do
+  @moduledoc "Scrub configured hypertext markup"
  alias Pleroma.HTML

  @behaviour Pleroma.Web.ActivityPub.MRF
--- a/lib/pleroma/web/activity_pub/mrf/reject_non_public.ex
+++ b/lib/pleroma/web/activity_pub/mrf/reject_non_public.ex
@ -4,6 +4,7 @@

 defmodule Pleroma.Web.ActivityPub.MRF.RejectNonPublic do
  alias Pleroma.User
+  @moduledoc "Rejects non-public (followers-only, direct) activities"
  @behaviour Pleroma.Web.ActivityPub.MRF

  @impl true
--- a/lib/pleroma/web/activity_pub/mrf/simple_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/simple_policy.ex
@ -4,6 +4,7 @@

 defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
  alias Pleroma.User
+  @moduledoc "Filter activities depending on their origin instance"
  @behaviour Pleroma.Web.ActivityPub.MRF

  defp check_accept(%{host: actor_host} = _actor_info, object) do
@ -47,14 +48,13 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
         %{host: actor_host} = _actor_info,
         %{
           "type" => "Create",
-           "object" => %{"attachment" => child_attachment} = child_object
+           "object" => child_object
         } = object
-       )
-       when length(child_attachment) > 0 do
+       ) do
    object =
      if Enum.member?(Pleroma.Config.get([:mrf_simple, :media_nsfw]), actor_host) do
        tags = (child_object["tag"] || []) ++ ["nsfw"]
-        child_object = Map.put(child_object, "tags", tags)
+        child_object = Map.put(child_object, "tag", tags)
        child_object = Map.put(child_object, "sensitive", true)
        Map.put(object, "object", child_object)
      else
@ -74,8 +74,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
               actor_host
             ),
           user <- User.get_cached_by_ap_id(object["actor"]),
-           true <- "https://www.w3.org/ns/activitystreams#Public" in object["to"],
-           true <- user.follower_address in object["cc"] do
+           true <- "https://www.w3.org/ns/activitystreams#Public" in object["to"] do
        to =
          List.delete(object["to"], "https://www.w3.org/ns/activitystreams#Public") ++
            [user.follower_address]
@ -94,18 +93,63 @@ defmodule Pleroma.Web.ActivityPub.MRF.SimplePolicy do
    {:ok, object}
  end

+  defp check_report_removal(%{host: actor_host} = _actor_info, %{"type" => "Flag"} = object) do
+    if actor_host in Pleroma.Config.get([:mrf_simple, :report_removal]) do
+      {:reject, nil}
+    else
+      {:ok, object}
+    end
+  end
+
+  defp check_report_removal(_actor_info, object), do: {:ok, object}
+
+  defp check_avatar_removal(%{host: actor_host} = _actor_info, %{"icon" => _icon} = object) do
+    if actor_host in Pleroma.Config.get([:mrf_simple, :avatar_removal]) do
+      {:ok, Map.delete(object, "icon")}
+    else
+      {:ok, object}
+    end
+  end
+
+  defp check_avatar_removal(_actor_info, object), do: {:ok, object}
+
+  defp check_banner_removal(%{host: actor_host} = _actor_info, %{"image" => _image} = object) do
+    if actor_host in Pleroma.Config.get([:mrf_simple, :banner_removal]) do
+      {:ok, Map.delete(object, "image")}
+    else
+      {:ok, object}
+    end
+  end
+
+  defp check_banner_removal(_actor_info, object), do: {:ok, object}
+
  @impl true
-  def filter(object) do
-    actor_info = URI.parse(object["actor"])
+  def filter(%{"actor" => actor} = object) do
+    actor_info = URI.parse(actor)

    with {:ok, object} <- check_accept(actor_info, object),
         {:ok, object} <- check_reject(actor_info, object),
         {:ok, object} <- check_media_removal(actor_info, object),
         {:ok, object} <- check_media_nsfw(actor_info, object),
-         {:ok, object} <- check_ftl_removal(actor_info, object) do
+         {:ok, object} <- check_ftl_removal(actor_info, object),
+         {:ok, object} <- check_report_removal(actor_info, object) do
      {:ok, object}
    else
      _e -> {:reject, nil}
    end
  end
+
+  def filter(%{"id" => actor, "type" => obj_type} = object)
+      when obj_type in ["Application", "Group", "Organization", "Person", "Service"] do
+    actor_info = URI.parse(actor)
+
+    with {:ok, object} <- check_avatar_removal(actor_info, object),
+         {:ok, object} <- check_banner_removal(actor_info, object) do
+      {:ok, object}
+    else
+      _e -> {:reject, nil}
+    end
+  end
+
+  def filter(object), do: {:ok, object}
 end
--- a/lib/pleroma/web/activity_pub/mrf/tag_policy.ex
+++ b/lib/pleroma/web/activity_pub/mrf/tag_policy.ex
@ -5,6 +5,19 @@
 defmodule Pleroma.Web.ActivityPub.MRF.TagPolicy do
  alias Pleroma.User
  @behaviour Pleroma.Web.ActivityPub.MRF
+  @moduledoc """
+     Apply policies based on user tags
+
+     This policy applies policies on a user activities depending on their tags
+     on your instance.
+
+     - `mrf_tag:media-force-nsfw`: Mark as sensitive on presence of attachments
+     - `mrf_tag:media-strip`: Remove attachments
+     - `mrf_tag:force-unlisted`: Mark as unlisted (removes from the federated timeline)
+     - `mrf_tag:sandbox`: Remove from public (local and federated) timelines
+     - `mrf_tag:disable-remote-subscription`: Reject non-local follow requests
+     - `mrf_tag:disable-any-subscription`: Reject any follow requests
+  """

  defp get_tags(%User{tags: tags}) when is_list(tags), do: tags
  defp get_tags(_), do: []
@ -18,7 +31,7 @@ defmodule Pleroma.Web.ActivityPub.MRF.TagPolicy do

    object =
      object
-      |> Map.put("tags", tags)
+      |> Map.put("tag", tags)
      |> Map.put("sensitive", true)

    message = Map.put(message, "object", object)
--- a/lib/pleroma/web/activity_pub/mrf/user_allowlist.ex
+++ b/lib/pleroma/web/activity_pub/mrf/user_allowlist.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.ActivityPub.MRF.UserAllowListPolicy do
  alias Pleroma.Config

+  @moduledoc "Accept-list of users from specified instances"
  @behaviour Pleroma.Web.ActivityPub.MRF

  defp filter_by_list(object, []), do: {:ok, object}
@ -18,10 +19,12 @@ defmodule Pleroma.Web.ActivityPub.MRF.UserAllowListPolicy do
  end

  @impl true
-  def filter(object) do
-    actor_info = URI.parse(object["actor"])
+  def filter(%{"actor" => actor} = object) do
+    actor_info = URI.parse(actor)
    allow_list = Config.get([:mrf_user_allowlist, String.to_atom(actor_info.host)], [])

    filter_by_list(object, allow_list)
  end
+
+  def filter(object), do: {:ok, object}
 end
--- a/lib/pleroma/web/activity_pub/publisher.ex
+++ b/lib/pleroma/web/activity_pub/publisher.ex
@ -0,0 +1,151 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.ActivityPub.Publisher do
+  alias Pleroma.Activity
+  alias Pleroma.Config
+  alias Pleroma.HTTP
+  alias Pleroma.Instances
+  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.Relay
+  alias Pleroma.Web.ActivityPub.Transmogrifier
+
+  import Pleroma.Web.ActivityPub.Visibility
+
+  @behaviour Pleroma.Web.Federator.Publisher
+
+  require Logger
+
+  @moduledoc """
+  ActivityPub outgoing federation module.
+  """
+
+  @doc """
+  Determine if an activity can be represented by running it through Transmogrifier.
+  """
+  def is_representable?(%Activity{} = activity) do
+    with {:ok, _data} <- Transmogrifier.prepare_outgoing(activity.data) do
+      true
+    else
+      _e ->
+        false
+    end
+  end
+
+  @doc """
+  Publish a single message to a peer.  Takes a struct with the following
+  parameters set:
+
+  * `inbox`: the inbox to publish to
+  * `json`: the JSON message body representing the ActivityPub message
+  * `actor`: the actor which is signing the message
+  * `id`: the ActivityStreams URI of the message
+  """
+  def publish_one(%{inbox: inbox, json: json, actor: %User{} = actor, id: id} = params) do
+    Logger.info("Federating #{id} to #{inbox}")
+    host = URI.parse(inbox).host
+
+    digest = "SHA-256=" <> (:crypto.hash(:sha256, json) |> Base.encode64())
+
+    date =
+      NaiveDateTime.utc_now()
+      |> Timex.format!("{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT")
+
+    signature =
+      Pleroma.Signature.sign(actor, %{
+        host: host,
+        "content-length": byte_size(json),
+        digest: digest,
+        date: date
+      })
+
+    with {:ok, %{status: code}} when code in 200..299 <-
+           result =
+             HTTP.post(
+               inbox,
+               json,
+               [
+                 {"Content-Type", "application/activity+json"},
+                 {"Date", date},
+                 {"signature", signature},
+                 {"digest", digest}
+               ]
+             ) do
+      if !Map.has_key?(params, :unreachable_since) || params[:unreachable_since],
+        do: Instances.set_reachable(inbox)
+
+      result
+    else
+      {_post_result, response} ->
+        unless params[:unreachable_since], do: Instances.set_unreachable(inbox)
+        {:error, response}
+    end
+  end
+
+  defp should_federate?(inbox, public) do
+    if public do
+      true
+    else
+      inbox_info = URI.parse(inbox)
+      !Enum.member?(Pleroma.Config.get([:instance, :quarantined_instances], []), inbox_info.host)
+    end
+  end
+
+  @doc """
+  Publishes an activity to all relevant peers.
+  """
+  def publish(%User{} = actor, %Activity{} = activity) do
+    remote_followers =
+      if actor.follower_address in activity.recipients do
+        {:ok, followers} = User.get_followers(actor)
+        followers |> Enum.filter(&(!&1.local))
+      else
+        []
+      end
+
+    public = is_public?(activity)
+
+    if public && Config.get([:instance, :allow_relay]) do
+      Logger.info(fn -> "Relaying #{activity.data["id"]} out" end)
+      Relay.publish(activity)
+    end
+
+    {:ok, data} = Transmogrifier.prepare_outgoing(activity.data)
+    json = Jason.encode!(data)
+
+    (Pleroma.Web.Salmon.remote_users(activity) ++ remote_followers)
+    |> Enum.filter(fn user -> User.ap_enabled?(user) end)
+    |> Enum.map(fn %{info: %{source_data: data}} ->
+      (is_map(data["endpoints"]) && Map.get(data["endpoints"], "sharedInbox")) || data["inbox"]
+    end)
+    |> Enum.uniq()
+    |> Enum.filter(fn inbox -> should_federate?(inbox, public) end)
+    |> Instances.filter_reachable()
+    |> Enum.each(fn {inbox, unreachable_since} ->
+      Pleroma.Web.Federator.Publisher.enqueue_one(
+        __MODULE__,
+        %{
+          inbox: inbox,
+          json: json,
+          actor: actor,
+          id: activity.data["id"],
+          unreachable_since: unreachable_since
+        }
+      )
+    end)
+  end
+
+  def gather_webfinger_links(%User{} = user) do
+    [
+      %{"rel" => "self", "type" => "application/activity+json", "href" => user.ap_id},
+      %{
+        "rel" => "self",
+        "type" => "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"",
+        "href" => user.ap_id
+      }
+    ]
+  end
+
+  def gather_nodeinfo_protocol_names, do: ["activitypub"]
+end
--- a/lib/pleroma/web/activity_pub/relay.ex
+++ b/lib/pleroma/web/activity_pub/relay.ex
@ -15,7 +15,7 @@ defmodule Pleroma.Web.ActivityPub.Relay do

  def follow(target_instance) do
    with %User{} = local_user <- get_actor(),
-         %User{} = target_user <- User.get_or_fetch_by_ap_id(target_instance),
+         {:ok, %User{} = target_user} <- User.get_or_fetch_by_ap_id(target_instance),
         {:ok, activity} <- ActivityPub.follow(local_user, target_user) do
      Logger.info("relay: followed instance: #{target_instance}; id=#{activity.data["id"]}")
      {:ok, activity}
@ -28,7 +28,7 @@ defmodule Pleroma.Web.ActivityPub.Relay do

  def unfollow(target_instance) do
    with %User{} = local_user <- get_actor(),
-         %User{} = target_user <- User.get_or_fetch_by_ap_id(target_instance),
+         {:ok, %User{} = target_user} <- User.get_or_fetch_by_ap_id(target_instance),
         {:ok, activity} <- ActivityPub.unfollow(local_user, target_user) do
      Logger.info("relay: unfollowed instance: #{target_instance}: id=#{activity.data["id"]}")
      {:ok, activity}
--- a/lib/pleroma/web/activity_pub/transmogrifier.ex
+++ b/lib/pleroma/web/activity_pub/transmogrifier.ex
@ -11,7 +11,6 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
  alias Pleroma.Object.Containment
  alias Pleroma.Repo
  alias Pleroma.User
-  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Utils
  alias Pleroma.Web.ActivityPub.Visibility
@ -36,6 +35,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> fix_likes
    |> fix_addressing
    |> fix_summary
+    |> fix_type
  end

  def fix_summary(%{"summary" => nil} = object) do
@ -66,7 +66,11 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    end
  end

-  def fix_explicit_addressing(%{"to" => to, "cc" => cc} = object, explicit_mentions) do
+  def fix_explicit_addressing(
+        %{"to" => to, "cc" => cc} = object,
+        explicit_mentions,
+        follower_collection
+      ) do
    explicit_to =
      to
      |> Enum.filter(fn x -> x in explicit_mentions end)
@ -77,6 +81,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do

    final_cc =
      (cc ++ explicit_cc)
+      |> Enum.reject(fn x -> String.ends_with?(x, "/followers") and x != follower_collection end)
      |> Enum.uniq()

    object
@ -84,7 +89,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> Map.put("cc", final_cc)
  end

-  def fix_explicit_addressing(object, _explicit_mentions), do: object
+  def fix_explicit_addressing(object, _explicit_mentions, _followers_collection), do: object

  # if directMessage flag is set to true, leave the addressing alone
  def fix_explicit_addressing(%{"directMessage" => true} = object), do: object
@ -94,10 +99,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
      object
      |> Utils.determine_explicit_mentions()

-    explicit_mentions = explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public"]
+    follower_collection = User.get_cached_by_ap_id(Containment.get_actor(object)).follower_address

-    object
-    |> fix_explicit_addressing(explicit_mentions)
+    explicit_mentions =
+      explicit_mentions ++ ["https://www.w3.org/ns/activitystreams#Public", follower_collection]
+
+    fix_explicit_addressing(object, explicit_mentions, follower_collection)
  end

  # if as:Public is addressed, then make sure the followers collection is also addressed
@ -126,7 +133,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
  def fix_implicit_addressing(object, _), do: object

  def fix_addressing(object) do
-    %User{} = user = User.get_or_fetch_by_ap_id(object["actor"])
+    {:ok, %User{} = user} = User.get_or_fetch_by_ap_id(object["actor"])
    followers_collection = User.ap_followers(user)

    object
@ -134,7 +141,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> fix_addressing_list("cc")
    |> fix_addressing_list("bto")
    |> fix_addressing_list("bcc")
-    |> fix_explicit_addressing
+    |> fix_explicit_addressing()
    |> fix_implicit_addressing(followers_collection)
  end

@ -329,6 +336,18 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do

  def fix_content_map(object), do: object

+  def fix_type(%{"inReplyTo" => reply_id} = object) when is_binary(reply_id) do
+    reply = Object.normalize(reply_id)
+
+    if reply.data["type"] == "Question" and object["name"] do
+      Map.put(object, "type", "Answer")
+    else
+      object
+    end
+  end
+
+  def fix_type(object), do: object
+
  defp mastodon_follow_hack(%{"id" => id, "actor" => follower_id}, followed) do
    with true <- id =~ "follows",
         %User{local: true} = follower <- User.get_cached_by_ap_id(follower_id),
@ -399,7 +418,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
  # - tags
  # - emoji
  def handle_incoming(%{"type" => "Create", "object" => %{"type" => objtype} = object} = data)
-      when objtype in ["Article", "Note", "Video", "Page"] do
+      when objtype in ["Article", "Note", "Video", "Page", "Question", "Answer"] do
    actor = Containment.get_actor(data)

    data =
@ -407,7 +426,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
      |> fix_addressing

    with nil <- Activity.get_create_by_object_ap_id(object["id"]),
-         %User{} = user <- User.get_or_fetch_by_ap_id(data["actor"]) do
+         {:ok, %User{} = user} <- User.get_or_fetch_by_ap_id(data["actor"]) do
      object = fix_object(data["object"])

      params = %{
@ -436,7 +455,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        %{"type" => "Follow", "object" => followed, "actor" => follower, "id" => id} = data
      ) do
    with %User{local: true} = followed <- User.get_cached_by_ap_id(followed),
-         %User{} = follower <- User.get_or_fetch_by_ap_id(follower),
+         {:ok, %User{} = follower} <- User.get_or_fetch_by_ap_id(follower),
         {:ok, activity} <- ActivityPub.follow(follower, followed, id, false) do
      with deny_follow_blocked <- Pleroma.Config.get([:user, :deny_follow_blocked]),
           {:user_blocked, false} <-
@ -485,7 +504,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        %{"type" => "Accept", "object" => follow_object, "actor" => _actor, "id" => _id} = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = followed <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = followed} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, follow_activity} <- get_follow_activity(follow_object, followed),
         {:ok, follow_activity} <- Utils.update_follow_state(follow_activity, "accept"),
         %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity.data["actor"]),
@ -511,7 +530,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        %{"type" => "Reject", "object" => follow_object, "actor" => _actor, "id" => _id} = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = followed <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = followed} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, follow_activity} <- get_follow_activity(follow_object, followed),
         {:ok, follow_activity} <- Utils.update_follow_state(follow_activity, "reject"),
         %User{local: true} = follower <- User.get_cached_by_ap_id(follow_activity.data["actor"]),
@ -535,7 +554,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        %{"type" => "Like", "object" => object_id, "actor" => _actor, "id" => id} = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, object} <- get_obj_helper(object_id),
         {:ok, activity, _object} <- ActivityPub.like(actor, object, id, false) do
      {:ok, activity}
@ -548,7 +567,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        %{"type" => "Announce", "object" => object_id, "actor" => _actor, "id" => id} = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, object} <- get_obj_helper(object_id),
         public <- Visibility.is_public?(data),
         {:ok, activity, _object} <- ActivityPub.announce(actor, object, id, false, public) do
@ -603,7 +622,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    object_id = Utils.get_ap_id(object_id)

    with actor <- Containment.get_actor(data),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, object} <- get_obj_helper(object_id),
         :ok <- Containment.contain_origin(actor.ap_id, object.data),
         {:ok, activity} <- ActivityPub.delete(object, false) do
@ -622,7 +641,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        } = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, object} <- get_obj_helper(object_id),
         {:ok, activity, _} <- ActivityPub.unannounce(actor, object, id, false) do
      {:ok, activity}
@ -640,7 +659,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        } = _data
      ) do
    with %User{local: true} = followed <- User.get_cached_by_ap_id(followed),
-         %User{} = follower <- User.get_or_fetch_by_ap_id(follower),
+         {:ok, %User{} = follower} <- User.get_or_fetch_by_ap_id(follower),
         {:ok, activity} <- ActivityPub.unfollow(follower, followed, id, false) do
      User.unfollow(follower, followed)
      {:ok, activity}
@ -659,7 +678,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
      ) do
    with true <- Pleroma.Config.get([:activitypub, :accept_blocks]),
         %User{local: true} = blocked <- User.get_cached_by_ap_id(blocked),
-         %User{} = blocker <- User.get_or_fetch_by_ap_id(blocker),
+         {:ok, %User{} = blocker} <- User.get_or_fetch_by_ap_id(blocker),
         {:ok, activity} <- ActivityPub.unblock(blocker, blocked, id, false) do
      User.unblock(blocker, blocked)
      {:ok, activity}
@ -673,7 +692,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
      ) do
    with true <- Pleroma.Config.get([:activitypub, :accept_blocks]),
         %User{local: true} = blocked = User.get_cached_by_ap_id(blocked),
-         %User{} = blocker = User.get_or_fetch_by_ap_id(blocker),
+         {:ok, %User{} = blocker} = User.get_or_fetch_by_ap_id(blocker),
         {:ok, activity} <- ActivityPub.block(blocker, blocked, id, false) do
      User.unfollow(blocker, blocked)
      User.block(blocker, blocked)
@ -692,7 +711,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
        } = data
      ) do
    with actor <- Containment.get_actor(data),
-         %User{} = actor <- User.get_or_fetch_by_ap_id(actor),
+         {:ok, %User{} = actor} <- User.get_or_fetch_by_ap_id(actor),
         {:ok, object} <- get_obj_helper(object_id),
         {:ok, activity, _, _} <- ActivityPub.unlike(actor, object, id, false) do
      {:ok, activity}
@ -732,6 +751,7 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> set_reply_to_uri
    |> strip_internal_fields
    |> strip_internal_tags
+    |> set_type
  end

  #  @doc
@ -856,10 +876,16 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> Map.put("tag", tags ++ mentions)
  end

+  def add_emoji_tags(%User{info: %{"emoji" => _emoji} = user_info} = object) do
+    user_info = add_emoji_tags(user_info)
+
+    object
+    |> Map.put(:info, user_info)
+  end
+
  # TODO: we should probably send mtime instead of unix epoch time for updated
-  def add_emoji_tags(object) do
+  def add_emoji_tags(%{"emoji" => emoji} = object) do
    tags = object["tag"] || []
-    emoji = object["emoji"] || []

    out =
      emoji
@ -877,6 +903,10 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    |> Map.put("tag", tags ++ out)
  end

+  def add_emoji_tags(object) do
+    object
+  end
+
  def set_conversation(object) do
    Map.put(object, "conversation", object["context"])
  end
@ -886,6 +916,12 @@ defmodule Pleroma.Web.ActivityPub.Transmogrifier do
    Map.put(object, "sensitive", "nsfw" in tags)
  end

+  def set_type(%{"type" => "Answer"} = object) do
+    Map.put(object, "type", "Note")
+  end
+
+  def set_type(object), do: object
+
  def add_attributed_to(object) do
    attributed_to = object["attributedTo"] || object["actor"]

--- a/lib/pleroma/web/activity_pub/utils.ex
+++ b/lib/pleroma/web/activity_pub/utils.ex
@ -19,7 +19,9 @@ defmodule Pleroma.Web.ActivityPub.Utils do

  require Logger

-  @supported_object_types ["Article", "Note", "Video", "Page"]
+  @supported_object_types ["Article", "Note", "Video", "Page", "Question", "Answer"]
+  @supported_report_states ~w(open closed resolved)
+  @valid_visibilities ~w(public unlisted private direct)

  # Some implementations send the actor URI as the actor field, others send the entire actor object,
  # so figure out what the actor's URI is based on what we have.
@ -670,7 +672,8 @@ defmodule Pleroma.Web.ActivityPub.Utils do
      "actor" => params.actor.ap_id,
      "content" => params.content,
      "object" => object,
-      "context" => params.context
+      "context" => params.context,
+      "state" => "open"
    }
    |> Map.merge(additional)
  end
@ -682,7 +685,7 @@ defmodule Pleroma.Web.ActivityPub.Utils do
  """
  def fetch_ordered_collection(from, pages_left, acc \\ []) do
    with {:ok, response} <- Tesla.get(from),
-         {:ok, collection} <- Poison.decode(response.body) do
+         {:ok, collection} <- Jason.decode(response.body) do
      case collection["type"] do
        "OrderedCollection" ->
          # If we've encountered the OrderedCollection and not the page,
@ -713,4 +716,94 @@ defmodule Pleroma.Web.ActivityPub.Utils do
      end
    end
  end
+
+  #### Report-related helpers
+
+  def update_report_state(%Activity{} = activity, state) when state in @supported_report_states do
+    with new_data <- Map.put(activity.data, "state", state),
+         changeset <- Changeset.change(activity, data: new_data),
+         {:ok, activity} <- Repo.update(changeset) do
+      {:ok, activity}
+    end
+  end
+
+  def update_report_state(_, _), do: {:error, "Unsupported state"}
+
+  def update_activity_visibility(activity, visibility) when visibility in @valid_visibilities do
+    [to, cc, recipients] =
+      activity
+      |> get_updated_targets(visibility)
+      |> Enum.map(&Enum.uniq/1)
+
+    object_data =
+      activity.object.data
+      |> Map.put("to", to)
+      |> Map.put("cc", cc)
+
+    {:ok, object} =
+      activity.object
+      |> Object.change(%{data: object_data})
+      |> Object.update_and_set_cache()
+
+    activity_data =
+      activity.data
+      |> Map.put("to", to)
+      |> Map.put("cc", cc)
+
+    activity
+    |> Map.put(:object, object)
+    |> Activity.change(%{data: activity_data, recipients: recipients})
+    |> Repo.update()
+  end
+
+  def update_activity_visibility(_, _), do: {:error, "Unsupported visibility"}
+
+  defp get_updated_targets(
+         %Activity{data: %{"to" => to} = data, recipients: recipients},
+         visibility
+       ) do
+    cc = Map.get(data, "cc", [])
+    follower_address = User.get_cached_by_ap_id(data["actor"]).follower_address
+    public = "https://www.w3.org/ns/activitystreams#Public"
+
+    case visibility do
+      "public" ->
+        to = [public | List.delete(to, follower_address)]
+        cc = [follower_address | List.delete(cc, public)]
+        recipients = [public | recipients]
+        [to, cc, recipients]
+
+      "private" ->
+        to = [follower_address | List.delete(to, public)]
+        cc = List.delete(cc, public)
+        recipients = List.delete(recipients, public)
+        [to, cc, recipients]
+
+      "unlisted" ->
+        to = [follower_address | List.delete(to, public)]
+        cc = [public | List.delete(cc, follower_address)]
+        recipients = recipients ++ [follower_address, public]
+        [to, cc, recipients]
+
+      _ ->
+        [to, cc, recipients]
+    end
+  end
+
+  def get_existing_votes(actor, %{data: %{"id" => id}}) do
+    query =
+      from(
+        [activity, object: object] in Activity.with_preloaded_object(Activity),
+        where: fragment("(?)->>'actor' = ?", activity.data, ^actor),
+        where:
+          fragment(
+            "(?)->'inReplyTo' = ?",
+            object.data,
+            ^to_string(id)
+          ),
+        where: fragment("(?)->>'type' = 'Answer'", object.data)
+      )
+
+    Repo.all(query)
+  end
 end
--- a/lib/pleroma/web/activity_pub/views/user_view.ex
+++ b/lib/pleroma/web/activity_pub/views/user_view.ex
@ -5,6 +5,7 @@
 defmodule Pleroma.Web.ActivityPub.UserView do
  use Pleroma.Web, :view

+  alias Pleroma.Keys
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
@ -12,8 +13,6 @@ defmodule Pleroma.Web.ActivityPub.UserView do
  alias Pleroma.Web.ActivityPub.Utils
  alias Pleroma.Web.Endpoint
  alias Pleroma.Web.Router.Helpers
-  alias Pleroma.Web.Salmon
-  alias Pleroma.Web.WebFinger

  import Ecto.Query

@ -34,8 +33,8 @@ defmodule Pleroma.Web.ActivityPub.UserView do

  # the instance itself is not a Person, but instead an Application
  def render("user.json", %{user: %{nickname: nil} = user}) do
-    {:ok, user} = WebFinger.ensure_keys_present(user)
-    {:ok, _, public_key} = Salmon.keys_from_pem(user.info.keys)
+    {:ok, user} = User.ensure_keys_present(user)
+    {:ok, _, public_key} = Keys.keys_from_pem(user.info.keys)
    public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
    public_key = :public_key.pem_encode([public_key])

@ -62,13 +61,18 @@ defmodule Pleroma.Web.ActivityPub.UserView do
  end

  def render("user.json", %{user: user}) do
-    {:ok, user} = WebFinger.ensure_keys_present(user)
-    {:ok, _, public_key} = Salmon.keys_from_pem(user.info.keys)
+    {:ok, user} = User.ensure_keys_present(user)
+    {:ok, _, public_key} = Keys.keys_from_pem(user.info.keys)
    public_key = :public_key.pem_entry_encode(:SubjectPublicKeyInfo, public_key)
    public_key = :public_key.pem_encode([public_key])

    endpoints = render("endpoints.json", %{user: user})

+    user_tags =
+      user
+      |> Transmogrifier.add_emoji_tags()
+      |> Map.get("tag", [])
+
    %{
      "id" => user.ap_id,
      "type" => "Person",
@ -87,7 +91,7 @@ defmodule Pleroma.Web.ActivityPub.UserView do
        "publicKeyPem" => public_key
      },
      "endpoints" => endpoints,
-      "tag" => user.info.source_data["tag"] || []
+      "tag" => (user.info.source_data["tag"] || []) ++ user_tags
    }
    |> Map.merge(maybe_make_image(&User.avatar_url/2, "icon", user))
    |> Map.merge(maybe_make_image(&User.banner_url/2, "image", user))
--- a/lib/pleroma/web/activity_pub/visibility.ex
+++ b/lib/pleroma/web/activity_pub/visibility.ex
@ -1,6 +1,7 @@
 defmodule Pleroma.Web.ActivityPub.Visibility do
  alias Pleroma.Activity
  alias Pleroma.Object
+  alias Pleroma.Repo
  alias Pleroma.User

  def is_public?(%Object{data: %{"type" => "Tombstone"}}), do: false
@ -13,11 +14,12 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
  end

  def is_private?(activity) do
-    unless is_public?(activity) do
-      follower_address = User.get_cached_by_ap_id(activity.data["actor"]).follower_address
-      Enum.any?(activity.data["to"], &(&1 == follower_address))
+    with false <- is_public?(activity),
+         %User{follower_address: follower_address} <-
+           User.get_cached_by_ap_id(activity.data["actor"]) do
+      follower_address in activity.data["to"]
    else
-      false
+      _ -> false
    end
  end

@ -38,24 +40,40 @@ defmodule Pleroma.Web.ActivityPub.Visibility do
    visible_for_user?(activity, nil) || Enum.any?(x, &(&1 in y))
  end

-  # guard
-  def entire_thread_visible_for_user?(nil, _user), do: false
+  def entire_thread_visible_for_user?(%Activity{} = activity, %User{} = user) do
+    {:ok, %{rows: [[result]]}} =
+      Ecto.Adapters.SQL.query(Repo, "SELECT thread_visibility($1, $2)", [
+        user.ap_id,
+        activity.data["id"]
+      ])

-  # XXX: Probably even more inefficient than the previous implementation intended to be a placeholder untill https://git.pleroma.social/pleroma/pleroma/merge_requests/971 is in develop
-  # credo:disable-for-previous-line Credo.Check.Readability.MaxLineLength
+    result
+  end

-  def entire_thread_visible_for_user?(
-        %Activity{} = tail,
-        # %Activity{data: %{"object" => %{"inReplyTo" => parent_id}}} = tail,
-        user
-      ) do
-    case Object.normalize(tail) do
-      %{data: %{"inReplyTo" => parent_id}} when is_binary(parent_id) ->
-        parent = Activity.get_in_reply_to_activity(tail)
-        visible_for_user?(tail, user) && entire_thread_visible_for_user?(parent, user)
+  def get_visibility(object) do
+    public = "https://www.w3.org/ns/activitystreams#Public"
+    to = object.data["to"] || []
+    cc = object.data["cc"] || []

-      _ ->
-        visible_for_user?(tail, user)
+    cond do
+      public in to ->
+        "public"
+
+      public in cc ->
+        "unlisted"
+
+      # this should use the sql for the object's activity
+      Enum.any?(to, &String.contains?(&1, "/followers")) ->
+        "private"
+
+      object.data["directMessage"] == true ->
+        "direct"
+
+      length(cc) > 0 ->
+        "private"
+
+      true ->
+        "direct"
    end
  end
 end
--- a/lib/pleroma/web/admin_api/admin_api_controller.ex
+++ b/lib/pleroma/web/admin_api/admin_api_controller.ex
@ -4,11 +4,16 @@

 defmodule Pleroma.Web.AdminAPI.AdminAPIController do
  use Pleroma.Web, :controller
+  alias Pleroma.Activity
  alias Pleroma.User
  alias Pleroma.UserInviteToken
+  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Relay
  alias Pleroma.Web.AdminAPI.AccountView
+  alias Pleroma.Web.AdminAPI.ReportView
  alias Pleroma.Web.AdminAPI.Search
+  alias Pleroma.Web.CommonAPI
+  alias Pleroma.Web.MastodonAPI.StatusView

  import Pleroma.Web.ControllerHelper, only: [json_response: 3]

@ -59,7 +64,7 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
      bio: "."
    }

-    changeset = User.register_changeset(%User{}, user_data, confirmed: true)
+    changeset = User.register_changeset(%User{}, user_data, need_confirmation: false)
    {:ok, user} = User.register(changeset)

    conn
@ -101,7 +106,10 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
    search_params = %{
      query: params["query"],
      page: page,
-      page_size: page_size
+      page_size: page_size,
+      tags: params["tags"],
+      name: params["name"],
+      email: params["email"]
    }

    with {:ok, users, count} <- Search.user(Map.merge(search_params, filters)),
@ -116,11 +124,11 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
           )
  end

-  @filters ~w(local external active deactivated)
-
-  defp maybe_parse_filters(filters) when is_nil(filters) or filters == "", do: %{}
+  @filters ~w(local external active deactivated is_admin is_moderator)

  @spec maybe_parse_filters(String.t()) :: %{required(String.t()) => true} | %{}
+  defp maybe_parse_filters(filters) when is_nil(filters) or filters == "", do: %{}
+
  defp maybe_parse_filters(filters) do
    filters
    |> String.split(",")
@ -284,12 +292,88 @@ defmodule Pleroma.Web.AdminAPI.AdminAPIController do
    |> json(token.token)
  end

+  def list_reports(conn, params) do
+    params =
+      params
+      |> Map.put("type", "Flag")
+      |> Map.put("skip_preload", true)
+
+    reports =
+      []
+      |> ActivityPub.fetch_activities(params)
+      |> Enum.reverse()
+
+    conn
+    |> put_view(ReportView)
+    |> render("index.json", %{reports: reports})
+  end
+
+  def report_show(conn, %{"id" => id}) do
+    with %Activity{} = report <- Activity.get_by_id(id) do
+      conn
+      |> put_view(ReportView)
+      |> render("show.json", %{report: report})
+    else
+      _ -> {:error, :not_found}
+    end
+  end
+
+  def report_update_state(conn, %{"id" => id, "state" => state}) do
+    with {:ok, report} <- CommonAPI.update_report_state(id, state) do
+      conn
+      |> put_view(ReportView)
+      |> render("show.json", %{report: report})
+    end
+  end
+
+  def report_respond(%{assigns: %{user: user}} = conn, %{"id" => id} = params) do
+    with false <- is_nil(params["status"]),
+         %Activity{} <- Activity.get_by_id(id) do
+      params =
+        params
+        |> Map.put("in_reply_to_status_id", id)
+        |> Map.put("visibility", "direct")
+
+      {:ok, activity} = CommonAPI.post(user, params)
+
+      conn
+      |> put_view(StatusView)
+      |> render("status.json", %{activity: activity})
+    else
+      true ->
+        {:param_cast, nil}
+
+      nil ->
+        {:error, :not_found}
+    end
+  end
+
+  def status_update(conn, %{"id" => id} = params) do
+    with {:ok, activity} <- CommonAPI.update_activity_scope(id, params) do
+      conn
+      |> put_view(StatusView)
+      |> render("status.json", %{activity: activity})
+    end
+  end
+
+  def status_delete(%{assigns: %{user: user}} = conn, %{"id" => id}) do
+    with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do
+      json(conn, %{})
+    end
+  end
+
  def errors(conn, {:error, :not_found}) do
    conn
    |> put_status(404)
    |> json("Not found")
  end

+  def errors(conn, {:error, reason}) do
+    conn
+    |> put_status(400)
+    |> json(reason)
+  end
+
  def errors(conn, {:param_cast, _}) do
    conn
    |> put_status(400)
--- a/lib/pleroma/web/admin_api/search.ex
+++ b/lib/pleroma/web/admin_api/search.ex
@ -10,45 +10,23 @@ defmodule Pleroma.Web.AdminAPI.Search do

  @page_size 50

-  def user(%{query: term} = params) when is_nil(term) or term == "" do
-    query = maybe_filtered_query(params)
+  defmacro not_empty_string(string) do
+    quote do
+      is_binary(unquote(string)) and unquote(string) != ""
+    end
+  end
+
+  @spec user(map()) :: {:ok, [User.t()], pos_integer()}
+  def user(params \\ %{}) do
+    query = User.Query.build(params) |> order_by([u], u.nickname)

    paginated_query =
-      maybe_filtered_query(params)
-      |> paginate(params[:page] || 1, params[:page_size] || @page_size)
+      User.Query.paginate(query, params[:page] || 1, params[:page_size] || @page_size)

-    count = query |> Repo.aggregate(:count, :id)
+    count = Repo.aggregate(query, :count, :id)

    results = Repo.all(paginated_query)

    {:ok, results, count}
  end
-
-  def user(%{query: term} = params) when is_binary(term) do
-    search_query = from(u in maybe_filtered_query(params), where: ilike(u.nickname, ^"%#{term}%"))
-
-    count = search_query |> Repo.aggregate(:count, :id)
-
-    results =
-      search_query
-      |> paginate(params[:page] || 1, params[:page_size] || @page_size)
-      |> Repo.all()
-
-    {:ok, results, count}
-  end
-
-  defp maybe_filtered_query(params) do
-    from(u in User, order_by: u.nickname)
-    |> User.maybe_local_user_query(params[:local])
-    |> User.maybe_external_user_query(params[:external])
-    |> User.maybe_active_user_query(params[:active])
-    |> User.maybe_deactivated_user_query(params[:deactivated])
-  end
-
-  defp paginate(query, page, page_size) do
-    from(u in query,
-      limit: ^page_size,
-      offset: ^((page - 1) * page_size)
-    )
-  end
 end
--- a/lib/pleroma/web/admin_api/views/report_view.ex
+++ b/lib/pleroma/web/admin_api/views/report_view.ex
@ -0,0 +1,41 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.AdminAPI.ReportView do
+  use Pleroma.Web, :view
+  alias Pleroma.Activity
+  alias Pleroma.User
+  alias Pleroma.Web.CommonAPI.Utils
+  alias Pleroma.Web.MastodonAPI.AccountView
+  alias Pleroma.Web.MastodonAPI.StatusView
+
+  def render("index.json", %{reports: reports}) do
+    %{
+      reports: render_many(reports, __MODULE__, "show.json", as: :report)
+    }
+  end
+
+  def render("show.json", %{report: report}) do
+    user = User.get_cached_by_ap_id(report.data["actor"])
+    created_at = Utils.to_masto_date(report.data["published"])
+
+    [account_ap_id | status_ap_ids] = report.data["object"]
+    account = User.get_cached_by_ap_id(account_ap_id)
+
+    statuses =
+      Enum.map(status_ap_ids, fn ap_id ->
+        Activity.get_by_ap_id_with_object(ap_id)
+      end)
+
+    %{
+      id: report.id,
+      account: AccountView.render("account.json", %{user: account}),
+      actor: AccountView.render("account.json", %{user: user}),
+      content: report.data["content"],
+      created_at: created_at,
+      statuses: StatusView.render("index.json", %{activities: statuses, as: :activity}),
+      state: report.data["state"]
+    }
+  end
+end
--- a/lib/pleroma/web/auth/authenticator.ex
+++ b/lib/pleroma/web/auth/authenticator.ex
@ -42,4 +42,30 @@ defmodule Pleroma.Web.Auth.Authenticator do
    implementation().oauth_consumer_template() ||
      Pleroma.Config.get([:auth, :oauth_consumer_template], "consumer.html")
  end
+
+  @doc "Gets user by nickname or email for auth."
+  @spec fetch_user(String.t()) :: User.t() | nil
+  def fetch_user(name) do
+    User.get_by_nickname_or_email(name)
+  end
+
+  # Gets name and password from conn
+  #
+  @spec fetch_credentials(Plug.Conn.t() | map()) ::
+          {:ok, {name :: any, password :: any}} | {:error, :invalid_credentials}
+  def fetch_credentials(%Plug.Conn{params: params} = _),
+    do: fetch_credentials(params)
+
+  def fetch_credentials(params) do
+    case params do
+      %{"authorization" => %{"name" => name, "password" => password}} ->
+        {:ok, {name, password}}
+
+      %{"grant_type" => "password", "username" => name, "password" => password} ->
+        {:ok, {name, password}}
+
+      _ ->
+        {:error, :invalid_credentials}
+    end
+  end
 end
--- a/lib/pleroma/web/auth/ldap_authenticator.ex
+++ b/lib/pleroma/web/auth/ldap_authenticator.ex
@ -7,6 +7,9 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do

  require Logger

+  import Pleroma.Web.Auth.Authenticator,
+    only: [fetch_credentials: 1, fetch_user: 1]
+
  @behaviour Pleroma.Web.Auth.Authenticator
  @base Pleroma.Web.Auth.PleromaAuthenticator

@ -20,30 +23,20 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do
  defdelegate oauth_consumer_template, to: @base

  def get_user(%Plug.Conn{} = conn) do
-    if Pleroma.Config.get([:ldap, :enabled]) do
-      {name, password} =
-        case conn.params do
-          %{"authorization" => %{"name" => name, "password" => password}} ->
-            {name, password}
-
-          %{"grant_type" => "password", "username" => name, "password" => password} ->
-            {name, password}
-        end
-
-      case ldap_user(name, password) do
-        %User{} = user ->
-          {:ok, user}
-
-        {:error, {:ldap_connection_error, _}} ->
-          # When LDAP is unavailable, try default authenticator
-          @base.get_user(conn)
-
-        error ->
-          error
-      end
+    with {:ldap, true} <- {:ldap, Pleroma.Config.get([:ldap, :enabled])},
+         {:ok, {name, password}} <- fetch_credentials(conn),
+         %User{} = user <- ldap_user(name, password) do
+      {:ok, user}
    else
-      # Fall back to default authenticator
-      @base.get_user(conn)
+      {:error, {:ldap_connection_error, _}} ->
+        # When LDAP is unavailable, try default authenticator
+        @base.get_user(conn)
+
+      {:ldap, _} ->
+        @base.get_user(conn)
+
+      error ->
+        error
    end
  end

@ -94,7 +87,7 @@ defmodule Pleroma.Web.Auth.LDAPAuthenticator do

    case :eldap.simple_bind(connection, "#{uid}=#{name},#{base}", password) do
      :ok ->
-        case User.get_by_nickname_or_email(name) do
+        case fetch_user(name) do
          %User{} = user ->
            user

--- a/lib/pleroma/web/auth/pleroma_authenticator.ex
+++ b/lib/pleroma/web/auth/pleroma_authenticator.ex
@ -8,19 +8,14 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
  alias Pleroma.Repo
  alias Pleroma.User

+  import Pleroma.Web.Auth.Authenticator,
+    only: [fetch_credentials: 1, fetch_user: 1]
+
  @behaviour Pleroma.Web.Auth.Authenticator

  def get_user(%Plug.Conn{} = conn) do
-    {name, password} =
-      case conn.params do
-        %{"authorization" => %{"name" => name, "password" => password}} ->
-          {name, password}
-
-        %{"grant_type" => "password", "username" => name, "password" => password} ->
-          {name, password}
-      end
-
-    with {_, %User{} = user} <- {:user, User.get_by_nickname_or_email(name)},
+    with {:ok, {name, password}} <- fetch_credentials(conn),
+         {_, %User{} = user} <- {:user, fetch_user(name)},
         {_, true} <- {:checkpw, Pbkdf2.checkpw(password, user.password_hash)} do
      {:ok, user}
    else
@ -79,7 +74,7 @@ defmodule Pleroma.Web.Auth.PleromaAuthenticator do
               password_confirmation: random_password
             },
             external: true,
-             confirmed: true
+             need_confirmation: false
           )
           |> Repo.insert(),
         {:ok, _} <-
--- a/lib/pleroma/web/common_api/common_api.ex
+++ b/lib/pleroma/web/common_api/common_api.ex
@ -71,6 +71,9 @@ defmodule Pleroma.Web.CommonAPI do
         {:ok, _} <- unpin(activity_id, user),
         {:ok, delete} <- ActivityPub.delete(object) do
      {:ok, delete}
+    else
+      _ ->
+        {:error, "Could not delete"}
    end
  end

@ -116,32 +119,81 @@ defmodule Pleroma.Web.CommonAPI do
    end
  end

-  def get_visibility(%{"visibility" => visibility})
-      when visibility in ~w{public unlisted private direct},
-      do: visibility
+  def vote(user, object, choices) do
+    with "Question" <- object.data["type"],
+         {:author, false} <- {:author, object.data["actor"] == user.ap_id},
+         {:existing_votes, []} <- {:existing_votes, Utils.get_existing_votes(user.ap_id, object)},
+         {options, max_count} <- get_options_and_max_count(object),
+         option_count <- Enum.count(options),
+         {:choice_check, {choices, true}} <-
+           {:choice_check, normalize_and_validate_choice_indices(choices, option_count)},
+         {:count_check, true} <- {:count_check, Enum.count(choices) <= max_count} do
+      answer_activities =
+        Enum.map(choices, fn index ->
+          answer_data = make_answer_data(user, object, Enum.at(options, index)["name"])

-  def get_visibility(%{"in_reply_to_status_id" => status_id}) when not is_nil(status_id) do
-    case get_replied_to_activity(status_id) do
-      nil ->
-        "public"
+          ActivityPub.create(%{
+            to: answer_data["to"],
+            actor: user,
+            context: object.data["context"],
+            object: answer_data,
+            additional: %{"cc" => answer_data["cc"]}
+          })
+        end)

-      in_reply_to ->
-        # XXX: these heuristics should be moved out of MastodonAPI.
-        with %Object{} = object <- Object.normalize(in_reply_to) do
-          Pleroma.Web.MastodonAPI.StatusView.get_visibility(object)
-        end
+      object = Object.get_cached_by_ap_id(object.data["id"])
+      {:ok, answer_activities, object}
+    else
+      {:author, _} -> {:error, "Poll's author can't vote"}
+      {:existing_votes, _} -> {:error, "Already voted"}
+      {:choice_check, {_, false}} -> {:error, "Invalid indices"}
+      {:count_check, false} -> {:error, "Too many choices"}
    end
  end

-  def get_visibility(_), do: "public"
+  defp get_options_and_max_count(object) do
+    if Map.has_key?(object.data, "anyOf") do
+      {object.data["anyOf"], Enum.count(object.data["anyOf"])}
+    else
+      {object.data["oneOf"], 1}
+    end
+  end
+
+  defp normalize_and_validate_choice_indices(choices, count) do
+    Enum.map_reduce(choices, true, fn index, valid ->
+      index = if is_binary(index), do: String.to_integer(index), else: index
+      {index, if(valid, do: index < count, else: valid)}
+    end)
+  end
+
+  def get_visibility(%{"visibility" => visibility}, in_reply_to)
+      when visibility in ~w{public unlisted private direct},
+      do: {visibility, get_replied_to_visibility(in_reply_to)}
+
+  def get_visibility(_, in_reply_to) when not is_nil(in_reply_to) do
+    visibility = get_replied_to_visibility(in_reply_to)
+    {visibility, visibility}
+  end
+
+  def get_visibility(_, in_reply_to), do: {"public", get_replied_to_visibility(in_reply_to)}
+
+  def get_replied_to_visibility(nil), do: nil
+
+  def get_replied_to_visibility(activity) do
+    with %Object{} = object <- Object.normalize(activity) do
+      Pleroma.Web.ActivityPub.Visibility.get_visibility(object)
+    end
+  end

  def post(user, %{"status" => status} = data) do
-    visibility = get_visibility(data)
    limit = Pleroma.Config.get([:instance, :limit])

    with status <- String.trim(status),
         attachments <- attachments_from_ids(data),
         in_reply_to <- get_replied_to_activity(data["in_reply_to_status_id"]),
+         {visibility, in_reply_to_visibility} <- get_visibility(data, in_reply_to),
+         {_, false} <-
+           {:private_to_public, in_reply_to_visibility == "direct" && visibility != "direct"},
         {content_html, mentions, tags} <-
           make_content_html(
             status,
@ -149,10 +201,12 @@ defmodule Pleroma.Web.CommonAPI do
             data,
             visibility
           ),
+         {poll, poll_emoji} <- make_poll_data(data),
         {to, cc} <- to_for_user_and_mentions(user, mentions, in_reply_to, visibility),
         context <- make_context(in_reply_to),
-         cw <- data["spoiler_text"],
-         full_payload <- String.trim(status <> (data["spoiler_text"] || "")),
+         cw <- data["spoiler_text"] || "",
+         sensitive <- data["sensitive"] || Enum.member?(tags, {"#nsfw", "nsfw"}),
+         full_payload <- String.trim(status <> cw),
         length when length in 1..limit <- String.length(full_payload),
         object <-
           make_note_data(
@ -164,16 +218,15 @@ defmodule Pleroma.Web.CommonAPI do
             in_reply_to,
             tags,
             cw,
-             cc
+             cc,
+             sensitive,
+             poll
           ),
         object <-
           Map.put(
             object,
             "emoji",
-             (Formatter.get_emoji(status) ++ Formatter.get_emoji(data["spoiler_text"]))
-             |> Enum.reduce(%{}, fn {name, file, _}, acc ->
-               Map.put(acc, name, "#{Pleroma.Web.Endpoint.static_url()}#{file}")
-             end)
+             Map.merge(Formatter.get_emoji_map(full_payload), poll_emoji)
           ) do
      res =
        ActivityPub.create(
@ -188,6 +241,8 @@ defmodule Pleroma.Web.CommonAPI do
        )

      res
+    else
+      e -> {:error, e}
    end
  end

@ -196,7 +251,7 @@ defmodule Pleroma.Web.CommonAPI do
    user =
      with emoji <- emoji_from_profile(user),
           source_data <- (user.info.source_data || %{}) |> Map.put("tag", emoji),
-           info_cng <- Pleroma.User.Info.set_source_data(user.info, source_data),
+           info_cng <- User.Info.set_source_data(user.info, source_data),
           change <- Ecto.Changeset.change(user) |> Ecto.Changeset.put_embed(:info, info_cng),
           {:ok, user} <- User.update_and_set_cache(change) do
        user
@ -229,7 +284,7 @@ defmodule Pleroma.Web.CommonAPI do
         } = activity <- get_by_id_or_ap_id(id_or_ap_id),
         true <- Enum.member?(object_to, "https://www.w3.org/ns/activitystreams#Public"),
         %{valid?: true} = info_changeset <-
-           Pleroma.User.Info.add_pinnned_activity(user.info, activity),
+           User.Info.add_pinnned_activity(user.info, activity),
         changeset <-
           Ecto.Changeset.change(user) |> Ecto.Changeset.put_embed(:info, info_changeset),
         {:ok, _user} <- User.update_and_set_cache(changeset) do
@ -246,7 +301,7 @@ defmodule Pleroma.Web.CommonAPI do
  def unpin(id_or_ap_id, user) do
    with %Activity{} = activity <- get_by_id_or_ap_id(id_or_ap_id),
         %{valid?: true} = info_changeset <-
-           Pleroma.User.Info.remove_pinnned_activity(user.info, activity),
+           User.Info.remove_pinnned_activity(user.info, activity),
         changeset <-
           Ecto.Changeset.change(user) |> Ecto.Changeset.put_embed(:info, info_changeset),
         {:ok, _user} <- User.update_and_set_cache(changeset) do
@ -314,6 +369,60 @@ defmodule Pleroma.Web.CommonAPI do
    end
  end

+  def update_report_state(activity_id, state) do
+    with %Activity{} = activity <- Activity.get_by_id(activity_id),
+         {:ok, activity} <- Utils.update_report_state(activity, state) do
+      {:ok, activity}
+    else
+      nil ->
+        {:error, :not_found}
+
+      {:error, reason} ->
+        {:error, reason}
+
+      _ ->
+        {:error, "Could not update state"}
+    end
+  end
+
+  def update_activity_scope(activity_id, opts \\ %{}) do
+    with %Activity{} = activity <- Activity.get_by_id_with_object(activity_id),
+         {:ok, activity} <- toggle_sensitive(activity, opts),
+         {:ok, activity} <- set_visibility(activity, opts) do
+      {:ok, activity}
+    else
+      nil ->
+        {:error, :not_found}
+
+      {:error, reason} ->
+        {:error, reason}
+    end
+  end
+
+  defp toggle_sensitive(activity, %{"sensitive" => sensitive}) when sensitive in ~w(true false) do
+    toggle_sensitive(activity, %{"sensitive" => String.to_existing_atom(sensitive)})
+  end
+
+  defp toggle_sensitive(%Activity{object: object} = activity, %{"sensitive" => sensitive})
+       when is_boolean(sensitive) do
+    new_data = Map.put(object.data, "sensitive", sensitive)
+
+    {:ok, object} =
+      object
+      |> Object.change(%{data: new_data})
+      |> Object.update_and_set_cache()
+
+    {:ok, Map.put(activity, :object, object)}
+  end
+
+  defp toggle_sensitive(activity, _), do: {:ok, activity}
+
+  defp set_visibility(activity, %{"visibility" => visibility}) do
+    Utils.update_activity_visibility(activity, visibility)
+  end
+
+  defp set_visibility(activity, _), do: {:ok, activity}
+
  def hide_reblogs(user, muted) do
    ap_id = muted.ap_id

--- a/lib/pleroma/web/common_api/utils.ex
+++ b/lib/pleroma/web/common_api/utils.ex
@ -102,6 +102,72 @@ defmodule Pleroma.Web.CommonAPI.Utils do
    end
  end

+  def make_poll_data(%{"poll" => %{"options" => options, "expires_in" => expires_in}} = data)
+      when is_list(options) do
+    %{max_expiration: max_expiration, min_expiration: min_expiration} =
+      limits = Pleroma.Config.get([:instance, :poll_limits])
+
+    # XXX: There is probably a cleaner way of doing this
+    try do
+      # In some cases mastofe sends out strings instead of integers
+      expires_in = if is_binary(expires_in), do: String.to_integer(expires_in), else: expires_in
+
+      if Enum.count(options) > limits.max_options do
+        raise ArgumentError, message: "Poll can't contain more than #{limits.max_options} options"
+      end
+
+      {poll, emoji} =
+        Enum.map_reduce(options, %{}, fn option, emoji ->
+          if String.length(option) > limits.max_option_chars do
+            raise ArgumentError,
+              message:
+                "Poll options cannot be longer than #{limits.max_option_chars} characters each"
+          end
+
+          {%{
+             "name" => option,
+             "type" => "Note",
+             "replies" => %{"type" => "Collection", "totalItems" => 0}
+           }, Map.merge(emoji, Formatter.get_emoji_map(option))}
+        end)
+
+      case expires_in do
+        expires_in when expires_in > max_expiration ->
+          raise ArgumentError, message: "Expiration date is too far in the future"
+
+        expires_in when expires_in < min_expiration ->
+          raise ArgumentError, message: "Expiration date is too soon"
+
+        _ ->
+          :noop
+      end
+
+      end_time =
+        NaiveDateTime.utc_now()
+        |> NaiveDateTime.add(expires_in)
+        |> NaiveDateTime.to_iso8601()
+
+      poll =
+        if Pleroma.Web.ControllerHelper.truthy_param?(data["poll"]["multiple"]) do
+          %{"type" => "Question", "anyOf" => poll, "closed" => end_time}
+        else
+          %{"type" => "Question", "oneOf" => poll, "closed" => end_time}
+        end
+
+      {poll, emoji}
+    rescue
+      e in ArgumentError -> e.message
+    end
+  end
+
+  def make_poll_data(%{"poll" => poll}) when is_map(poll) do
+    "Invalid poll"
+  end
+
+  def make_poll_data(_data) do
+    {%{}, %{}}
+  end
+
  def make_content_html(
        status,
        attachments,
@ -223,7 +289,9 @@ defmodule Pleroma.Web.CommonAPI.Utils do
        in_reply_to,
        tags,
        cw \\ nil,
-        cc \\ []
+        cc \\ [],
+        sensitive \\ false,
+        merge \\ %{}
      ) do
    object = %{
      "type" => "Note",
@ -231,20 +299,22 @@ defmodule Pleroma.Web.CommonAPI.Utils do
      "cc" => cc,
      "content" => content_html,
      "summary" => cw,
+      "sensitive" => !Enum.member?(["false", "False", "0", false], sensitive),
      "context" => context,
      "attachment" => attachments,
      "actor" => actor,
      "tag" => tags |> Enum.map(fn {_, tag} -> tag end) |> Enum.uniq()
    }

-    if in_reply_to do
-      in_reply_to_object = Object.normalize(in_reply_to)
+    object =
+      with false <- is_nil(in_reply_to),
+           %Object{} = in_reply_to_object <- Object.normalize(in_reply_to) do
+        Map.put(object, "inReplyTo", in_reply_to_object.data["id"])
+      else
+        _ -> object
+      end

-      object
-      |> Map.put("inReplyTo", in_reply_to_object.data["id"])
-    else
-      object
-    end
+    Map.merge(object, merge)
  end

  def format_naive_asctime(date) do
@ -421,4 +491,15 @@ defmodule Pleroma.Web.CommonAPI.Utils do
        {:error, "No such conversation"}
    end
  end
+
+  def make_answer_data(%User{ap_id: ap_id}, object, name) do
+    %{
+      "type" => "Answer",
+      "actor" => ap_id,
+      "cc" => [object.data["actor"]],
+      "to" => [],
+      "name" => name,
+      "inReplyTo" => object.data["id"]
+    }
+  end
 end
--- a/lib/pleroma/web/controller_helper.ex
+++ b/lib/pleroma/web/controller_helper.ex
@ -10,12 +10,6 @@ defmodule Pleroma.Web.ControllerHelper do
  def truthy_param?(blank_value) when blank_value in [nil, ""], do: nil
  def truthy_param?(value), do: value not in @falsy_param_values

-  def oauth_scopes(params, default) do
-    # Note: `scopes` is used by Mastodon — supporting it but sticking to
-    # OAuth's standard `scope` wherever we control it
-    Pleroma.Web.OAuth.parse_scopes(params["scope"] || params["scopes"], default)
-  end
-
  def json_response(conn, status, json) do
    conn
    |> put_status(status)
--- a/lib/pleroma/web/endpoint.ex
+++ b/lib/pleroma/web/endpoint.ex
@ -16,17 +16,39 @@ defmodule Pleroma.Web.Endpoint do

  plug(Pleroma.Plugs.UploadedMedia)

+  @static_cache_control "public, no-cache"
+
  # InstanceStatic needs to be before Plug.Static to be able to override shipped-static files
  # If you're adding new paths to `only:` you'll need to configure them in InstanceStatic as well
-  plug(Pleroma.Plugs.InstanceStatic, at: "/")
+  # Cache-control headers are duplicated in case we turn off etags in the future
+  plug(Pleroma.Plugs.InstanceStatic,
+    at: "/",
+    gzip: true,
+    cache_control_for_etags: @static_cache_control,
+    headers: %{
+      "cache-control" => @static_cache_control
+    }
+  )

  plug(
    Plug.Static,
    at: "/",
    from: :pleroma,
    only:
-      ~w(index.html robots.txt static finmoji emoji packs sounds images instance sw.js sw-pleroma.js favicon.png schemas doc)
+      ~w(index.html robots.txt static finmoji emoji packs sounds images instance sw.js sw-pleroma.js favicon.png schemas doc),
    # credo:disable-for-previous-line Credo.Check.Readability.MaxLineLength
+    gzip: true,
+    cache_control_for_etags: @static_cache_control,
+    headers: %{
+      "cache-control" => @static_cache_control
+    }
+  )
+
+  plug(Plug.Static.IndexHtml, at: "/pleroma/admin/")
+
+  plug(Plug.Static,
+    at: "/pleroma/admin/",
+    from: {:pleroma, "priv/static/adminfe/"}
  )

  # Code reloading can be explicitly enabled under the
@ -44,7 +66,7 @@ defmodule Pleroma.Web.Endpoint do
    parsers: [:urlencoded, :multipart, :json],
    pass: ["*/*"],
    json_decoder: Jason,
-    length: Application.get_env(:pleroma, :instance) |> Keyword.get(:upload_limit),
+    length: Pleroma.Config.get([:instance, :upload_limit]),
    body_reader: {Pleroma.Web.Plugs.DigestPlug, :read_body, []}
  )

--- a/lib/pleroma/web/federator/federator.ex
+++ b/lib/pleroma/web/federator/federator.ex
@ -7,21 +7,15 @@ defmodule Pleroma.Web.Federator do
  alias Pleroma.Object.Containment
  alias Pleroma.User
  alias Pleroma.Web.ActivityPub.ActivityPub
-  alias Pleroma.Web.ActivityPub.Relay
  alias Pleroma.Web.ActivityPub.Transmogrifier
  alias Pleroma.Web.ActivityPub.Utils
-  alias Pleroma.Web.ActivityPub.Visibility
+  alias Pleroma.Web.Federator.Publisher
  alias Pleroma.Web.Federator.RetryQueue
  alias Pleroma.Web.OStatus
-  alias Pleroma.Web.Salmon
-  alias Pleroma.Web.WebFinger
  alias Pleroma.Web.Websub

  require Logger

-  @websub Application.get_env(:pleroma, :websub)
-  @ostatus Application.get_env(:pleroma, :ostatus)
-
  def init do
    # 1 minute
    Process.sleep(1000 * 60)
@ -42,14 +36,6 @@ defmodule Pleroma.Web.Federator do
    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish, activity], priority)
  end

-  def publish_single_ap(params) do
-    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish_single_ap, params])
-  end
-
-  def publish_single_websub(websub) do
-    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish_single_websub, websub])
-  end
-
  def verify_websub(websub) do
    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:verify_websub, websub])
  end
@ -62,10 +48,6 @@ defmodule Pleroma.Web.Federator do
    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:refresh_subscriptions])
  end

-  def publish_single_salmon(params) do
-    PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish_single_salmon, params])
-  end
-
  # Job Worker Callbacks

  def perform(:refresh_subscriptions) do
@ -92,26 +74,9 @@ defmodule Pleroma.Web.Federator do
  def perform(:publish, activity) do
    Logger.debug(fn -> "Running publish for #{activity.data["id"]}" end)

-    with actor when not is_nil(actor) <- User.get_cached_by_ap_id(activity.data["actor"]) do
-      {:ok, actor} = WebFinger.ensure_keys_present(actor)
-
-      if Visibility.is_public?(activity) do
-        if OStatus.is_representable?(activity) do
-          Logger.info(fn -> "Sending #{activity.data["id"]} out via WebSub" end)
-          Websub.publish(Pleroma.Web.OStatus.feed_path(actor), actor, activity)
-
-          Logger.info(fn -> "Sending #{activity.data["id"]} out via Salmon" end)
-          Pleroma.Web.Salmon.publish(actor, activity)
-        end
-
-        if Keyword.get(Application.get_env(:pleroma, :instance), :allow_relay) do
-          Logger.info(fn -> "Relaying #{activity.data["id"]} out" end)
-          Relay.publish(activity)
-        end
-      end
-
-      Logger.info(fn -> "Sending #{activity.data["id"]} out via AP" end)
-      Pleroma.Web.ActivityPub.ActivityPub.publish(actor, activity)
+    with %User{} = actor <- User.get_cached_by_ap_id(activity.data["actor"]),
+         {:ok, actor} <- User.ensure_keys_present(actor) do
+      Publisher.publish(actor, activity)
    end
  end

@ -120,12 +85,12 @@ defmodule Pleroma.Web.Federator do
      "Running WebSub verification for #{websub.id} (#{websub.topic}, #{websub.callback})"
    end)

-    @websub.verify(websub)
+    Websub.verify(websub)
  end

  def perform(:incoming_doc, doc) do
    Logger.info("Got document, trying to parse")
-    @ostatus.handle_incoming(doc)
+    OStatus.handle_incoming(doc)
  end

  def perform(:incoming_ap_doc, params) do
@ -148,25 +113,11 @@ defmodule Pleroma.Web.Federator do
      _e ->
        # Just drop those for now
        Logger.info("Unhandled activity")
-        Logger.info(Poison.encode!(params, pretty: 2))
+        Logger.info(Jason.encode!(params, pretty: true))
        :error
    end
  end

-  def perform(:publish_single_salmon, params) do
-    Salmon.send_to_user(params)
-  end
-
-  def perform(:publish_single_ap, params) do
-    case ActivityPub.publish_one(params) do
-      {:ok, _} ->
-        :ok
-
-      {:error, _} ->
-        RetryQueue.enqueue(params, ActivityPub)
-    end
-  end
-
  def perform(
        :publish_single_websub,
        %{xml: _xml, topic: _topic, callback: _callback, secret: _secret} = params
--- a/lib/pleroma/web/federator/publisher.ex
+++ b/lib/pleroma/web/federator/publisher.ex
@ -0,0 +1,95 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.Federator.Publisher do
+  alias Pleroma.Activity
+  alias Pleroma.Config
+  alias Pleroma.User
+  alias Pleroma.Web.Federator.RetryQueue
+
+  require Logger
+
+  @moduledoc """
+  Defines the contract used by federation implementations to publish messages to
+  their peers.
+  """
+
+  @doc """
+  Determine whether an activity can be relayed using the federation module.
+  """
+  @callback is_representable?(Pleroma.Activity.t()) :: boolean()
+
+  @doc """
+  Relays an activity to a specified peer, determined by the parameters.  The
+  parameters used are controlled by the federation module.
+  """
+  @callback publish_one(Map.t()) :: {:ok, Map.t()} | {:error, any()}
+
+  @doc """
+  Enqueue publishing a single activity.
+  """
+  @spec enqueue_one(module(), Map.t()) :: :ok
+  def enqueue_one(module, %{} = params),
+    do: PleromaJobQueue.enqueue(:federator_outgoing, __MODULE__, [:publish_one, module, params])
+
+  @spec perform(atom(), module(), any()) :: {:ok, any()} | {:error, any()}
+  def perform(:publish_one, module, params) do
+    case apply(module, :publish_one, [params]) do
+      {:ok, _} ->
+        :ok
+
+      {:error, _e} ->
+        RetryQueue.enqueue(params, module)
+    end
+  end
+
+  def perform(type, _, _) do
+    Logger.debug("Unknown task: #{type}")
+    {:error, "Don't know what to do with this"}
+  end
+
+  @doc """
+  Relays an activity to all specified peers.
+  """
+  @callback publish(User.t(), Activity.t()) :: :ok | {:error, any()}
+
+  @spec publish(User.t(), Activity.t()) :: :ok
+  def publish(%User{} = user, %Activity{} = activity) do
+    Config.get([:instance, :federation_publisher_modules])
+    |> Enum.each(fn module ->
+      if module.is_representable?(activity) do
+        Logger.info("Publishing #{activity.data["id"]} using #{inspect(module)}")
+        module.publish(user, activity)
+      end
+    end)
+
+    :ok
+  end
+
+  @doc """
+  Gathers links used by an outgoing federation module for WebFinger output.
+  """
+  @callback gather_webfinger_links(User.t()) :: list()
+
+  @spec gather_webfinger_links(User.t()) :: list()
+  def gather_webfinger_links(%User{} = user) do
+    Config.get([:instance, :federation_publisher_modules])
+    |> Enum.reduce([], fn module, links ->
+      links ++ module.gather_webfinger_links(user)
+    end)
+  end
+
+  @doc """
+  Gathers nodeinfo protocol names supported by the federation module.
+  """
+  @callback gather_nodeinfo_protocol_names() :: list()
+
+  @spec gather_nodeinfo_protocol_names() :: list()
+  def gather_nodeinfo_protocol_names do
+    Config.get([:instance, :federation_publisher_modules])
+    |> Enum.reduce([], fn module, links ->
+      links ++ module.gather_nodeinfo_protocol_names()
+    end)
+  end
+end
--- a/lib/pleroma/web/http_signatures/http_signatures.ex
+++ b/lib/pleroma/web/http_signatures/http_signatures.ex
@ -1,91 +0,0 @@
-# Pleroma: A lightweight social networking server
-# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
-# SPDX-License-Identifier: AGPL-3.0-only
-
-# https://tools.ietf.org/html/draft-cavage-http-signatures-08
-defmodule Pleroma.Web.HTTPSignatures do
-  alias Pleroma.User
-  alias Pleroma.Web.ActivityPub.ActivityPub
-  alias Pleroma.Web.ActivityPub.Utils
-
-  require Logger
-
-  def split_signature(sig) do
-    default = %{"headers" => "date"}
-
-    sig =
-      sig
-      |> String.trim()
-      |> String.split(",")
-      |> Enum.reduce(default, fn part, acc ->
-        [key | rest] = String.split(part, "=")
-        value = Enum.join(rest, "=")
-        Map.put(acc, key, String.trim(value, "\""))
-      end)
-
-    Map.put(sig, "headers", String.split(sig["headers"], ~r/\s/))
-  end
-
-  def validate(headers, signature, public_key) do
-    sigstring = build_signing_string(headers, signature["headers"])
-    Logger.debug("Signature: #{signature["signature"]}")
-    Logger.debug("Sigstring: #{sigstring}")
-    {:ok, sig} = Base.decode64(signature["signature"])
-    :public_key.verify(sigstring, :sha256, sig, public_key)
-  end
-
-  def validate_conn(conn) do
-    # TODO: How to get the right key and see if it is actually valid for that request.
-    # For now, fetch the key for the actor.
-    with actor_id <- Utils.get_ap_id(conn.params["actor"]),
-         {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
-      if validate_conn(conn, public_key) do
-        true
-      else
-        Logger.debug("Could not validate, re-fetching user and trying one more time")
-        # Fetch user anew and try one more time
-        with actor_id <- Utils.get_ap_id(conn.params["actor"]),
-             {:ok, _user} <- ActivityPub.make_user_from_ap_id(actor_id),
-             {:ok, public_key} <- User.get_public_key_for_ap_id(actor_id) do
-          validate_conn(conn, public_key)
-        end
-      end
-    else
-      _e ->
-        Logger.debug("Could not public key!")
-        false
-    end
-  end
-
-  def validate_conn(conn, public_key) do
-    headers = Enum.into(conn.req_headers, %{})
-    signature = split_signature(headers["signature"])
-    validate(headers, signature, public_key)
-  end
-
-  def build_signing_string(headers, used_headers) do
-    used_headers
-    |> Enum.map(fn header -> "#{header}: #{headers[header]}" end)
-    |> Enum.join("\n")
-  end
-
-  def sign(user, headers) do
-    with {:ok, %{info: %{keys: keys}}} <- Pleroma.Web.WebFinger.ensure_keys_present(user),
-         {:ok, private_key, _} = Pleroma.Web.Salmon.keys_from_pem(keys) do
-      sigstring = build_signing_string(headers, Map.keys(headers))
-
-      signature =
-        :public_key.sign(sigstring, :sha256, private_key)
-        |> Base.encode64()
-
-      [
-        keyId: user.ap_id <> "#main-key",
-        algorithm: "rsa-sha256",
-        headers: Map.keys(headers) |> Enum.join(" "),
-        signature: signature
-      ]
-      |> Enum.map(fn {k, v} -> "#{k}=\"#{v}\"" end)
-      |> Enum.join(",")
-    end
-  end
-end
--- a/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
+++ b/lib/pleroma/web/mastodon_api/mastodon_api_controller.ex
@ -8,7 +8,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  alias Pleroma.Activity
  alias Pleroma.Bookmark
  alias Pleroma.Config
+  alias Pleroma.Conversation.Participation
  alias Pleroma.Filter
+  alias Pleroma.Formatter
+  alias Pleroma.HTTP
  alias Pleroma.Notification
  alias Pleroma.Object
  alias Pleroma.Object.Fetcher
@ -23,6 +26,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  alias Pleroma.Web.CommonAPI
  alias Pleroma.Web.MastodonAPI.AccountView
  alias Pleroma.Web.MastodonAPI.AppView
+  alias Pleroma.Web.MastodonAPI.ConversationView
  alias Pleroma.Web.MastodonAPI.FilterView
  alias Pleroma.Web.MastodonAPI.ListView
  alias Pleroma.Web.MastodonAPI.MastodonAPI
@ -34,20 +38,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  alias Pleroma.Web.MediaProxy
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Authorization
+  alias Pleroma.Web.OAuth.Scopes
  alias Pleroma.Web.OAuth.Token
+  alias Pleroma.Web.TwitterAPI.TwitterAPI

  alias Pleroma.Web.ControllerHelper
  import Ecto.Query

  require Logger

-  @httpoison Application.get_env(:pleroma, :httpoison)
+  plug(
+    Pleroma.Plugs.RateLimitPlug,
+    %{
+      max_requests: Config.get([:app_account_creation, :max_requests]),
+      interval: Config.get([:app_account_creation, :interval])
+    }
+    when action in [:account_register]
+  )
+
  @local_mastodon_name "Mastodon-Local"

  action_fallback(:errors)

  def create_app(conn, params) do
-    scopes = ControllerHelper.oauth_scopes(params, ["read"])
+    scopes = Scopes.fetch_scopes(params, ["read"])

    app_attrs =
      params
@ -86,7 +100,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    user_params =
      %{}
      |> add_if_present(params, "display_name", :name)
-      |> add_if_present(params, "note", :bio, fn value -> {:ok, User.parse_bio(value)} end)
+      |> add_if_present(params, "note", :bio, fn value -> {:ok, User.parse_bio(value, user)} end)
      |> add_if_present(params, "avatar", :avatar, fn value ->
        with %Plug.Upload{} <- value,
             {:ok, object} <- ActivityPub.upload(value, type: :avatar) do
@ -96,6 +110,12 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
        end
      end)

+    emojis_text = (user_params["display_name"] || "") <> (user_params["note"] || "")
+
+    user_info_emojis =
+      ((user.info.emoji || []) ++ Formatter.get_emoji_map(emojis_text))
+      |> Enum.dedup()
+
    info_params =
      [:no_rich_text, :locked, :hide_followers, :hide_follows, :hide_favorites, :show_role]
      |> Enum.reduce(%{}, fn key, acc ->
@ -112,6 +132,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
          _ -> :error
        end
      end)
+      |> Map.put(:emoji, user_info_emojis)

    info_cng = User.Info.profile_update(user.info, info_params)

@ -157,7 +178,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

-  @mastodon_api_level "2.5.0"
+  @mastodon_api_level "2.7.2"

  def masto_instance(conn, _params) do
    instance = Config.get(:instance)
@ -176,7 +197,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      languages: ["en"],
      registrations: Pleroma.Config.get([:instance, :registrations_open]),
      # Extra (not present in Mastodon):
-      max_toot_chars: Keyword.get(instance, :limit)
+      max_toot_chars: Keyword.get(instance, :limit),
+      poll_limits: Keyword.get(instance, :poll_limits)
    }

    json(conn, response)
@ -282,11 +304,8 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    activities =
      [user.ap_id | user.following]
      |> ActivityPub.fetch_activities(params)
-      |> ActivityPub.contain_timeline(user)
      |> Enum.reverse()

-    user = Repo.preload(user, bookmarks: :activity)
-
    conn
    |> add_link_headers(:home_timeline, activities)
    |> put_view(StatusView)
@ -305,8 +324,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      |> ActivityPub.fetch_public_activities()
      |> Enum.reverse()

-    user = Repo.preload(user, bookmarks: :activity)
-
    conn
    |> add_link_headers(:public_timeline, activities, false, %{"local" => local_only})
    |> put_view(StatusView)
@ -314,8 +331,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  end

  def user_statuses(%{assigns: %{user: reading_user}} = conn, params) do
-    with %User{} = user <- User.get_cached_by_id(params["id"]),
-         reading_user <- Repo.preload(reading_user, :bookmarks) do
+    with %User{} = user <- User.get_cached_by_id(params["id"]) do
      activities = ActivityPub.fetch_user_activities(user, reading_user, params)

      conn
@ -342,8 +358,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      |> ActivityPub.fetch_activities_query(params)
      |> Pagination.fetch_paginated(params)

-    user = Repo.preload(user, bookmarks: :activity)
-
    conn
    |> add_link_headers(:dm_timeline, activities)
    |> put_view(StatusView)
@ -353,8 +367,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  def get_status(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with %Activity{} = activity <- Activity.get_by_id_with_object(id),
         true <- Visibility.visible_for_user?(activity, user) do
-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> try_render("status.json", %{activity: activity, for: user})
@ -398,6 +410,53 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

+  def get_poll(%{assigns: %{user: user}} = conn, %{"id" => id}) do
+    with %Object{} = object <- Object.get_by_id(id),
+         %Activity{} = activity <- Activity.get_create_by_object_ap_id(object.data["id"]),
+         true <- Visibility.visible_for_user?(activity, user) do
+      conn
+      |> put_view(StatusView)
+      |> try_render("poll.json", %{object: object, for: user})
+    else
+      nil ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Record not found"})
+
+      false ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Record not found"})
+    end
+  end
+
+  def poll_vote(%{assigns: %{user: user}} = conn, %{"id" => id, "choices" => choices}) do
+    with %Object{} = object <- Object.get_by_id(id),
+         true <- object.data["type"] == "Question",
+         %Activity{} = activity <- Activity.get_create_by_object_ap_id(object.data["id"]),
+         true <- Visibility.visible_for_user?(activity, user),
+         {:ok, _activities, object} <- CommonAPI.vote(user, object, choices) do
+      conn
+      |> put_view(StatusView)
+      |> try_render("poll.json", %{object: object, for: user})
+    else
+      nil ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Record not found"})
+
+      false ->
+        conn
+        |> put_status(404)
+        |> json(%{error: "Record not found"})
+
+      {:error, message} ->
+        conn
+        |> put_status(422)
+        |> json(%{error: message})
+    end
+  end
+
  def scheduled_statuses(%{assigns: %{user: user}} = conn, params) do
    with scheduled_activities <- MastodonAPI.get_scheduled_activities(user, params) do
      conn
@ -461,12 +520,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      params
      |> Map.put("in_reply_to_status_id", params["in_reply_to_id"])

-    idempotency_key =
-      case get_req_header(conn, "idempotency-key") do
-        [key] -> key
-        _ -> Ecto.UUID.generate()
-      end
-
    scheduled_at = params["scheduled_at"]

    if scheduled_at && ScheduledActivity.far_enough?(scheduled_at) do
@ -479,17 +532,40 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    else
      params = Map.drop(params, ["scheduled_at"])

-      {:ok, activity} =
-        Cachex.fetch!(:idempotency_cache, idempotency_key, fn _ ->
-          CommonAPI.post(user, params)
-        end)
+      case get_cached_status_or_post(conn, params) do
+        {:ignore, message} ->
+          conn
+          |> put_status(422)
+          |> json(%{error: message})

-      conn
-      |> put_view(StatusView)
-      |> try_render("status.json", %{activity: activity, for: user, as: :activity})
+        {:error, message} ->
+          conn
+          |> put_status(422)
+          |> json(%{error: message})
+
+        {_, activity} ->
+          conn
+          |> put_view(StatusView)
+          |> try_render("status.json", %{activity: activity, for: user, as: :activity})
+      end
    end
  end

+  defp get_cached_status_or_post(%{assigns: %{user: user}} = conn, params) do
+    idempotency_key =
+      case get_req_header(conn, "idempotency-key") do
+        [key] -> key
+        _ -> Ecto.UUID.generate()
+      end
+
+    Cachex.fetch(:idempotency_cache, idempotency_key, fn _ ->
+      case CommonAPI.post(user, params) do
+        {:ok, activity} -> activity
+        {:error, message} -> {:ignore, message}
+      end
+    end)
+  end
+
  def delete_status(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with {:ok, %Activity{}} <- CommonAPI.delete(id, user) do
      json(conn, %{})
@ -504,8 +580,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  def reblog_status(%{assigns: %{user: user}} = conn, %{"id" => ap_id_or_id}) do
    with {:ok, announce, _activity} <- CommonAPI.repeat(ap_id_or_id, user),
         %Activity{} = announce <- Activity.normalize(announce.data) do
-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> try_render("status.json", %{activity: announce, for: user, as: :activity})
@ -515,8 +589,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
  def unreblog_status(%{assigns: %{user: user}} = conn, %{"id" => ap_id_or_id}) do
    with {:ok, _unannounce, %{data: %{"id" => id}}} <- CommonAPI.unrepeat(ap_id_or_id, user),
         %Activity{} = activity <- Activity.get_create_by_object_ap_id_with_object(id) do
-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> try_render("status.json", %{activity: activity, for: user, as: :activity})
@ -567,8 +639,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
         %User{} = user <- User.get_cached_by_nickname(user.nickname),
         true <- Visibility.visible_for_user?(activity, user),
         {:ok, _bookmark} <- Bookmark.create(user.id, activity.id) do
-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> try_render("status.json", %{activity: activity, for: user, as: :activity})
@ -580,8 +650,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
         %User{} = user <- User.get_cached_by_nickname(user.nickname),
         true <- Visibility.visible_for_user?(activity, user),
         {:ok, _bookmark} <- Bookmark.destroy(user.id, activity.id) do
-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> try_render("status.json", %{activity: activity, for: user, as: :activity})
@ -704,7 +772,42 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

-  def favourited_by(conn, %{"id" => id}) do
+  def set_mascot(%{assigns: %{user: user}} = conn, %{"file" => file}) do
+    with {:ok, object} <- ActivityPub.upload(file, actor: User.ap_id(user)),
+         %{} = attachment_data <- Map.put(object.data, "id", object.id),
+         %{type: type} = rendered <-
+           StatusView.render("attachment.json", %{attachment: attachment_data}) do
+      # Reject if not an image
+      if type == "image" do
+        # Sure!
+        # Save to the user's info
+        info_changeset = User.Info.mascot_update(user.info, rendered)
+
+        user_changeset =
+          user
+          |> Ecto.Changeset.change()
+          |> Ecto.Changeset.put_embed(:info, info_changeset)
+
+        {:ok, _user} = User.update_and_set_cache(user_changeset)
+
+        conn
+        |> json(rendered)
+      else
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(415, Jason.encode!(%{"error" => "mascots can only be images"}))
+      end
+    end
+  end
+
+  def get_mascot(%{assigns: %{user: user}} = conn, _params) do
+    mascot = User.get_mascot(user)
+
+    conn
+    |> json(mascot)
+  end
+
+  def favourited_by(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with %Activity{data: %{"object" => object}} <- Repo.get(Activity, id),
         %Object{data: %{"likes" => likes}} <- Object.normalize(object) do
      q = from(u in User, where: u.ap_id in ^likes)
@ -712,13 +815,13 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

      conn
      |> put_view(AccountView)
-      |> render(AccountView, "accounts.json", %{users: users, as: :user})
+      |> render(AccountView, "accounts.json", %{for: user, users: users, as: :user})
    else
      _ -> json(conn, [])
    end
  end

-  def reblogged_by(conn, %{"id" => id}) do
+  def reblogged_by(%{assigns: %{user: user}} = conn, %{"id" => id}) do
    with %Activity{data: %{"object" => object}} <- Repo.get(Activity, id),
         %Object{data: %{"announcements" => announces}} <- Object.normalize(object) do
      q = from(u in User, where: u.ap_id in ^announces)
@ -726,7 +829,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

      conn
      |> put_view(AccountView)
-      |> render("accounts.json", %{users: users, as: :user})
+      |> render("accounts.json", %{for: user, users: users, as: :user})
    else
      _ -> json(conn, [])
    end
@ -783,7 +886,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      conn
      |> add_link_headers(:followers, followers, user)
      |> put_view(AccountView)
-      |> render("accounts.json", %{users: followers, as: :user})
+      |> render("accounts.json", %{for: for_user, users: followers, as: :user})
    end
  end

@ -800,7 +903,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      conn
      |> add_link_headers(:following, followers, user)
      |> put_view(AccountView)
-      |> render("accounts.json", %{users: followers, as: :user})
+      |> render("accounts.json", %{for: for_user, users: followers, as: :user})
    end
  end

@ -808,7 +911,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    with {:ok, follow_requests} <- User.get_follow_requests(followed) do
      conn
      |> put_view(AccountView)
-      |> render("accounts.json", %{users: follow_requests, as: :user})
+      |> render("accounts.json", %{for: followed, users: follow_requests, as: :user})
    end
  end

@ -1006,6 +1109,30 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

+  def status_search_query_with_gin(q, query) do
+    from([a, o] in q,
+      where:
+        fragment(
+          "to_tsvector('english', ?->>'content') @@ plainto_tsquery('english', ?)",
+          o.data,
+          ^query
+        ),
+      order_by: [desc: :id]
+    )
+  end
+
+  def status_search_query_with_rum(q, query) do
+    from([a, o] in q,
+      where:
+        fragment(
+          "? @@ plainto_tsquery('english', ?)",
+          o.fts_content,
+          ^query
+        ),
+      order_by: [fragment("? <=> now()::date", o.inserted_at)]
+    )
+  end
+
  def status_search(user, query) do
    fetched =
      if Regex.match?(~r/https?:/, query) do
@ -1019,20 +1146,19 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      end || []

    q =
-      from(
-        [a, o] in Activity.with_preloaded_object(Activity),
+      from([a, o] in Activity.with_preloaded_object(Activity),
        where: fragment("?->>'type' = 'Create'", a.data),
        where: "https://www.w3.org/ns/activitystreams#Public" in a.recipients,
-        where:
-          fragment(
-            "to_tsvector('english', ?->>'content') @@ plainto_tsquery('english', ?)",
-            o.data,
-            ^query
-          ),
-        limit: 20,
-        order_by: [desc: :id]
+        limit: 40
      )

+    q =
+      if Pleroma.Config.get([:database, :rum_enabled]) do
+        status_search_query_with_rum(q, query)
+      else
+        status_search_query_with_gin(q, query)
+      end
+
    Repo.all(q) ++ fetched
  end

@ -1102,8 +1228,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      ActivityPub.fetch_activities([], params)
      |> Enum.reverse()

-    user = Repo.preload(user, bookmarks: :activity)
-
    conn
    |> add_link_headers(:favourites, activities)
    |> put_view(StatusView)
@ -1149,7 +1273,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

  def bookmarks(%{assigns: %{user: user}} = conn, params) do
    user = User.get_cached_by_id(user.id)
-    user = Repo.preload(user, bookmarks: :activity)

    bookmarks =
      Bookmark.for_user_query(user.id)
@ -1157,7 +1280,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do

    activities =
      bookmarks
-      |> Enum.map(fn b -> b.activity end)
+      |> Enum.map(fn b -> Map.put(b.activity, :bookmark, Map.delete(b, :activity)) end)

    conn
    |> add_link_headers(:bookmarks, bookmarks)
@ -1222,7 +1345,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    accounts
    |> Enum.each(fn account_id ->
      with %Pleroma.List{} = list <- Pleroma.List.get(id, user),
-           %User{} = followed <- Pleroma.User.get_cached_by_id(account_id) do
+           %User{} = followed <- User.get_cached_by_id(account_id) do
        Pleroma.List.unfollow(list, followed)
      end
    end)
@ -1235,7 +1358,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
         {:ok, users} = Pleroma.List.get_following(list) do
      conn
      |> put_view(AccountView)
-      |> render("accounts.json", %{users: users, as: :user})
+      |> render("accounts.json", %{for: user, users: users, as: :user})
    end
  end

@ -1266,8 +1389,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
        |> ActivityPub.fetch_activities_bounded(following, params)
        |> Enum.reverse()

-      user = Repo.preload(user, bookmarks: :activity)
-
      conn
      |> put_view(StatusView)
      |> render("index.json", %{activities: activities, for: user, as: :activity})
@ -1290,13 +1411,10 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      accounts =
        Map.put(%{}, user.id, AccountView.render("account.json", %{user: user, for: user}))

-      flavour = get_user_flavour(user)
-
      initial_state =
        %{
          meta: %{
-            streaming_api_base_url:
-              String.replace(Pleroma.Web.Endpoint.static_url(), "http", "ws"),
+            streaming_api_base_url: Pleroma.Web.Endpoint.websocket_url(),
            access_token: token,
            locale: "en",
            domain: Pleroma.Web.Endpoint.host(),
@ -1309,8 +1427,9 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
            display_sensitive_media: false,
            reduce_motion: false,
            max_toot_chars: limit,
-            mascot: "/images/pleroma-fox-tan-smol.png"
+            mascot: User.get_mascot(user)["url"]
          },
+          poll_limits: Config.get([:instance, :poll_limits]),
          rights: %{
            delete_others_notice: present?(user.info.is_moderator),
            admin: present?(user.info.is_admin)
@ -1378,7 +1497,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      conn
      |> put_layout(false)
      |> put_view(MastodonView)
-      |> render("index.html", %{initial_state: initial_state, flavour: flavour})
+      |> render("index.html", %{initial_state: initial_state})
    else
      conn
      |> put_session(:return_to, conn.request_path)
@ -1401,43 +1520,6 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

-  @supported_flavours ["glitch", "vanilla"]
-
-  def set_flavour(%{assigns: %{user: user}} = conn, %{"flavour" => flavour} = _params)
-      when flavour in @supported_flavours do
-    flavour_cng = User.Info.mastodon_flavour_update(user.info, flavour)
-
-    with changeset <- Ecto.Changeset.change(user),
-         changeset <- Ecto.Changeset.put_embed(changeset, :info, flavour_cng),
-         {:ok, user} <- User.update_and_set_cache(changeset),
-         flavour <- user.info.flavour do
-      json(conn, flavour)
-    else
-      e ->
-        conn
-        |> put_resp_content_type("application/json")
-        |> send_resp(500, Jason.encode!(%{"error" => inspect(e)}))
-    end
-  end
-
-  def set_flavour(conn, _params) do
-    conn
-    |> put_status(400)
-    |> json(%{error: "Unsupported flavour"})
-  end
-
-  def get_flavour(%{assigns: %{user: user}} = conn, _params) do
-    json(conn, get_user_flavour(user))
-  end
-
-  defp get_user_flavour(%User{info: %{flavour: flavour}}) when flavour in @supported_flavours do
-    flavour
-  end
-
-  defp get_user_flavour(_) do
-    "glitch"
-  end
-
  def login(%{assigns: %{user: %User{}}} = conn, _params) do
    redirect(conn, to: local_mastodon_root_path(conn))
  end
@ -1548,7 +1630,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
      user_id: user.id,
      phrase: phrase,
      context: context,
-      hide: Map.get(params, "irreversible", nil),
+      hide: Map.get(params, "irreversible", false),
      whole_word: Map.get(params, "boolean", true)
      # expires_at
    }
@ -1636,7 +1718,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
        |> String.replace("{{user}}", user)

      with {:ok, %{status: 200, body: body}} <-
-             @httpoison.get(
+             HTTP.get(
               url,
               [],
               adapter: [
@ -1653,7 +1735,7 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
              x,
              "id",
              case User.get_or_fetch(x["acct"]) do
-                %{id: id} -> id
+                {:ok, %User{id: id}} -> id
                _ -> 0
              end
            )
@ -1705,6 +1787,78 @@ defmodule Pleroma.Web.MastodonAPI.MastodonAPIController do
    end
  end

+  def account_register(
+        %{assigns: %{app: app}} = conn,
+        %{"username" => nickname, "email" => _, "password" => _, "agreement" => true} = params
+      ) do
+    params =
+      params
+      |> Map.take([
+        "email",
+        "captcha_solution",
+        "captcha_token",
+        "captcha_answer_data",
+        "token",
+        "password"
+      ])
+      |> Map.put("nickname", nickname)
+      |> Map.put("fullname", params["fullname"] || nickname)
+      |> Map.put("bio", params["bio"] || "")
+      |> Map.put("confirm", params["password"])
+
+    with {:ok, user} <- TwitterAPI.register_user(params, need_confirmation: true),
+         {:ok, token} <- Token.create_token(app, user, %{scopes: app.scopes}) do
+      json(conn, %{
+        token_type: "Bearer",
+        access_token: token.token,
+        scope: app.scopes,
+        created_at: Token.Utils.format_created_at(token)
+      })
+    else
+      {:error, errors} ->
+        conn
+        |> put_status(400)
+        |> json(Jason.encode!(errors))
+    end
+  end
+
+  def account_register(%{assigns: %{app: _app}} = conn, _params) do
+    conn
+    |> put_status(400)
+    |> json(%{error: "Missing parameters"})
+  end
+
+  def account_register(conn, _) do
+    conn
+    |> put_status(403)
+    |> json(%{error: "Invalid credentials"})
+  end
+
+  def conversations(%{assigns: %{user: user}} = conn, params) do
+    participations = Participation.for_user_with_last_activity_id(user, params)
+
+    conversations =
+      Enum.map(participations, fn participation ->
+        ConversationView.render("participation.json", %{participation: participation, user: user})
+      end)
+
+    conn
+    |> add_link_headers(:conversations, participations)
+    |> json(conversations)
+  end
+
+  def conversation_read(%{assigns: %{user: user}} = conn, %{"id" => participation_id}) do
+    with %Participation{} = participation <-
+           Repo.get_by(Participation, id: participation_id, user_id: user.id),
+         {:ok, participation} <- Participation.mark_as_read(participation) do
+      participation_view =
+        ConversationView.render("participation.json", %{participation: participation, user: user})
+
+      conn
+      |> json(participation_view)
+    end
+  end
+
  def try_render(conn, target, params)
      when is_binary(target) do
    res = render(conn, target, params)
--- a/lib/pleroma/web/mastodon_api/views/account_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/account_view.ex
@ -40,7 +40,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
    follow_activity = Pleroma.Web.ActivityPub.Utils.fetch_latest_follow(user, target)

    requested =
-      if follow_activity do
+      if follow_activity && !User.following?(target, user) do
        follow_activity.data["state"] == "pending"
      else
        false
@ -112,7 +112,7 @@ defmodule Pleroma.Web.MastodonAPI.AccountView do
      fields: fields,
      bot: bot,
      source: %{
-        note: "",
+        note: HTML.strip_tags((user.bio || "") |> String.replace("<br>", "\n")),
        sensitive: false,
        pleroma: %{}
      },
--- a/lib/pleroma/web/mastodon_api/views/conversation_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/conversation_view.ex
@ -0,0 +1,43 @@
+defmodule Pleroma.Web.MastodonAPI.ConversationView do
+  use Pleroma.Web, :view
+
+  alias Pleroma.Activity
+  alias Pleroma.Repo
+  alias Pleroma.Web.ActivityPub.ActivityPub
+  alias Pleroma.Web.MastodonAPI.AccountView
+  alias Pleroma.Web.MastodonAPI.StatusView
+
+  def render("participation.json", %{participation: participation, user: user}) do
+    participation = Repo.preload(participation, conversation: :users)
+
+    last_activity_id =
+      with nil <- participation.last_activity_id do
+        ActivityPub.fetch_latest_activity_id_for_context(participation.conversation.ap_id, %{
+          "user" => user,
+          "blocking_user" => user
+        })
+      end
+
+    activity = Activity.get_by_id_with_object(last_activity_id)
+
+    last_status = StatusView.render("status.json", %{activity: activity, for: user})
+
+    # Conversations return all users except the current user.
+    users =
+      participation.conversation.users
+      |> Enum.reject(&(&1.id == user.id))
+
+    accounts =
+      AccountView.render("accounts.json", %{
+        users: users,
+        as: :user
+      })
+
+    %{
+      id: participation.id |> to_string(),
+      accounts: accounts,
+      unread: !participation.read,
+      last_status: last_status
+    }
+  end
+end
--- a/lib/pleroma/web/mastodon_api/views/status_view.ex
+++ b/lib/pleroma/web/mastodon_api/views/status_view.ex
@ -16,6 +16,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
  alias Pleroma.Web.MastodonAPI.StatusView
  alias Pleroma.Web.MediaProxy

+  import Pleroma.Web.ActivityPub.Visibility, only: [get_visibility: 1]
+
  # TODO: Add cached version.
  defp get_replied_to_activities(activities) do
    activities
@ -75,18 +77,22 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do

  def render(
        "status.json",
-        %{activity: %{data: %{"type" => "Announce", "object" => object}} = activity} = opts
+        %{activity: %{data: %{"type" => "Announce", "object" => _object}} = activity} = opts
      ) do
    user = get_user(activity.data["actor"])
    created_at = Utils.to_masto_date(activity.data["published"])
+    activity_object = Object.normalize(activity)
+
+    reblogged_activity =
+      Activity.create_by_object_ap_id(activity_object.data["id"])
+      |> Activity.with_preloaded_bookmark(opts[:for])
+      |> Repo.one()

-    reblogged_activity = Activity.get_create_by_object_ap_id(object)
    reblogged = render("status.json", Map.put(opts, :activity, reblogged_activity))

-    activity_object = Object.normalize(activity)
    favorited = opts[:for] && opts[:for].ap_id in (activity_object.data["likes"] || [])

-    bookmarked = opts[:for] && CommonAPI.bookmarked?(opts[:for], reblogged_activity)
+    bookmarked = Activity.get_bookmark(reblogged_activity, opts[:for]) != nil

    mentions =
      activity.recipients
@ -96,8 +102,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do

    %{
      id: to_string(activity.id),
-      uri: object,
-      url: object,
+      uri: activity_object.data["id"],
+      url: activity_object.data["id"],
      account: AccountView.render("account.json", %{user: user}),
      in_reply_to_id: nil,
      in_reply_to_account_id: nil,
@ -149,7 +155,13 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do

    favorited = opts[:for] && opts[:for].ap_id in (object.data["likes"] || [])

-    bookmarked = opts[:for] && CommonAPI.bookmarked?(opts[:for], activity)
+    bookmarked = Activity.get_bookmark(activity, opts[:for]) != nil
+
+    thread_muted? =
+      case activity.thread_muted? do
+        thread_muted? when is_boolean(thread_muted?) -> thread_muted?
+        nil -> CommonAPI.thread_muted?(user, activity)
+      end

    attachment_data = object.data["attachment"] || []
    attachments = render_many(attachment_data, StatusView, "attachment.json", as: :attachment)
@ -222,12 +234,13 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
      reblogged: reblogged?(activity, opts[:for]),
      favourited: present?(favorited),
      bookmarked: present?(bookmarked),
-      muted: CommonAPI.thread_muted?(user, activity) || User.mutes?(opts[:for], user),
+      muted: thread_muted? || User.mutes?(opts[:for], user),
      pinned: pinned?(activity, user),
      sensitive: sensitive,
      spoiler_text: summary_html,
      visibility: get_visibility(object),
      media_attachments: attachments,
+      poll: render("poll.json", %{object: object, for: opts[:for]}),
      mentions: mentions,
      tags: build_tags(tags),
      application: %{
@ -278,8 +291,8 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
      provider_url: page_url_data.scheme <> "://" <> page_url_data.host,
      url: page_url,
      image: image_url |> MediaProxy.url(),
-      title: rich_media[:title],
-      description: rich_media[:description],
+      title: rich_media[:title] || "",
+      description: rich_media[:description] || "",
      pleroma: %{
        opengraph: rich_media
      }
@ -317,6 +330,64 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
    }
  end

+  def render("poll.json", %{object: object} = opts) do
+    {multiple, options} =
+      case object.data do
+        %{"anyOf" => options} when is_list(options) -> {true, options}
+        %{"oneOf" => options} when is_list(options) -> {false, options}
+        _ -> {nil, nil}
+      end
+
+    if options do
+      end_time =
+        (object.data["closed"] || object.data["endTime"])
+        |> NaiveDateTime.from_iso8601!()
+
+      expired =
+        end_time
+        |> NaiveDateTime.compare(NaiveDateTime.utc_now())
+        |> case do
+          :lt -> true
+          _ -> false
+        end
+
+      voted =
+        if opts[:for] do
+          existing_votes =
+            Pleroma.Web.ActivityPub.Utils.get_existing_votes(opts[:for].ap_id, object)
+
+          existing_votes != [] or opts[:for].ap_id == object.data["actor"]
+        else
+          false
+        end
+
+      {options, votes_count} =
+        Enum.map_reduce(options, 0, fn %{"name" => name} = option, count ->
+          current_count = option["replies"]["totalItems"] || 0
+
+          {%{
+             title: HTML.strip_tags(name),
+             votes_count: current_count
+           }, current_count + count}
+        end)
+
+      %{
+        # Mastodon uses separate ids for polls, but an object can't have
+        # more than one poll embedded so object id is fine
+        id: object.id,
+        expires_at: Utils.to_masto_date(end_time),
+        expired: expired,
+        multiple: multiple,
+        votes_count: votes_count,
+        options: options,
+        voted: voted,
+        emojis: build_emojis(object.data["emoji"])
+      }
+    else
+      nil
+    end
+  end
+
  def get_reply_to(activity, %{replied_to_activities: replied_to_activities}) do
    object = Object.normalize(activity)

@ -336,30 +407,6 @@ defmodule Pleroma.Web.MastodonAPI.StatusView do
    end
  end

-  def get_visibility(object) do
-    public = "https://www.w3.org/ns/activitystreams#Public"
-    to = object.data["to"] || []
-    cc = object.data["cc"] || []
-
-    cond do
-      public in to ->
-        "public"
-
-      public in cc ->
-        "unlisted"
-
-      # this should use the sql for the object's activity
-      Enum.any?(to, &String.contains?(&1, "/followers")) ->
-        "private"
-
-      length(cc) > 0 ->
-        "private"
-
-      true ->
-        "direct"
-    end
-  end
-
  def render_content(%{data: %{"type" => "Video"}} = object) do
    with name when not is_nil(name) and name != "" <- object.data["name"] do
      "<p><a href=\"#{object.data["id"]}\">#{name}</a></p>#{object.data["content"]}"
--- a/lib/pleroma/web/media_proxy/media_proxy.ex
+++ b/lib/pleroma/web/media_proxy/media_proxy.ex
@ -12,25 +12,27 @@ defmodule Pleroma.Web.MediaProxy do
  def url("/" <> _ = url), do: url

  def url(url) do
-    config = Application.get_env(:pleroma, :media_proxy, [])
-    domain = URI.parse(url).host
-
-    cond do
-      !Keyword.get(config, :enabled, false) or String.starts_with?(url, Pleroma.Web.base_url()) ->
-        url
-
-      Enum.any?(Pleroma.Config.get([:media_proxy, :whitelist]), fn pattern ->
-        String.equivalent?(domain, pattern)
-      end) ->
-        url
-
-      true ->
-        encode_url(url)
+    if !enabled?() or local?(url) or whitelisted?(url) do
+      url
+    else
+      encode_url(url)
    end
  end

+  defp enabled?, do: Pleroma.Config.get([:media_proxy, :enabled], false)
+
+  defp local?(url), do: String.starts_with?(url, Pleroma.Web.base_url())
+
+  defp whitelisted?(url) do
+    %{host: domain} = URI.parse(url)
+
+    Enum.any?(Pleroma.Config.get([:media_proxy, :whitelist]), fn pattern ->
+      String.equivalent?(domain, pattern)
+    end)
+  end
+
  def encode_url(url) do
-    secret = Application.get_env(:pleroma, Pleroma.Web.Endpoint)[:secret_key_base]
+    secret = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base])

    # Must preserve `%2F` for compatibility with S3
    # https://git.pleroma.social/pleroma/pleroma/issues/580
@ -52,7 +54,7 @@ defmodule Pleroma.Web.MediaProxy do
  end

  def decode_url(sig, url) do
-    secret = Application.get_env(:pleroma, Pleroma.Web.Endpoint)[:secret_key_base]
+    secret = Pleroma.Config.get([Pleroma.Web.Endpoint, :secret_key_base])
    sig = Base.url_decode64!(sig, @base64_opts)
    local_sig = :crypto.hmac(:sha, secret, url)

--- a/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
+++ b/lib/pleroma/web/mongooseim/mongoose_im_controller.ex
@ -0,0 +1,41 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.MongooseIM.MongooseIMController do
+  use Pleroma.Web, :controller
+  alias Comeonin.Pbkdf2
+  alias Pleroma.Repo
+  alias Pleroma.User
+
+  def user_exists(conn, %{"user" => username}) do
+    with %User{} <- Repo.get_by(User, nickname: username, local: true) do
+      conn
+      |> json(true)
+    else
+      _ ->
+        conn
+        |> put_status(:not_found)
+        |> json(false)
+    end
+  end
+
+  def check_password(conn, %{"user" => username, "pass" => password}) do
+    with %User{password_hash: password_hash} <-
+           Repo.get_by(User, nickname: username, local: true),
+         true <- Pbkdf2.checkpw(password, password_hash) do
+      conn
+      |> json(true)
+    else
+      false ->
+        conn
+        |> put_status(403)
+        |> json(false)
+
+      _ ->
+        conn
+        |> put_status(:not_found)
+        |> json(false)
+    end
+  end
+end
--- a/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex
+++ b/lib/pleroma/web/nodeinfo/nodeinfo_controller.ex
@ -10,8 +10,7 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
  alias Pleroma.User
  alias Pleroma.Web
  alias Pleroma.Web.ActivityPub.MRF
-
-  plug(Pleroma.Web.FederatingPlug)
+  alias Pleroma.Web.Federator.Publisher

  def schemas(conn, _params) do
    response = %{
@ -33,20 +32,15 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
  # returns a nodeinfo 2.0 map, since 2.1 just adds a repository field
  # under software.
  def raw_nodeinfo do
-    instance = Application.get_env(:pleroma, :instance)
-    media_proxy = Application.get_env(:pleroma, :media_proxy)
-    suggestions = Application.get_env(:pleroma, :suggestions)
-    chat = Application.get_env(:pleroma, :chat)
-    gopher = Application.get_env(:pleroma, :gopher)
    stats = Stats.get_stats()

    mrf_simple =
-      Application.get_env(:pleroma, :mrf_simple)
+      Config.get(:mrf_simple)
      |> Enum.into(%{})

    # This horror is needed to convert regex sigils to strings
    mrf_keyword =
-      Application.get_env(:pleroma, :mrf_keyword, [])
+      Config.get(:mrf_keyword, [])
      |> Enum.map(fn {key, value} ->
        {key,
         Enum.map(value, fn
@ -75,14 +69,7 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
      MRF.get_policies()
      |> Enum.map(fn policy -> to_string(policy) |> String.split(".") |> List.last() end)

-    quarantined = Keyword.get(instance, :quarantined_instances)
-
-    quarantined =
-      if is_list(quarantined) do
-        quarantined
-      else
-        []
-      end
+    quarantined = Config.get([:instance, :quarantined_instances], [])

    staff_accounts =
      User.all_superusers()
@ -93,7 +80,7 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
      |> Enum.into(%{}, fn {k, v} -> {k, length(v)} end)

    federation_response =
-      if Keyword.get(instance, :mrf_transparency) do
+      if Config.get([:instance, :mrf_transparency]) do
        %{
          mrf_policies: mrf_policies,
          mrf_simple: mrf_simple,
@ -110,22 +97,22 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
        "pleroma_api",
        "mastodon_api",
        "mastodon_api_streaming",
-        if Keyword.get(media_proxy, :enabled) do
+        if Config.get([:media_proxy, :enabled]) do
          "media_proxy"
        end,
-        if Keyword.get(gopher, :enabled) do
+        if Config.get([:gopher, :enabled]) do
          "gopher"
        end,
-        if Keyword.get(chat, :enabled) do
+        if Config.get([:chat, :enabled]) do
          "chat"
        end,
-        if Keyword.get(suggestions, :enabled) do
+        if Config.get([:suggestions, :enabled]) do
          "suggestions"
        end,
-        if Keyword.get(instance, :allow_relay) do
+        if Config.get([:instance, :allow_relay]) do
          "relay"
        end,
-        if Keyword.get(instance, :safe_dm_mentions) do
+        if Config.get([:instance, :safe_dm_mentions]) do
          "safe_dm_mentions"
        end
      ]
@ -137,12 +124,12 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
        name: Pleroma.Application.name() |> String.downcase(),
        version: Pleroma.Application.version()
      },
-      protocols: ["ostatus", "activitypub"],
+      protocols: Publisher.gather_nodeinfo_protocol_names(),
      services: %{
        inbound: [],
        outbound: []
      },
-      openRegistrations: Keyword.get(instance, :registrations_open),
+      openRegistrations: Config.get([:instance, :registrations_open]),
      usage: %{
        users: %{
          total: stats.user_count || 0
@ -150,29 +137,29 @@ defmodule Pleroma.Web.Nodeinfo.NodeinfoController do
        localPosts: stats.status_count || 0
      },
      metadata: %{
-        nodeName: Keyword.get(instance, :name),
-        nodeDescription: Keyword.get(instance, :description),
-        private: !Keyword.get(instance, :public, true),
+        nodeName: Config.get([:instance, :name]),
+        nodeDescription: Config.get([:instance, :description]),
+        private: !Config.get([:instance, :public], true),
        suggestions: %{
-          enabled: Keyword.get(suggestions, :enabled, false),
-          thirdPartyEngine: Keyword.get(suggestions, :third_party_engine, ""),
-          timeout: Keyword.get(suggestions, :timeout, 5000),
-          limit: Keyword.get(suggestions, :limit, 23),
-          web: Keyword.get(suggestions, :web, "")
+          enabled: Config.get([:suggestions, :enabled], false),
+          thirdPartyEngine: Config.get([:suggestions, :third_party_engine], ""),
+          timeout: Config.get([:suggestions, :timeout], 5000),
+          limit: Config.get([:suggestions, :limit], 23),
+          web: Config.get([:suggestions, :web], "")
        },
        staffAccounts: staff_accounts,
        federation: federation_response,
-        postFormats: Keyword.get(instance, :allowed_post_formats),
+        postFormats: Config.get([:instance, :allowed_post_formats]),
        uploadLimits: %{
-          general: Keyword.get(instance, :upload_limit),
-          avatar: Keyword.get(instance, :avatar_upload_limit),
-          banner: Keyword.get(instance, :banner_upload_limit),
-          background: Keyword.get(instance, :background_upload_limit)
+          general: Config.get([:instance, :upload_limit]),
+          avatar: Config.get([:instance, :avatar_upload_limit]),
+          banner: Config.get([:instance, :banner_upload_limit]),
+          background: Config.get([:instance, :background_upload_limit])
        },
-        accountActivationRequired: Keyword.get(instance, :account_activation_required, false),
-        invitesEnabled: Keyword.get(instance, :invites_enabled, false),
+        accountActivationRequired: Config.get([:instance, :account_activation_required], false),
+        invitesEnabled: Config.get([:instance, :invites_enabled], false),
        features: features,
-        restrictedNicknames: Pleroma.Config.get([Pleroma.User, :restricted_nicknames])
+        restrictedNicknames: Config.get([Pleroma.User, :restricted_nicknames])
      }
    }
  end
--- a/lib/pleroma/web/oauth.ex
+++ b/lib/pleroma/web/oauth.ex
@ -3,18 +3,4 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.OAuth do
-  def parse_scopes(scopes, _default) when is_list(scopes) do
-    Enum.filter(scopes, &(&1 not in [nil, ""]))
-  end
-
-  def parse_scopes(scopes, default) when is_binary(scopes) do
-    scopes
-    |> String.trim()
-    |> String.split(~r/[\s,]+/)
-    |> parse_scopes(default)
-  end
-
-  def parse_scopes(_, default) do
-    default
-  end
 end
--- a/lib/pleroma/web/oauth/app.ex
+++ b/lib/pleroma/web/oauth/app.ex
@ -6,6 +6,8 @@ defmodule Pleroma.Web.OAuth.App do
  use Ecto.Schema
  import Ecto.Changeset

+  @type t :: %__MODULE__{}
+
  schema "apps" do
    field(:client_name, :string)
    field(:redirect_uris, :string)
--- a/lib/pleroma/web/oauth/authorization.ex
+++ b/lib/pleroma/web/oauth/authorization.ex
@ -13,39 +13,58 @@ defmodule Pleroma.Web.OAuth.Authorization do
  import Ecto.Changeset
  import Ecto.Query

+  @type t :: %__MODULE__{}
+
  schema "oauth_authorizations" do
    field(:token, :string)
    field(:scopes, {:array, :string}, default: [])
    field(:valid_until, :naive_datetime_usec)
    field(:used, :boolean, default: false)
-    belongs_to(:user, Pleroma.User, type: Pleroma.FlakeId)
+    belongs_to(:user, User, type: Pleroma.FlakeId)
    belongs_to(:app, App)

    timestamps()
  end

+  @spec create_authorization(App.t(), User.t() | %{}, [String.t()] | nil) ::
+          {:ok, Authorization.t()} | {:error, Changeset.t()}
  def create_authorization(%App{} = app, %User{} = user, scopes \\ nil) do
-    scopes = scopes || app.scopes
-    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
-
-    authorization = %Authorization{
-      token: token,
-      used: false,
+    %{
+      scopes: scopes || app.scopes,
      user_id: user.id,
-      app_id: app.id,
-      scopes: scopes,
-      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10)
+      app_id: app.id
    }
-
-    Repo.insert(authorization)
+    |> create_changeset()
+    |> Repo.insert()
  end

+  @spec create_changeset(map()) :: Changeset.t()
+  def create_changeset(attrs \\ %{}) do
+    %Authorization{}
+    |> cast(attrs, [:user_id, :app_id, :scopes, :valid_until])
+    |> validate_required([:app_id, :scopes])
+    |> add_token()
+    |> add_lifetime()
+  end
+
+  defp add_token(changeset) do
+    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+    put_change(changeset, :token, token)
+  end
+
+  defp add_lifetime(changeset) do
+    put_change(changeset, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10))
+  end
+
+  @spec use_changeset(Authtorizatiton.t(), map()) :: Changeset.t()
  def use_changeset(%Authorization{} = auth, params) do
    auth
    |> cast(params, [:used])
    |> validate_required([:used])
  end

+  @spec use_token(Authorization.t()) ::
+          {:ok, Authorization.t()} | {:error, Changeset.t()} | {:error, String.t()}
  def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
    if NaiveDateTime.diff(NaiveDateTime.utc_now(), valid_until) < 0 do
      Repo.update(use_changeset(auth, %{used: true}))
@ -56,6 +75,7 @@ defmodule Pleroma.Web.OAuth.Authorization do

  def use_token(%Authorization{used: true}), do: {:error, "already used"}

+  @spec delete_user_authorizations(User.t()) :: {integer(), any()}
  def delete_user_authorizations(%User{id: user_id}) do
    from(
      a in Pleroma.Web.OAuth.Authorization,
@ -63,4 +83,11 @@ defmodule Pleroma.Web.OAuth.Authorization do
    )
    |> Repo.delete_all()
  end
+
+  @doc "gets auth for app by token"
+  @spec get_by_token(App.t(), String.t()) :: {:ok, t()} | {:error, :not_found}
+  def get_by_token(%App{id: app_id} = _app, token) do
+    from(t in __MODULE__, where: t.app_id == ^app_id and t.token == ^token)
+    |> Repo.find_resource()
+  end
 end
--- a/lib/pleroma/web/oauth/oauth_controller.ex
+++ b/lib/pleroma/web/oauth/oauth_controller.ex
@ -13,8 +13,9 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Authorization
  alias Pleroma.Web.OAuth.Token
-
-  import Pleroma.Web.ControllerHelper, only: [oauth_scopes: 2]
+  alias Pleroma.Web.OAuth.Token.Strategy.RefreshToken
+  alias Pleroma.Web.OAuth.Token.Strategy.Revoke, as: RevokeToken
+  alias Pleroma.Web.OAuth.Scopes

  if Pleroma.Config.oauth_consumer_enabled?(), do: plug(Ueberauth)

@ -53,7 +54,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  defp do_authorize(conn, params) do
    app = Repo.get_by(App, client_id: params["client_id"])
    available_scopes = (app && app.scopes) || []
-    scopes = oauth_scopes(params, nil) || available_scopes
+    scopes = Scopes.fetch_scopes(params, available_scopes)

    # Note: `params` might differ from `conn.params`; use `@params` not `@conn.params` in template
    render(conn, Authenticator.auth_template(), %{
@ -109,7 +110,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do

  defp handle_create_authorization_error(
         conn,
-         {scopes_issue, _},
+         {:error, scopes_issue},
         %{"authorization" => _} = params
       )
       when scopes_issue in [:unsupported_scopes, :missing_scopes] do
@ -138,25 +139,33 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    Authenticator.handle_error(conn, error)
  end

-  def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
-    with %App{} = app <- get_app_from_request(conn, params),
-         fixed_token = fix_padding(params["code"]),
-         %Authorization{} = auth <-
-           Repo.get_by(Authorization, token: fixed_token, app_id: app.id),
-         %User{} = user <- User.get_cached_by_id(auth.user_id),
-         {:ok, token} <- Token.exchange_token(app, auth),
-         {:ok, inserted_at} <- DateTime.from_naive(token.inserted_at, "Etc/UTC") do
-      response = %{
-        token_type: "Bearer",
-        access_token: token.token,
-        refresh_token: token.refresh_token,
-        created_at: DateTime.to_unix(inserted_at),
-        expires_in: 60 * 10,
-        scope: Enum.join(token.scopes, " "),
-        me: user.ap_id
-      }
+  @doc "Renew access_token with refresh_token"
+  def token_exchange(
+        conn,
+        %{"grant_type" => "refresh_token", "refresh_token" => token} = _params
+      ) do
+    with {:ok, app} <- Token.Utils.fetch_app(conn),
+         {:ok, %{user: user} = token} <- Token.get_by_refresh_token(app, token),
+         {:ok, token} <- RefreshToken.grant(token) do
+      response_attrs = %{created_at: Token.Utils.format_created_at(token)}

-      json(conn, response)
+      json(conn, Token.Response.build(user, token, response_attrs))
+    else
+      _error ->
+        put_status(conn, 400)
+        |> json(%{error: "Invalid credentials"})
+    end
+  end
+
+  def token_exchange(conn, %{"grant_type" => "authorization_code"} = params) do
+    with {:ok, app} <- Token.Utils.fetch_app(conn),
+         fixed_token = Token.Utils.fix_padding(params["code"]),
+         {:ok, auth} <- Authorization.get_by_token(app, fixed_token),
+         %User{} = user <- User.get_cached_by_id(auth.user_id),
+         {:ok, token} <- Token.exchange_token(app, auth) do
+      response_attrs = %{created_at: Token.Utils.format_created_at(token)}
+
+      json(conn, Token.Response.build(user, token, response_attrs))
    else
      _error ->
        put_status(conn, 400)
@ -168,25 +177,14 @@ defmodule Pleroma.Web.OAuth.OAuthController do
        conn,
        %{"grant_type" => "password"} = params
      ) do
-    with {_, {:ok, %User{} = user}} <- {:get_user, Authenticator.get_user(conn)},
-         %App{} = app <- get_app_from_request(conn, params),
+    with {:ok, %User{} = user} <- Authenticator.get_user(conn),
+         {:ok, app} <- Token.Utils.fetch_app(conn),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)},
         {:user_active, true} <- {:user_active, !user.info.deactivated},
-         scopes <- oauth_scopes(params, app.scopes),
-         [] <- scopes -- app.scopes,
-         true <- Enum.any?(scopes),
+         {:ok, scopes} <- validate_scopes(app, params),
         {:ok, auth} <- Authorization.create_authorization(app, user, scopes),
         {:ok, token} <- Token.exchange_token(app, auth) do
-      response = %{
-        token_type: "Bearer",
-        access_token: token.token,
-        refresh_token: token.refresh_token,
-        expires_in: 60 * 10,
-        scope: Enum.join(token.scopes, " "),
-        me: user.ap_id
-      }
-
-      json(conn, response)
+      json(conn, Token.Response.build(user, token))
    else
      {:auth_active, false} ->
        # Per https://github.com/tootsuite/mastodon/blob/
@ -218,10 +216,24 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    token_exchange(conn, params)
  end

-  def token_revoke(conn, %{"token" => token} = params) do
-    with %App{} = app <- get_app_from_request(conn, params),
-         %Token{} = token <- Repo.get_by(Token, token: token, app_id: app.id),
-         {:ok, %Token{}} <- Repo.delete(token) do
+  def token_exchange(conn, %{"grant_type" => "client_credentials"} = _params) do
+    with {:ok, app} <- Token.Utils.fetch_app(conn),
+         {:ok, auth} <- Authorization.create_authorization(app, %User{}),
+         {:ok, token} <- Token.exchange_token(app, auth) do
+      json(conn, Token.Response.build_for_client_credentials(token))
+    else
+      _error ->
+        put_status(conn, 400)
+        |> json(%{error: "Invalid credentials"})
+    end
+  end
+
+  # Bad request
+  def token_exchange(conn, params), do: bad_request(conn, params)
+
+  def token_revoke(conn, %{"token" => _token} = params) do
+    with {:ok, app} <- Token.Utils.fetch_app(conn),
+         {:ok, _token} <- RevokeToken.revoke(app, params) do
      json(conn, %{})
    else
      _error ->
@ -230,17 +242,27 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    end
  end

+  def token_revoke(conn, params), do: bad_request(conn, params)
+
+  # Response for bad request
+  defp bad_request(conn, _) do
+    conn
+    |> put_status(500)
+    |> json(%{error: "Bad request"})
+  end
+
  @doc "Prepares OAuth request to provider for Ueberauth"
  def prepare_request(conn, %{"provider" => provider, "authorization" => auth_attrs}) do
    scope =
-      oauth_scopes(auth_attrs, [])
-      |> Enum.join(" ")
+      auth_attrs
+      |> Scopes.fetch_scopes([])
+      |> Scopes.to_string()

    state =
      auth_attrs
      |> Map.delete("scopes")
      |> Map.put("scope", scope)
-      |> Poison.encode!()
+      |> Jason.encode!()

    params =
      auth_attrs
@ -278,25 +300,22 @@ defmodule Pleroma.Web.OAuth.OAuthController do
    params = callback_params(params)

    with {:ok, registration} <- Authenticator.get_registration(conn) do
-      user = Repo.preload(registration, :user).user
      auth_attrs = Map.take(params, ~w(client_id redirect_uri scope scopes state))

-      if user do
-        create_authorization(
-          conn,
-          %{"authorization" => auth_attrs},
-          user: user
-        )
-      else
-        registration_params =
-          Map.merge(auth_attrs, %{
-            "nickname" => Registration.nickname(registration),
-            "email" => Registration.email(registration)
-          })
+      case Repo.get_assoc(registration, :user) do
+        {:ok, user} ->
+          create_authorization(conn, %{"authorization" => auth_attrs}, user: user)

-        conn
-        |> put_session(:registration_id, registration.id)
-        |> registration_details(%{"authorization" => registration_params})
+        _ ->
+          registration_params =
+            Map.merge(auth_attrs, %{
+              "nickname" => Registration.nickname(registration),
+              "email" => Registration.email(registration)
+            })
+
+          conn
+          |> put_session(:registration_id, registration.id)
+          |> registration_details(%{"authorization" => registration_params})
      end
    else
      _ ->
@ -307,7 +326,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
  end

  defp callback_params(%{"state" => state} = params) do
-    Map.merge(params, Poison.decode!(state))
+    Map.merge(params, Jason.decode!(state))
  end

  def registration_details(conn, %{"authorization" => auth_attrs}) do
@ -315,7 +334,7 @@ defmodule Pleroma.Web.OAuth.OAuthController do
      client_id: auth_attrs["client_id"],
      redirect_uri: auth_attrs["redirect_uri"],
      state: auth_attrs["state"],
-      scopes: oauth_scopes(auth_attrs, []),
+      scopes: Scopes.fetch_scopes(auth_attrs, []),
      nickname: auth_attrs["nickname"],
      email: auth_attrs["email"]
    })
@ -390,48 +409,12 @@ defmodule Pleroma.Web.OAuth.OAuthController do
           {:get_user, (user && {:ok, user}) || Authenticator.get_user(conn)},
         %App{} = app <- Repo.get_by(App, client_id: client_id),
         true <- redirect_uri in String.split(app.redirect_uris),
-         scopes <- oauth_scopes(auth_attrs, []),
-         {:unsupported_scopes, []} <- {:unsupported_scopes, scopes -- app.scopes},
-         # Note: `scope` param is intentionally not optional in this context
-         {:missing_scopes, false} <- {:missing_scopes, scopes == []},
+         {:ok, scopes} <- validate_scopes(app, auth_attrs),
         {:auth_active, true} <- {:auth_active, User.auth_active?(user)} do
      Authorization.create_authorization(app, user, scopes)
    end
  end

-  # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
-  # decoding it.  Investigate sometime.
-  defp fix_padding(token) do
-    token
-    |> URI.decode()
-    |> Base.url_decode64!(padding: false)
-    |> Base.url_encode64(padding: false)
-  end
-
-  defp get_app_from_request(conn, params) do
-    # Per RFC 6749, HTTP Basic is preferred to body params
-    {client_id, client_secret} =
-      with ["Basic " <> encoded] <- get_req_header(conn, "authorization"),
-           {:ok, decoded} <- Base.decode64(encoded),
-           [id, secret] <-
-             String.split(decoded, ":")
-             |> Enum.map(fn s -> URI.decode_www_form(s) end) do
-        {id, secret}
-      else
-        _ -> {params["client_id"], params["client_secret"]}
-      end
-
-    if client_id && client_secret do
-      Repo.get_by(
-        App,
-        client_id: client_id,
-        client_secret: client_secret
-      )
-    else
-      nil
-    end
-  end
-
  # Special case: Local MastodonFE
  defp redirect_uri(conn, "."), do: mastodon_api_url(conn, :login)

@ -441,4 +424,12 @@ defmodule Pleroma.Web.OAuth.OAuthController do

  defp put_session_registration_id(conn, registration_id),
    do: put_session(conn, :registration_id, registration_id)
+
+  @spec validate_scopes(App.t(), map()) ::
+          {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
+  defp validate_scopes(app, params) do
+    params
+    |> Scopes.fetch_scopes(app.scopes)
+    |> Scopes.validates(app.scopes)
+  end
 end
--- a/lib/pleroma/web/oauth/scopes.ex
+++ b/lib/pleroma/web/oauth/scopes.ex
@ -0,0 +1,67 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2019 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.Scopes do
+  @moduledoc """
+  Functions for dealing with scopes.
+  """
+
+  @doc """
+  Fetch scopes from requiest params.
+
+  Note: `scopes` is used by Mastodon — supporting it but sticking to
+  OAuth's standard `scope` wherever we control it
+  """
+  @spec fetch_scopes(map(), list()) :: list()
+  def fetch_scopes(params, default) do
+    parse_scopes(params["scope"] || params["scopes"], default)
+  end
+
+  def parse_scopes(scopes, _default) when is_list(scopes) do
+    Enum.filter(scopes, &(&1 not in [nil, ""]))
+  end
+
+  def parse_scopes(scopes, default) when is_binary(scopes) do
+    scopes
+    |> to_list
+    |> parse_scopes(default)
+  end
+
+  def parse_scopes(_, default) do
+    default
+  end
+
+  @doc """
+  Convert scopes string to list
+  """
+  @spec to_list(binary()) :: [binary()]
+  def to_list(nil), do: []
+
+  def to_list(str) do
+    str
+    |> String.trim()
+    |> String.split(~r/[\s,]+/)
+  end
+
+  @doc """
+  Convert scopes list to string
+  """
+  @spec to_string(list()) :: binary()
+  def to_string(scopes), do: Enum.join(scopes, " ")
+
+  @doc """
+  Validates scopes.
+  """
+  @spec validates(list() | nil, list()) ::
+          {:ok, list()} | {:error, :missing_scopes | :unsupported_scopes}
+  def validates([], _app_scopes), do: {:error, :missing_scopes}
+  def validates(nil, _app_scopes), do: {:error, :missing_scopes}
+
+  def validates(scopes, app_scopes) do
+    case scopes -- app_scopes do
+      [] -> {:ok, scopes}
+      _ -> {:error, :unsupported_scopes}
+    end
+  end
+end
--- a/lib/pleroma/web/oauth/token.ex
+++ b/lib/pleroma/web/oauth/token.ex
@ -5,72 +5,122 @@
 defmodule Pleroma.Web.OAuth.Token do
  use Ecto.Schema

-  import Ecto.Query
+  import Ecto.Changeset

  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web.OAuth.App
  alias Pleroma.Web.OAuth.Authorization
  alias Pleroma.Web.OAuth.Token
+  alias Pleroma.Web.OAuth.Token.Query
+
+  @expires_in Pleroma.Config.get([:oauth2, :token_expires_in], 600)
+  @type t :: %__MODULE__{}

  schema "oauth_tokens" do
    field(:token, :string)
    field(:refresh_token, :string)
    field(:scopes, {:array, :string}, default: [])
    field(:valid_until, :naive_datetime_usec)
-    belongs_to(:user, Pleroma.User, type: Pleroma.FlakeId)
+    belongs_to(:user, User, type: Pleroma.FlakeId)
    belongs_to(:app, App)

    timestamps()
  end

+  @doc "Gets token for app by access token"
+  @spec get_by_token(App.t(), String.t()) :: {:ok, t()} | {:error, :not_found}
+  def get_by_token(%App{id: app_id} = _app, token) do
+    Query.get_by_app(app_id)
+    |> Query.get_by_token(token)
+    |> Repo.find_resource()
+  end
+
+  @doc "Gets token for app by refresh token"
+  @spec get_by_refresh_token(App.t(), String.t()) :: {:ok, t()} | {:error, :not_found}
+  def get_by_refresh_token(%App{id: app_id} = _app, token) do
+    Query.get_by_app(app_id)
+    |> Query.get_by_refresh_token(token)
+    |> Query.preload([:user])
+    |> Repo.find_resource()
+  end
+
+  @spec exchange_token(App.t(), Authorization.t()) ::
+          {:ok, Token.t()} | {:error, Changeset.t()}
  def exchange_token(app, auth) do
    with {:ok, auth} <- Authorization.use_token(auth),
         true <- auth.app_id == app.id do
-      create_token(app, User.get_cached_by_id(auth.user_id), auth.scopes)
+      user = if auth.user_id, do: User.get_cached_by_id(auth.user_id), else: %User{}
+
+      create_token(
+        app,
+        user,
+        %{scopes: auth.scopes}
+      )
    end
  end

-  def create_token(%App{} = app, %User{} = user, scopes \\ nil) do
-    scopes = scopes || app.scopes
-    token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
-    refresh_token = :crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)
+  defp put_token(changeset) do
+    changeset
+    |> change(%{token: Token.Utils.generate_token()})
+    |> validate_required([:token])
+    |> unique_constraint(:token)
+  end

-    token = %Token{
-      token: token,
-      refresh_token: refresh_token,
-      scopes: scopes,
-      user_id: user.id,
-      app_id: app.id,
-      valid_until: NaiveDateTime.add(NaiveDateTime.utc_now(), 60 * 10)
-    }
+  defp put_refresh_token(changeset, attrs) do
+    refresh_token = Map.get(attrs, :refresh_token, Token.Utils.generate_token())

-    Repo.insert(token)
+    changeset
+    |> change(%{refresh_token: refresh_token})
+    |> validate_required([:refresh_token])
+    |> unique_constraint(:refresh_token)
+  end
+
+  defp put_valid_until(changeset, attrs) do
+    expires_in =
+      Map.get(attrs, :valid_until, NaiveDateTime.add(NaiveDateTime.utc_now(), @expires_in))
+
+    changeset
+    |> change(%{valid_until: expires_in})
+    |> validate_required([:valid_until])
+  end
+
+  @spec create_token(App.t(), User.t(), map()) :: {:ok, Token} | {:error, Changeset.t()}
+  def create_token(%App{} = app, %User{} = user, attrs \\ %{}) do
+    %__MODULE__{user_id: user.id, app_id: app.id}
+    |> cast(%{scopes: attrs[:scopes] || app.scopes}, [:scopes])
+    |> validate_required([:scopes, :app_id])
+    |> put_valid_until(attrs)
+    |> put_token()
+    |> put_refresh_token(attrs)
+    |> Repo.insert()
  end

  def delete_user_tokens(%User{id: user_id}) do
-    from(
-      t in Token,
-      where: t.user_id == ^user_id
-    )
+    Query.get_by_user(user_id)
    |> Repo.delete_all()
  end

  def delete_user_token(%User{id: user_id}, token_id) do
-    from(
-      t in Token,
-      where: t.user_id == ^user_id,
-      where: t.id == ^token_id
-    )
+    Query.get_by_user(user_id)
+    |> Query.get_by_id(token_id)
+    |> Repo.delete_all()
+  end
+
+  def delete_expired_tokens do
+    Query.get_expired_tokens()
    |> Repo.delete_all()
  end

  def get_user_tokens(%User{id: user_id}) do
-    from(
-      t in Token,
-      where: t.user_id == ^user_id
-    )
+    Query.get_by_user(user_id)
+    |> Query.preload([:app])
    |> Repo.all()
-    |> Repo.preload(:app)
  end
+
+  def is_expired?(%__MODULE__{valid_until: valid_until}) do
+    NaiveDateTime.diff(NaiveDateTime.utc_now(), valid_until) > 0
+  end
+
+  def is_expired?(_), do: false
 end
--- a/lib/pleroma/web/oauth/token/clean_worker.ex
+++ b/lib/pleroma/web/oauth/token/clean_worker.ex
@ -0,0 +1,41 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.Token.CleanWorker do
+  @moduledoc """
+  The module represents functions to clean an expired oauth tokens.
+  """
+
+  # 10 seconds
+  @start_interval 10_000
+  @interval Pleroma.Config.get(
+              # 24 hours
+              [:oauth2, :clean_expired_tokens_interval],
+              86_400_000
+            )
+  @queue :background
+
+  alias Pleroma.Web.OAuth.Token
+
+  def start_link, do: GenServer.start_link(__MODULE__, nil)
+
+  def init(_) do
+    if Pleroma.Config.get([:oauth2, :clean_expired_tokens], false) do
+      Process.send_after(self(), :perform, @start_interval)
+      {:ok, nil}
+    else
+      :ignore
+    end
+  end
+
+  @doc false
+  def handle_info(:perform, state) do
+    Process.send_after(self(), :perform, @interval)
+    PleromaJobQueue.enqueue(@queue, __MODULE__, [:clean])
+    {:noreply, state}
+  end
+
+  # Job Worker Callbacks
+  def perform(:clean), do: Token.delete_expired_tokens()
+end
--- a/lib/pleroma/web/oauth/token/query.ex
+++ b/lib/pleroma/web/oauth/token/query.ex
@ -0,0 +1,55 @@
+# Pleroma: A lightweight social networking server
+# Copyright © 2017-2018 Pleroma Authors <https://pleroma.social/>
+# SPDX-License-Identifier: AGPL-3.0-only
+
+defmodule Pleroma.Web.OAuth.Token.Query do
+  @moduledoc """
+  Contains queries for OAuth Token.
+  """
+
+  import Ecto.Query, only: [from: 2]
+
+  @type query :: Ecto.Queryable.t() | Token.t()
+
+  alias Pleroma.Web.OAuth.Token
+
+  @spec get_by_refresh_token(query, String.t()) :: query
+  def get_by_refresh_token(query \\ Token, refresh_token) do
+    from(q in query, where: q.refresh_token == ^refresh_token)
+  end
+
+  @spec get_by_token(query, String.t()) :: query
+  def get_by_token(query \\ Token, token) do
+    from(q in query, where: q.token == ^token)
+  end
+
+  @spec get_by_app(query, String.t()) :: query
+  def get_by_app(query \\ Token, app_id) do
+    from(q in query, where: q.app_id == ^app_id)
+  end
+
+  @spec get_by_id(query, String.t()) :: query
+  def get_by_id(query \\ Token, id) do
+    from(q in query, where: q.id == ^id)
+  end
+
+  @spec get_expired_tokens(query, DateTime.t() | nil) :: query
+  def get_expired_tokens(query \\ Token, date \\ nil) do
+    expired_date = date || Timex.now()
+    from(q in query, where: fragment("?", q.valid_until) < ^expired_date)
+  end
+
+  @spec get_by_user(query, String.t()) :: query
+  def get_by_user(query \\ Token, user_id) do
+    from(q in query, where: q.user_id == ^user_id)
+  end
+
+  @spec preload(query, any) :: query
+  def preload(query \\ Token, assoc_preload \\ [])
+
+  def preload(query, assoc_preload) when is_list(assoc_preload) do
+    from(q in query, preload: ^assoc_preload)
+  end
+
+  def preload(query, _assoc_preload), do: query
+end
--- a/lib/pleroma/web/oauth/token/response.ex
+++ b/lib/pleroma/web/oauth/token/response.ex
@ -0,0 +1,32 @@
+defmodule Pleroma.Web.OAuth.Token.Response do
+  @moduledoc false
+
+  alias Pleroma.User
+  alias Pleroma.Web.OAuth.Token.Utils
+
+  @expires_in Pleroma.Config.get([:oauth2, :token_expires_in], 600)
+
+  @doc false
+  def build(%User{} = user, token, opts \\ %{}) do
+    %{
+      token_type: "Bearer",
+      access_token: token.token,
+      refresh_token: token.refresh_token,
+      expires_in: @expires_in,
+      scope: Enum.join(token.scopes, " "),
+      me: user.ap_id
+    }
+    |> Map.merge(opts)
+  end
+
+  def build_for_client_credentials(token) do
+    %{
+      token_type: "Bearer",
+      access_token: token.token,
+      refresh_token: token.refresh_token,
+      created_at: Utils.format_created_at(token),
+      expires_in: @expires_in,
+      scope: Enum.join(token.scopes, " ")
+    }
+  end
+end
--- a/lib/pleroma/web/oauth/token/strategy/refresh_token.ex
+++ b/lib/pleroma/web/oauth/token/strategy/refresh_token.ex
@ -0,0 +1,54 @@
+defmodule Pleroma.Web.OAuth.Token.Strategy.RefreshToken do
+  @moduledoc """
+  Functions for dealing with refresh token strategy.
+  """
+
+  alias Pleroma.Config
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.Token
+  alias Pleroma.Web.OAuth.Token.Strategy.Revoke
+
+  @doc """
+  Will grant access token by refresh token.
+  """
+  @spec grant(Token.t()) :: {:ok, Token.t()} | {:error, any()}
+  def grant(token) do
+    access_token = Repo.preload(token, [:user, :app])
+
+    result =
+      Repo.transaction(fn ->
+        token_params = %{
+          app: access_token.app,
+          user: access_token.user,
+          scopes: access_token.scopes
+        }
+
+        access_token
+        |> revoke_access_token()
+        |> create_access_token(token_params)
+      end)
+
+    case result do
+      {:ok, {:error, reason}} -> {:error, reason}
+      {:ok, {:ok, token}} -> {:ok, token}
+      {:error, reason} -> {:error, reason}
+    end
+  end
+
+  defp revoke_access_token(token) do
+    Revoke.revoke(token)
+  end
+
+  defp create_access_token({:error, error}, _), do: {:error, error}
+
+  defp create_access_token({:ok, token}, %{app: app, user: user} = token_params) do
+    Token.create_token(app, user, add_refresh_token(token_params, token.refresh_token))
+  end
+
+  defp add_refresh_token(params, token) do
+    case Config.get([:oauth2, :issue_new_refresh_token], false) do
+      true -> Map.put(params, :refresh_token, token)
+      false -> params
+    end
+  end
+end
--- a/lib/pleroma/web/oauth/token/strategy/revoke.ex
+++ b/lib/pleroma/web/oauth/token/strategy/revoke.ex
@ -0,0 +1,22 @@
+defmodule Pleroma.Web.OAuth.Token.Strategy.Revoke do
+  @moduledoc """
+  Functions for dealing with revocation.
+  """
+
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.App
+  alias Pleroma.Web.OAuth.Token
+
+  @doc "Finds and revokes access token for app and by token"
+  @spec revoke(App.t(), map()) :: {:ok, Token.t()} | {:error, :not_found | Ecto.Changeset.t()}
+  def revoke(%App{} = app, %{"token" => token} = _attrs) do
+    with {:ok, token} <- Token.get_by_token(app, token),
+         do: revoke(token)
+  end
+
+  @doc "Revokes access token"
+  @spec revoke(Token.t()) :: {:ok, Token.t()} | {:error, Ecto.Changeset.t()}
+  def revoke(%Token{} = token) do
+    Repo.delete(token)
+  end
+end
--- a/lib/pleroma/web/oauth/token/utils.ex
+++ b/lib/pleroma/web/oauth/token/utils.ex
@ -0,0 +1,68 @@
+defmodule Pleroma.Web.OAuth.Token.Utils do
+  @moduledoc """
+  Auxiliary functions for dealing with tokens.
+  """
+
+  alias Pleroma.Repo
+  alias Pleroma.Web.OAuth.App
+
+  @doc "Fetch app by client credentials from request"
+  @spec fetch_app(Plug.Conn.t()) :: {:ok, App.t()} | {:error, :not_found}
+  def fetch_app(conn) do
+    res =
+      conn
+      |> fetch_client_credentials()
+      |> fetch_client
+
+    case res do
+      %App{} = app -> {:ok, app}
+      _ -> {:error, :not_found}
+    end
+  end
+
+  defp fetch_client({id, secret}) when is_binary(id) and is_binary(secret) do
+    Repo.get_by(App, client_id: id, client_secret: secret)
+  end
+
+  defp fetch_client({_id, _secret}), do: nil
+
+  defp fetch_client_credentials(conn) do
+    # Per RFC 6749, HTTP Basic is preferred to body params
+    with ["Basic " <> encoded] <- Plug.Conn.get_req_header(conn, "authorization"),
+         {:ok, decoded} <- Base.decode64(encoded),
+         [id, secret] <-
+           Enum.map(
+             String.split(decoded, ":"),
+             fn s -> URI.decode_www_form(s) end
+           ) do
+      {id, secret}
+    else
+      _ -> {conn.params["client_id"], conn.params["client_secret"]}
+    end
+  end
+
+  @doc "convert token inserted_at to unix timestamp"
+  def format_created_at(%{inserted_at: inserted_at} = _token) do
+    inserted_at
+    |> DateTime.from_naive!("Etc/UTC")
+    |> DateTime.to_unix()
+  end
+
+  @doc false
+  @spec generate_token(keyword()) :: binary()
+  def generate_token(opts \\ []) do
+    opts
+    |> Keyword.get(:size, 32)
+    |> :crypto.strong_rand_bytes()
+    |> Base.url_encode64(padding: false)
+  end
+
+  # XXX - for whatever reason our token arrives urlencoded, but Plug.Conn should be
+  # decoding it.  Investigate sometime.
+  def fix_padding(token) do
+    token
+    |> URI.decode()
+    |> Base.url_decode64!(padding: false)
+    |> Base.url_encode64(padding: false)
+  end
+end
--- a/lib/pleroma/web/ostatus/activity_representer.ex
+++ b/lib/pleroma/web/ostatus/activity_representer.ex
@ -18,15 +18,18 @@ defmodule Pleroma.Web.OStatus.ActivityRepresenter do
    end
  end

-  defp get_in_reply_to(%{"object" => %{"inReplyTo" => in_reply_to}}) do
-    [
-      {:"thr:in-reply-to",
-       [ref: to_charlist(in_reply_to), href: to_charlist(get_href(in_reply_to))], []}
-    ]
+  defp get_in_reply_to(activity) do
+    with %Object{data: %{"inReplyTo" => in_reply_to}} <- Object.normalize(activity) do
+      [
+        {:"thr:in-reply-to",
+         [ref: to_charlist(in_reply_to), href: to_charlist(get_href(in_reply_to))], []}
+      ]
+    else
+      _ ->
+        []
+    end
  end

-  defp get_in_reply_to(_), do: []
-
  defp get_mentions(to) do
    Enum.map(to, fn id ->
      cond do
@ -98,7 +101,7 @@ defmodule Pleroma.Web.OStatus.ActivityRepresenter do
         []}
      end)

-    in_reply_to = get_in_reply_to(activity.data)
+    in_reply_to = get_in_reply_to(activity)
    author = if with_author, do: [{:author, UserRepresenter.to_simple_form(user)}], else: []
    mentions = activity.recipients |> get_mentions

@ -146,7 +149,6 @@ defmodule Pleroma.Web.OStatus.ActivityRepresenter do
    updated_at = activity.data["published"]
    inserted_at = activity.data["published"]

-    _in_reply_to = get_in_reply_to(activity.data)
    author = if with_author, do: [{:author, UserRepresenter.to_simple_form(user)}], else: []
    mentions = activity.recipients |> get_mentions

@ -177,7 +179,6 @@ defmodule Pleroma.Web.OStatus.ActivityRepresenter do
    updated_at = activity.data["published"]
    inserted_at = activity.data["published"]

-    _in_reply_to = get_in_reply_to(activity.data)
    author = if with_author, do: [{:author, UserRepresenter.to_simple_form(user)}], else: []

    retweeted_activity = Activity.get_create_by_object_ap_id(activity.data["object"])
--- a/lib/pleroma/web/ostatus/ostatus.ex
+++ b/lib/pleroma/web/ostatus/ostatus.ex
@ -3,19 +3,19 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.OStatus do
-  @httpoison Application.get_env(:pleroma, :httpoison)
-
  import Ecto.Query
  import Pleroma.Web.XML
  require Logger

  alias Pleroma.Activity
+  alias Pleroma.HTTP
  alias Pleroma.Object
  alias Pleroma.Repo
  alias Pleroma.User
  alias Pleroma.Web
  alias Pleroma.Web.ActivityPub.ActivityPub
  alias Pleroma.Web.ActivityPub.Transmogrifier
+  alias Pleroma.Web.ActivityPub.Visibility
  alias Pleroma.Web.OStatus.DeleteHandler
  alias Pleroma.Web.OStatus.FollowHandler
  alias Pleroma.Web.OStatus.NoteHandler
@ -30,7 +30,7 @@ defmodule Pleroma.Web.OStatus do
      is_nil(object) ->
        false

-      object.data["type"] == "Note" ->
+      Visibility.is_public?(activity) && object.data["type"] == "Note" ->
        true

      true ->
@ -362,7 +362,7 @@ defmodule Pleroma.Web.OStatus do
  def fetch_activity_from_atom_url(url) do
    with true <- String.starts_with?(url, "http"),
         {:ok, %{body: body, status: code}} when code in 200..299 <-
-           @httpoison.get(
+           HTTP.get(
             url,
             [{:Accept, "application/atom+xml"}]
           ) do
@ -379,7 +379,7 @@ defmodule Pleroma.Web.OStatus do
    Logger.debug("Trying to fetch #{url}")

    with true <- String.starts_with?(url, "http"),
-         {:ok, %{body: body}} <- @httpoison.get(url, []),
+         {:ok, %{body: body}} <- HTTP.get(url, []),
         {:ok, atom_url} <- get_atom_url(body) do
      fetch_activity_from_atom_url(atom_url)
    else
--- a/lib/pleroma/web/rich_media/helpers.ex
+++ b/lib/pleroma/web/rich_media/helpers.ex
@ -24,6 +24,7 @@ defmodule Pleroma.Web.RichMedia.Helpers do
  def fetch_data_for_activity(%Activity{data: %{"type" => "Create"}} = activity) do
    with true <- Pleroma.Config.get([:rich_media, :enabled]),
         %Object{} = object <- Object.normalize(activity),
+         false <- object.data["sensitive"] || false,
         {:ok, page_url} <- HTML.extract_first_external_url(object, object.data["content"]),
         :ok <- validate_page_url(page_url),
         {:ok, rich_media} <- Parser.parse(page_url) do
@ -34,4 +35,6 @@ defmodule Pleroma.Web.RichMedia.Helpers do
  end

  def fetch_data_for_activity(_), do: %{}
+
+  def perform(:fetch, %Activity{} = activity), do: fetch_data_for_activity(activity)
 end
--- a/lib/pleroma/web/rich_media/parser.ex
+++ b/lib/pleroma/web/rich_media/parser.ex
@ -37,7 +37,10 @@ defmodule Pleroma.Web.RichMedia.Parser do
    try do
      {:ok, %Tesla.Env{body: html}} = Pleroma.HTTP.get(url, [], adapter: @hackney_options)

-      html |> maybe_parse() |> clean_parsed_data() |> check_parsed_data()
+      html
+      |> maybe_parse()
+      |> clean_parsed_data()
+      |> check_parsed_data()
    rescue
      e ->
        {:error, "Parsing error: #{inspect(e)}"}
--- a/lib/pleroma/web/router.ex
+++ b/lib/pleroma/web/router.ex
@ -84,11 +84,13 @@ defmodule Pleroma.Web.Router do
    plug(Pleroma.Plugs.EnsureUserKeyPlug)
  end

-  pipeline :oauth_read_or_unauthenticated do
+  pipeline :oauth_read_or_public do
    plug(Pleroma.Plugs.OAuthScopesPlug, %{
      scopes: ["read"],
      fallback: :proceed_unauthenticated
    })
+
+    plug(Pleroma.Plugs.EnsurePublicOrAuthenticatedPlug)
  end

  pipeline :oauth_read do
@ -146,34 +148,60 @@ defmodule Pleroma.Web.Router do
  scope "/api/pleroma/admin", Pleroma.Web.AdminAPI do
    pipe_through([:admin_api, :oauth_write])

-    post("/user/follow", AdminAPIController, :user_follow)
-    post("/user/unfollow", AdminAPIController, :user_unfollow)
-
-    get("/users", AdminAPIController, :list_users)
-    get("/users/:nickname", AdminAPIController, :user_show)
+    post("/users/follow", AdminAPIController, :user_follow)
+    post("/users/unfollow", AdminAPIController, :user_unfollow)

+    # TODO: to be removed at version 1.0
    delete("/user", AdminAPIController, :user_delete)
-    patch("/users/:nickname/toggle_activation", AdminAPIController, :user_toggle_activation)
    post("/user", AdminAPIController, :user_create)
+
+    delete("/users", AdminAPIController, :user_delete)
+    post("/users", AdminAPIController, :user_create)
+    patch("/users/:nickname/toggle_activation", AdminAPIController, :user_toggle_activation)
    put("/users/tag", AdminAPIController, :tag_users)
    delete("/users/tag", AdminAPIController, :untag_users)

+    # TODO: to be removed at version 1.0
    get("/permission_group/:nickname", AdminAPIController, :right_get)
    get("/permission_group/:nickname/:permission_group", AdminAPIController, :right_get)
    post("/permission_group/:nickname/:permission_group", AdminAPIController, :right_add)
    delete("/permission_group/:nickname/:permission_group", AdminAPIController, :right_delete)

-    put("/activation_status/:nickname", AdminAPIController, :set_activation_status)
+    get("/users/:nickname/permission_group", AdminAPIController, :right_get)
+    get("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_get)
+    post("/users/:nickname/permission_group/:permission_group", AdminAPIController, :right_add)
+
+    delete(
+      "/users/:nickname/permission_group/:permission_group",
+      AdminAPIController,
+      :right_delete
+    )
+
+    put("/users/:nickname/activation_status", AdminAPIController, :set_activation_status)

    post("/relay", AdminAPIController, :relay_follow)
    delete("/relay", AdminAPIController, :relay_unfollow)

-    get("/invite_token", AdminAPIController, :get_invite_token)
-    get("/invites", AdminAPIController, :invites)
-    post("/revoke_invite", AdminAPIController, :revoke_invite)
-    post("/email_invite", AdminAPIController, :email_invite)
+    get("/users/invite_token", AdminAPIController, :get_invite_token)
+    get("/users/invites", AdminAPIController, :invites)
+    post("/users/revoke_invite", AdminAPIController, :revoke_invite)
+    post("/users/email_invite", AdminAPIController, :email_invite)

+    # TODO: to be removed at version 1.0
    get("/password_reset", AdminAPIController, :get_password_reset)
+
+    get("/users/:nickname/password_reset", AdminAPIController, :get_password_reset)
+
+    get("/users", AdminAPIController, :list_users)
+    get("/users/:nickname", AdminAPIController, :user_show)
+
+    get("/reports", AdminAPIController, :list_reports)
+    get("/reports/:id", AdminAPIController, :report_show)
+    put("/reports/:id", AdminAPIController, :report_update_state)
+    post("/reports/:id/respond", AdminAPIController, :report_respond)
+
+    put("/statuses/:id", AdminAPIController, :status_update)
+    delete("/statuses/:id", AdminAPIController, :status_delete)
  end

  scope "/", Pleroma.Web.TwitterAPI do
@ -197,6 +225,7 @@ defmodule Pleroma.Web.Router do
      post("/change_password", UtilController, :change_password)
      post("/delete_account", UtilController, :delete_account)
      put("/notification_settings", UtilController, :update_notificaton_settings)
+      post("/disable_account", UtilController, :disable_account)
    end

    scope [] do
@ -276,9 +305,10 @@ defmodule Pleroma.Web.Router do

      get("/suggestions", MastodonAPIController, :suggestions)

-      get("/endorsements", MastodonAPIController, :empty_array)
+      get("/conversations", MastodonAPIController, :conversations)
+      post("/conversations/:id/read", MastodonAPIController, :conversation_read)

-      get("/pleroma/flavour", MastodonAPIController, :get_flavour)
+      get("/endorsements", MastodonAPIController, :empty_array)
    end

    scope [] do
@ -303,6 +333,8 @@ defmodule Pleroma.Web.Router do
      put("/scheduled_statuses/:id", MastodonAPIController, :update_scheduled_status)
      delete("/scheduled_statuses/:id", MastodonAPIController, :delete_scheduled_status)

+      post("/polls/:id/votes", MastodonAPIController, :poll_vote)
+
      post("/media", MastodonAPIController, :upload)
      put("/media/:id", MastodonAPIController, :update_media)

@ -318,7 +350,8 @@ defmodule Pleroma.Web.Router do
      put("/filters/:id", MastodonAPIController, :update_filter)
      delete("/filters/:id", MastodonAPIController, :delete_filter)

-      post("/pleroma/flavour/:flavour", MastodonAPIController, :set_flavour)
+      get("/pleroma/mascot", MastodonAPIController, :get_mascot)
+      put("/pleroma/mascot", MastodonAPIController, :set_mascot)

      post("/reports", MastodonAPIController, :reports)
    end
@ -364,6 +397,8 @@ defmodule Pleroma.Web.Router do
  scope "/api/v1", Pleroma.Web.MastodonAPI do
    pipe_through(:api)

+    post("/accounts", MastodonAPIController, :account_register)
+
    get("/instance", MastodonAPIController, :masto_instance)
    get("/instance/peers", MastodonAPIController, :peers)
    post("/apps", MastodonAPIController, :create_app)
@ -380,7 +415,7 @@ defmodule Pleroma.Web.Router do
    get("/accounts/search", MastodonAPIController, :account_search)

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)

      get("/timelines/public", MastodonAPIController, :public_timeline)
      get("/timelines/tag/:tag", MastodonAPIController, :hashtag_timeline)
@ -389,6 +424,8 @@ defmodule Pleroma.Web.Router do
      get("/statuses/:id", MastodonAPIController, :get_status)
      get("/statuses/:id/context", MastodonAPIController, :get_context)

+      get("/polls/:id", MastodonAPIController, :get_poll)
+
      get("/accounts/:id/statuses", MastodonAPIController, :user_statuses)
      get("/accounts/:id/followers", MastodonAPIController, :followers)
      get("/accounts/:id/following", MastodonAPIController, :following)
@ -401,7 +438,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api/v2", Pleroma.Web.MastodonAPI do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
    get("/search", MastodonAPIController, :search2)
  end

@ -431,7 +468,7 @@ defmodule Pleroma.Web.Router do
    )

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)

      get("/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
      get("/qvitter/statuses/user_timeline", TwitterAPI.Controller, :user_timeline)
@ -449,7 +486,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api", Pleroma.Web do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])

    get("/statuses/public_timeline", TwitterAPI.Controller, :public_timeline)

@ -463,7 +500,7 @@ defmodule Pleroma.Web.Router do
  end

  scope "/api", Pleroma.Web, as: :twitter_api_search do
-    pipe_through([:api, :oauth_read_or_unauthenticated])
+    pipe_through([:api, :oauth_read_or_public])
    get("/pleroma/search_user", TwitterAPI.Controller, :search_user)
  end

@ -647,7 +684,7 @@ defmodule Pleroma.Web.Router do
    delete("/auth/sign_out", MastodonAPIController, :logout)

    scope [] do
-      pipe_through(:oauth_read_or_unauthenticated)
+      pipe_through(:oauth_read_or_public)
      get("/web/*path", MastodonAPIController, :index)
    end
  end
@ -670,9 +707,15 @@ defmodule Pleroma.Web.Router do
    end
  end

+  scope "/", Pleroma.Web.MongooseIM do
+    get("/user_exists", MongooseIMController, :user_exists)
+    get("/check_password", MongooseIMController, :check_password)
+  end
+
  scope "/", Fallback do
    get("/registration/:token", RedirectController, :registration_page)
    get("/:maybe_nickname_or_id", RedirectController, :redirector_with_meta)
+    get("/api*path", RedirectController, :api_not_implemented)
    get("/*path", RedirectController, :redirector)

    options("/*path", RedirectController, :empty)
@ -684,6 +727,12 @@ defmodule Fallback.RedirectController do
  alias Pleroma.User
  alias Pleroma.Web.Metadata

+  def api_not_implemented(conn, _params) do
+    conn
+    |> put_status(404)
+    |> json(%{error: "Not implemented"})
+  end
+
  def redirector(conn, _params, code \\ 200) do
    conn
    |> put_resp_content_type("text/html")
--- a/lib/pleroma/web/salmon/salmon.ex
+++ b/lib/pleroma/web/salmon/salmon.ex
@ -3,12 +3,18 @@
 # SPDX-License-Identifier: AGPL-3.0-only

 defmodule Pleroma.Web.Salmon do
-  @httpoison Application.get_env(:pleroma, :httpoison)
+  @behaviour Pleroma.Web.Federator.Publisher

  use Bitwise

+  alias Pleroma.Activity
+  alias Pleroma.HTTP
  alias Pleroma.Instances
+  alias Pleroma.Keys
  alias Pleroma.User
+  alias Pleroma.Web.ActivityPub.Visibility
+  alias Pleroma.Web.Federator.Publisher
+  alias Pleroma.Web.OStatus
  alias Pleroma.Web.OStatus.ActivityRepresenter
  alias Pleroma.Web.XML

@ -83,45 +89,6 @@ defmodule Pleroma.Web.Salmon do
    "RSA.#{modulus_enc}.#{exponent_enc}"
  end

-  # Native generation of RSA keys is only available since OTP 20+ and in default build conditions
-  # We try at compile time to generate natively an RSA key otherwise we fallback on the old way.
-  try do
-    _ = :public_key.generate_key({:rsa, 2048, 65_537})
-
-    def generate_rsa_pem do
-      key = :public_key.generate_key({:rsa, 2048, 65_537})
-      entry = :public_key.pem_entry_encode(:RSAPrivateKey, key)
-      pem = :public_key.pem_encode([entry]) |> String.trim_trailing()
-      {:ok, pem}
-    end
-  rescue
-    _ ->
-      def generate_rsa_pem do
-        port = Port.open({:spawn, "openssl genrsa"}, [:binary])
-
-        {:ok, pem} =
-          receive do
-            {^port, {:data, pem}} -> {:ok, pem}
-          end
-
-        Port.close(port)
-
-        if Regex.match?(~r/RSA PRIVATE KEY/, pem) do
-          {:ok, pem}
-        else
-          :error
-        end
-      end
-  end
-
-  def keys_from_pem(pem) do
-    [private_key_code] = :public_key.pem_decode(pem)
-    private_key = :public_key.pem_entry_decode(private_key_code)
-    {:RSAPrivateKey, _, modulus, exponent, _, _, _, _, _, _, _} = private_key
-    public_key = {:RSAPublicKey, modulus, exponent}
-    {:ok, private_key, public_key}
-  end
-
  def encode(private_key, doc) do
    type = "application/atom+xml"
    encoding = "base64url"
@ -165,12 +132,12 @@ defmodule Pleroma.Web.Salmon do
  end

  @doc "Pushes an activity to remote account."
-  def send_to_user(%{recipient: %{info: %{salmon: salmon}}} = params),
-    do: send_to_user(Map.put(params, :recipient, salmon))
+  def publish_one(%{recipient: %{info: %{salmon: salmon}}} = params),
+    do: publish_one(Map.put(params, :recipient, salmon))

-  def send_to_user(%{recipient: url, feed: feed, poster: poster} = params) when is_binary(url) do
+  def publish_one(%{recipient: url, feed: feed} = params) when is_binary(url) do
    with {:ok, %{status: code}} when code in 200..299 <-
-           poster.(
+           HTTP.post(
             url,
             feed,
             [{"Content-Type", "application/magic-envelope+xml"}]
@ -184,11 +151,11 @@ defmodule Pleroma.Web.Salmon do
      e ->
        unless params[:unreachable_since], do: Instances.set_reachable(url)
        Logger.debug(fn -> "Pushing Salmon to #{url} failed, #{inspect(e)}" end)
-        :error
+        {:error, "Unreachable instance"}
    end
  end

-  def send_to_user(_), do: :noop
+  def publish_one(_), do: :noop

  @supported_activities [
    "Create",
@ -199,13 +166,19 @@ defmodule Pleroma.Web.Salmon do
    "Delete"
  ]

+  def is_representable?(%Activity{data: %{"type" => type}} = activity)
+      when type in @supported_activities,
+      do: Visibility.is_public?(activity)
+
+  def is_representable?(_), do: false
+
  @doc """
  Publishes an activity to remote accounts
  """
-  @spec publish(User.t(), Pleroma.Activity.t(), Pleroma.HTTP.t()) :: none
-  def publish(user, activity, poster \\ &@httpoison.post/3)
+  @spec publish(User.t(), Pleroma.Activity.t()) :: none
+  def publish(user, activity)

-  def publish(%{info: %{keys: keys}} = user, %{data: %{"type" => type}} = activity, poster)
+  def publish(%{info: %{keys: keys}} = user, %{data: %{"type" => type}} = activity)
      when type in @supported_activities do
    feed = ActivityRepresenter.to_simple_form(activity, user, true)

@ -215,7 +188,7 @@ defmodule Pleroma.Web.Salmon do
        |> :xmerl.export_simple(:xmerl_xml)
        |> to_string

-      {:ok, private, _} = keys_from_pem(keys)
+      {:ok, private, _} = Keys.keys_from_pem(keys)
      {:ok, feed} = encode(private, feed)

      remote_users = remote_users(activity)
@ -229,15 +202,29 @@ defmodule Pleroma.Web.Salmon do
      |> Enum.each(fn remote_user ->
        Logger.debug(fn -> "Sending Salmon to #{remote_user.ap_id}" end)

-        Pleroma.Web.Federator.publish_single_salmon(%{
+        Publisher.enqueue_one(__MODULE__, %{
          recipient: remote_user,
          feed: feed,
-          poster: poster,
          unreachable_since: reachable_urls_metadata[remote_user.info.salmon]
        })
      end)
    end
  end

-  def publish(%{id: id}, _, _), do: Logger.debug(fn -> "Keys missing for user #{id}" end)
+  def publish(%{id: id}, _), do: Logger.debug(fn -> "Keys missing for user #{id}" end)
+
+  def gather_webfinger_links(%User{} = user) do
+    {:ok, _private, public} = Keys.keys_from_pem(user.info.keys)
+    magic_key = encode_key(public)
+
+    [
+      %{"rel" => "salmon", "href" => OStatus.salmon_path(user)},
+      %{
+        "rel" => "magic-public-key",
+        "href" => "data:application/magic-public-key,#{magic_key}"
+      }
+    ]
+  end
+
+  def gather_nodeinfo_protocol_names, do: []
 end
--- a/lib/pleroma/web/streamer.ex
+++ b/lib/pleroma/web/streamer.ex
@ -6,6 +6,7 @@ defmodule Pleroma.Web.Streamer do
  use GenServer
  require Logger
  alias Pleroma.Activity
+  alias Pleroma.Conversation.Participation
  alias Pleroma.Notification
  alias Pleroma.Object
  alias Pleroma.User
@ -71,6 +72,15 @@ defmodule Pleroma.Web.Streamer do
    {:noreply, topics}
  end

+  def handle_cast(%{action: :stream, topic: "participation", item: participation}, topics) do
+    user_topic = "direct:#{participation.user_id}"
+    Logger.debug("Trying to push a conversation participation to #{user_topic}\n\n")
+
+    push_to_socket(topics, user_topic, participation)
+
+    {:noreply, topics}
+  end
+
  def handle_cast(%{action: :stream, topic: "list", item: item}, topics) do
    # filter the recipient list if the activity is not public, see #270.
    recipient_lists =
@ -192,6 +202,19 @@ defmodule Pleroma.Web.Streamer do
    |> Jason.encode!()
  end

+  def represent_conversation(%Participation{} = participation) do
+    %{
+      event: "conversation",
+      payload:
+        Pleroma.Web.MastodonAPI.ConversationView.render("participation.json", %{
+          participation: participation,
+          user: participation.user
+        })
+        |> Jason.encode!()
+    }
+    |> Jason.encode!()
+  end
+
  def push_to_socket(topics, topic, %Activity{data: %{"type" => "Announce"}} = item) do
    Enum.each(topics[topic] || [], fn socket ->
      # Get the current user so we have up-to-date blocks etc.
@ -214,6 +237,12 @@ defmodule Pleroma.Web.Streamer do
    end)
  end

+  def push_to_socket(topics, topic, %Participation{} = participation) do
+    Enum.each(topics[topic] || [], fn socket ->
+      send(socket.transport_pid, {:text, represent_conversation(participation)})
+    end)
+  end
+
  def push_to_socket(topics, topic, %Activity{
        data: %{"type" => "Delete", "deleted_activity_id" => deleted_activity_id}
      }) do
--- a/Show more
+++ b/Show more