From ee4fe2f4adf635284080f91118d87675ad843b42 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Fri, 16 Aug 2019 14:27:24 -0700
Subject: [PATCH 001/127] add basic text file imports

this adds basic support for importing files as blog posts.

.txt and .md are supported at this time and the
collection is selectable, defaulting to draft.

if a collection is specified the post is federated.
---
 account.go                         |  13 +--
 account_import.go                  | 134 +++++++++++++++++++++++++++++
 go.mod                             |   4 +-
 go.sum                             |  12 +++
 routes.go                          |   9 +-
 templates/user/import.tmpl         |  33 +++++++
 templates/user/include/header.tmpl |   2 +
 7 files changed, 197 insertions(+), 10 deletions(-)
 create mode 100644 account_import.go
 create mode 100644 templates/user/import.tmpl

diff --git a/account.go b/account.go
index 1cf259b..9db9b1f 100644
--- a/account.go
+++ b/account.go
@@ -13,6 +13,13 @@ package writefreely
 import (
 	"encoding/json"
 	"fmt"
+	"html/template"
+	"net/http"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/guregu/null/zero"
@@ -22,12 +29,6 @@ import (
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/author"
 	"github.com/writeas/writefreely/page"
-	"html/template"
-	"net/http"
-	"regexp"
-	"strings"
-	"sync"
-	"time"
 )
 
 type (
diff --git a/account_import.go b/account_import.go
new file mode 100644
index 0000000..c8fe8a2
--- /dev/null
+++ b/account_import.go
@@ -0,0 +1,134 @@
+package writefreely
+
+import (
+	"fmt"
+	"html/template"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/writeas/impart"
+	wfimport "github.com/writeas/import"
+	"github.com/writeas/web-core/log"
+)
+
+func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
+	// Fetch extra user data
+	p := NewUserPage(app, r, u, "Import", nil)
+
+	c, err := app.db.GetCollections(u)
+	if err != nil {
+		return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("unable to fetch collections: %v", err)}
+	}
+
+	d := struct {
+		*UserPage
+		Collections *[]Collection
+		Flashes     []template.HTML
+	}{
+		UserPage:    p,
+		Collections: c,
+		Flashes:     []template.HTML{},
+	}
+
+	flashes, _ := getSessionFlashes(app, w, r, nil)
+	for _, flash := range flashes {
+		d.Flashes = append(d.Flashes, template.HTML(flash))
+	}
+
+	showUserPage(w, "import", d)
+	return nil
+}
+
+func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
+	// limit 10MB per submission
+	r.ParseMultipartForm(10 << 20)
+	files := r.MultipartForm.File["files"]
+	var fileErrs []error
+	for _, formFile := range files {
+		// TODO: count uploaded files that succeed and report back with message
+		file, err := formFile.Open()
+		if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to open form file: %s", formFile.Filename))
+			log.Error("import textfile: open from form: %v", err)
+			continue
+		}
+		defer file.Close()
+
+		tempFile, err := ioutil.TempFile("", "post-upload-*.txt")
+		if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to create temporary file for: %s", formFile.Filename))
+			log.Error("import textfile: create temp file: %v", err)
+			continue
+		}
+		defer tempFile.Close()
+
+		_, err = io.Copy(tempFile, file)
+		if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to copy file into temporary location: %s", formFile.Filename))
+			log.Error("import textfile: copy to temp: %v", err)
+			continue
+		}
+
+		info, err := tempFile.Stat()
+		if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to get file info of: %s", formFile.Filename))
+			log.Error("import textfile: stat temp file: %v", err)
+			continue
+		}
+		post, err := wfimport.FromFile(filepath.Join(os.TempDir(), info.Name()))
+		if err == wfimport.ErrEmptyFile {
+			// not a real error so don't log
+			_ = addSessionFlash(app, w, r, fmt.Sprintf("%s was empty, import skipped", formFile.Filename), nil)
+			continue
+		} else if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to read copy of %s", formFile.Filename))
+			log.Error("import textfile: file to post: %v", err)
+			continue
+		}
+
+		post.Collection = r.PostFormValue("collection")
+		coll, _ := app.db.GetCollection(post.Collection)
+		if coll == nil {
+			coll = &Collection{
+				ID: 0,
+			}
+		}
+
+		submittedPost := SubmittedPost{
+			Title:   &post.Title,
+			Content: &post.Content,
+			Font:    "norm",
+		}
+		if coll.ID != 0 && app.cfg.App.Federation {
+			token, err := app.db.GetAccessToken(u.ID)
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to authenticate uploading: %s", formFile.Filename))
+				log.Error("import textfile: get accesstoken: %+v", err)
+				continue
+			}
+			ownedPost, err := app.db.CreateOwnedPost(&submittedPost, token, coll.Alias, app.cfg.App.Host)
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to create owned post for %s", formFile.Filename))
+				log.Error("import textfile: create owned post: %v", err)
+				continue
+			}
+			go federatePost(app, ownedPost, coll.ID, false)
+		} else {
+			_, err = app.db.CreatePost(u.ID, coll.ID, &submittedPost)
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to create post from %s", formFile.Filename))
+				log.Error("import textfile: create db post: %v", err)
+				continue
+			}
+		}
+	}
+	if len(fileErrs) != 0 {
+		_ = addSessionFlash(app, w, r, multierror.ListFormatFunc(fileErrs), nil)
+	}
+
+	return impart.HTTPError{http.StatusFound, "/me/import"}
+}
diff --git a/go.mod b/go.mod
index cc5fc57..8c62e9e 100644
--- a/go.mod
+++ b/go.mod
@@ -28,6 +28,7 @@ require (
 	github.com/gorilla/schema v1.0.2
 	github.com/gorilla/sessions v1.1.3
 	github.com/guregu/null v3.4.0+incompatible
+	github.com/hashicorp/go-multierror v1.0.0
 	github.com/ikeikeikeike/go-sitemap-generator v1.0.1
 	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2
 	github.com/imdario/mergo v0.3.7 // indirect
@@ -56,6 +57,7 @@ require (
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
 	github.com/writeas/impart v1.1.0
+	github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
 	github.com/writeas/openssl-go v1.0.0 // indirect
@@ -63,7 +65,7 @@ require (
 	github.com/writeas/slug v1.2.0
 	github.com/writeas/web-core v1.0.0
 	github.com/writefreely/go-nodeinfo v1.2.0
-	golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f // indirect
+	golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f
 	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
 	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 // indirect
 	golang.org/x/sys v0.0.0-20190209173611-3b5209105503 // indirect
diff --git a/go.sum b/go.sum
index 8898bec..30e4a9d 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+code.as/core/socks v1.0.0 h1:SPQXNp4SbEwjOAP9VzUahLHak8SDqy5n+9cm9tpjZOs=
+code.as/core/socks v1.0.0/go.mod h1:BAXBy5O9s2gmw6UxLqNJcVbWY7C/UPs+801CcSsfWOY=
 github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Unknwon/com v0.0.0-20181010210213-41959bdd855f h1:m1tYqjD/N0vF/S8s/ZKz/eccUr8RAAcrOK2MhXeTegA=
@@ -80,6 +82,10 @@ github.com/gorilla/sessions v1.1.3 h1:uXoZdcdA5XdXF3QzuSlheVRUvjl+1rKY7zBXL68L9R
 github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
 github.com/guregu/null v3.4.0+incompatible h1:a4mw37gBO7ypcBlTJeZGuMpSxxFTV9qFfFKgWxQSGaM=
 github.com/guregu/null v3.4.0+incompatible/go.mod h1:ePGpQaN9cw0tj45IR5E5ehMvsFlLlQZAkkOXZurJ3NM=
+github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
+github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/ikeikeikeike/go-sitemap-generator v1.0.1 h1:49Fn8gro/B12vCY8pf5/+/Jpr3kwB9TvP0MSymo69SY=
 github.com/ikeikeikeike/go-sitemap-generator v1.0.1/go.mod h1:QI+zWsz6yQyxkG9LWNcnu0f7aiAE5tPdsZOsICgmd1c=
 github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2 h1:wIdDEle9HEy7vBPjC6oKz6ejs3Ut+jmsYvuOoAW2pSM=
@@ -151,10 +157,16 @@ github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6Fk
 github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
+github.com/writeas/go-writeas v1.1.0 h1:WHGm6wriBkxYAOGbvriXH8DlMUGOi6jhSZLUZKQ+4mQ=
+github.com/writeas/go-writeas v1.1.0/go.mod h1:oh9U1rWaiE0p3kzdKwwvOpNXgp0P0IELI7OLOwV4fkA=
 github.com/writeas/httpsig v1.0.0 h1:peIAoIA3DmlP8IG8tMNZqI4YD1uEnWBmkcC9OFPjt3A=
 github.com/writeas/httpsig v1.0.0/go.mod h1:7ClMGSrSVXJbmiLa17bZ1LrG1oibGZmUMlh3402flPY=
 github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
 github.com/writeas/impart v1.1.0/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
+github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06 h1:S6oKKP8GhSoyZUvVuhO9UiQ9f+U1aR/x5B4MP7YQHaU=
+github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
+github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e h1:31PkvDTWkjzC1nGzWw9uAE92ZfcVyFX/K9L9ejQjnEs=
+github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219/go.mod h1:NyM35ayknT7lzO6O/1JpfgGyv+0W9Z9q7aE0J8bXxfQ=
 github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=
diff --git a/routes.go b/routes.go
index 724c532..022a7ea 100644
--- a/routes.go
+++ b/routes.go
@@ -11,13 +11,14 @@
 package writefreely
 
 import (
+	"net/http"
+	"path/filepath"
+	"strings"
+
 	"github.com/gorilla/mux"
 	"github.com/writeas/go-webfinger"
 	"github.com/writeas/web-core/log"
 	"github.com/writefreely/go-nodeinfo"
-	"net/http"
-	"path/filepath"
-	"strings"
 )
 
 // InitStaticRoutes adds routes for serving static files.
@@ -93,6 +94,8 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	me.HandleFunc("/posts/export.json", handler.Download(viewExportPosts, UserLevelUser)).Methods("GET")
 	me.HandleFunc("/export", handler.User(viewExportOptions)).Methods("GET")
 	me.HandleFunc("/export.json", handler.Download(viewExportFull, UserLevelUser)).Methods("GET")
+	me.HandleFunc("/import", handler.User(viewImport)).Methods("GET")
+	me.HandleFunc("/import", handler.User(handleImport)).Methods("POST")
 	me.HandleFunc("/settings", handler.User(viewSettings)).Methods("GET")
 	me.HandleFunc("/invites", handler.User(handleViewUserInvites)).Methods("GET")
 	me.HandleFunc("/logout", handler.Web(viewLogout, UserLevelNone)).Methods("GET")
diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
new file mode 100644
index 0000000..c258783
--- /dev/null
+++ b/templates/user/import.tmpl
@@ -0,0 +1,33 @@
+{{define "import"}}
+{{template "header" .}}
+
+<div class="snug content-container">
+	<h2 id="posts-header">Import</h2>
+	<p>Upload text or markdown files to import as posts.</p>
+	<div class="formContainer">
+		<form id="importPosts" class="import" enctype="multipart/form-data" action="/me/import" method="POST">
+			<label for="file" hidden>Browse files to upload</label>
+			<input class="fileInput" name="files" type="file" multiple accept=".txt,.md"/>
+			<br />
+			<label for="collection">Select a blog to import the posts under.</label>
+			<select name="collection">
+				{{range $i, $el := .Collections}}
+				<option value={{.Alias}}>
+					{{if .Title}}{{.Title}}{{else}}{{.Alias}}{{end}}
+				</option>
+				{{end}}
+				<option value="" selected>drafts</option>
+			</select>
+			<br />
+			<input type="submit" value="Import" />
+		</form>
+	</div>
+	{{if .Flashes}}
+	<ul class="errors">
+		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+	</ul>
+	{{end}}
+</div>
+
+{{template "footer" .}}
+{{end}}
\ No newline at end of file
diff --git a/templates/user/include/header.tmpl b/templates/user/include/header.tmpl
index 312d0b8..e8fd908 100644
--- a/templates/user/include/header.tmpl
+++ b/templates/user/include/header.tmpl
@@ -27,6 +27,7 @@
 						{{if .IsAdmin}}<li><a href="/admin">Admin</a></li>{{end}}
 						<li><a href="/me/settings">Settings</a></li>
 						<li><a href="/me/export">Export</a></li>
+						<li><a href="/me/import">Import</a></li>
 						<li class="separator"><hr /></li>
 						<li><a href="/me/logout">Log out</a></li>
 					</ul></li>
@@ -45,6 +46,7 @@
 						{{if .IsAdmin}}<li><a href="/admin">Admin dashboard</a></li>{{end}}
 						<li><a href="/me/settings">Account settings</a></li>
 						<li><a href="/me/export">Export</a></li>
+						<li><a href="/me/import">Import</a></li>
 						{{if .CanInvite}}<li><a href="/me/invites">Invite people</a></li>{{end}}
 						<li class="separator"><hr /></li>
 						<li><a href="/me/logout">Log out</a></li>

From 0ca198c715a81161d79ba65c23046424a5fbe601 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Sat, 17 Aug 2019 16:18:40 -0700
Subject: [PATCH 002/127] include nice alert message on success

different template action for partial or complete import success
---
 account_import.go          | 25 +++++++++++++++++++++++--
 templates/user/import.tmpl |  5 +++++
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/account_import.go b/account_import.go
index c8fe8a2..3fd434e 100644
--- a/account_import.go
+++ b/account_import.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"strings"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/writeas/impart"
@@ -28,6 +29,8 @@ func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error
 		*UserPage
 		Collections *[]Collection
 		Flashes     []template.HTML
+		Message     string
+		InfoMsg     bool
 	}{
 		UserPage:    p,
 		Collections: c,
@@ -36,7 +39,14 @@ func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error
 
 	flashes, _ := getSessionFlashes(app, w, r, nil)
 	for _, flash := range flashes {
-		d.Flashes = append(d.Flashes, template.HTML(flash))
+		if strings.HasPrefix(flash, "SUCCESS: ") {
+			d.Message = strings.TrimPrefix(flash, "SUCCESS: ")
+		} else if strings.HasPrefix(flash, "INFO: ") {
+			d.Message = strings.TrimPrefix(flash, "INFO: ")
+			d.InfoMsg = true
+		} else {
+			d.Flashes = append(d.Flashes, template.HTML(flash))
+		}
 	}
 
 	showUserPage(w, "import", d)
@@ -48,8 +58,9 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 	r.ParseMultipartForm(10 << 20)
 	files := r.MultipartForm.File["files"]
 	var fileErrs []error
+	filesSubmitted := len(files)
+	var filesImported int
 	for _, formFile := range files {
-		// TODO: count uploaded files that succeed and report back with message
 		file, err := formFile.Open()
 		if err != nil {
 			fileErrs = append(fileErrs, fmt.Errorf("failed to open form file: %s", formFile.Filename))
@@ -125,10 +136,20 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 				continue
 			}
 		}
+		filesImported++
 	}
 	if len(fileErrs) != 0 {
 		_ = addSessionFlash(app, w, r, multierror.ListFormatFunc(fileErrs), nil)
 	}
 
+	if filesImported == filesSubmitted {
+		verb := "posts"
+		if filesSubmitted == 1 {
+			verb = "post"
+		}
+		_ = addSessionFlash(app, w, r, fmt.Sprintf("SUCCESS: Import complete, %d %s imported.", filesImported, verb), nil)
+	} else if filesImported > 0 {
+		_ = addSessionFlash(app, w, r, fmt.Sprintf("INFO: %d of %d posts imported, see details below.", filesImported, filesSubmitted), nil)
+	}
 	return impart.HTTPError{http.StatusFound, "/me/import"}
 }
diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index c258783..3833095 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -2,6 +2,11 @@
 {{template "header" .}}
 
 <div class="snug content-container">
+	{{if .Message}}
+	<div class="alert {{if .InfoMsg}}info{{else}}success{{end}}">
+		<p>{{.Message}}</p>
+	</div>
+	{{end}}
 	<h2 id="posts-header">Import</h2>
 	<p>Upload text or markdown files to import as posts.</p>
 	<div class="formContainer">

From 6c5d89ac86d3c51746a0501a2135e92e4ba16631 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Mon, 19 Aug 2019 09:05:52 -0700
Subject: [PATCH 003/127] move import post handler under /api

handler for post request to import is now under /api/me/import
form target updated

also allow all plaintext files in form
---
 routes.go                  | 2 +-
 templates/user/import.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/routes.go b/routes.go
index 022a7ea..7dcdc65 100644
--- a/routes.go
+++ b/routes.go
@@ -95,7 +95,6 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	me.HandleFunc("/export", handler.User(viewExportOptions)).Methods("GET")
 	me.HandleFunc("/export.json", handler.Download(viewExportFull, UserLevelUser)).Methods("GET")
 	me.HandleFunc("/import", handler.User(viewImport)).Methods("GET")
-	me.HandleFunc("/import", handler.User(handleImport)).Methods("POST")
 	me.HandleFunc("/settings", handler.User(viewSettings)).Methods("GET")
 	me.HandleFunc("/invites", handler.User(handleViewUserInvites)).Methods("GET")
 	me.HandleFunc("/logout", handler.Web(viewLogout, UserLevelNone)).Methods("GET")
@@ -108,6 +107,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	apiMe.HandleFunc("/password", handler.All(updatePassphrase)).Methods("POST")
 	apiMe.HandleFunc("/self", handler.All(updateSettings)).Methods("POST")
 	apiMe.HandleFunc("/invites", handler.User(handleCreateUserInvite)).Methods("POST")
+	apiMe.HandleFunc("/import", handler.User(handleImport)).Methods("POST")
 
 	// Sign up validation
 	write.HandleFunc("/api/alias", handler.All(handleUsernameCheck)).Methods("POST")
diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index 3833095..002cf14 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -10,9 +10,9 @@
 	<h2 id="posts-header">Import</h2>
 	<p>Upload text or markdown files to import as posts.</p>
 	<div class="formContainer">
-		<form id="importPosts" class="import" enctype="multipart/form-data" action="/me/import" method="POST">
+		<form id="importPosts" class="import" enctype="multipart/form-data" action="/api/me/import" method="POST">
 			<label for="file" hidden>Browse files to upload</label>
-			<input class="fileInput" name="files" type="file" multiple accept=".txt,.md"/>
+			<input class="fileInput" name="files" type="file" multiple accept="text/plain"/>
 			<br />
 			<label for="collection">Select a blog to import the posts under.</label>
 			<select name="collection">

From 92f75a887187fc26c2d4a7544c3d74a4e3e71646 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Mon, 19 Aug 2019 09:06:56 -0700
Subject: [PATCH 004/127] avoid generating excess access tokens

this changes the import handler to use CreatePost instead of
CreateOwnedPost which required generation of non expiring access tokens
---
 account_import.go | 41 +++++++++++++++++++++--------------------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/account_import.go b/account_import.go
index 3fd434e..c9868ba 100644
--- a/account_import.go
+++ b/account_import.go
@@ -108,33 +108,34 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 				ID: 0,
 			}
 		}
+		coll.hostName = app.cfg.App.Host
 
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,
 			Content: &post.Content,
 			Font:    "norm",
 		}
+		rp, err := app.db.CreatePost(u.ID, coll.ID, &submittedPost)
+		if err != nil {
+			fileErrs = append(fileErrs, fmt.Errorf("failed to create post from %s", formFile.Filename))
+			log.Error("import textfile: create db post: %v", err)
+			continue
+		}
+
+		// create public post
+
 		if coll.ID != 0 && app.cfg.App.Federation {
-			token, err := app.db.GetAccessToken(u.ID)
-			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to authenticate uploading: %s", formFile.Filename))
-				log.Error("import textfile: get accesstoken: %+v", err)
-				continue
-			}
-			ownedPost, err := app.db.CreateOwnedPost(&submittedPost, token, coll.Alias, app.cfg.App.Host)
-			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to create owned post for %s", formFile.Filename))
-				log.Error("import textfile: create owned post: %v", err)
-				continue
-			}
-			go federatePost(app, ownedPost, coll.ID, false)
-		} else {
-			_, err = app.db.CreatePost(u.ID, coll.ID, &submittedPost)
-			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to create post from %s", formFile.Filename))
-				log.Error("import textfile: create db post: %v", err)
-				continue
-			}
+			go federatePost(
+				app,
+				&PublicPost{
+					Post: rp,
+					Collection: &CollectionObj{
+						Collection: *coll,
+					},
+				},
+				coll.ID,
+				false,
+			)
 		}
 		filesImported++
 	}

From 9dbf14c05e149b52d52d40e16e96b577460ae929 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Wed, 21 Aug 2019 10:07:30 -0700
Subject: [PATCH 005/127] include time in imported posts

---
 account_import.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/account_import.go b/account_import.go
index c9868ba..f28017c 100644
--- a/account_import.go
+++ b/account_import.go
@@ -9,6 +9,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/writeas/impart"
@@ -109,11 +110,12 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			}
 		}
 		coll.hostName = app.cfg.App.Host
-
+		created := info.ModTime().Truncate(time.Second).UTC().Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,
 			Content: &post.Content,
 			Font:    "norm",
+			Created: &created,
 		}
 		rp, err := app.db.CreatePost(u.ID, coll.ID, &submittedPost)
 		if err != nil {

From 4acd35f8cda4a780a96114a8983f2b9430a73d07 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Wed, 21 Aug 2019 13:12:56 -0700
Subject: [PATCH 006/127] revert include time in imported posts

in favor of library side generation to support zip files
---
 account_import.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/account_import.go b/account_import.go
index f28017c..7f438c5 100644
--- a/account_import.go
+++ b/account_import.go
@@ -9,7 +9,6 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
-	"time"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/writeas/impart"
@@ -110,12 +109,10 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			}
 		}
 		coll.hostName = app.cfg.App.Host
-		created := info.ModTime().Truncate(time.Second).UTC().Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,
 			Content: &post.Content,
 			Font:    "norm",
-			Created: &created,
 		}
 		rp, err := app.db.CreatePost(u.ID, coll.ID, &submittedPost)
 		if err != nil {

From cbc9c6725af313960a7855bb1f6ab9656387fea7 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Wed, 21 Aug 2019 14:43:05 -0700
Subject: [PATCH 007/127] include imported created time

this updates to parse the time from the imported file, using v0.1.1 of
the wfimport library
---
 account_import.go | 2 ++
 go.mod            | 2 +-
 go.sum            | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/account_import.go b/account_import.go
index 7f438c5..6e6cea5 100644
--- a/account_import.go
+++ b/account_import.go
@@ -109,10 +109,12 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			}
 		}
 		coll.hostName = app.cfg.App.Host
+		created := post.Created.Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,
 			Content: &post.Content,
 			Font:    "norm",
+			Created: &created,
 		}
 		rp, err := app.db.CreatePost(u.ID, coll.ID, &submittedPost)
 		if err != nil {
diff --git a/go.mod b/go.mod
index 8c62e9e..f1b7733 100644
--- a/go.mod
+++ b/go.mod
@@ -57,7 +57,7 @@ require (
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
 	github.com/writeas/impart v1.1.0
-	github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e
+	github.com/writeas/import v0.1.1
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
 	github.com/writeas/openssl-go v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 30e4a9d..1805e66 100644
--- a/go.sum
+++ b/go.sum
@@ -159,6 +159,8 @@ github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
 github.com/writeas/go-writeas v1.1.0 h1:WHGm6wriBkxYAOGbvriXH8DlMUGOi6jhSZLUZKQ+4mQ=
 github.com/writeas/go-writeas v1.1.0/go.mod h1:oh9U1rWaiE0p3kzdKwwvOpNXgp0P0IELI7OLOwV4fkA=
+github.com/writeas/go-writeas/v2 v2.0.2 h1:akvdMg89U5oBJiCkBwOXljVLTqP354uN6qnG2oOMrbk=
+github.com/writeas/go-writeas/v2 v2.0.2/go.mod h1:9sjczQJKmru925fLzg0usrU1R1tE4vBmQtGnItUMR0M=
 github.com/writeas/httpsig v1.0.0 h1:peIAoIA3DmlP8IG8tMNZqI4YD1uEnWBmkcC9OFPjt3A=
 github.com/writeas/httpsig v1.0.0/go.mod h1:7ClMGSrSVXJbmiLa17bZ1LrG1oibGZmUMlh3402flPY=
 github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
@@ -167,6 +169,8 @@ github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06 h1:S6oKKP8GhSoyZUvV
 github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
 github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e h1:31PkvDTWkjzC1nGzWw9uAE92ZfcVyFX/K9L9ejQjnEs=
 github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
+github.com/writeas/import v0.1.1 h1:SbYltT+nxrJBUe0xQWJqeKMHaupbxV0a6K3RtwcE4yY=
+github.com/writeas/import v0.1.1/go.mod h1:gFe0Pl7ZWYiXbI0TJxeMMyylPGZmhVvCfQxhMEc8CxM=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219/go.mod h1:NyM35ayknT7lzO6O/1JpfgGyv+0W9Z9q7aE0J8bXxfQ=
 github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=

From 7fb3c4cafe6a55b756d4ea19ac2368e434369a7f Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Wed, 21 Aug 2019 15:42:48 -0700
Subject: [PATCH 008/127] allow markdown extensions in import form

---
 templates/user/import.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index 002cf14..cf9ba17 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -12,7 +12,7 @@
 	<div class="formContainer">
 		<form id="importPosts" class="import" enctype="multipart/form-data" action="/api/me/import" method="POST">
 			<label for="file" hidden>Browse files to upload</label>
-			<input class="fileInput" name="files" type="file" multiple accept="text/plain"/>
+			<input class="fileInput" name="files" type="file" multiple accept="text/markdown, text/plain"/>
 			<br />
 			<label for="collection">Select a blog to import the posts under.</label>
 			<select name="collection">

From d9bf8ab6ccf7806ed72d76e9e1709600b33f38d6 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Mon, 26 Aug 2019 14:53:05 -0700
Subject: [PATCH 009/127] update to wfimport v0.2.0

now checking for and returning invalid content type errors
---
 account_import.go | 4 ++++
 go.mod            | 2 +-
 go.sum            | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/account_import.go b/account_import.go
index 6e6cea5..88a9a91 100644
--- a/account_import.go
+++ b/account_import.go
@@ -95,6 +95,10 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			// not a real error so don't log
 			_ = addSessionFlash(app, w, r, fmt.Sprintf("%s was empty, import skipped", formFile.Filename), nil)
 			continue
+		} else if err == wfimport.ErrInvalidContentType {
+			// same as above
+			_ = addSessionFlash(app, w, r, fmt.Sprintf("%s is not a supported post file", formFile.Filename), nil)
+			continue
 		} else if err != nil {
 			fileErrs = append(fileErrs, fmt.Errorf("failed to read copy of %s", formFile.Filename))
 			log.Error("import textfile: file to post: %v", err)
diff --git a/go.mod b/go.mod
index f1b7733..0d7d865 100644
--- a/go.mod
+++ b/go.mod
@@ -57,7 +57,7 @@ require (
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
 	github.com/writeas/impart v1.1.0
-	github.com/writeas/import v0.1.1
+	github.com/writeas/import v0.2.0
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
 	github.com/writeas/openssl-go v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 1805e66..de39ce4 100644
--- a/go.sum
+++ b/go.sum
@@ -171,6 +171,8 @@ github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e h1:31PkvDTWkjzC1nGz
 github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
 github.com/writeas/import v0.1.1 h1:SbYltT+nxrJBUe0xQWJqeKMHaupbxV0a6K3RtwcE4yY=
 github.com/writeas/import v0.1.1/go.mod h1:gFe0Pl7ZWYiXbI0TJxeMMyylPGZmhVvCfQxhMEc8CxM=
+github.com/writeas/import v0.2.0 h1:Ov23JW9Rnjxk06rki1Spar45bNX647HhwhAZj3flJiY=
+github.com/writeas/import v0.2.0/go.mod h1:gFe0Pl7ZWYiXbI0TJxeMMyylPGZmhVvCfQxhMEc8CxM=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219/go.mod h1:NyM35ayknT7lzO6O/1JpfgGyv+0W9Z9q7aE0J8bXxfQ=
 github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=

From 2fa2086654eaee570ebc594e6cd2ae6380cccb7f Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Mon, 26 Aug 2019 15:04:00 -0700
Subject: [PATCH 010/127] newline in import.tmpl

---
 templates/user/import.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index cf9ba17..0fd8a93 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -35,4 +35,4 @@
 </div>
 
 {{template "footer" .}}
-{{end}}
\ No newline at end of file
+{{end}}

From b7acd39051a293289c182f2a9166f681bbe8b07f Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 9 Sep 2019 22:04:20 +0200
Subject: [PATCH 011/127] Add Cache-Control headers on AP endpoints

Includes:

* AP Collection fetching via canonical URL
* AP Collection fetching via API
* AP Post fetching via canonical URL
* AP Post fetching via API

Ref T693
---
 activitypub.go | 10 ++++++++++
 collections.go |  1 +
 posts.go       |  2 ++
 3 files changed, 13 insertions(+)

diff --git a/activitypub.go b/activitypub.go
index 997609d..f436a87 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -37,6 +37,8 @@ import (
 const (
 	// TODO: delete. don't use this!
 	apCustomHandleDefault = "blog"
+
+	apCacheTime = time.Minute
 )
 
 type RemoteUser struct {
@@ -84,6 +86,7 @@ func handleFetchCollectionActivities(app *App, w http.ResponseWriter, r *http.Re
 
 	p := c.PersonObject()
 
+	setCacheControl(w, apCacheTime)
 	return impart.RenderActivityJSON(w, p, http.StatusOK)
 }
 
@@ -137,6 +140,7 @@ func handleFetchCollectionOutbox(app *App, w http.ResponseWriter, r *http.Reques
 		ocp.OrderedItems = append(ocp.OrderedItems, *a)
 	}
 
+	setCacheControl(w, apCacheTime)
 	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
 }
 
@@ -183,6 +187,7 @@ func handleFetchCollectionFollowers(app *App, w http.ResponseWriter, r *http.Req
 			ocp.OrderedItems = append(ocp.OrderedItems, f.ActorID)
 		}
 	*/
+	setCacheControl(w, apCacheTime)
 	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
 }
 
@@ -219,6 +224,7 @@ func handleFetchCollectionFollowing(app *App, w http.ResponseWriter, r *http.Req
 	// Return outbox page
 	ocp := activitystreams.NewOrderedCollectionPage(accountRoot, "following", 0, p)
 	ocp.OrderedItems = []interface{}{}
+	setCacheControl(w, apCacheTime)
 	return impart.RenderActivityJSON(w, ocp, http.StatusOK)
 }
 
@@ -703,3 +709,7 @@ func unmarshalActor(actorResp []byte, actor *activitystreams.Person) error {
 
 	return nil
 }
+
+func setCacheControl(w http.ResponseWriter, ttl time.Duration) {
+	w.Header().Set("Cache-Control", fmt.Sprintf("public, max-age=%.0f", ttl.Seconds()))
+}
diff --git a/collections.go b/collections.go
index 997d4d7..a13aad2 100644
--- a/collections.go
+++ b/collections.go
@@ -730,6 +730,7 @@ func handleViewCollection(app *App, w http.ResponseWriter, r *http.Request) erro
 	if strings.Contains(r.Header.Get("Accept"), "application/activity+json") {
 		ac := c.PersonObject()
 		ac.Context = []interface{}{activitystreams.Namespace}
+		setCacheControl(w, apCacheTime)
 		return impart.RenderActivityJSON(w, ac, http.StatusOK)
 	}
 
diff --git a/posts.go b/posts.go
index 2f3606f..625410b 100644
--- a/posts.go
+++ b/posts.go
@@ -1034,6 +1034,7 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		p.Collection = &CollectionObj{Collection: *coll}
 		po := p.ActivityObject()
 		po.Context = []interface{}{activitystreams.Namespace}
+		setCacheControl(w, apCacheTime)
 		return impart.RenderActivityJSON(w, po, http.StatusOK)
 	}
 
@@ -1359,6 +1360,7 @@ Are you sure it was ever here?`,
 		p.extractData()
 		ap := p.ActivityObject()
 		ap.Context = []interface{}{activitystreams.Namespace}
+		setCacheControl(w, apCacheTime)
 		return impart.RenderActivityJSON(w, ap, http.StatusOK)
 	} else {
 		p.extractData()

From caca8f0ae26f586e4736eeefd01eef0e6ed80808 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Thu, 3 Oct 2019 09:47:08 -0700
Subject: [PATCH 012/127] show timestamps in local date/locale

this adds a helper script to rewrite all time elements with a proper
datetime attribute into the users locale via the browser
navigator.language.

collection, collection-post and chorus-collection-post templates now
include this script
---
 static/js/localdate.js                | 9 +++++++++
 templates/chorus-collection-post.tmpl | 1 +
 templates/collection-post.tmpl        | 1 +
 templates/collection.tmpl             | 1 +
 4 files changed, 12 insertions(+)
 create mode 100644 static/js/localdate.js

diff --git a/static/js/localdate.js b/static/js/localdate.js
new file mode 100644
index 0000000..19fa502
--- /dev/null
+++ b/static/js/localdate.js
@@ -0,0 +1,9 @@
+function toLocalDate(el) {
+	var d = new Date(el.getAttribute("datetime"));
+	el.textContent = d.toLocaleDateString(navigator.language || "en-US", { year: 'numeric', month: 'long', day: 'numeric' });
+}
+
+var $dates = document.querySelectorAll("time");
+for (var i=0; i < $dates.length; i++) {
+	toLocalDate($dates[i]);
+}
diff --git a/templates/chorus-collection-post.tmpl b/templates/chorus-collection-post.tmpl
index bab2e31..e60a435 100644
--- a/templates/chorus-collection-post.tmpl
+++ b/templates/chorus-collection-post.tmpl
@@ -90,6 +90,7 @@ article time.dt-published {
 		{{range .Collection.ExternalScripts}}<script type="text/javascript" src="{{.}}" async></script>{{end}}
 		{{if .Collection.Script}}<script type="text/javascript">{{.Collection.ScriptDisplay}}</script>{{end}}
 	{{end}}
+	<script src="/js/localdate.js"></script>
 	<script type="text/javascript">
 
 var pinning = false;
diff --git a/templates/collection-post.tmpl b/templates/collection-post.tmpl
index 7075226..a4a9541 100644
--- a/templates/collection-post.tmpl
+++ b/templates/collection-post.tmpl
@@ -70,6 +70,7 @@
 		{{range .Collection.ExternalScripts}}<script type="text/javascript" src="{{.}}" async></script>{{end}}
 		{{if .Collection.Script}}<script type="text/javascript">{{.Collection.ScriptDisplay}}</script>{{end}}
 	{{end}}
+	<script src="/js/localdate.js"></script>
 	<script type="text/javascript">
 
 var pinning = false;
diff --git a/templates/collection.tmpl b/templates/collection.tmpl
index 36a266b..285fc4d 100644
--- a/templates/collection.tmpl
+++ b/templates/collection.tmpl
@@ -113,6 +113,7 @@
 	{{end}}
 	<script src="/js/h.js"></script>
 	<script src="/js/postactions.js"></script>
+	<script src="/js/localdate.js"></script>
 	<script type="text/javascript">
 var deleting = false;
 function delPost(e, id, owned) {

From 513765c09f013791aa0b5f73a737fe28cb6a63bf Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Thu, 3 Oct 2019 14:09:53 -0700
Subject: [PATCH 013/127] include localdate in all collections +reader

---
 templates/chorus-collection.tmpl | 1 +
 templates/collection-tags.tmpl   | 1 +
 templates/read.tmpl              | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/chorus-collection.tmpl b/templates/chorus-collection.tmpl
index e36d3b5..ce095ac 100644
--- a/templates/chorus-collection.tmpl
+++ b/templates/chorus-collection.tmpl
@@ -112,6 +112,7 @@ body#collection header nav.tabs a:first-child {
 		{{if .Script}}<script type="text/javascript">{{.ScriptDisplay}}</script>{{end}}
 	{{end}}
 	<script src="/js/h.js"></script>
+	<script src="/js/localdate.js"></script>
 	<script src="/js/postactions.js"></script>
 	<script type="text/javascript">
 var deleting = false;
diff --git a/templates/collection-tags.tmpl b/templates/collection-tags.tmpl
index 7cad3b7..44ebd38 100644
--- a/templates/collection-tags.tmpl
+++ b/templates/collection-tags.tmpl
@@ -74,6 +74,7 @@
 	{{end}}
 	{{if .IsOwner}}
 	<script src="/js/h.js"></script>
+	<script src="/js/localdate.js"></script>
 	<script src="/js/postactions.js"></script>
 	{{end}}
 	<script type="text/javascript">
diff --git a/templates/read.tmpl b/templates/read.tmpl
index 9541ab5..66a4904 100644
--- a/templates/read.tmpl
+++ b/templates/read.tmpl
@@ -112,7 +112,7 @@
 		</nav>{{end}}
 
 		</div>
-
+		<script src="/js/localdate.js">
 <script type="text/javascript">
 (function() {
 	var $articles = document.querySelectorAll('article');

From dccfae7a6137afbdb89c45026fdd1932d073c45e Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Tue, 8 Oct 2019 15:58:19 +0300
Subject: [PATCH 014/127] Mentioning pleroma accounts works! Mastodon still
 needs the type to b be Note to work but I will open an issue for them and see
 what their reaction will be.

---
 activitypub.go | 25 ++++++++++++++++++++++++-
 go.mod         |  5 +++++
 go.sum         |  7 +++++++
 posts.go       | 18 ++++++++++++++++++
 webfinger.go   | 31 ++++++++++++++++++++++++++++++-
 5 files changed, 84 insertions(+), 2 deletions(-)

diff --git a/activitypub.go b/activitypub.go
index e37fb97..68ac7c9 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -26,6 +26,7 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/writeas/activity/streams"
+	"github.com/writeas/activityserve"
 	"github.com/writeas/httpsig"
 	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
@@ -594,12 +595,12 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 		}
 	}
 
+	var activity *activitystreams.Activity
 	for si, instFolls := range inboxes {
 		na.CC = []string{}
 		for _, f := range instFolls {
 			na.CC = append(na.CC, f)
 		}
-		var activity *activitystreams.Activity
 		if isUpdate {
 			activity = activitystreams.NewUpdateActivity(na)
 		} else {
@@ -612,6 +613,28 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			log.Error("Couldn't post! %v", err)
 		}
 	}
+
+	for _, tag := range na.Tag {
+		if tag.Type == "Mention" {
+			activity = activitystreams.NewCreateActivity(na)
+			activity.To = na.To
+			activity.CC = na.CC
+			// This here might be redundant in some cases as we might have already
+			// sent this to the sharedInbox of this instance above, but we need too
+			// much logic to catch this at the expense of the odd extra request.
+			// I don't believe we'd ever have too many mentions in a single post that this
+			// could become a burden.
+			remoteActor, err := activityserve.NewRemoteActor(tag.HRef)
+			if err != nil {
+				log.Error("Couldn't fetch remote actor", err)
+			}
+			err = makeActivityPost(app.cfg.App.Host, actor, remoteActor.GetInbox(), activity)
+			if err != nil {
+				log.Error("Couldn't post! %v", err)
+			}
+		}
+	}
+
 	return nil
 }
 
diff --git a/go.mod b/go.mod
index 9c67aeb..6711795 100644
--- a/go.mod
+++ b/go.mod
@@ -6,11 +6,13 @@ require (
 	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
 	github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49 // indirect
 	github.com/clbanning/mxj v1.8.4 // indirect
+	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 // indirect
 	github.com/dustin/go-humanize v1.0.0
 	github.com/fatih/color v1.7.0
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/go-test/deep v1.0.1 // indirect
 	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
+	github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
 	github.com/gorilla/feeds v1.1.0
 	github.com/gorilla/mux v1.7.0
@@ -36,6 +38,7 @@ require (
 	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
 	github.com/stretchr/testify v1.3.0 // indirect
 	github.com/writeas/activity v0.1.2
+	github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
@@ -58,3 +61,5 @@ require (
 	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect
 )
+
+go 1.13
diff --git a/go.sum b/go.sum
index ec1e19d..356c06f 100644
--- a/go.sum
+++ b/go.sum
@@ -23,12 +23,15 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 h1:74lLNRzvsdIlkTgfDSMuaPjBr4cf6k7pwQQANm/yLKU=
+github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
+github.com/go-fed/httpsig v0.1.0 h1:6F2OxRVnNTN4OPN+Mc2jxs2WEay9/qiHT/jphlvAwIY=
 github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
@@ -38,6 +41,8 @@ github.com/golang/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:tluoj9z5200j
 github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 h1:6DVPu65tee05kY0/rciBQ47ue+AnuY8KTayV6VHikIo=
 github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8 h1:WD8iJ37bRNwvETMfVTusVSAi0WdXTpfNVGY2aHycNKY=
+github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf h1:7+FW5aGwISbqUtkfmIpZJGRgNFg2ioYPvFaUxdqpDsg=
 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf/go.mod h1:RpwtwJQFrIEPstU94h88MWPXP2ektJZ8cZ0YntAmXiE=
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1ks85zJ1lfDGgIiMDuIptTOhJq+zKyg=
@@ -115,6 +120,8 @@ github.com/tsenart/deadcode v0.0.0-20160724212837-210d2dc333e9 h1:vY5WqiEon0ZSTG
 github.com/tsenart/deadcode v0.0.0-20160724212837-210d2dc333e9/go.mod h1:q+QjxYvZ+fpjMXqs+XEriussHjSYqeXVnAdSV1tkMYk=
 github.com/writeas/activity v0.1.2 h1:Y12B5lIrabfqKE7e7HFCWiXrlfXljr9tlkFm2mp7DgY=
 github.com/writeas/activity v0.1.2/go.mod h1:mYYgiewmEM+8tlifirK/vl6tmB2EbjYaxwb+ndUw5T0=
+github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5 h1:nG84xWpxBM8YU/FJchezJqg7yZH8ImSRow6NoYtbSII=
+github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
diff --git a/posts.go b/posts.go
index 88730f7..520f716 100644
--- a/posts.go
+++ b/posts.go
@@ -1108,6 +1108,24 @@ func (p *PublicPost) ActivityObject(cfg *config.Config) *activitystreams.Object
 			})
 		}
 	}
+	// Find mentioned users
+	mentionedUsers := make(map[string]string)
+	//:= map[string]string{"@qwazix@pleroma.site": "https://pleroma.site/users/qwazix", "@tzo@cybre.space": "https://cybre.space/users/tzo"}
+
+	stripper := bluemonday.StrictPolicy()
+	content := stripper.Sanitize(p.Content)
+	mentionRegex := regexp.MustCompile(`@[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}`)
+	mentions := mentionRegex.FindAllString(content, -1)
+
+	for _, handle := range mentions {
+		actorIRI := RemoteLookup(handle)
+		mentionedUsers[handle] = actorIRI
+	}
+
+	for handle, iri := range mentionedUsers {
+		o.CC = append(o.CC, iri)
+		o.Tag = append(o.Tag, activitystreams.Tag{"Mention", iri, handle})
+	}
 	return o
 }
 
diff --git a/webfinger.go b/webfinger.go
index c95d88e..c3f8530 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -11,11 +11,15 @@
 package writefreely
 
 import (
+	"encoding/json"
+	"io/ioutil"
+	"net/http"
+	"strings"
+
 	"github.com/writeas/go-webfinger"
 	"github.com/writeas/impart"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
-	"net/http"
 )
 
 type wfResolver struct {
@@ -80,3 +84,28 @@ func (wfr wfResolver) DummyUser(username string, hostname string, r []webfinger.
 func (wfr wfResolver) IsNotFoundError(err error) bool {
 	return err == wfUserNotFoundErr
 }
+
+// RemoteLookup looks up a user by handle at a remote server
+// and returns the actor URL
+// TODO make this work
+func RemoteLookup(handle string) string {
+	handle = strings.TrimLeft(handle, "@")
+	// let's take the server part of the handle
+	parts := strings.Split(handle, "@")
+	resp, err := http.Get("https://" + parts[1] + "/.well-known/webfinger?resource=acct:" + handle)
+	if err != nil {
+		log.Error("Error performing webfinger request", err)
+	}
+
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
+		log.Error("Error reading webfinger response", err)
+	}
+
+	var result map[string]interface{}
+	json.Unmarshal(body, &result)
+
+	aliases := result["aliases"].([]interface{})
+
+	return aliases[0].(string)
+}

From 3eb638b14a1ea89319e773a9b13240e40eb06cd3 Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Wed, 9 Oct 2019 14:34:31 +0300
Subject: [PATCH 015/127] Fix @thebaer's comments in
 https://github.com/writeas/writefreely/commit/dccfae7a6137afbdb89c45026fdd1932d073c45e#commitcomment-35410380

---
 activitypub.go | 16 ++++++++++++++++
 posts.go       |  5 ++---
 webfinger.go   |  3 ++-
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/activitypub.go b/activitypub.go
index 68ac7c9..fa25061 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -589,18 +589,25 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			inbox = f.Inbox
 		}
 		if _, ok := inboxes[inbox]; ok {
+			// check if we're already sending to this shared inbox
 			inboxes[inbox] = append(inboxes[inbox], f.ActorID)
 		} else {
+			// add the new shared inbox to the list
 			inboxes[inbox] = []string{f.ActorID}
 		}
 	}
 
 	var activity *activitystreams.Activity
+	// for each one of the shared inboxes
 	for si, instFolls := range inboxes {
+		// add all followers from that instance
+		// to the CC field
 		na.CC = []string{}
 		for _, f := range instFolls {
 			na.CC = append(na.CC, f)
 		}
+		// create a new "Create" activity
+		// with our article as object
 		if isUpdate {
 			activity = activitystreams.NewUpdateActivity(na)
 		} else {
@@ -608,12 +615,19 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			activity.To = na.To
 			activity.CC = na.CC
 		}
+		// and post it to that sharedInbox
 		err = makeActivityPost(app.cfg.App.Host, actor, si, activity)
 		if err != nil {
 			log.Error("Couldn't post! %v", err)
 		}
 	}
 
+	// re-create the object so that the CC list gets reset and has
+	// the mentioned users. This might seem wasteful but the code is
+	// cleaner than adding the mentioned users to CC here instead of
+	// in p.ActivityObject()
+	na = p.ActivityObject(app.cfg)
+
 	for _, tag := range na.Tag {
 		if tag.Type == "Mention" {
 			activity = activitystreams.NewCreateActivity(na)
@@ -632,6 +646,8 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			if err != nil {
 				log.Error("Couldn't post! %v", err)
 			}
+			// log.Info("Activity", activity)
+
 		}
 	}
 
diff --git a/posts.go b/posts.go
index 520f716..4b6fcc1 100644
--- a/posts.go
+++ b/posts.go
@@ -1110,11 +1110,10 @@ func (p *PublicPost) ActivityObject(cfg *config.Config) *activitystreams.Object
 	}
 	// Find mentioned users
 	mentionedUsers := make(map[string]string)
-	//:= map[string]string{"@qwazix@pleroma.site": "https://pleroma.site/users/qwazix", "@tzo@cybre.space": "https://cybre.space/users/tzo"}
 
 	stripper := bluemonday.StrictPolicy()
 	content := stripper.Sanitize(p.Content)
-	mentionRegex := regexp.MustCompile(`@[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}`)
+	mentionRegex := regexp.MustCompile(`@[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+\b`)
 	mentions := mentionRegex.FindAllString(content, -1)
 
 	for _, handle := range mentions {
@@ -1124,7 +1123,7 @@ func (p *PublicPost) ActivityObject(cfg *config.Config) *activitystreams.Object
 
 	for handle, iri := range mentionedUsers {
 		o.CC = append(o.CC, iri)
-		o.Tag = append(o.Tag, activitystreams.Tag{"Mention", iri, handle})
+		o.Tag = append(o.Tag, activitystreams.Tag{Type: "Mention", HRef: iri, Name: handle})
 	}
 	return o
 }
diff --git a/webfinger.go b/webfinger.go
index c3f8530..d19478f 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -87,7 +87,6 @@ func (wfr wfResolver) IsNotFoundError(err error) bool {
 
 // RemoteLookup looks up a user by handle at a remote server
 // and returns the actor URL
-// TODO make this work
 func RemoteLookup(handle string) string {
 	handle = strings.TrimLeft(handle, "@")
 	// let's take the server part of the handle
@@ -95,11 +94,13 @@ func RemoteLookup(handle string) string {
 	resp, err := http.Get("https://" + parts[1] + "/.well-known/webfinger?resource=acct:" + handle)
 	if err != nil {
 		log.Error("Error performing webfinger request", err)
+		return ""
 	}
 
 	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		log.Error("Error reading webfinger response", err)
+		return ""
 	}
 
 	var result map[string]interface{}

From e5bbd45b49c7c6d0f17441b0a2f6fe83d7b6038f Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Thu, 10 Oct 2019 10:59:14 +0300
Subject: [PATCH 016/127] Change the result that webfinger returns from the
 first alias to the last because mastodon doesn't like

https://my.instance/@me but https://my.instance/users/me
---
 webfinger.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webfinger.go b/webfinger.go
index d19478f..715e1cf 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -108,5 +108,5 @@ func RemoteLookup(handle string) string {
 
 	aliases := result["aliases"].([]interface{})
 
-	return aliases[0].(string)
+	return aliases[len(aliases)-1].(string)
 }

From 99bb77153e4d78e2ec04075ab2e7b28aae9ec2f2 Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Thu, 10 Oct 2019 15:11:46 +0300
Subject: [PATCH 017/127] Handles are saved in `remoteusers` while the links
 take you to an intermediate page (WIP) that shows the user profile page url

---
 activitypub.go | 38 ++++++++++++++++++++++++++------------
 collections.go | 15 +++++++++++++++
 postrender.go  |  3 +++
 posts.go       | 42 +++++++++++++++++++++++++++++++++++++-----
 routes.go      |  1 +
 5 files changed, 82 insertions(+), 17 deletions(-)

diff --git a/activitypub.go b/activitypub.go
index fa25061..081fcea 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -26,7 +26,6 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/writeas/activity/streams"
-	"github.com/writeas/activityserve"
 	"github.com/writeas/httpsig"
 	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
@@ -45,6 +44,7 @@ type RemoteUser struct {
 	ActorID     string
 	Inbox       string
 	SharedInbox string
+	Handle      string
 }
 
 func (ru *RemoteUser) AsPerson() *activitystreams.Person {
@@ -133,7 +133,7 @@ func handleFetchCollectionOutbox(app *App, w http.ResponseWriter, r *http.Reques
 	posts, err := app.db.GetPosts(app.cfg, c, p, false, true, false)
 	for _, pp := range *posts {
 		pp.Collection = res
-		o := pp.ActivityObject(app.cfg)
+		o := pp.ActivityObject(app)
 		a := activitystreams.NewCreateActivity(o)
 		ocp.OrderedItems = append(ocp.OrderedItems, *a)
 	}
@@ -525,7 +525,7 @@ func deleteFederatedPost(app *App, p *PublicPost, collID int64) error {
 	}
 	p.Collection.hostName = app.cfg.App.Host
 	actor := p.Collection.PersonObject(collID)
-	na := p.ActivityObject(app.cfg)
+	na := p.ActivityObject(app)
 
 	// Add followers
 	p.Collection.ID = collID
@@ -571,7 +571,7 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 		}
 	}
 	actor := p.Collection.PersonObject(collID)
-	na := p.ActivityObject(app.cfg)
+	na := p.ActivityObject(app)
 
 	// Add followers
 	p.Collection.ID = collID
@@ -626,8 +626,7 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 	// the mentioned users. This might seem wasteful but the code is
 	// cleaner than adding the mentioned users to CC here instead of
 	// in p.ActivityObject()
-	na = p.ActivityObject(app.cfg)
-
+	na = p.ActivityObject(app)
 	for _, tag := range na.Tag {
 		if tag.Type == "Mention" {
 			activity = activitystreams.NewCreateActivity(na)
@@ -638,11 +637,11 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			// much logic to catch this at the expense of the odd extra request.
 			// I don't believe we'd ever have too many mentions in a single post that this
 			// could become a burden.
-			remoteActor, err := activityserve.NewRemoteActor(tag.HRef)
-			if err != nil {
-				log.Error("Couldn't fetch remote actor", err)
-			}
-			err = makeActivityPost(app.cfg.App.Host, actor, remoteActor.GetInbox(), activity)
+
+			fmt.Println(tag.HRef)
+			fmt.Println("aaa")
+			remoteUser, err := getRemoteUser(app, tag.HRef)
+			err = makeActivityPost(app.cfg.App.Host, actor, remoteUser.Inbox, activity)
 			if err != nil {
 				log.Error("Couldn't post! %v", err)
 			}
@@ -656,7 +655,7 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 
 func getRemoteUser(app *App, actorID string) (*RemoteUser, error) {
 	u := RemoteUser{ActorID: actorID}
-	err := app.db.QueryRow("SELECT id, inbox, shared_inbox FROM remoteusers WHERE actor_id = ?", actorID).Scan(&u.ID, &u.Inbox, &u.SharedInbox)
+	err := app.db.QueryRow("SELECT id, inbox, shared_inbox, handle FROM remoteusers WHERE actor_id = ?", actorID).Scan(&u.ID, &u.Inbox, &u.SharedInbox, &u.Handle)
 	switch {
 	case err == sql.ErrNoRows:
 		return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that ID."}
@@ -668,6 +667,21 @@ func getRemoteUser(app *App, actorID string) (*RemoteUser, error) {
 	return &u, nil
 }
 
+// getRemoteUserFromHandle retrieves the profile page of a remote user
+// from the @user@server.tld handle
+func getRemoteUserFromHandle(app *App, handle string) (*RemoteUser, error) {
+	u := RemoteUser{Handle: handle}
+	err := app.db.QueryRow("SELECT id, actor_id, inbox, shared_inbox FROM remoteusers WHERE handle = ?", handle).Scan(&u.ID, &u.ActorID, &u.Inbox, &u.SharedInbox)
+	switch {
+	case err == sql.ErrNoRows:
+		return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that handle."}
+	case err != nil:
+		log.Error("Couldn't get remote user %s: %v", handle, err)
+		return nil, err
+	}
+	return &u, nil
+}
+
 func getActor(app *App, actorIRI string) (*activitystreams.Person, *RemoteUser, error) {
 	log.Info("Fetching actor %s locally", actorIRI)
 	actor := &activitystreams.Person{}
diff --git a/collections.go b/collections.go
index c095ecb..9ce9d8e 100644
--- a/collections.go
+++ b/collections.go
@@ -820,6 +820,21 @@ func handleViewCollection(app *App, w http.ResponseWriter, r *http.Request) erro
 	return err
 }
 
+func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error {
+	vars := mux.Vars(r)
+	handle := vars["handle"]
+
+	remoteUser, err := getRemoteUserFromHandle(app, handle)
+	if err != nil {
+		log.Error("Couldn't find this user in our database "+handle, err)
+		return err
+	}
+
+	w.Write([]byte("go to " + remoteUser.ActorID))
+
+	return nil
+}
+
 func handleViewCollectionTag(app *App, w http.ResponseWriter, r *http.Request) error {
 	vars := mux.Vars(r)
 	tag := vars["tag"]
diff --git a/postrender.go b/postrender.go
index 83fb5ad..e31c462 100644
--- a/postrender.go
+++ b/postrender.go
@@ -34,6 +34,7 @@ var (
 	titleElementReg = regexp.MustCompile("</?h[1-6]>")
 	hashtagReg      = regexp.MustCompile(`{{\[\[\|\|([^|]+)\|\|\]\]}}`)
 	markeddownReg   = regexp.MustCompile("<p>(.+)</p>")
+	mentionReg      = regexp.MustCompile(`@[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+\b`)
 )
 
 func (p *Post) formatContent(cfg *config.Config, c *Collection, isOwner bool) {
@@ -82,6 +83,8 @@ func applyMarkdownSpecial(data []byte, skipNoFollow bool, baseURL string, cfg *c
 			tagPrefix = "/read/t/"
 		}
 		md = []byte(hashtagReg.ReplaceAll(md, []byte("<a href=\""+tagPrefix+"$1\" class=\"hashtag\"><span>#</span><span class=\"p-category\">$1</span></a>")))
+		handlePrefix := baseURL + "mention:"
+		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$0\" class=\"mention\">$0</a>")))
 	}
 	// Strip out bad HTML
 	policy := getSanitizationPolicy()
diff --git a/posts.go b/posts.go
index 4b6fcc1..3eeb232 100644
--- a/posts.go
+++ b/posts.go
@@ -25,6 +25,7 @@ import (
 	"github.com/guregu/null/zero"
 	"github.com/kylemcc/twitter-text-go/extract"
 	"github.com/microcosm-cc/bluemonday"
+	"github.com/writeas/activityserve"
 	stripmd "github.com/writeas/go-strip-markdown"
 	"github.com/writeas/impart"
 	"github.com/writeas/monday"
@@ -35,7 +36,6 @@ import (
 	"github.com/writeas/web-core/i18n"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/web-core/tags"
-	"github.com/writeas/writefreely/config"
 	"github.com/writeas/writefreely/page"
 	"github.com/writeas/writefreely/parse"
 )
@@ -1033,7 +1033,7 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		}
 
 		p.Collection = &CollectionObj{Collection: *coll}
-		po := p.ActivityObject(app.cfg)
+		po := p.ActivityObject(app)
 		po.Context = []interface{}{activitystreams.Namespace}
 		return impart.RenderActivityJSON(w, po, http.StatusOK)
 	}
@@ -1068,7 +1068,8 @@ func (p *PublicPost) CanonicalURL() string {
 	return p.Collection.CanonicalURL() + p.Slug.String
 }
 
-func (p *PublicPost) ActivityObject(cfg *config.Config) *activitystreams.Object {
+func (p *PublicPost) ActivityObject(app *App) *activitystreams.Object {
+	cfg := app.cfg
 	o := activitystreams.NewArticleObject()
 	o.ID = p.Collection.FederatedAPIBase() + "api/posts/" + p.ID
 	o.Published = p.Created
@@ -1117,7 +1118,38 @@ func (p *PublicPost) ActivityObject(cfg *config.Config) *activitystreams.Object
 	mentions := mentionRegex.FindAllString(content, -1)
 
 	for _, handle := range mentions {
-		actorIRI := RemoteLookup(handle)
+		var actorIRI string
+		remoteuser, errRemoteUser := getRemoteUserFromHandle(app, handle)
+		if errRemoteUser != nil {
+			// can't find using handle in the table but the table may already have this user without
+			// handle from a previous version
+			actorIRI = RemoteLookup(handle)
+			_, errRemoteUser := getRemoteUser(app, actorIRI)
+			// if it exists then we need to update the handle
+			if errRemoteUser == nil {
+				// query := "UPDATE remoteusers SET handle='" + handle + "' WHERE actor_id='" + iri + "';"
+				// log.Info(query)
+				_, err := app.db.Exec("UPDATE remoteusers SET handle=? WHERE actor_id=?;", handle, actorIRI)
+				if err != nil {
+					log.Error("Can't update handle (" + handle + ") in database for user " + actorIRI)
+				}
+			} else {
+				// this probably means we don't have the user in the table so let's try to insert it
+				// here we need to ask the server for the inboxes
+				remoteActor, err := activityserve.NewRemoteActor(actorIRI)
+				if err != nil {
+					log.Error("Couldn't fetch remote actor", err)
+				}
+				fmt.Println(actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+				_, err = app.db.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox, handle) VALUES( ?, ?, ?, ?)", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+				if err != nil {
+					log.Error("Can't insert remote user in database", err)
+					return nil
+				}
+			}
+		} else {
+			actorIRI = remoteuser.ActorID
+		}
 		mentionedUsers[handle] = actorIRI
 	}
 
@@ -1379,7 +1411,7 @@ Are you sure it was ever here?`,
 			return ErrCollectionPageNotFound
 		}
 		p.extractData()
-		ap := p.ActivityObject(app.cfg)
+		ap := p.ActivityObject(app)
 		ap.Context = []interface{}{activitystreams.Namespace}
 		return impart.RenderActivityJSON(w, ap, http.StatusOK)
 	} else {
diff --git a/routes.go b/routes.go
index 0113e93..4c26f47 100644
--- a/routes.go
+++ b/routes.go
@@ -184,6 +184,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 
 func RouteCollections(handler *Handler, r *mux.Router) {
 	r.HandleFunc("/page/{page:[0-9]+}", handler.Web(handleViewCollection, UserLevelReader))
+	r.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader))
 	r.HandleFunc("/tag:{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))
 	r.HandleFunc("/tag:{tag}/feed/", handler.Web(ViewFeed, UserLevelReader))
 	r.HandleFunc("/tags/{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))

From db14f04b5900471031ad53907a20a4e64a7cff4b Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Thu, 10 Oct 2019 16:04:43 +0300
Subject: [PATCH 018/127] Redirects from the intermediate page work and if
 there's an old mention there it updates the table to include the handle.

migrations WIP
---
 collections.go           |  9 +++++----
 database.go              | 36 ++++++++++++++++++++++++++++++++++++
 migrations/migrations.go |  1 +
 migrations/v3.go         | 23 +++++++++++++++++++++++
 posts.go                 | 36 ++++--------------------------------
 schema.sql               |  1 +
 sqlite.sql               |  1 +
 7 files changed, 71 insertions(+), 36 deletions(-)
 create mode 100644 migrations/v3.go

diff --git a/collections.go b/collections.go
index 9ce9d8e..431afd1 100644
--- a/collections.go
+++ b/collections.go
@@ -824,13 +824,14 @@ func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error {
 	vars := mux.Vars(r)
 	handle := vars["handle"]
 
-	remoteUser, err := getRemoteUserFromHandle(app, handle)
+	remoteUser, err := app.db.getProfilePageFromHandle(app, handle)
 	if err != nil {
-		log.Error("Couldn't find this user in our database "+handle, err)
-		return err
+		log.Error("Couldn't find this user "+handle, err)
+		return nil
 	}
 
-	w.Write([]byte("go to " + remoteUser.ActorID))
+	http.Redirect(w, r, remoteUser, http.StatusSeeOther)
+	w.Write([]byte("go to " + remoteUser))
 
 	return nil
 }
diff --git a/database.go b/database.go
index a3235b6..a95bfca 100644
--- a/database.go
+++ b/database.go
@@ -20,6 +20,7 @@ import (
 	"github.com/guregu/null"
 	"github.com/guregu/null/zero"
 	uuid "github.com/nu7hatch/gouuid"
+	"github.com/writeas/activityserve"
 	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/activitypub"
@@ -2449,3 +2450,38 @@ func handleFailedPostInsert(err error) error {
 	log.Error("Couldn't insert into posts: %v", err)
 	return err
 }
+
+func (db *datastore) getProfilePageFromHandle(app *App, handle string) (actorIRI string, err error) {
+	remoteuser, errRemoteUser := getRemoteUserFromHandle(app, handle)
+	if errRemoteUser != nil {
+		// can't find using handle in the table but the table may already have this user without
+		// handle from a previous version
+		actorIRI = RemoteLookup(handle)
+		_, errRemoteUser := getRemoteUser(app, actorIRI)
+		// if it exists then we need to update the handle
+		if errRemoteUser == nil {
+			// query := "UPDATE remoteusers SET handle='" + handle + "' WHERE actor_id='" + iri + "';"
+			// log.Info(query)
+			_, err := app.db.Exec("UPDATE remoteusers SET handle=? WHERE actor_id=?;", handle, actorIRI)
+			if err != nil {
+				log.Error("Can't update handle (" + handle + ") in database for user " + actorIRI)
+			}
+		} else {
+			// this probably means we don't have the user in the table so let's try to insert it
+			// here we need to ask the server for the inboxes
+			remoteActor, err := activityserve.NewRemoteActor(actorIRI)
+			if err != nil {
+				log.Error("Couldn't fetch remote actor", err)
+			}
+			fmt.Println(actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+			_, err = app.db.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox, handle) VALUES( ?, ?, ?, ?)", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+			if err != nil {
+				log.Error("Can't insert remote user in database", err)
+				return "", err
+			}
+		}
+	} else {
+		actorIRI = remoteuser.ActorID
+	}
+	return actorIRI, nil
+}
diff --git a/migrations/migrations.go b/migrations/migrations.go
index 70e4b7b..145c6df 100644
--- a/migrations/migrations.go
+++ b/migrations/migrations.go
@@ -57,6 +57,7 @@ func (m *migration) Migrate(db *datastore) error {
 var migrations = []Migration{
 	New("support user invites", supportUserInvites),             // -> V1 (v0.8.0)
 	New("support dynamic instance pages", supportInstancePages), // V1 -> V2 (v0.9.0)
+	New("support activityPub mentions", supportActivityPubMentions), // V2 -> V3 (v0.1x.0)
 }
 
 // CurrentVer returns the current migration version the application is on
diff --git a/migrations/v3.go b/migrations/v3.go
new file mode 100644
index 0000000..5c3f5aa
--- /dev/null
+++ b/migrations/v3.go
@@ -0,0 +1,23 @@
+/*
+ * Copyright © 2019 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
+package migrations
+
+func supportActivityPubMentions(db *datastore) error {
+	t, err := db.Begin()
+
+	_, err = t.Exec(`ALTER TABLE remoteusers ADD COLUMN handle ` + db.typeVarChar(255) + ` DEFAULT '' NOT NULL`)
+	if err != nil {
+		t.Rollback()
+		return err
+	}
+
+	return nil
+}
diff --git a/posts.go b/posts.go
index 3eeb232..df8be93 100644
--- a/posts.go
+++ b/posts.go
@@ -25,7 +25,6 @@ import (
 	"github.com/guregu/null/zero"
 	"github.com/kylemcc/twitter-text-go/extract"
 	"github.com/microcosm-cc/bluemonday"
-	"github.com/writeas/activityserve"
 	stripmd "github.com/writeas/go-strip-markdown"
 	"github.com/writeas/impart"
 	"github.com/writeas/monday"
@@ -1118,37 +1117,10 @@ func (p *PublicPost) ActivityObject(app *App) *activitystreams.Object {
 	mentions := mentionRegex.FindAllString(content, -1)
 
 	for _, handle := range mentions {
-		var actorIRI string
-		remoteuser, errRemoteUser := getRemoteUserFromHandle(app, handle)
-		if errRemoteUser != nil {
-			// can't find using handle in the table but the table may already have this user without
-			// handle from a previous version
-			actorIRI = RemoteLookup(handle)
-			_, errRemoteUser := getRemoteUser(app, actorIRI)
-			// if it exists then we need to update the handle
-			if errRemoteUser == nil {
-				// query := "UPDATE remoteusers SET handle='" + handle + "' WHERE actor_id='" + iri + "';"
-				// log.Info(query)
-				_, err := app.db.Exec("UPDATE remoteusers SET handle=? WHERE actor_id=?;", handle, actorIRI)
-				if err != nil {
-					log.Error("Can't update handle (" + handle + ") in database for user " + actorIRI)
-				}
-			} else {
-				// this probably means we don't have the user in the table so let's try to insert it
-				// here we need to ask the server for the inboxes
-				remoteActor, err := activityserve.NewRemoteActor(actorIRI)
-				if err != nil {
-					log.Error("Couldn't fetch remote actor", err)
-				}
-				fmt.Println(actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
-				_, err = app.db.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox, handle) VALUES( ?, ?, ?, ?)", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
-				if err != nil {
-					log.Error("Can't insert remote user in database", err)
-					return nil
-				}
-			}
-		} else {
-			actorIRI = remoteuser.ActorID
+		actorIRI, err := app.db.getProfilePageFromHandle(app, handle)
+		if err != nil {
+			log.Info("Can't find this user either in the database nor in the remote instance")
+			return nil
 		}
 		mentionedUsers[handle] = actorIRI
 	}
diff --git a/schema.sql b/schema.sql
index b3fae97..ca8ec71 100644
--- a/schema.sql
+++ b/schema.sql
@@ -181,6 +181,7 @@ CREATE TABLE IF NOT EXISTS `remoteusers` (
   `actor_id` varchar(255) NOT NULL,
   `inbox` varchar(255) NOT NULL,
   `shared_inbox` varchar(255) NOT NULL,
+  `handle` varchar(255) DEFAULT '' NOT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `collection_id` (`actor_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
diff --git a/sqlite.sql b/sqlite.sql
index 90989ed..e1a6b96 100644
--- a/sqlite.sql
+++ b/sqlite.sql
@@ -172,6 +172,7 @@ CREATE TABLE IF NOT EXISTS `remoteusers` (
   actor_id TEXT NOT NULL,
   inbox TEXT NOT NULL,
   shared_inbox TEXT NOT NULL,
+  handle TEXT DEFAULT '' NOT NULL,
   CONSTRAINT collection_id UNIQUE (actor_id)
 );
 

From bc2016f00ff2b2fa58f978f489255457af4f46d5 Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Thu, 10 Oct 2019 16:49:44 +0300
Subject: [PATCH 019/127] Fix missing commit statement in migrations/v3.go

---
 migrations/v3.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/migrations/v3.go b/migrations/v3.go
index 5c3f5aa..c6f5012 100644
--- a/migrations/v3.go
+++ b/migrations/v3.go
@@ -19,5 +19,11 @@ func supportActivityPubMentions(db *datastore) error {
 		return err
 	}
 
+	err = t.Commit()
+	if err != nil {
+		t.Rollback()
+		return err
+	}
+
 	return nil
 }

From b9d268982848b9d494984ab8cc3d5252762a04d9 Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Fri, 11 Oct 2019 10:05:18 +0300
Subject: [PATCH 020/127] Fix comments on T627 pull request

(https://github.com/writeas/writefreely/pull/195)
---
 activitypub.go |  5 -----
 collections.go |  5 +----
 routes.go      |  4 +++-
 schema.sql     |  1 -
 sqlite.sql     |  1 -
 webfinger.go   | 19 +++++++++++++++++--
 6 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/activitypub.go b/activitypub.go
index 081fcea..a6ef1da 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -637,16 +637,11 @@ func federatePost(app *App, p *PublicPost, collID int64, isUpdate bool) error {
 			// much logic to catch this at the expense of the odd extra request.
 			// I don't believe we'd ever have too many mentions in a single post that this
 			// could become a burden.
-
-			fmt.Println(tag.HRef)
-			fmt.Println("aaa")
 			remoteUser, err := getRemoteUser(app, tag.HRef)
 			err = makeActivityPost(app.cfg.App.Host, actor, remoteUser.Inbox, activity)
 			if err != nil {
 				log.Error("Couldn't post! %v", err)
 			}
-			// log.Info("Activity", activity)
-
 		}
 	}
 
diff --git a/collections.go b/collections.go
index 431afd1..f0450b5 100644
--- a/collections.go
+++ b/collections.go
@@ -830,10 +830,7 @@ func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error {
 		return nil
 	}
 
-	http.Redirect(w, r, remoteUser, http.StatusSeeOther)
-	w.Write([]byte("go to " + remoteUser))
-
-	return nil
+	return impart.HTTPError{Status: http.StatusFound, Message: remoteUser} 
 }
 
 func handleViewCollectionTag(app *App, w http.ResponseWriter, r *http.Request) error {
diff --git a/routes.go b/routes.go
index 4c26f47..6f6bd58 100644
--- a/routes.go
+++ b/routes.go
@@ -70,6 +70,9 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	write.HandleFunc(nodeinfo.NodeInfoPath, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfoDiscover)))
 	write.HandleFunc(niCfg.InfoURL, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfo)))
 
+	// handle mentions
+	write.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader))
+
 	// Set up dyamic page handlers
 	// Handle auth
 	auth := write.PathPrefix("/api/auth/").Subrouter()
@@ -184,7 +187,6 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 
 func RouteCollections(handler *Handler, r *mux.Router) {
 	r.HandleFunc("/page/{page:[0-9]+}", handler.Web(handleViewCollection, UserLevelReader))
-	r.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader))
 	r.HandleFunc("/tag:{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))
 	r.HandleFunc("/tag:{tag}/feed/", handler.Web(ViewFeed, UserLevelReader))
 	r.HandleFunc("/tags/{tag}", handler.Web(handleViewCollectionTag, UserLevelReader))
diff --git a/schema.sql b/schema.sql
index ca8ec71..b3fae97 100644
--- a/schema.sql
+++ b/schema.sql
@@ -181,7 +181,6 @@ CREATE TABLE IF NOT EXISTS `remoteusers` (
   `actor_id` varchar(255) NOT NULL,
   `inbox` varchar(255) NOT NULL,
   `shared_inbox` varchar(255) NOT NULL,
-  `handle` varchar(255) DEFAULT '' NOT NULL,
   PRIMARY KEY (`id`),
   UNIQUE KEY `collection_id` (`actor_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=latin1;
diff --git a/sqlite.sql b/sqlite.sql
index e1a6b96..90989ed 100644
--- a/sqlite.sql
+++ b/sqlite.sql
@@ -172,7 +172,6 @@ CREATE TABLE IF NOT EXISTS `remoteusers` (
   actor_id TEXT NOT NULL,
   inbox TEXT NOT NULL,
   shared_inbox TEXT NOT NULL,
-  handle TEXT DEFAULT '' NOT NULL,
   CONSTRAINT collection_id UNIQUE (actor_id)
 );
 
diff --git a/webfinger.go b/webfinger.go
index 715e1cf..72c3f95 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -106,7 +106,22 @@ func RemoteLookup(handle string) string {
 	var result map[string]interface{}
 	json.Unmarshal(body, &result)
 
-	aliases := result["aliases"].([]interface{})
+	var href string
+	for _, link := range result["links"].([]interface{}) {
+		if link.(map[string]interface{})["rel"] == "self" {
+			href = link.(map[string]interface{})["href"].(string)
+		}
+	}
 
-	return aliases[len(aliases)-1].(string)
+	// if we didn't find it with the above then
+	// try using aliases
+	if href == "" {
+		aliases := result["aliases"].([]interface{})
+		// take the last alias because mastodon has the
+		// https://instance.tld/@user first which
+		// doesn't work as an href
+		href = aliases[len(aliases)-1].(string)
+	}
+
+	return href
 }

From 972ec00c58252ff90e008285242881a3d0a6f886 Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Fri, 11 Oct 2019 10:33:51 +0300
Subject: [PATCH 021/127] Update dependencies and add a comment

---
 go.mod       | 2 +-
 go.sum       | 2 ++
 webfinger.go | 2 ++
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 6711795..2f66a2d 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
 	github.com/stretchr/testify v1.3.0 // indirect
 	github.com/writeas/activity v0.1.2
-	github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5
+	github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
diff --git a/go.sum b/go.sum
index 356c06f..75626d2 100644
--- a/go.sum
+++ b/go.sum
@@ -122,6 +122,8 @@ github.com/writeas/activity v0.1.2 h1:Y12B5lIrabfqKE7e7HFCWiXrlfXljr9tlkFm2mp7Dg
 github.com/writeas/activity v0.1.2/go.mod h1:mYYgiewmEM+8tlifirK/vl6tmB2EbjYaxwb+ndUw5T0=
 github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5 h1:nG84xWpxBM8YU/FJchezJqg7yZH8ImSRow6NoYtbSII=
 github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
+github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b h1:rd2wX/bTqD55hxtBjAhwLcUgaQE36c70KX3NzpDAwVI=
+github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
diff --git a/webfinger.go b/webfinger.go
index 72c3f95..9e6f687 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -107,6 +107,8 @@ func RemoteLookup(handle string) string {
 	json.Unmarshal(body, &result)
 
 	var href string
+	// iterate over webfinger links and find the one with
+	// a self "rel"
 	for _, link := range result["links"].([]interface{}) {
 		if link.(map[string]interface{})["rel"] == "self" {
 			href = link.(map[string]interface{})["href"].(string)

From 1bda0434de893746182bd35233ae213d57b29bdc Mon Sep 17 00:00:00 2001
From: Michael Demetriou <accounts@qzx.gr>
Date: Tue, 15 Oct 2019 09:59:24 +0300
Subject: [PATCH 022/127] Unmarshal to `webfinger.Resource` instead of
 interface{}

(https://github.com/writeas/writefreely/pull/195#discussion_r334567408)
---
 webfinger.go | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/webfinger.go b/webfinger.go
index 9e6f687..6fd1c59 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -103,26 +103,30 @@ func RemoteLookup(handle string) string {
 		return ""
 	}
 
-	var result map[string]interface{}
-	json.Unmarshal(body, &result)
+	var result webfinger.Resource
+	err = json.Unmarshal(body, &result)
+
+	if err != nil {
+		log.Error("Unsupported webfinger response received", err)
+		return ""
+	}
 
 	var href string
 	// iterate over webfinger links and find the one with
 	// a self "rel"
-	for _, link := range result["links"].([]interface{}) {
-		if link.(map[string]interface{})["rel"] == "self" {
-			href = link.(map[string]interface{})["href"].(string)
+	for _, link := range result.Links {
+		if link.Rel == "self" {
+			href = link.HRef
 		}
 	}
 
 	// if we didn't find it with the above then
 	// try using aliases
 	if href == "" {
-		aliases := result["aliases"].([]interface{})
 		// take the last alias because mastodon has the
 		// https://instance.tld/@user first which
 		// doesn't work as an href
-		href = aliases[len(aliases)-1].(string)
+		href = result.Aliases[len(result.Aliases)-1]
 	}
 
 	return href

From d2480cb3aa78e6faa4891913b6543c1e8b70340a Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 15 Oct 2019 15:03:45 -0700
Subject: [PATCH 023/127] add basic API endpoint for rendering markdown

---
 postrender.go | 42 ++++++++++++++++++++++++++++++++++++++++++
 routes.go     |  3 +++
 2 files changed, 45 insertions(+)

diff --git a/postrender.go b/postrender.go
index 83fb5ad..2f55896 100644
--- a/postrender.go
+++ b/postrender.go
@@ -11,9 +11,12 @@
 package writefreely
 
 import (
+	"encoding/json"
 	"fmt"
 	"html"
 	"html/template"
+	"io/ioutil"
+	"net/http"
 	"regexp"
 	"strings"
 	"unicode"
@@ -234,3 +237,42 @@ func shortPostDescription(content string) string {
 	}
 	return strings.TrimSpace(fmt.Sprintf(fmtStr, strings.Replace(stringmanip.Substring(content, 0, maxLen-truncation), "\n", " ", -1)))
 }
+
+func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) error {
+	// TODO: accept header
+	if !IsJSON(r.Header.Get("Content-Type")) {
+		fmt.Println("missing header")
+	}
+
+	in := struct {
+		BaseURL string `json:"base_url"`
+		RawBody string `json:"raw_body"`
+	}{
+		BaseURL: "",
+	}
+
+	body, err := ioutil.ReadAll(r.Body)
+	if err != nil {
+		return ErrInternalGeneral
+	}
+
+	err = json.Unmarshal(body, &in)
+	if err != nil {
+		return ErrInternalGeneral
+	}
+
+	out := struct {
+		Body string `json:"body"`
+	}{
+		Body: applyMarkdown([]byte(in.RawBody), in.BaseURL, nil),
+	}
+
+	js, err := json.Marshal(out)
+	if err != nil {
+		return ErrInternalGeneral
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	w.Write(js)
+	return nil
+}
diff --git a/routes.go b/routes.go
index 0113e93..25a8bf3 100644
--- a/routes.go
+++ b/routes.go
@@ -110,6 +110,9 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	// Sign up validation
 	write.HandleFunc("/api/alias", handler.All(handleUsernameCheck)).Methods("POST")
 
+	apiGenerate := write.PathPrefix("/api/generate/").Subrouter()
+	apiGenerate.HandleFunc("/markdownify", handler.All(handleRenderMarkdown)).Methods("POST")
+
 	// Handle collections
 	write.HandleFunc("/api/collections", handler.All(newCollection)).Methods("POST")
 	apiColls := write.PathPrefix("/api/collections/").Subrouter()

From c87ca11a520c29dfeaf31b330d06c614504dd0df Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Thu, 31 Oct 2019 15:16:10 -0700
Subject: [PATCH 024/127] add account deletion

CLI only but backend supports calls from app.db.DeleteAccount already

takes --delete-account user_id_number with optional --posts to also
delete posts. if --posts is omitted all user posts will be updated to
anonymous posts
---
 account.go              |   4 ++
 app.go                  |  45 +++++++++++-
 cmd/writefreely/main.go |  14 +++-
 database.go             | 149 +++++++++++++++++++++++++++-------------
 4 files changed, 161 insertions(+), 51 deletions(-)

diff --git a/account.go b/account.go
index 2a66ecf..c8e946a 100644
--- a/account.go
+++ b/account.go
@@ -1068,3 +1068,7 @@ func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) s
 	// Return value
 	return s
 }
+
+func deleteAccount(app *App, userID int64, posts bool) error {
+	return app.db.DeleteAccount(userID, posts)
+}
diff --git a/app.go b/app.go
index 514c7c8..8e8471f 100644
--- a/app.go
+++ b/app.go
@@ -30,7 +30,7 @@ import (
 	"github.com/gorilla/schema"
 	"github.com/gorilla/sessions"
 	"github.com/manifoldco/promptui"
-	"github.com/writeas/go-strip-markdown"
+	stripmd "github.com/writeas/go-strip-markdown"
 	"github.com/writeas/impart"
 	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/converter"
@@ -681,6 +681,49 @@ func ResetPassword(apper Apper, username string) error {
 	return nil
 }
 
+// DoDeleteAccount runs the confirmation and account delete process.
+func DoDeleteAccount(apper Apper, userID int64, posts bool) error {
+	// Connect to the database
+	apper.LoadConfig()
+	connectToDatabase(apper.App())
+	defer shutdown(apper.App())
+
+	// do not delete the root admin account
+	// TODO: check for other admins and skip?
+	if userID == 1 {
+		log.Error("Can not delete admin account")
+		os.Exit(1)
+	}
+	// check user exists
+	if _, err := apper.App().db.GetUserByID(userID); err != nil {
+		log.Error("%s", err)
+		os.Exit(1)
+	}
+
+	// confirm deletion, w/ w/out posts
+	prompt := promptui.Prompt{
+		Templates: &promptui.PromptTemplates{
+			Success: "{{ . | bold | faint }}: ",
+		},
+		Label:     fmt.Sprintf("Delete user with ID: %d", userID),
+		IsConfirm: true,
+	}
+	_, err := prompt.Run()
+	if err != nil {
+		log.Info("Aborted...")
+		os.Exit(0)
+	}
+
+	log.Info("Deleting...")
+	err = deleteAccount(apper.App(), userID, posts)
+	if err != nil {
+		log.Error("%s", err)
+		os.Exit(1)
+	}
+	log.Info("Success.")
+	return nil
+}
+
 func connectToDatabase(app *App) {
 	log.Info("Connecting to %s database...", app.cfg.Database.Type)
 
diff --git a/cmd/writefreely/main.go b/cmd/writefreely/main.go
index 48993c7..10d8141 100644
--- a/cmd/writefreely/main.go
+++ b/cmd/writefreely/main.go
@@ -13,11 +13,12 @@ package main
 import (
 	"flag"
 	"fmt"
+	"os"
+	"strings"
+
 	"github.com/gorilla/mux"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely"
-	"os"
-	"strings"
 )
 
 func main() {
@@ -38,6 +39,8 @@ func main() {
 	// Admin actions
 	createAdmin := flag.String("create-admin", "", "Create an admin with the given username:password")
 	createUser := flag.String("create-user", "", "Create a regular user with the given username:password")
+	deleteUserID := flag.Int64("delete-user", 0, "Delete a user with the given id, does not delete posts. Use `--delete-user id --posts`")
+	deletePosts := flag.Bool("posts", false, "Optionally delete the user's posts during account deletion")
 	resetPassUser := flag.String("reset-pass", "", "Reset the given user's password")
 	outputVersion := flag.Bool("v", false, "Output the current version")
 	flag.Parse()
@@ -102,6 +105,13 @@ func main() {
 			os.Exit(1)
 		}
 		os.Exit(0)
+	} else if *deleteUserID != 0 {
+		err := writefreely.DoDeleteAccount(app, *deleteUserID, *deletePosts)
+		if err != nil {
+			log.Error(err.Error())
+			os.Exit(1)
+		}
+		os.Exit(0)
 	} else if *migrate {
 		err := writefreely.Migrate(app)
 		if err != nil {
diff --git a/database.go b/database.go
index a3235b6..cecd169 100644
--- a/database.go
+++ b/database.go
@@ -61,7 +61,7 @@ type writestore interface {
 	GetAccessToken(userID int64) (string, error)
 	GetTemporaryAccessToken(userID int64, validSecs int) (string, error)
 	GetTemporaryOneTimeAccessToken(userID int64, validSecs int, oneTime bool) (string, error)
-	DeleteAccount(userID int64) (l *string, err error)
+	DeleteAccount(userID int64, posts bool) error
 	ChangeSettings(app *App, u *User, s *userSettings) error
 	ChangePassphrase(userID int64, sudo bool, curPass string, hashedPass []byte) error
 
@@ -2079,22 +2079,14 @@ func (db *datastore) CollectionHasAttribute(id int64, attr string) bool {
 	return true
 }
 
-func (db *datastore) DeleteAccount(userID int64) (l *string, err error) {
-	debug := ""
-	l = &debug
-
-	t, err := db.Begin()
-	if err != nil {
-		stringLogln(l, "Unable to begin: %v", err)
-		return
-	}
-
+// DeleteAccount will delete the entire account for userID, and if posts
+// is true, also all posts associated with the userID
+func (db *datastore) DeleteAccount(userID int64, posts bool) error {
 	// Get all collections
 	rows, err := db.Query("SELECT id, alias FROM collections WHERE owner_id = ?", userID)
 	if err != nil {
-		t.Rollback()
-		stringLogln(l, "Unable to get collections: %v", err)
-		return
+		log.Error("Unable to get collections: %v", err)
+		return err
 	}
 	defer rows.Close()
 	colls := []Collection{}
@@ -2102,13 +2094,20 @@ func (db *datastore) DeleteAccount(userID int64) (l *string, err error) {
 	for rows.Next() {
 		err = rows.Scan(&c.ID, &c.Alias)
 		if err != nil {
-			t.Rollback()
-			stringLogln(l, "Unable to scan collection cols: %v", err)
-			return
+			log.Error("Unable to scan collection cols: %v", err)
+			return err
 		}
 		colls = append(colls, c)
 	}
 
+	// Start transaction
+	t, err := db.Begin()
+	if err != nil {
+		log.Error("Unable to begin: %v", err)
+		return err
+	}
+
+	// Clean up all collection related information
 	var res sql.Result
 	for _, c := range colls {
 		// TODO: user deleteCollection() func
@@ -2116,89 +2115,143 @@ func (db *datastore) DeleteAccount(userID int64) (l *string, err error) {
 		res, err = t.Exec("DELETE FROM collectionattributes WHERE collection_id = ?", c.ID)
 		if err != nil {
 			t.Rollback()
-			stringLogln(l, "Unable to delete attributes on %s: %v", c.Alias, err)
-			return
+			log.Error("Unable to delete attributes on %s: %v", c.Alias, err)
+			return err
 		}
 		rs, _ := res.RowsAffected()
-		stringLogln(l, "Deleted %d for %s from collectionattributes", rs, c.Alias)
+		log.Info("Deleted %d for %s from collectionattributes", rs, c.Alias)
 
 		// Remove any optional collection password
 		res, err = t.Exec("DELETE FROM collectionpasswords WHERE collection_id = ?", c.ID)
 		if err != nil {
 			t.Rollback()
-			stringLogln(l, "Unable to delete passwords on %s: %v", c.Alias, err)
-			return
+			log.Error("Unable to delete passwords on %s: %v", c.Alias, err)
+			return err
 		}
 		rs, _ = res.RowsAffected()
-		stringLogln(l, "Deleted %d for %s from collectionpasswords", rs, c.Alias)
+		log.Info("Deleted %d for %s from collectionpasswords", rs, c.Alias)
 
 		// Remove redirects to this collection
 		res, err = t.Exec("DELETE FROM collectionredirects WHERE new_alias = ?", c.Alias)
 		if err != nil {
 			t.Rollback()
-			stringLogln(l, "Unable to delete redirects on %s: %v", c.Alias, err)
-			return
+			log.Error("Unable to delete redirects on %s: %v", c.Alias, err)
+			return err
 		}
 		rs, _ = res.RowsAffected()
-		stringLogln(l, "Deleted %d for %s from collectionredirects", rs, c.Alias)
+		log.Info("Deleted %d for %s from collectionredirects", rs, c.Alias)
+
+		// Remove any collection keys
+		res, err = t.Exec("DELETE FROM collectionkeys WHERE collection_id = ?", c.ID)
+		if err != nil {
+			t.Rollback()
+			log.Error("Unable to delete keys on %s: %v", c.Alias, err)
+			return err
+		}
+		rs, _ = res.RowsAffected()
+		log.Info("Deleted %d for %s from collectionkeys", rs, c.Alias)
+
+		// only remove collection in posts if not deleting the user posts
+		if !posts {
+			// Float all collection's posts
+			res, err = t.Exec("UPDATE posts SET collection_id = NULL WHERE collection_id = ? AND owner_id = ?", c.ID, userID)
+			if err != nil {
+				t.Rollback()
+				log.Error("Unable to update collection %s for posts: %v", err)
+				return err
+			}
+			rs, _ = res.RowsAffected()
+			log.Info("Removed %d posts from collection %s", rs, c.Alias)
+		}
+
+		// TODO: federate delete collection
+
+		// Remove remote follows
+		res, err = t.Exec("DELETE FROM remotefollows WHERE collection_id = ?", c.ID)
+		if err != nil {
+			t.Rollback()
+			log.Error("Unable to delete remote follows on %s: %v", c.Alias, err)
+			return err
+		}
+		rs, _ = res.RowsAffected()
+		log.Info("Deleted %d for %s from remotefollows", rs, c.Alias)
 	}
 
 	// Delete collections
 	res, err = t.Exec("DELETE FROM collections WHERE owner_id = ?", userID)
 	if err != nil {
 		t.Rollback()
-		stringLogln(l, "Unable to delete collections: %v", err)
-		return
+		log.Error("Unable to delete collections: %v", err)
+		return err
 	}
 	rs, _ := res.RowsAffected()
-	stringLogln(l, "Deleted %d from collections", rs)
+	log.Info("Deleted %d from collections", rs)
 
 	// Delete tokens
 	res, err = t.Exec("DELETE FROM accesstokens WHERE user_id = ?", userID)
 	if err != nil {
 		t.Rollback()
-		stringLogln(l, "Unable to delete access tokens: %v", err)
-		return
+		log.Error("Unable to delete access tokens: %v", err)
+		return err
 	}
 	rs, _ = res.RowsAffected()
-	stringLogln(l, "Deleted %d from accesstokens", rs)
+	log.Info("Deleted %d from accesstokens", rs)
 
 	// Delete posts
-	res, err = t.Exec("DELETE FROM posts WHERE owner_id = ?", userID)
-	if err != nil {
-		t.Rollback()
-		stringLogln(l, "Unable to delete posts: %v", err)
-		return
+	if posts {
+		// TODO: should maybe get each row so we can federate a delete
+		// if so needs to be outside of transaction like collections
+		res, err = t.Exec("DELETE FROM posts WHERE owner_id = ?", userID)
+		if err != nil {
+			t.Rollback()
+			log.Error("Unable to delete posts: %v", err)
+			return err
+		}
+		rs, _ = res.RowsAffected()
+		log.Info("Deleted %d from posts", rs)
 	}
-	rs, _ = res.RowsAffected()
-	stringLogln(l, "Deleted %d from posts", rs)
 
+	// Delete user attributes
 	res, err = t.Exec("DELETE FROM userattributes WHERE user_id = ?", userID)
 	if err != nil {
 		t.Rollback()
-		stringLogln(l, "Unable to delete attributes: %v", err)
-		return
+		log.Error("Unable to delete attributes: %v", err)
+		return err
 	}
 	rs, _ = res.RowsAffected()
-	stringLogln(l, "Deleted %d from userattributes", rs)
+	log.Info("Deleted %d from userattributes", rs)
 
+	// Delete user invites
+	res, err = t.Exec("DELETE FROM userinvites WHERE owner_id = ?", userID)
+	if err != nil {
+		t.Rollback()
+		log.Error("Unable to delete invites: %v", err)
+		return err
+	}
+	rs, _ = res.RowsAffected()
+	log.Info("Deleted %d from userinvites", rs)
+
+	// Delete the user
 	res, err = t.Exec("DELETE FROM users WHERE id = ?", userID)
 	if err != nil {
 		t.Rollback()
-		stringLogln(l, "Unable to delete user: %v", err)
-		return
+		log.Error("Unable to delete user: %v", err)
+		return err
 	}
 	rs, _ = res.RowsAffected()
-	stringLogln(l, "Deleted %d from users", rs)
+	log.Info("Deleted %d from users", rs)
 
+	// Commit all changes to the database
 	err = t.Commit()
 	if err != nil {
 		t.Rollback()
-		stringLogln(l, "Unable to commit: %v", err)
-		return
+		log.Error("Unable to commit: %v", err)
+		return err
 	}
 
-	return
+	// TODO: federate delete actor
+
+	return nil
 }
 
 func (db *datastore) GetAPActorKeys(collectionID int64) ([]byte, []byte) {

From 41166e5c356df10d36237e9296979cae65652504 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 5 Nov 2019 09:14:20 -0800
Subject: [PATCH 025/127] CLI delete account by username and delete posts

this changed the CLI flag to use the username instead of the userID
leaving the underlying database function as is.

also now posts are all deleted with no option to skip as this is likely
never needed.
---
 account.go              |  4 ++--
 app.go                  | 25 ++++++++++++----------
 cmd/writefreely/main.go |  7 +++---
 database.go             | 47 ++++++++++++++++++-----------------------
 4 files changed, 39 insertions(+), 44 deletions(-)

diff --git a/account.go b/account.go
index c8e946a..5e5f03e 100644
--- a/account.go
+++ b/account.go
@@ -1069,6 +1069,6 @@ func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) s
 	return s
 }
 
-func deleteAccount(app *App, userID int64, posts bool) error {
-	return app.db.DeleteAccount(userID, posts)
+func deleteAccount(app *App, userID int64) error {
+	return app.db.DeleteAccount(userID)
 }
diff --git a/app.go b/app.go
index 8e8471f..e793902 100644
--- a/app.go
+++ b/app.go
@@ -682,21 +682,24 @@ func ResetPassword(apper Apper, username string) error {
 }
 
 // DoDeleteAccount runs the confirmation and account delete process.
-func DoDeleteAccount(apper Apper, userID int64, posts bool) error {
+func DoDeleteAccount(apper Apper, username string) error {
 	// Connect to the database
 	apper.LoadConfig()
 	connectToDatabase(apper.App())
 	defer shutdown(apper.App())
 
-	// do not delete the root admin account
-	// TODO: check for other admins and skip?
-	if userID == 1 {
-		log.Error("Can not delete admin account")
+	// check user exists
+	u, err := apper.App().db.GetUserForAuth(username)
+	if err != nil {
+		log.Error("%s", err)
 		os.Exit(1)
 	}
-	// check user exists
-	if _, err := apper.App().db.GetUserByID(userID); err != nil {
-		log.Error("%s", err)
+	userID := u.ID
+
+	// do not delete the admin account
+	// TODO: check for other admins and skip?
+	if u.IsAdmin() {
+		log.Error("Can not delete admin account")
 		os.Exit(1)
 	}
 
@@ -705,17 +708,17 @@ func DoDeleteAccount(apper Apper, userID int64, posts bool) error {
 		Templates: &promptui.PromptTemplates{
 			Success: "{{ . | bold | faint }}: ",
 		},
-		Label:     fmt.Sprintf("Delete user with ID: %d", userID),
+		Label:     fmt.Sprintf("Really delete user : %s", username),
 		IsConfirm: true,
 	}
-	_, err := prompt.Run()
+	_, err = prompt.Run()
 	if err != nil {
 		log.Info("Aborted...")
 		os.Exit(0)
 	}
 
 	log.Info("Deleting...")
-	err = deleteAccount(apper.App(), userID, posts)
+	err = deleteAccount(apper.App(), userID)
 	if err != nil {
 		log.Error("%s", err)
 		os.Exit(1)
diff --git a/cmd/writefreely/main.go b/cmd/writefreely/main.go
index 10d8141..7fc2342 100644
--- a/cmd/writefreely/main.go
+++ b/cmd/writefreely/main.go
@@ -39,8 +39,7 @@ func main() {
 	// Admin actions
 	createAdmin := flag.String("create-admin", "", "Create an admin with the given username:password")
 	createUser := flag.String("create-user", "", "Create a regular user with the given username:password")
-	deleteUserID := flag.Int64("delete-user", 0, "Delete a user with the given id, does not delete posts. Use `--delete-user id --posts`")
-	deletePosts := flag.Bool("posts", false, "Optionally delete the user's posts during account deletion")
+	deleteUsername := flag.String("delete-user", "", "Delete a user with the given username")
 	resetPassUser := flag.String("reset-pass", "", "Reset the given user's password")
 	outputVersion := flag.Bool("v", false, "Output the current version")
 	flag.Parse()
@@ -105,8 +104,8 @@ func main() {
 			os.Exit(1)
 		}
 		os.Exit(0)
-	} else if *deleteUserID != 0 {
-		err := writefreely.DoDeleteAccount(app, *deleteUserID, *deletePosts)
+	} else if *deleteUsername != "" {
+		err := writefreely.DoDeleteAccount(app, *deleteUsername)
 		if err != nil {
 			log.Error(err.Error())
 			os.Exit(1)
diff --git a/database.go b/database.go
index cecd169..f2888ec 100644
--- a/database.go
+++ b/database.go
@@ -61,7 +61,7 @@ type writestore interface {
 	GetAccessToken(userID int64) (string, error)
 	GetTemporaryAccessToken(userID int64, validSecs int) (string, error)
 	GetTemporaryOneTimeAccessToken(userID int64, validSecs int, oneTime bool) (string, error)
-	DeleteAccount(userID int64, posts bool) error
+	DeleteAccount(userID int64) error
 	ChangeSettings(app *App, u *User, s *userSettings) error
 	ChangePassphrase(userID int64, sudo bool, curPass string, hashedPass []byte) error
 
@@ -2079,9 +2079,8 @@ func (db *datastore) CollectionHasAttribute(id int64, attr string) bool {
 	return true
 }
 
-// DeleteAccount will delete the entire account for userID, and if posts
-// is true, also all posts associated with the userID
-func (db *datastore) DeleteAccount(userID int64, posts bool) error {
+// DeleteAccount will delete the entire account for userID
+func (db *datastore) DeleteAccount(userID int64) error {
 	// Get all collections
 	rows, err := db.Query("SELECT id, alias FROM collections WHERE owner_id = ?", userID)
 	if err != nil {
@@ -2110,7 +2109,6 @@ func (db *datastore) DeleteAccount(userID int64, posts bool) error {
 	// Clean up all collection related information
 	var res sql.Result
 	for _, c := range colls {
-		// TODO: user deleteCollection() func
 		// Delete tokens
 		res, err = t.Exec("DELETE FROM collectionattributes WHERE collection_id = ?", c.ID)
 		if err != nil {
@@ -2151,18 +2149,15 @@ func (db *datastore) DeleteAccount(userID int64, posts bool) error {
 		rs, _ = res.RowsAffected()
 		log.Info("Deleted %d for %s from collectionkeys", rs, c.Alias)
 
-		// only remove collection in posts if not deleting the user posts
-		if !posts {
-			// Float all collection's posts
-			res, err = t.Exec("UPDATE posts SET collection_id = NULL WHERE collection_id = ? AND owner_id = ?", c.ID, userID)
-			if err != nil {
-				t.Rollback()
-				log.Error("Unable to update collection %s for posts: %v", err)
-				return err
-			}
-			rs, _ = res.RowsAffected()
-			log.Info("Removed %d posts from collection %s", rs, c.Alias)
+		// Float all collection's posts
+		res, err = t.Exec("UPDATE posts SET collection_id = NULL WHERE collection_id = ? AND owner_id = ?", c.ID, userID)
+		if err != nil {
+			t.Rollback()
+			log.Error("Unable to update collection %s for posts: %v", c.Alias, err)
+			return err
 		}
+		rs, _ = res.RowsAffected()
+		log.Info("Removed %d posts from collection %s", rs, c.Alias)
 
 		// TODO: federate delete collection
 
@@ -2198,18 +2193,16 @@ func (db *datastore) DeleteAccount(userID int64, posts bool) error {
 	log.Info("Deleted %d from accesstokens", rs)
 
 	// Delete posts
-	if posts {
-		// TODO: should maybe get each row so we can federate a delete
-		// if so needs to be outside of transaction like collections
-		res, err = t.Exec("DELETE FROM posts WHERE owner_id = ?", userID)
-		if err != nil {
-			t.Rollback()
-			log.Error("Unable to delete posts: %v", err)
-			return err
-		}
-		rs, _ = res.RowsAffected()
-		log.Info("Deleted %d from posts", rs)
+	// TODO: should maybe get each row so we can federate a delete
+	// if so needs to be outside of transaction like collections
+	res, err = t.Exec("DELETE FROM posts WHERE owner_id = ?", userID)
+	if err != nil {
+		t.Rollback()
+		log.Error("Unable to delete posts: %v", err)
+		return err
 	}
+	rs, _ = res.RowsAffected()
+	log.Info("Deleted %d from posts", rs)
 
 	// Delete user attributes
 	res, err = t.Exec("DELETE FROM userattributes WHERE user_id = ?", userID)

From b83af955c3fd1926be43968629d81ceb21edcc13 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 5 Nov 2019 12:20:07 -0800
Subject: [PATCH 026/127] remove wrapper over db.DeleteAccount

---
 account.go | 4 ----
 app.go     | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/account.go b/account.go
index 5e5f03e..2a66ecf 100644
--- a/account.go
+++ b/account.go
@@ -1068,7 +1068,3 @@ func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) s
 	// Return value
 	return s
 }
-
-func deleteAccount(app *App, userID int64) error {
-	return app.db.DeleteAccount(userID)
-}
diff --git a/app.go b/app.go
index e793902..92d5995 100644
--- a/app.go
+++ b/app.go
@@ -718,7 +718,7 @@ func DoDeleteAccount(apper Apper, username string) error {
 	}
 
 	log.Info("Deleting...")
-	err = deleteAccount(apper.App(), userID)
+	err = apper.App().db.DeleteAccount(userID)
 	if err != nil {
 		log.Error("%s", err)
 		os.Exit(1)

From 79f35a0ccdf6bc7b6b5008b33b4d570ba4992f07 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 12 Nov 2019 08:03:00 +0900
Subject: [PATCH 027/127] Fix collection template issues introduced in #205

This fixes a template rendering issue caused by bad references to $.Host
in pinned posts links on single-user instances.

Closes #207
---
 templates/chorus-collection-post.tmpl | 2 +-
 templates/chorus-collection.tmpl      | 2 +-
 templates/collection-post.tmpl        | 2 +-
 templates/collection-tags.tmpl        | 2 +-
 templates/collection.tmpl             | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/templates/chorus-collection-post.tmpl b/templates/chorus-collection-post.tmpl
index a6b6102..b9df8ad 100644
--- a/templates/chorus-collection-post.tmpl
+++ b/templates/chorus-collection-post.tmpl
@@ -80,7 +80,7 @@ article time.dt-published {
 			</p>
 			<nav>
 				{{if .PinnedPosts}}
-				{{range .PinnedPosts}}<a class="pinned{{if eq .Slug.String $.Slug.String}} selected{{end}}" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}
+				{{range .PinnedPosts}}<a class="pinned{{if eq .Slug.String $.Slug.String}} selected{{end}}" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL $.Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}
 				{{end}}
 			</nav>
 			<hr>
diff --git a/templates/chorus-collection.tmpl b/templates/chorus-collection.tmpl
index 504e54f..8250287 100644
--- a/templates/chorus-collection.tmpl
+++ b/templates/chorus-collection.tmpl
@@ -71,7 +71,7 @@ body#collection header nav.tabs a:first-child {
 			<!--p class="meta-note"><span>Private collection</span>. Only you can see this page.</p-->
 		{{/*end*/}}
 		{{if .PinnedPosts}}<nav class="pinned-posts">
-			{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}</nav>
+			{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL $.Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}</nav>
 		{{end}}
 		</header>
 		
diff --git a/templates/collection-post.tmpl b/templates/collection-post.tmpl
index e24c6dd..a194cf4 100644
--- a/templates/collection-post.tmpl
+++ b/templates/collection-post.tmpl
@@ -50,7 +50,7 @@
 		<h1 dir="{{.Direction}}" id="blog-title"><a rel="author" href="{{if .IsTopLevel}}/{{else}}/{{.Collection.Alias}}/{{end}}" class="h-card p-author">{{.Collection.DisplayTitle}}</a></h1>
 			<nav>
 				{{if .PinnedPosts}}
-				{{range .PinnedPosts}}<a class="pinned{{if eq .Slug.String $.Slug.String}} selected{{end}}" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}
+				{{range .PinnedPosts}}<a class="pinned{{if eq .Slug.String $.Slug.String}} selected{{end}}" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL $.Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}
 				{{end}}
 				{{ if and .IsOwner .IsFound }}<span class="views" dir="ltr"><strong>{{largeNumFmt .Views}}</strong> {{pluralize "view" "views" .Views}}</span>
 				<a class="xtra-feature" href="/{{if not .SingleUser}}{{.Collection.Alias}}/{{end}}{{.Slug.String}}/edit" dir="{{.Direction}}">Edit</a>
diff --git a/templates/collection-tags.tmpl b/templates/collection-tags.tmpl
index 2618f3d..f209162 100644
--- a/templates/collection-tags.tmpl
+++ b/templates/collection-tags.tmpl
@@ -48,7 +48,7 @@
 		<h1 dir="{{.Direction}}" id="blog-title"><a href="{{if .IsTopLevel}}/{{else}}/{{.Collection.Alias}}/{{end}}" class="h-card p-author">{{.Collection.DisplayTitle}}</a></h1>
 			<nav>
 				{{if .PinnedPosts}}
-				{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}{{end}}">{{.DisplayTitle}}</a>{{end}}
+				{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Collection.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL $.Host}}{{end}}">{{.DisplayTitle}}</a>{{end}}
 				{{end}}
 			</nav>
 		</header>
diff --git a/templates/collection.tmpl b/templates/collection.tmpl
index 47dc24d..b87ce87 100644
--- a/templates/collection.tmpl
+++ b/templates/collection.tmpl
@@ -71,7 +71,7 @@
 			<!--p class="meta-note"><span>Private collection</span>. Only you can see this page.</p-->
 		{{/*end*/}}
 		{{if .PinnedPosts}}<nav>
-			{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}</nav>
+			{{range .PinnedPosts}}<a class="pinned" href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{.CanonicalURL $.Host}}{{end}}">{{.PlainDisplayTitle}}</a>{{end}}</nav>
 		{{end}}
 		</header>
 		

From 3d49baf39a0f84f5282de6dcb7297a88fa1ebbf2 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 12 Nov 2019 16:49:38 +0900
Subject: [PATCH 028/127] Improve non-chorus site-wide header

This adds a Reader tab when necessary while logged in, and generally
keeps the navigation consistent for logged-in users, particularly in
regard to the Reader:

- Now includes user buttons and dropdown
- Makes header on user pages consistent with Reader page
---
 templates/base.tmpl                | 6 +++---
 templates/user/include/header.tmpl | 6 ++----
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/templates/base.tmpl b/templates/base.tmpl
index aae7850..3826917 100644
--- a/templates/base.tmpl
+++ b/templates/base.tmpl
@@ -22,7 +22,7 @@
 			{{ end }}
 			{{if not .SingleUser}}
 			<nav id="user-nav">
-				{{if and .Chorus .Username}}
+				{{if .Username}}
 				<nav class="dropdown-nav">
 					<ul><li><a>{{.Username}}</a> <img class="ic-18dp" src="/img/ic_down_arrow_dark@2x.png" /><ul>
 							{{if .IsAdmin}}<li><a href="/admin">Admin dashboard</a></li>{{end}}
@@ -39,10 +39,10 @@
 					{{ if and .SimpleNav (not .SingleUser) }}
 					{{if and (and .LocalTimeline .CanViewReader) .Chorus}}<a href="/"{{if eq .Path "/"}} class="selected"{{end}}>Home</a>{{end}}
 					{{ end }}
-					<a href="/about"{{if eq .Path "/about"}} class="selected"{{end}}>About</a>
+					{{if or .Chorus (not .Username)}}<a href="/about"{{if eq .Path "/about"}} class="selected"{{end}}>About</a>{{end}}
 					{{ if not .SingleUser }}
 						{{ if .Username }}
-					{{if gt .MaxBlogs 1}}<a href="/me/c/"{{if eq .Path "/me/c/"}} class="selected"{{end}}>Blogs</a>{{end}}
+					{{if or (not .Chorus) (gt .MaxBlogs 1)}}<a href="/me/c/"{{if eq .Path "/me/c/"}} class="selected"{{end}}>Blogs</a>{{end}}
 					{{if and (and .Chorus (eq .MaxBlogs 1)) .Username}}<a href="/{{.Username}}/"{{if eq .Path (printf "/%s/" .Username)}} class="selected"{{end}}>My Posts</a>{{end}}
 					{{if not .DisableDrafts}}<a href="/me/posts/"{{if eq .Path "/me/posts/"}} class="selected"{{end}}>Drafts</a>{{end}}
 						{{ end }}
diff --git a/templates/user/include/header.tmpl b/templates/user/include/header.tmpl
index 0feca89..c53ac33 100644
--- a/templates/user/include/header.tmpl
+++ b/templates/user/include/header.tmpl
@@ -22,13 +22,10 @@
 			</nav>
 		</nav>
 		{{else}}
-		{{ if .Chorus }}<nav id="full-nav">
+		<nav id="full-nav">
 			<div class="left-side">
 				<h1><a href="/" title="Return to editor">{{.SiteName}}</a></h1>
 			</div>
-		{{ else }}
-			<h1><a href="/" title="Return to editor">{{.SiteName}}</a></h1>
-		{{ end }}
 		<nav id="user-nav">
 			{{if .Username}}
 			<nav class="dropdown-nav">
@@ -62,6 +59,7 @@
 				{{else}}
 					<a href="/me/c/"{{if eq .Path "/me/c/"}} class="selected"{{end}}>Blogs</a>
 					{{if not .DisableDrafts}}<a href="/me/posts/"{{if eq .Path "/me/posts/"}} class="selected"{{end}}>Drafts</a>{{end}}
+					{{if and (and .LocalTimeline .CanViewReader) (not .Chorus)}}<a href="/read">Reader</a>{{end}}
 				{{end}}
 			</nav>
 		</nav>

From 278e4f6242d1f01d20d2feb811a89c1d25bd6e64 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 12 Nov 2019 16:53:52 +0900
Subject: [PATCH 029/127] Bump version to 0.11.1

---
 app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.go b/app.go
index 9b01bc6..018ce37 100644
--- a/app.go
+++ b/app.go
@@ -56,7 +56,7 @@ var (
 	debugging bool
 
 	// Software version can be set from git env using -ldflags
-	softwareVer = "0.11.0"
+	softwareVer = "0.11.1"
 
 	// DEPRECATED VARS
 	isSingleUser bool

From 2899d98cfd9f9ae092b962a451c150424de97e2a Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 12 Nov 2019 19:43:41 +0900
Subject: [PATCH 030/127] Fix collection post 500 when not logged in

This reverts some code from 5429ca4a, which broke collection post
loading on blog posts when not logged in.
---
 posts.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/posts.go b/posts.go
index 2a6fe74..6410735 100644
--- a/posts.go
+++ b/posts.go
@@ -1390,7 +1390,7 @@ Are you sure it was ever here?`,
 			return err
 		}
 	}
-	p.IsOwner = owner != nil && p.OwnerID.Valid && u.ID == p.OwnerID.Int64
+	p.IsOwner = owner != nil && p.OwnerID.Valid && owner.ID == p.OwnerID.Int64
 	p.Collection = coll
 	p.IsTopLevel = app.cfg.App.SingleUser
 

From bd99044e9c92b40ff7f816c667c1adeb72911ff9 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 12 Nov 2019 20:01:14 +0900
Subject: [PATCH 031/127] Fix 500 on tags page

This fixes a panic from a nil user when calling u.IsSuspended().
Instead, this checks and calls IsSuspended() on `owner`.
---
 collections.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/collections.go b/collections.go
index 54ddc8a..b85f0a4 100644
--- a/collections.go
+++ b/collections.go
@@ -905,11 +905,11 @@ func handleViewCollectionTag(app *App, w http.ResponseWriter, r *http.Request) e
 			// Log the error and just continue
 			log.Error("Error getting user for collection: %v", err)
 		}
+		if owner.IsSilenced() {
+			return ErrCollectionNotFound
+		}
 	}
-	if !isOwner && u.IsSilenced() {
-		return ErrCollectionNotFound
-	}
-	displayPage.Suspended = u.IsSilenced()
+	displayPage.Suspended = owner != nil && owner.IsSilenced()
 	displayPage.Owner = owner
 	coll.Owner = displayPage.Owner
 	// Add more data

From 8d8e671a073d2775e61090cce356e74563ecce47 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 19 Nov 2019 09:59:13 +0900
Subject: [PATCH 032/127] Fix suspension check in fetchPost()

Previously, this check would return a "user not found" error when
retrieving a collection post by its post ID, e.g. /api/posts/abc123
instead of /api/collections/demo/posts/my-slug -- this happens
particularly when `Announce`ing a post in the fediverse. This change
fixes that.
---
 posts.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/posts.go b/posts.go
index 6410735..4891a8e 100644
--- a/posts.go
+++ b/posts.go
@@ -1039,7 +1039,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 
 func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	var collID int64
-	var ownerID int64
 	var coll *Collection
 	var err error
 	vars := mux.Vars(r)
@@ -1055,14 +1054,13 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 			return err
 		}
 		collID = coll.ID
-		ownerID = coll.OwnerID
 	}
 
 	p, err := app.db.GetPost(vars["post"], collID)
 	if err != nil {
 		return err
 	}
-	suspended, err := app.db.IsUserSuspended(ownerID)
+	suspended, err := app.db.IsUserSuspended(p.OwnerID.Int64)
 	if err != nil {
 		log.Error("fetch post: %v", err)
 		return ErrInternalGeneral

From 36df095dac85279c16f6d22481a4c7e3abb11c7c Mon Sep 17 00:00:00 2001
From: yalh76 <yalh@yahoo.com>
Date: Thu, 21 Nov 2019 21:45:06 +0100
Subject: [PATCH 033/127] Add ARM64 Build

---
 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Makefile b/Makefile
index 757bcfd..782e680 100644
--- a/Makefile
+++ b/Makefile
@@ -47,6 +47,12 @@ build-arm7: deps
 	fi
 	xgo --targets=linux/arm-7, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
+build-arm64: deps
+	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GOGET) -u github.com/karalabe/xgo; \
+	fi
+	xgo --targets=linux/arm64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
+
 build-docker :
 	$(DOCKERCMD) build -t $(IMAGE_NAME):latest -t $(IMAGE_NAME):$(GITREV) .
 
@@ -83,6 +89,10 @@ release : clean ui assets
 	mv build/$(BINARY_NAME)-linux-arm-7 $(BUILDPATH)/$(BINARY_NAME)
 	tar -cvzf $(BINARY_NAME)_$(GITREV)_linux_arm7.tar.gz -C build $(BINARY_NAME)
 	rm $(BUILDPATH)/$(BINARY_NAME)
+	$(MAKE) build-arm64
+	mv build/$(BINARY_NAME)-linux-arm64 $(BUILDPATH)/$(BINARY_NAME)
+	tar -cvzf $(BINARY_NAME)_$(GITREV)_linux_arm64.tar.gz -C build $(BINARY_NAME)
+	rm $(BUILDPATH)/$(BINARY_NAME)
 	$(MAKE) build-darwin
 	mv build/$(BINARY_NAME)-darwin-10.6-amd64 $(BUILDPATH)/$(BINARY_NAME)
 	tar -cvzf $(BINARY_NAME)_$(GITREV)_macos_amd64.tar.gz -C build $(BINARY_NAME)

From c81927a69f04103873a55f220375c3dbe56ca621 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 12:59:15 -0500
Subject: [PATCH 034/127] Fix empty hostname when fetching AS post via ID

Previously, fetching ActivityStreams data about a post via
/api/posts/ID, instead of /api/collections/ALIAS/posts/SLUG wouldn't
include the instance's base URL. This fixes that.
---
 posts.go | 28 +++++++++++++++-------------
 1 file changed, 15 insertions(+), 13 deletions(-)

diff --git a/posts.go b/posts.go
index 4891a8e..9440ad8 100644
--- a/posts.go
+++ b/posts.go
@@ -1048,11 +1048,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
-		coll.hostName = app.cfg.App.Host
-		_, err = apiCheckCollectionPermissions(app, r, coll)
-		if err != nil {
-			return err
-		}
 		collID = coll.ID
 	}
 
@@ -1060,12 +1055,26 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	if err != nil {
 		return err
 	}
+	if coll == nil && p.CollectionID.Valid {
+		// Collection post is getting fetched by post ID, not coll alias + post slug, so get coll info now.
+		coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
+		if err != nil {
+			return err
+		}
+	}
+	if coll != nil {
+		coll.hostName = app.cfg.App.Host
+		_, err = apiCheckCollectionPermissions(app, r, coll)
+		if err != nil {
+			return err
+		}
+	}
+
 	suspended, err := app.db.IsUserSuspended(p.OwnerID.Int64)
 	if err != nil {
 		log.Error("fetch post: %v", err)
 		return ErrInternalGeneral
 	}
-
 	if suspended {
 		return ErrPostNotFound
 	}
@@ -1074,13 +1083,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 
 	accept := r.Header.Get("Accept")
 	if strings.Contains(accept, "application/activity+json") {
-		// Fetch information about the collection this belongs to
-		if coll == nil && p.CollectionID.Valid {
-			coll, err = app.db.GetCollectionByID(p.CollectionID.Int64)
-			if err != nil {
-				return err
-			}
-		}
 		if coll == nil {
 			// This is a draft post; 404 for now
 			// TODO: return ActivityObject

From 44a670374224d277e7cf3d3b88c926e327773ba2 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 13:14:52 -0500
Subject: [PATCH 035/127] Prevent failed requests on failed user silence check

---
 posts.go | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/posts.go b/posts.go
index 6410735..189ea63 100644
--- a/posts.go
+++ b/posts.go
@@ -384,7 +384,6 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID.Int64)
 	if err != nil {
 		log.Error("view post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	// Check if post has been unpublished
@@ -511,7 +510,6 @@ func newPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("new post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -685,7 +683,6 @@ func existingPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("existing post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -888,7 +885,6 @@ func addPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID)
 	if err != nil {
 		log.Error("add post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -991,7 +987,6 @@ func pinPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(userID)
 	if err != nil {
 		log.Error("pin post: %v", err)
-		return ErrInternalGeneral
 	}
 	if suspended {
 		return ErrUserSuspended
@@ -1065,7 +1060,6 @@ func fetchPost(app *App, w http.ResponseWriter, r *http.Request) error {
 	suspended, err := app.db.IsUserSuspended(ownerID)
 	if err != nil {
 		log.Error("fetch post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	if suspended {
@@ -1335,7 +1329,6 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 	suspended, err := app.db.IsUserSuspended(c.OwnerID)
 	if err != nil {
 		log.Error("view collection post: %v", err)
-		return ErrInternalGeneral
 	}
 
 	// Check collection permissions

From 342c3cde89d44b20c3e4086ec1cc04bf9a3ebb61 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 13:15:31 -0500
Subject: [PATCH 036/127] Bump version to 0.11.2

---
 app.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app.go b/app.go
index 018ce37..d71fb1e 100644
--- a/app.go
+++ b/app.go
@@ -56,7 +56,7 @@ var (
 	debugging bool
 
 	// Software version can be set from git env using -ldflags
-	softwareVer = "0.11.1"
+	softwareVer = "0.11.2"
 
 	// DEPRECATED VARS
 	isSingleUser bool

From bbb7b281109dbdbac239c29b8c2d3ecb9e550f77 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 26 Nov 2019 13:32:33 -0500
Subject: [PATCH 037/127] Bump Travis build to Go 1.12

This fixes the `undefined: strings.ReplaceAll` build error.
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 1e58d6b..c2ebadb 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - "1.11.x"
+  - "1.12.x"
 
 env:
   - GO111MODULE=on

From 181af8c5c8bd07a06359ff375e9e335e9d6db602 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 27 Nov 2019 16:37:52 -0500
Subject: [PATCH 038/127] Update httpsig and activityserve

This fixes activityserve crashes caused by mentioning WriteFreely
instances.
---
 go.mod | 6 ++----
 go.sum | 6 ++++++
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/go.mod b/go.mod
index 5ac4a8b..9c02895 100644
--- a/go.mod
+++ b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 // indirect
 	github.com/dustin/go-humanize v1.0.0
 	github.com/fatih/color v1.7.0
+	github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d // indirect
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/go-test/deep v1.0.1 // indirect
 	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
@@ -33,19 +34,17 @@ require (
 	github.com/pelletier/go-toml v1.2.0 // indirect
 	github.com/pkg/errors v0.8.1 // indirect
 	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 // indirect
 	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
 	github.com/stretchr/testify v1.3.0 // indirect
 	github.com/writeas/activity v0.1.2
-	github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b
+	github.com/writeas/activityserve v0.0.0-20191115095800-dd6d19cc8b89
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
 	github.com/writeas/impart v1.1.0
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
-	github.com/writeas/openssl-go v1.0.0 // indirect
 	github.com/writeas/saturday v1.7.1
 	github.com/writeas/slug v1.2.0
 	github.com/writeas/web-core v1.2.0
@@ -58,7 +57,6 @@ require (
 	google.golang.org/appengine v1.4.0 // indirect
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
 	gopkg.in/ini.v1 v1.41.0
-	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect
 )
 
diff --git a/go.sum b/go.sum
index c8b46ff..abebe07 100644
--- a/go.sum
+++ b/go.sum
@@ -33,6 +33,8 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/go-fed/httpsig v0.1.0 h1:6F2OxRVnNTN4OPN+Mc2jxs2WEay9/qiHT/jphlvAwIY=
 github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
+github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d h1:+uoOvOnNDgsYbWtAij4xP6Rgir3eJGjocFPxBJETU/U=
+github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-test/deep v1.0.1 h1:UQhStjbkDClarlmv0am7OXXO4/GaPdCGiUiMTvi28sg=
@@ -124,6 +126,8 @@ github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5 h1:nG84xWpxB
 github.com/writeas/activityserve v0.0.0-20191008122325-5fc3b48e70c5/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
 github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b h1:rd2wX/bTqD55hxtBjAhwLcUgaQE36c70KX3NzpDAwVI=
 github.com/writeas/activityserve v0.0.0-20191011072627-3a81f7784d5b/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
+github.com/writeas/activityserve v0.0.0-20191115095800-dd6d19cc8b89 h1:NJhzq9aTccL3SSSZMrcnYhkD6sObdY9otNZ1X6/ZKNE=
+github.com/writeas/activityserve v0.0.0-20191115095800-dd6d19cc8b89/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
 github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
@@ -138,6 +142,7 @@ github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=
 github.com/writeas/nerds v1.0.0/go.mod h1:Gn2bHy1EwRcpXeB7ZhVmuUwiweK0e+JllNf66gvNLdU=
 github.com/writeas/openssl-go v1.0.0 h1:YXM1tDXeYOlTyJjoMlYLQH1xOloUimSR1WMF8kjFc5o=
 github.com/writeas/openssl-go v1.0.0/go.mod h1:WsKeK5jYl0B5y8ggOmtVjbmb+3rEGqSD25TppjJnETA=
+github.com/writeas/saturday v1.6.0/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
 github.com/writeas/saturday v1.7.1 h1:lYo1EH6CYyrFObQoA9RNWHVlpZA5iYL5Opxo7PYAnZE=
 github.com/writeas/saturday v1.7.1/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
 github.com/writeas/slug v1.2.0 h1:EMQ+cwLiOcA6EtFwUgyw3Ge18x9uflUnOnR6bp/J+/g=
@@ -150,6 +155,7 @@ github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAv
 github.com/writefreely/go-nodeinfo v1.2.0/go.mod h1:UTvE78KpcjYOlRHupZIiSEFcXHioTXuacCbHU+CAcPg=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190131182504-b8fe1690c613/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f h1:ETU2VEl7TnT5bl7IvuKEzTDpplg5wzGYsOCAPhdoEIg=
 golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

From ae5bbd273d55cdf808ec23869f5f1400361a090f Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 27 Nov 2019 17:54:17 -0500
Subject: [PATCH 039/127] Fix mention URL on multi-user instances

Previously, links would go to /user/mention:@me@this.tld instead of
/mention:@me@this.tld
---
 postrender.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/postrender.go b/postrender.go
index e31c462..0cd9f55 100644
--- a/postrender.go
+++ b/postrender.go
@@ -83,7 +83,7 @@ func applyMarkdownSpecial(data []byte, skipNoFollow bool, baseURL string, cfg *c
 			tagPrefix = "/read/t/"
 		}
 		md = []byte(hashtagReg.ReplaceAll(md, []byte("<a href=\""+tagPrefix+"$1\" class=\"hashtag\"><span>#</span><span class=\"p-category\">$1</span></a>")))
-		handlePrefix := baseURL + "mention:"
+		handlePrefix := "/mention:"
 		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$0\" class=\"mention\">$0</a>")))
 	}
 	// Strip out bad HTML

From a266d8e0322d3dc40e3b1599d76bf514b06438d2 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Fri, 29 Nov 2019 08:12:54 -0500
Subject: [PATCH 040/127] Update IsJSON call in handleRenderMarkdown()

---
 postrender.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/postrender.go b/postrender.go
index 2f55896..8ab90aa 100644
--- a/postrender.go
+++ b/postrender.go
@@ -239,8 +239,7 @@ func shortPostDescription(content string) string {
 }
 
 func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) error {
-	// TODO: accept header
-	if !IsJSON(r.Header.Get("Content-Type")) {
+	if !IsJSON(r) {
 		fmt.Println("missing header")
 	}
 

From d8f77585f50917cd8597af448b145dec00e6d24c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 1 Dec 2019 06:16:12 -0500
Subject: [PATCH 041/127] Suppress log when editing post or its metadata

This adds the instance's Hostname to the collection data loaded when
editing a collection post or its metadata. While not technically needed
in this situation, it suppresses an alarming error log.

Resolves #216
---
 pad.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/pad.go b/pad.go
index 37d1c9b..3b0f1c2 100644
--- a/pad.go
+++ b/pad.go
@@ -92,6 +92,7 @@ func handleViewPad(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
+		appData.EditCollection.hostName = app.cfg.App.Host
 	} else {
 		// Editing a floating article
 		appData.Post = getRawPost(app, action)
@@ -161,6 +162,7 @@ func handleViewMeta(app *App, w http.ResponseWriter, r *http.Request) error {
 		if err != nil {
 			return err
 		}
+		appData.EditCollection.hostName = app.cfg.App.Host
 	} else {
 		// Editing a floating article
 		appData.Post = getRawPost(app, action)

From acb8f5fe5d55cf728e6d38ae671a9f54b7e6b8f6 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 7 Dec 2019 09:06:31 -0500
Subject: [PATCH 042/127] Fix broken password-collection template

Fixed "user-supsended" to "user-suspended"
---
 templates/password-collection.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/password-collection.tmpl b/templates/password-collection.tmpl
index 73c4465..66a3bef 100644
--- a/templates/password-collection.tmpl
+++ b/templates/password-collection.tmpl
@@ -26,7 +26,7 @@
 	</head>
 	<body id="collection" itemscope itemtype="http://schema.org/WebPage">
 		{{if .Suspended}}
-			{{template "user-supsended"}}
+			{{template "user-suspended"}}
 		{{end}}
 		<header>
 		<h1 dir="{{.Direction}}" id="blog-title"><a href="/{{.Alias}}/" class="h-card p-author u-url" rel="me author">{{.DisplayTitle}}</a></h1>

From 0b701c5f7f36736127c809d71a1bb2b7d9ae495c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 7 Dec 2019 09:08:37 -0500
Subject: [PATCH 043/127] Update "account silenced" alert on edit-meta

Use "silenced" phrasing instead of "suspended"
---
 templates/edit-meta.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/edit-meta.tmpl b/templates/edit-meta.tmpl
index 6707e68..49c7781 100644
--- a/templates/edit-meta.tmpl
+++ b/templates/edit-meta.tmpl
@@ -270,7 +270,7 @@
 		<script>
 function updateMeta() {
 	if ({{.Suspended}}) {
-		alert('Your account is currently supsended, editing posts is disabled.');
+		alert("Your account is silenced, so you can't edit posts.");
 		return
 	}
 	document.getElementById('create-error').style.display = 'none';

From 6f6204a849b52510c42e16c22b29f7f4c993ac0c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 13:02:21 -0500
Subject: [PATCH 044/127] Return 404 for suspended pass-protected colls

Previously, any password-protected collection on a suspended account
would prompt visitors for a password, and *then* take them to the "not
found" page. This fixes that.
---
 collections.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/collections.go b/collections.go
index b85f0a4..66ad7a0 100644
--- a/collections.go
+++ b/collections.go
@@ -648,6 +648,16 @@ func processCollectionPermissions(app *App, cr *collectionReq, u *User, w http.R
 				uname = u.Username
 			}
 
+			// TODO: move this to all permission checks?
+			suspended, err := app.db.IsUserSuspended(c.OwnerID)
+			if err != nil {
+				log.Error("process protected collection permissions: %v", err)
+				return nil, err
+			}
+			if suspended {
+				return nil, ErrCollectionNotFound
+			}
+
 			// See if we've authorized this collection
 			authd := isAuthorizedForCollection(app, c.Alias, r)
 

From aa405bc57ce390c9b17d9447053a73b762d87845 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 13:11:32 -0500
Subject: [PATCH 045/127] Remove "silenced" warning on password-collection.tmpl

Logged-in users never see this particular page, so it's not needed here.
---
 templates/password-collection.tmpl | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/templates/password-collection.tmpl b/templates/password-collection.tmpl
index 66a3bef..e0b755d 100644
--- a/templates/password-collection.tmpl
+++ b/templates/password-collection.tmpl
@@ -25,9 +25,6 @@
 
 	</head>
 	<body id="collection" itemscope itemtype="http://schema.org/WebPage">
-		{{if .Suspended}}
-			{{template "user-suspended"}}
-		{{end}}
 		<header>
 		<h1 dir="{{.Direction}}" id="blog-title"><a href="/{{.Alias}}/" class="h-card p-author u-url" rel="me author">{{.DisplayTitle}}</a></h1>
 		</header>

From 4c0e4d04c14fb9942c28cd04265ffe440eae0278 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 17 Dec 2019 10:42:31 -0800
Subject: [PATCH 046/127] 404 for protected posts when previously authorized

a user who had previously authenticated on a protected collection would
still see the post after the owner was silenced, with a banner meant for
the owner displayed.
---
 posts.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/posts.go b/posts.go
index 9440ad8..62a3ae3 100644
--- a/posts.go
+++ b/posts.go
@@ -1342,8 +1342,13 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 	if c.IsPrivate() && (u == nil || u.ID != c.OwnerID) {
 		return ErrPostNotFound
 	}
-	if c.IsProtected() && ((u == nil || u.ID != c.OwnerID) && !isAuthorizedForCollection(app, c.Alias, r)) {
-		return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+	if c.IsProtected() && (u == nil || u.ID != c.OwnerID) {
+		if suspended {
+			return ErrPostNotFound
+		} else if !isAuthorizedForCollection(app, c.Alias, r) {
+			return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
+
+		}
 	}
 
 	cr.isCollOwner = u != nil && c.OwnerID == u.ID

From 26d906ae92ba4d4079a45f3bcb96bde1f91ad887 Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 17 Dec 2019 12:27:34 -0800
Subject: [PATCH 047/127] clean up responses and logging, change endpoint

- return an error with invalid request types
- simplify json decoding
- return error and success consistent with app conventions
- endpoint change from /api/generate/markdownify to /api/markdown
- fix nil pointer dereference when passing a base_url
---
 postrender.go | 31 ++++++++-----------------------
 routes.go     |  3 +--
 2 files changed, 9 insertions(+), 25 deletions(-)

diff --git a/postrender.go b/postrender.go
index 8ab90aa..f5b5649 100644
--- a/postrender.go
+++ b/postrender.go
@@ -15,7 +15,6 @@ import (
 	"fmt"
 	"html"
 	"html/template"
-	"io/ioutil"
 	"net/http"
 	"regexp"
 	"strings"
@@ -24,7 +23,9 @@ import (
 
 	"github.com/microcosm-cc/bluemonday"
 	stripmd "github.com/writeas/go-strip-markdown"
+	"github.com/writeas/impart"
 	blackfriday "github.com/writeas/saturday"
+	"github.com/writeas/web-core/log"
 	"github.com/writeas/web-core/stringmanip"
 	"github.com/writeas/writefreely/config"
 	"github.com/writeas/writefreely/parse"
@@ -240,7 +241,7 @@ func shortPostDescription(content string) string {
 
 func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) error {
 	if !IsJSON(r) {
-		fmt.Println("missing header")
+		return impart.HTTPError{Status: http.StatusUnsupportedMediaType, Message: "Markdown API only supports JSON requests"}
 	}
 
 	in := struct {
@@ -250,28 +251,12 @@ func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) erro
 		BaseURL: "",
 	}
 
-	body, err := ioutil.ReadAll(r.Body)
+	decoder := json.NewDecoder(r.Body)
+	err := decoder.Decode(&in)
 	if err != nil {
-		return ErrInternalGeneral
+		log.Error("Couldn't parse markdown JSON request: %v", err)
+		return ErrBadJSON
 	}
 
-	err = json.Unmarshal(body, &in)
-	if err != nil {
-		return ErrInternalGeneral
-	}
-
-	out := struct {
-		Body string `json:"body"`
-	}{
-		Body: applyMarkdown([]byte(in.RawBody), in.BaseURL, nil),
-	}
-
-	js, err := json.Marshal(out)
-	if err != nil {
-		return ErrInternalGeneral
-	}
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(http.StatusOK)
-	w.Write(js)
-	return nil
+	return impart.WriteSuccess(w, applyMarkdown([]byte(in.RawBody), in.BaseURL, app.cfg), http.StatusOK)
 }
diff --git a/routes.go b/routes.go
index a37e0de..4334f9f 100644
--- a/routes.go
+++ b/routes.go
@@ -110,8 +110,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	// Sign up validation
 	write.HandleFunc("/api/alias", handler.All(handleUsernameCheck)).Methods("POST")
 
-	apiGenerate := write.PathPrefix("/api/generate/").Subrouter()
-	apiGenerate.HandleFunc("/markdownify", handler.All(handleRenderMarkdown)).Methods("POST")
+	write.HandleFunc("/api/markdown", handler.All(handleRenderMarkdown)).Methods("POST")
 
 	// Handle collections
 	write.HandleFunc("/api/collections", handler.All(newCollection)).Methods("POST")

From cfea887b78828d06f1a4b501f64d7ac7dcfbbd88 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 20:58:32 -0500
Subject: [PATCH 048/127] Suppress "user not found" log when post not found

This also saves a user suspension check when a post isn't found.
---
 posts.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/posts.go b/posts.go
index 189ea63..4da09bc 100644
--- a/posts.go
+++ b/posts.go
@@ -381,9 +381,12 @@ func handleViewPost(app *App, w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	suspended, err := app.db.IsUserSuspended(ownerID.Int64)
-	if err != nil {
-		log.Error("view post: %v", err)
+	var suspended bool
+	if found {
+		suspended, err = app.db.IsUserSuspended(ownerID.Int64)
+		if err != nil {
+			log.Error("view post: %v", err)
+		}
 	}
 
 	// Check if post has been unpublished

From 6afafa4d67d3238378f58565d01197005779bcd8 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 17 Dec 2019 21:10:39 -0500
Subject: [PATCH 049/127] Fix whitespace

---
 posts.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/posts.go b/posts.go
index 62a3ae3..547343b 100644
--- a/posts.go
+++ b/posts.go
@@ -1347,7 +1347,6 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 			return ErrPostNotFound
 		} else if !isAuthorizedForCollection(app, c.Alias, r) {
 			return impart.HTTPError{http.StatusFound, c.CanonicalURL() + "/?g=" + slug}
-
 		}
 	}
 

From dae65b7d1fadc9d6dd3a25b6a98714adf437a80a Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Thu, 19 Dec 2019 08:28:06 -0800
Subject: [PATCH 050/127] retain output structure in response

---
 postrender.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/postrender.go b/postrender.go
index f5b5649..02b156b 100644
--- a/postrender.go
+++ b/postrender.go
@@ -258,5 +258,11 @@ func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) erro
 		return ErrBadJSON
 	}
 
-	return impart.WriteSuccess(w, applyMarkdown([]byte(in.RawBody), in.BaseURL, app.cfg), http.StatusOK)
+	out := struct {
+		Body string `json:"body"`
+	}{
+		Body: applyMarkdown([]byte(in.RawBody), in.BaseURL, app.cfg),
+	}
+
+	return impart.WriteSuccess(w, out, http.StatusOK)
 }

From 7a0863f71b2504583e0537aa18664a5073d7f642 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 19 Dec 2019 11:48:04 -0500
Subject: [PATCH 051/127] Added oauth handlers and tests with mocks. Part of
 T705.

---
 admin.go         |   2 +-
 app.go           |  10 +-
 config/config.go |   9 ++
 database.go      |  80 +++++++++++++++
 go.mod           |   9 +-
 go.sum           |   2 +
 handle.go        |   4 +-
 main_test.go     |  18 ++++
 oauth.go         | 252 +++++++++++++++++++++++++++++++++++++++++++++++
 oauth/state.go   |  10 ++
 oauth_test.go    | 198 +++++++++++++++++++++++++++++++++++++
 11 files changed, 585 insertions(+), 9 deletions(-)
 create mode 100644 main_test.go
 create mode 100644 oauth.go
 create mode 100644 oauth/state.go
 create mode 100644 oauth_test.go

diff --git a/admin.go b/admin.go
index ebb4225..0a73a11 100644
--- a/admin.go
+++ b/admin.go
@@ -260,7 +260,7 @@ func handleAdminToggleUserStatus(app *App, u *User, w http.ResponseWriter, r *ht
 	}
 	if err != nil {
 		log.Error("toggle user suspended: %v", err)
-		return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not toggle user status: %v")}
+		return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not toggle user status: %v", err)}
 	}
 	return impart.HTTPError{http.StatusFound, fmt.Sprintf("/admin/user/%s#status", username)}
 }
diff --git a/app.go b/app.go
index d71fb1e..d465a3e 100644
--- a/app.go
+++ b/app.go
@@ -70,7 +70,7 @@ type App struct {
 	cfg          *config.Config
 	cfgFile      string
 	keys         *key.Keychain
-	sessionStore *sessions.CookieStore
+	sessionStore sessions.Store
 	formDecoder  *schema.Decoder
 
 	timeline *localTimeline
@@ -101,6 +101,14 @@ func (app *App) SetKeys(k *key.Keychain) {
 	app.keys = k
 }
 
+func (app *App) SessionStore() sessions.Store {
+	return app.sessionStore
+}
+
+func (app *App) SetSessionStore(s sessions.Store) {
+	app.sessionStore = s
+}
+
 // Apper is the interface for getting data into and out of a WriteFreely
 // instance (or "App").
 //
diff --git a/config/config.go b/config/config.go
index 84bae86..4b9586e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -92,6 +92,15 @@ type (
 		LocalTimeline bool   `ini:"local_timeline"`
 		UserInvites   string `ini:"user_invites"`
 
+		// OAuth
+		EnableOAuth bool `ini:"enable_oauth"`
+		OAuthProviderAuthLocation    string `ini:"oauth_auth_location"`
+		OAuthProviderTokenLocation   string `ini:"oauth_token_location"`
+		OAuthProviderInspectLocation string `ini:"oauth_inspect_location"`
+		OAuthClientCallbackLocation  string `ini:"oauth_callback_location"`
+		OAuthClientID                string `ini:"oauth_client_id"`
+		OAuthClientSecret            string `ini:"oauth_client_secret"`
+
 		// Defaults
 		DefaultVisibility string `ini:"default_visibility"`
 	}
diff --git a/database.go b/database.go
index d78d888..735d3f7 100644
--- a/database.go
+++ b/database.go
@@ -11,8 +11,12 @@
 package writefreely
 
 import (
+	"context"
+	"crypto/rand"
 	"database/sql"
 	"fmt"
+	"github.com/pkg/errors"
+	"math/big"
 	"net/http"
 	"strings"
 	"time"
@@ -2453,6 +2457,59 @@ func (db *datastore) GetCollectionLastPostTime(id int64) (*time.Time, error) {
 	return &t, nil
 }
 
+func (db *datastore) GenerateOAuthState(ctx context.Context) (string, error) {
+	state, err := randString(24)
+	if err != nil {
+		return "", err
+	}
+	_, err = db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, used, created_at) VALUES (?, FALSE, NOW())", state)
+	if err != nil {
+		return "", fmt.Errorf("unable to record oauth client state: %w", err)
+	}
+	return state, nil
+}
+
+func (db *datastore) ValidateOAuthState(ctx context.Context, state string) error {
+	res, err := db.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ?", state)
+	if err != nil {
+		return err
+	}
+	rowsAffected, err := res.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if rowsAffected != 1 {
+		return fmt.Errorf("state not found")
+	}
+	return nil
+}
+
+func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remoteUserID int64) error {
+	var err error
+	if db.driverName == driverSQLite {
+		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
+	} else {
+		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id"), localUserID, remoteUserID)
+	}
+	if err != nil {
+		log.Error("Unable to INSERT users_oauth for '%d': %v", localUserID, err)
+	}
+	return err
+}
+
+// GetIDForRemoteUser returns a user ID associated with a remote user ID.
+func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error) {
+	var userID int64 = -1
+	err := db.
+		QueryRowContext(ctx, "SELECT user_id FROM users_oauth WHERE remote_user_id = ?", remoteUserID).
+		Scan(&userID)
+	// Not finding a record is OK.
+	if err != nil && err != sql.ErrNoRows {
+		return -1, err
+	}
+	return userID, nil
+}
+
 // DatabaseInitialized returns whether or not the current datastore has been
 // initialized with the correct schema.
 // Currently, it checks to see if the `users` table exists.
@@ -2483,3 +2540,26 @@ func handleFailedPostInsert(err error) error {
 	log.Error("Couldn't insert into posts: %v", err)
 	return err
 }
+
+func randString(length int) (string, error) {
+	// every printable character on a US keyboard
+	charset := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
+	out := make([]rune, length)
+
+	setLen := big.NewInt(int64(len(charset)))
+	for idx := 0; idx < length; idx++ {
+		offset, err := rand.Int(rand.Reader, setLen)
+		if err != nil {
+			return "", err
+		}
+
+		if !offset.IsUint64() {
+			// this should (in theory) never happen
+			return "", errors.Errorf("Non-Uint64 offset returned from rand.Int")
+		}
+
+		out[idx] = charset[offset.Uint64()]
+	}
+
+	return string(out), nil
+}
diff --git a/go.mod b/go.mod
index 88af8c9..d34c4c9 100644
--- a/go.mod
+++ b/go.mod
@@ -29,12 +29,11 @@ require (
 	github.com/nicksnyder/go-i18n v1.10.0 // indirect
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
 	github.com/pelletier/go-toml v1.2.0 // indirect
-	github.com/pkg/errors v0.8.1 // indirect
+	github.com/pkg/errors v0.8.1
 	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 // indirect
 	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
-	github.com/stretchr/testify v1.3.0 // indirect
+	github.com/stretchr/testify v1.3.0
 	github.com/writeas/activity v0.1.2
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
@@ -42,7 +41,6 @@ require (
 	github.com/writeas/impart v1.1.0
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
-	github.com/writeas/openssl-go v1.0.0 // indirect
 	github.com/writeas/saturday v1.7.1
 	github.com/writeas/slug v1.2.0
 	github.com/writeas/web-core v1.2.0
@@ -55,6 +53,7 @@ require (
 	google.golang.org/appengine v1.4.0 // indirect
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
 	gopkg.in/ini.v1 v1.41.0
-	gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 // indirect
 	gopkg.in/yaml.v2 v2.2.2 // indirect
 )
+
+go 1.13
diff --git a/go.sum b/go.sum
index b256223..035538e 100644
--- a/go.sum
+++ b/go.sum
@@ -129,6 +129,7 @@ github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=
 github.com/writeas/nerds v1.0.0/go.mod h1:Gn2bHy1EwRcpXeB7ZhVmuUwiweK0e+JllNf66gvNLdU=
 github.com/writeas/openssl-go v1.0.0 h1:YXM1tDXeYOlTyJjoMlYLQH1xOloUimSR1WMF8kjFc5o=
 github.com/writeas/openssl-go v1.0.0/go.mod h1:WsKeK5jYl0B5y8ggOmtVjbmb+3rEGqSD25TppjJnETA=
+github.com/writeas/saturday v1.6.0/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
 github.com/writeas/saturday v1.7.1 h1:lYo1EH6CYyrFObQoA9RNWHVlpZA5iYL5Opxo7PYAnZE=
 github.com/writeas/saturday v1.7.1/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
 github.com/writeas/slug v1.2.0 h1:EMQ+cwLiOcA6EtFwUgyw3Ge18x9uflUnOnR6bp/J+/g=
@@ -141,6 +142,7 @@ github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAv
 github.com/writefreely/go-nodeinfo v1.2.0/go.mod h1:UTvE78KpcjYOlRHupZIiSEFcXHioTXuacCbHU+CAcPg=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190131182504-b8fe1690c613/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f h1:ETU2VEl7TnT5bl7IvuKEzTDpplg5wzGYsOCAPhdoEIg=
 golang.org/x/crypto v0.0.0-20190208162236-193df9c0f06f/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
diff --git a/handle.go b/handle.go
index 7e410f5..7346f79 100644
--- a/handle.go
+++ b/handle.go
@@ -73,7 +73,7 @@ type (
 
 type Handler struct {
 	errors       *ErrorPages
-	sessionStore *sessions.CookieStore
+	sessionStore sessions.Store
 	app          Apper
 }
 
@@ -96,7 +96,7 @@ func NewHandler(apper Apper) *Handler {
 			InternalServerError: template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>500</title></head><body><p>Internal server error.</p></body></html>{{end}}")),
 			Blank:               template.Must(template.New("").Parse("{{define \"base\"}}<html><head><title>{{.Title}}</title></head><body><p>{{.Content}}</p></body></html>{{end}}")),
 		},
-		sessionStore: apper.App().sessionStore,
+		sessionStore: apper.App().SessionStore(),
 		app:          apper,
 	}
 
diff --git a/main_test.go b/main_test.go
new file mode 100644
index 0000000..3d16ece
--- /dev/null
+++ b/main_test.go
@@ -0,0 +1,18 @@
+package writefreely
+
+import (
+	"encoding/gob"
+	"math/rand"
+	"os"
+	"testing"
+	"time"
+)
+
+// TestMain provides testing infrastructure within this package.
+func TestMain(m *testing.M) {
+	rand.Seed(time.Now().UTC().UnixNano())
+
+	gob.Register(&User{})
+
+	os.Exit(m.Run())
+}
\ No newline at end of file
diff --git a/oauth.go b/oauth.go
new file mode 100644
index 0000000..4b37277
--- /dev/null
+++ b/oauth.go
@@ -0,0 +1,252 @@
+package writefreely
+
+import (
+	"context"
+	"encoding/json"
+	"github.com/gorilla/sessions"
+	"github.com/guregu/null/zero"
+	"github.com/writeas/impart"
+	"github.com/writeas/web-core/auth"
+	"github.com/writeas/web-core/log"
+	"github.com/writeas/writefreely/config"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+// TokenResponse contains data returned when a token is created either
+// through a code exchange or using a refresh token.
+type TokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	RefreshToken string `json:"refresh_token"`
+	TokenType    string `json:"token_type"`
+}
+
+// InspectResponse contains data returned when an access token is inspected.
+type InspectResponse struct {
+	ClientID  string    `json:"client_id"`
+	UserID    int64     `json:"user_id"`
+	ExpiresAt time.Time `json:"expires_at"`
+	Username  string    `json:"username"`
+	Email     string    `json:"email"`
+}
+
+// tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token
+// endpoint. One megabyte is plenty.
+const tokenRequestMaxLen = 1000000
+
+// infoRequestMaxLen is the most bytes that we'll read from the
+// /oauth/inspect endpoint.
+const infoRequestMaxLen = 1000000
+
+// OAuthDatastoreProvider provides a minimal interface of data store, config,
+// and session store for use with the oauth handlers.
+type OAuthDatastoreProvider interface {
+	DB() OAuthDatastore
+	Config() *config.Config
+	SessionStore() sessions.Store
+}
+
+// OAuthDatastore provides a minimal interface of data store methods used in
+// oauth functionality.
+type OAuthDatastore interface {
+	GenerateOAuthState(context.Context) (string, error)
+	ValidateOAuthState(context.Context, string) error
+	GetIDForRemoteUser(context.Context, int64) (int64, error)
+	CreateUser(*config.Config, *User, string) error
+	RecordRemoteUserID(context.Context, int64, int64) error
+	GetUserForAuthByID(int64) (*User, error)
+}
+
+type HttpClient interface {
+	Do(req *http.Request) (*http.Response, error)
+}
+
+type oauthHandler struct {
+	HttpClient HttpClient
+}
+
+// buildAuthURL returns a URL used to initiate authentication.
+func buildAuthURL(app OAuthDatastoreProvider, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {
+	state, err := app.DB().GenerateOAuthState(ctx)
+	if err != nil {
+		return "", err
+	}
+
+	u, err := url.Parse(authLocation)
+	if err != nil {
+		return "", err
+	}
+	q := u.Query()
+	q.Set("client_id", clientID)
+	q.Set("redirect_uri", callbackURL)
+	q.Set("response_type", "code")
+	q.Set("state", state)
+	u.RawQuery = q.Encode()
+
+	return u.String(), nil
+}
+
+func (h oauthHandler) viewOauthInit(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request) error {
+	location, err := buildAuthURL(app, r.Context(), app.Config().App.OAuthClientID, app.Config().App.OAuthProviderAuthLocation, app.Config().App.OAuthClientCallbackLocation)
+	if err != nil {
+		log.ErrorLog.Println(err)
+		return impart.HTTPError{Status: http.StatusInternalServerError, Message: "Could not prepare OAuth redirect URL."}
+	}
+	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
+	return nil
+}
+
+func (h oauthHandler) viewOauthCallback(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request) error {
+	ctx := r.Context()
+
+	code := r.FormValue("code")
+	state := r.FormValue("state")
+
+	err := app.DB().ValidateOAuthState(ctx, state)
+	if err != nil {
+		return err
+	}
+
+	tokenResponse, err := h.exchangeOauthCode(app, ctx, code)
+	if err != nil {
+		return err
+	}
+
+	// Now that we have the access token, let's use it real quick to make sur
+	// it really really works.
+	tokenInfo, err := h.inspectOauthAccessToken(app, ctx, tokenResponse.AccessToken)
+	if err != nil {
+		return err
+	}
+
+	localUserID, err := app.DB().GetIDForRemoteUser(ctx, tokenInfo.UserID)
+	if err != nil {
+		return err
+	}
+
+	if localUserID == -1 {
+		// We don't have, nor do we want, the password from the origin, so we
+		//create a random string. If the user needs to set a password, they
+		//can do so through the settings page or through the password reset
+		//flow.
+		randPass, err := randString(14)
+		if err != nil {
+			return err
+		}
+		hashedPass, err := auth.HashPass([]byte(randPass))
+		if err != nil {
+			log.ErrorLog.Println(err)
+			return impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}
+		}
+		newUser := &User{
+			Username:   tokenInfo.Username,
+			HashedPass: hashedPass,
+			HasPass:    true,
+			Email:      zero.NewString("", tokenInfo.Email != ""),
+			Created:    time.Now().Truncate(time.Second).UTC(),
+		}
+
+		err = app.DB().CreateUser(app.Config(), newUser, newUser.Username)
+		if err != nil {
+			return err
+		}
+
+		err = app.DB().RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
+		if err != nil {
+			return err
+		}
+
+		return loginOrFail(app, w, r, newUser)
+	}
+
+	user, err := app.DB().GetUserForAuthByID(localUserID)
+	if err != nil {
+		return err
+	}
+	return loginOrFail(app, w, r, user)
+}
+
+func (h oauthHandler) exchangeOauthCode(app OAuthDatastoreProvider, ctx context.Context, code string) (*TokenResponse, error) {
+	form := url.Values{}
+	form.Add("grant_type", "authorization_code")
+	form.Add("redirect_uri", app.Config().App.OAuthClientCallbackLocation)
+	form.Add("code", code)
+	req, err := http.NewRequest("POST", app.Config().App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth(app.Config().App.OAuthClientID, app.Config().App.OAuthClientSecret)
+
+	resp, err := h.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// Nick: I like using limited readers to reduce the risk of an endpoint
+	// being broken or compromised.
+	lr := io.LimitReader(resp.Body, tokenRequestMaxLen)
+	body, err := ioutil.ReadAll(lr)
+	if err != nil {
+		return nil, err
+	}
+
+	var tokenResponse TokenResponse
+	err = json.Unmarshal(body, &tokenResponse)
+	if err != nil {
+		return nil, err
+	}
+	return &tokenResponse, nil
+}
+
+func (h oauthHandler) inspectOauthAccessToken(app OAuthDatastoreProvider, ctx context.Context, accessToken string) (*InspectResponse, error) {
+	req, err := http.NewRequest("GET", app.Config().App.OAuthProviderInspectLocation, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+
+	resp, err := h.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	// Nick: I like using limited readers to reduce the risk of an endpoint
+	// being broken or compromised.
+	lr := io.LimitReader(resp.Body, infoRequestMaxLen)
+	body, err := ioutil.ReadAll(lr)
+	if err != nil {
+		return nil, err
+	}
+
+	var inspectResponse InspectResponse
+	err = json.Unmarshal(body, &inspectResponse)
+	if err != nil {
+		return nil, err
+	}
+	return &inspectResponse, nil
+}
+
+func loginOrFail(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request, user *User) error {
+	session, err := app.SessionStore().Get(r, cookieName)
+	if err != nil {
+		return err
+	}
+	session.Values[cookieUserVal] = user.Cookie()
+	if err = session.Save(r, w); err != nil {
+		return err
+	}
+	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+	return nil
+}
diff --git a/oauth/state.go b/oauth/state.go
new file mode 100644
index 0000000..e8dd154
--- /dev/null
+++ b/oauth/state.go
@@ -0,0 +1,10 @@
+package oauth
+
+import "context"
+
+// ClientStateStore provides state management used by the OAuth client.
+type ClientStateStore interface {
+	Generate(ctx context.Context) (string, error)
+	Validate(ctx context.Context, state string) error
+}
+
diff --git a/oauth_test.go b/oauth_test.go
new file mode 100644
index 0000000..02e357d
--- /dev/null
+++ b/oauth_test.go
@@ -0,0 +1,198 @@
+package writefreely
+
+import (
+	"context"
+	"fmt"
+	"github.com/gorilla/sessions"
+	"github.com/stretchr/testify/assert"
+	"github.com/writeas/impart"
+	"github.com/writeas/writefreely/config"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+type MockOAuthDatastoreProvider struct {
+	DoDB           func() OAuthDatastore
+	DoConfig       func() *config.Config
+	DoSessionStore func() sessions.Store
+}
+
+type MockOAuthDatastore struct {
+	DoGenerateOAuthState func(ctx context.Context) (string, error)
+	DoValidateOAuthState func(context.Context, string) error
+	DoGetIDForRemoteUser func(context.Context, int64) (int64, error)
+	DoCreateUser         func(*config.Config, *User, string) error
+	DoRecordRemoteUserID func(context.Context, int64, int64) error
+	DoGetUserForAuthByID func(int64) (*User, error)
+}
+
+type StringReadCloser struct {
+	*strings.Reader
+}
+
+func (src *StringReadCloser) Close() error {
+	return nil
+}
+
+type MockHTTPClient struct {
+	DoDo func(req *http.Request) (*http.Response, error)
+}
+
+func (m *MockHTTPClient) Do(req *http.Request) (*http.Response, error) {
+	if m.DoDo != nil {
+		return m.DoDo(req)
+	}
+	return &http.Response{}, nil
+}
+
+func (m *MockOAuthDatastoreProvider) SessionStore() sessions.Store {
+	if m.DoSessionStore != nil {
+		return m.DoSessionStore()
+	}
+	return sessions.NewCookieStore([]byte("secret-key"))
+}
+
+func (m *MockOAuthDatastoreProvider) DB() OAuthDatastore {
+	if m.DoDB != nil {
+		return m.DoDB()
+	}
+	return &MockOAuthDatastore{}
+}
+
+func (m *MockOAuthDatastoreProvider) Config() *config.Config {
+	if m.DoConfig != nil {
+		return m.DoConfig()
+	}
+	cfg := config.New()
+	cfg.UseSQLite(true)
+	cfg.App.EnableOAuth = true
+	cfg.App.OAuthProviderAuthLocation = "https://write.as/oauth/login"
+	cfg.App.OAuthProviderTokenLocation = "https://write.as/oauth/token"
+	cfg.App.OAuthProviderInspectLocation = "https://write.as/oauth/inspect"
+	cfg.App.OAuthClientCallbackLocation = "http://localhost/oauth/callback"
+	cfg.App.OAuthClientID = "development"
+	cfg.App.OAuthClientSecret = "development"
+	return cfg
+}
+
+func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) error {
+	if m.DoValidateOAuthState != nil {
+		return m.DoValidateOAuthState(ctx, state)
+	}
+	return nil
+}
+
+func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error) {
+	if m.DoGetIDForRemoteUser != nil {
+		return m.DoGetIDForRemoteUser(ctx, remoteUserID)
+	}
+	return -1, nil
+}
+
+func (m *MockOAuthDatastore) CreateUser(cfg *config.Config, u *User, username string) error {
+	if m.DoCreateUser != nil {
+		return m.DoCreateUser(cfg, u, username)
+	}
+	u.ID = 1
+	return nil
+}
+
+func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID int64) error {
+	if m.DoRecordRemoteUserID != nil {
+		return m.DoRecordRemoteUserID(ctx, localUserID, remoteUserID)
+	}
+	return nil
+}
+
+func (m *MockOAuthDatastore) GetUserForAuthByID(userID int64) (*User, error) {
+	if m.DoGetUserForAuthByID != nil {
+		return m.DoGetUserForAuthByID(userID)
+	}
+	user := &User{
+
+	}
+	return user, nil
+}
+
+func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context) (string, error) {
+	if m.DoGenerateOAuthState != nil {
+		return m.DoGenerateOAuthState(ctx)
+	}
+	return randString(14)
+}
+
+func TestViewOauthInit(t *testing.T) {
+	h := oauthHandler{}
+	t.Run("success", func(t *testing.T) {
+		app := &MockOAuthDatastoreProvider{}
+		req, err := http.NewRequest("GET", "/oauth/client", nil)
+		assert.NoError(t, err)
+		rr := httptest.NewRecorder()
+		err = h.viewOauthInit(app, rr, req)
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
+		locURI, err := url.Parse(rr.Header().Get("Location"))
+		assert.NoError(t, err)
+		assert.Equal(t, "/oauth/login", locURI.Path)
+		assert.Equal(t, "development", locURI.Query().Get("client_id"))
+		assert.Equal(t, "http://localhost/oauth/callback", locURI.Query().Get("redirect_uri"))
+		assert.Equal(t, "code", locURI.Query().Get("response_type"))
+		assert.NotEmpty(t, locURI.Query().Get("state"))
+	})
+
+	t.Run("state failure", func(t *testing.T) {
+		app := &MockOAuthDatastoreProvider{
+			DoDB: func() OAuthDatastore {
+				return &MockOAuthDatastore{
+					DoGenerateOAuthState: func(ctx context.Context) (string, error) {
+						return "", fmt.Errorf("pretend unable to write state error")
+					},
+				}
+			},
+		}
+		req, err := http.NewRequest("GET", "/oauth/client", nil)
+		assert.NoError(t, err)
+		rr := httptest.NewRecorder()
+		err = h.viewOauthInit(app, rr, req)
+		assert.Error(t, err)
+		assert.Equal(t, impart.HTTPError{Status: http.StatusInternalServerError, Message: "Could not prepare OAuth redirect URL."}, err)
+	})
+}
+
+func TestViewOauthCallback(t *testing.T) {
+	t.Run("success", func(t *testing.T) {
+		app := &MockOAuthDatastoreProvider{}
+		h := oauthHandler{
+			HttpClient: &MockHTTPClient{
+				DoDo: func(req *http.Request) (*http.Response, error) {
+					switch req.URL.String() {
+					case "https://write.as/oauth/token":
+						return &http.Response{
+							StatusCode: 200,
+							Body:       &StringReadCloser{strings.NewReader(`{"access_token": "access_token", "expires_in": 1000, "refresh_token": "refresh_token", "token_type": "access"}`)},
+						}, nil
+					case "https://write.as/oauth/inspect":
+						return &http.Response{
+							StatusCode: 200,
+							Body:       &StringReadCloser{strings.NewReader(`{"client_id": "development", "user_id": 1, "expires_at": "2019-12-19T11:42:01Z", "username": "nick", "email": "nick@testing.write.as"}`)},
+						}, nil
+					}
+
+					return &http.Response{
+						StatusCode: http.StatusNotFound,
+					}, nil
+				},
+			},
+		}
+		req, err := http.NewRequest("GET", "/oauth/callback", nil)
+		assert.NoError(t, err)
+		rr := httptest.NewRecorder()
+		err = h.viewOauthCallback(app, rr, req)
+		assert.NoError(t, err)
+		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
+
+	})
+}

From bf3b6a5ba01fbe1c3b726676da326b66e2ad4a4e Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Mon, 23 Dec 2019 14:30:32 -0500
Subject: [PATCH 052/127] Unit tests, integration testing, and code cleanup for
 oauth support. Part of T705.

---
 database.go              |   7 +-
 database_test.go         |  43 +++++++
 db/create.go             | 271 +++++++++++++++++++++++++++++++++++++++
 db/create_test.go        | 146 +++++++++++++++++++++
 db/tx.go                 |  26 ++++
 go.mod                   |   2 +-
 go.sum                   |   1 -
 main_test.go             | 139 +++++++++++++++++++-
 migrations/migrations.go |   1 +
 migrations/v4.go         |  46 +++++++
 oauth.go                 | 109 ++++++++++------
 oauth_test.go            |  28 ++--
 routes.go                |  10 ++
 13 files changed, 777 insertions(+), 52 deletions(-)
 create mode 100644 database_test.go
 create mode 100644 db/create.go
 create mode 100644 db/create_test.go
 create mode 100644 db/tx.go
 create mode 100644 migrations/v4.go

diff --git a/database.go b/database.go
index 735d3f7..5b3aaa8 100644
--- a/database.go
+++ b/database.go
@@ -128,6 +128,11 @@ type writestore interface {
 	GetUserLastPostTime(id int64) (*time.Time, error)
 	GetCollectionLastPostTime(id int64) (*time.Time, error)
 
+	GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error)
+	RecordRemoteUserID(ctx context.Context, localUserID, remoteUserID int64) error
+	ValidateOAuthState(ctx context.Context, state string) error
+	GenerateOAuthState(ctx context.Context) (string, error)
+
 	DatabaseInitialized() bool
 }
 
@@ -2489,7 +2494,7 @@ func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remote
 	if db.driverName == driverSQLite {
 		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
 	} else {
-		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id"), localUserID, remoteUserID)
+		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id") + " user_id = ?", localUserID, remoteUserID, localUserID)
 	}
 	if err != nil {
 		log.Error("Unable to INSERT users_oauth for '%d': %v", localUserID, err)
diff --git a/database_test.go b/database_test.go
new file mode 100644
index 0000000..4a45dd0
--- /dev/null
+++ b/database_test.go
@@ -0,0 +1,43 @@
+package writefreely
+
+import (
+	"context"
+	"database/sql"
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestOAuthDatastore(t *testing.T) {
+	if !runMySQLTests() {
+		t.Skip("skipping mysql tests")
+	}
+	withTestDB(t, func(db *sql.DB) {
+		ctx := context.Background()
+		ds := &datastore{
+			DB:         db,
+			driverName: "",
+		}
+
+		state, err := ds.GenerateOAuthState(ctx)
+		assert.NoError(t, err)
+		assert.Len(t, state, 24)
+
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = false", state)
+
+		err = ds.ValidateOAuthState(ctx, state)
+		assert.NoError(t, err)
+
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = true", state)
+
+		var localUserID int64 = 99
+		var remoteUserID int64 = 100
+		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID)
+		assert.NoError(t, err)
+
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth` WHERE `user_id` = ? AND `remote_user_id` = ?", localUserID, remoteUserID)
+
+		foundUserID, err := ds.GetIDForRemoteUser(ctx, remoteUserID)
+		assert.NoError(t, err)
+		assert.Equal(t, localUserID, foundUserID)
+	})
+}
diff --git a/db/create.go b/db/create.go
new file mode 100644
index 0000000..5e4f34e
--- /dev/null
+++ b/db/create.go
@@ -0,0 +1,271 @@
+package db
+
+import (
+	"fmt"
+	"strings"
+)
+
+type DialectType int
+type ColumnType int
+
+type OptionalInt struct {
+	Set   bool
+	Value int
+}
+
+type OptionalString struct {
+	Set   bool
+	Value string
+}
+
+type SQLBuilder interface {
+	ToSQL() (string, error)
+}
+
+type Column struct {
+	Dialect    DialectType
+	Name       string
+	Nullable   bool
+	Default    OptionalString
+	Type       ColumnType
+	Size       OptionalInt
+	PrimaryKey bool
+}
+
+type CreateTableSqlBuilder struct {
+	Dialect     DialectType
+	Name        string
+	IfNotExists bool
+	ColumnOrder []string
+	Columns     map[string]*Column
+	Constraints []string
+}
+
+const (
+	DialectSQLite DialectType = iota
+	DialectMySQL  DialectType = iota
+)
+
+const (
+	ColumnTypeBool     ColumnType = iota
+	ColumnTypeSmallInt ColumnType = iota
+	ColumnTypeInteger  ColumnType = iota
+	ColumnTypeChar     ColumnType = iota
+	ColumnTypeVarChar  ColumnType = iota
+	ColumnTypeText     ColumnType = iota
+	ColumnTypeDateTime ColumnType = iota
+)
+
+var _ SQLBuilder = &CreateTableSqlBuilder{}
+
+var UnsetSize OptionalInt = OptionalInt{Set: false, Value: 0}
+var UnsetDefault OptionalString = OptionalString{Set: false, Value: ""}
+
+func (d DialectType) Column(name string, t ColumnType, size OptionalInt) *Column {
+	switch d {
+	case DialectSQLite:
+		return &Column{Dialect: DialectSQLite, Name: name, Type: t, Size: size}
+	case DialectMySQL:
+		return &Column{Dialect: DialectMySQL, Name: name, Type: t, Size: size}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d DialectType) Table(name string) *CreateTableSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &CreateTableSqlBuilder{Dialect: DialectSQLite, Name: name}
+	case DialectMySQL:
+		return &CreateTableSqlBuilder{Dialect: DialectMySQL, Name: name}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d ColumnType) Format(dialect DialectType, size OptionalInt) (string, error) {
+	if dialect != DialectMySQL && dialect != DialectSQLite {
+		return "", fmt.Errorf("unsupported column type %d for dialect %d and size %v", d, dialect, size)
+	}
+	switch d {
+	case ColumnTypeSmallInt:
+		{
+			if dialect == DialectSQLite {
+				return "INTEGER", nil
+			}
+			mod := ""
+			if size.Set {
+				mod = fmt.Sprintf("(%d)", size.Value)
+			}
+			return "SMALLINT" + mod, nil
+		}
+	case ColumnTypeInteger:
+		{
+			if dialect == DialectSQLite {
+				return "INTEGER", nil
+			}
+			mod := ""
+			if size.Set {
+				mod = fmt.Sprintf("(%d)", size.Value)
+			}
+			return "INT" + mod, nil
+		}
+	case ColumnTypeChar:
+		{
+			if dialect == DialectSQLite {
+				return "TEXT", nil
+			}
+			mod := ""
+			if size.Set {
+				mod = fmt.Sprintf("(%d)", size.Value)
+			}
+			return "CHAR" + mod, nil
+		}
+	case ColumnTypeVarChar:
+		{
+			if dialect == DialectSQLite {
+				return "TEXT", nil
+			}
+			mod := ""
+			if size.Set {
+				mod = fmt.Sprintf("(%d)", size.Value)
+			}
+			return "VARCHAR" + mod, nil
+		}
+	case ColumnTypeBool:
+		{
+			if dialect == DialectSQLite {
+				return "INTEGER", nil
+			}
+			return "TINYINT(1)", nil
+		}
+	case ColumnTypeDateTime:
+		return "DATETIME", nil
+	case ColumnTypeText:
+		return "TEXT", nil
+	}
+	return "", fmt.Errorf("unsupported column type %d for dialect %d and size %v", d, dialect, size)
+}
+
+func (c *Column) SetName(name string) *Column {
+	c.Name = name
+	return c
+}
+
+func (c *Column) SetNullable(nullable bool) *Column {
+	c.Nullable = nullable
+	return c
+}
+
+func (c *Column) SetPrimaryKey(pk bool) *Column {
+	c.PrimaryKey = pk
+	return c
+}
+
+func (c *Column) SetDefault(value string) *Column {
+	c.Default = OptionalString{Set: true, Value: value}
+	return c
+}
+
+func (c *Column) SetType(t ColumnType) *Column {
+	c.Type = t
+	return c
+}
+
+func (c *Column) SetSize(size int) *Column {
+	c.Size = OptionalInt{Set: true, Value: size}
+	return c
+}
+
+func (c *Column) String() (string, error) {
+	var str strings.Builder
+
+	str.WriteString(c.Name)
+
+	str.WriteString(" ")
+	typeStr, err := c.Type.Format(c.Dialect, c.Size)
+	if err != nil {
+		return "", err
+	}
+
+	str.WriteString(typeStr)
+
+	if !c.Nullable {
+		str.WriteString(" NOT NULL")
+	}
+
+	if c.Default.Set {
+		str.WriteString(" DEFAULT ")
+		str.WriteString(c.Default.Value)
+	}
+
+	if c.PrimaryKey {
+		str.WriteString(" PRIMARY KEY")
+	}
+
+	return str.String(), nil
+}
+
+func (b *CreateTableSqlBuilder) Column(column *Column) *CreateTableSqlBuilder {
+	if b.Columns == nil {
+		b.Columns = make(map[string]*Column)
+	}
+	b.Columns[column.Name] = column
+	b.ColumnOrder = append(b.ColumnOrder, column.Name)
+	return b
+}
+
+func (b *CreateTableSqlBuilder) UniqueConstraint(columns ...string) *CreateTableSqlBuilder {
+	for _, column := range columns {
+		if _, ok := b.Columns[column]; !ok {
+			// This fails silently.
+			return b
+		}
+	}
+	b.Constraints = append(b.Constraints, fmt.Sprintf("UNIQUE(%s)", strings.Join(columns, ",")))
+	return b
+}
+
+func (b *CreateTableSqlBuilder) SetIfNotExists(ine bool) *CreateTableSqlBuilder {
+	b.IfNotExists = ine
+	return b
+}
+
+func (b *CreateTableSqlBuilder) ToSQL() (string, error) {
+	var str strings.Builder
+
+	str.WriteString("CREATE TABLE ")
+	if b.IfNotExists {
+		str.WriteString("IF NOT EXISTS ")
+	}
+	str.WriteString(b.Name)
+
+	var things []string
+	for _, columnName := range b.ColumnOrder {
+		column, ok := b.Columns[columnName]
+		if !ok {
+			return "", fmt.Errorf("column not found: %s", columnName)
+		}
+		columnStr, err := column.String()
+		if err != nil {
+			return "", err
+		}
+		things = append(things, columnStr)
+	}
+	for _, constraint := range b.Constraints {
+		things = append(things, constraint)
+	}
+
+	if thingLen := len(things); thingLen > 0 {
+		str.WriteString(" ( ")
+		for i, thing := range things {
+			str.WriteString(thing)
+			if i < thingLen-1 {
+				str.WriteString(", ")
+			}
+		}
+		str.WriteString(" )")
+	}
+
+	return str.String(), nil
+}
diff --git a/db/create_test.go b/db/create_test.go
new file mode 100644
index 0000000..369d5c1
--- /dev/null
+++ b/db/create_test.go
@@ -0,0 +1,146 @@
+package db
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func TestDialect_Column(t *testing.T) {
+	c1 := DialectSQLite.Column("foo", ColumnTypeBool, UnsetSize)
+	assert.Equal(t, DialectSQLite, c1.Dialect)
+	c2 := DialectMySQL.Column("foo", ColumnTypeBool, UnsetSize)
+	assert.Equal(t, DialectMySQL, c2.Dialect)
+}
+
+func TestColumnType_Format(t *testing.T) {
+	type args struct {
+		dialect DialectType
+		size    OptionalInt
+	}
+	tests := []struct {
+		name    string
+		d       ColumnType
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{"Sqlite bool", ColumnTypeBool, args{dialect: DialectSQLite}, "INTEGER", false},
+		{"Sqlite small int", ColumnTypeSmallInt, args{dialect: DialectSQLite}, "INTEGER", false},
+		{"Sqlite int", ColumnTypeInteger, args{dialect: DialectSQLite}, "INTEGER", false},
+		{"Sqlite char", ColumnTypeChar, args{dialect: DialectSQLite}, "TEXT", false},
+		{"Sqlite varchar", ColumnTypeVarChar, args{dialect: DialectSQLite}, "TEXT", false},
+		{"Sqlite text", ColumnTypeText, args{dialect: DialectSQLite}, "TEXT", false},
+		{"Sqlite datetime", ColumnTypeDateTime, args{dialect: DialectSQLite}, "DATETIME", false},
+
+		{"MySQL bool", ColumnTypeBool, args{dialect: DialectMySQL}, "TINYINT(1)", false},
+		{"MySQL small int", ColumnTypeSmallInt, args{dialect: DialectMySQL}, "SMALLINT", false},
+		{"MySQL small int with param", ColumnTypeSmallInt, args{dialect: DialectMySQL, size: OptionalInt{true, 3}}, "SMALLINT(3)", false},
+		{"MySQL int", ColumnTypeInteger, args{dialect: DialectMySQL}, "INT", false},
+		{"MySQL int with param", ColumnTypeInteger, args{dialect: DialectMySQL, size: OptionalInt{true, 11}}, "INT(11)", false},
+		{"MySQL char", ColumnTypeChar, args{dialect: DialectMySQL}, "CHAR", false},
+		{"MySQL char with param", ColumnTypeChar, args{dialect: DialectMySQL, size: OptionalInt{true, 4}}, "CHAR(4)", false},
+		{"MySQL varchar", ColumnTypeVarChar, args{dialect: DialectMySQL}, "VARCHAR", false},
+		{"MySQL varchar with param", ColumnTypeVarChar, args{dialect: DialectMySQL, size: OptionalInt{true, 25}}, "VARCHAR(25)", false},
+		{"MySQL text", ColumnTypeText, args{dialect: DialectMySQL}, "TEXT", false},
+		{"MySQL datetime", ColumnTypeDateTime, args{dialect: DialectMySQL}, "DATETIME", false},
+
+		{"invalid column type", 10000, args{dialect: DialectMySQL}, "", true},
+		{"invalid dialect", ColumnTypeBool, args{dialect: 10000}, "", true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.d.Format(tt.args.dialect, tt.args.size)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Format() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("Format() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestColumn_Build(t *testing.T) {
+	type fields struct {
+		Dialect    DialectType
+		Name       string
+		Nullable   bool
+		Default    OptionalString
+		Type       ColumnType
+		Size       OptionalInt
+		PrimaryKey bool
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		want    string
+		wantErr bool
+	}{
+		{"Sqlite bool", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeBool, UnsetSize, false}, "foo INTEGER NOT NULL", false},
+		{"Sqlite bool nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeBool, UnsetSize, false}, "foo INTEGER", false},
+		{"Sqlite small int", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeSmallInt, UnsetSize, true}, "foo INTEGER NOT NULL PRIMARY KEY", false},
+		{"Sqlite small int nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeSmallInt, UnsetSize, false}, "foo INTEGER", false},
+		{"Sqlite int", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeInteger, UnsetSize, false}, "foo INTEGER NOT NULL", false},
+		{"Sqlite int nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeInteger, UnsetSize, false}, "foo INTEGER", false},
+		{"Sqlite char", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeChar, UnsetSize, false}, "foo TEXT NOT NULL", false},
+		{"Sqlite char nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeChar, UnsetSize, false}, "foo TEXT", false},
+		{"Sqlite varchar", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeVarChar, UnsetSize, false}, "foo TEXT NOT NULL", false},
+		{"Sqlite varchar nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeVarChar, UnsetSize, false}, "foo TEXT", false},
+		{"Sqlite text", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeText, UnsetSize, false}, "foo TEXT NOT NULL", false},
+		{"Sqlite text nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeText, UnsetSize, false}, "foo TEXT", false},
+		{"Sqlite datetime", fields{DialectSQLite, "foo", false, UnsetDefault, ColumnTypeDateTime, UnsetSize, false}, "foo DATETIME NOT NULL", false},
+		{"Sqlite datetime nullable", fields{DialectSQLite, "foo", true, UnsetDefault, ColumnTypeDateTime, UnsetSize, false}, "foo DATETIME", false},
+
+		{"MySQL bool", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeBool, UnsetSize, false}, "foo TINYINT(1) NOT NULL", false},
+		{"MySQL bool nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeBool, UnsetSize, false}, "foo TINYINT(1)", false},
+		{"MySQL small int", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeSmallInt, UnsetSize, true}, "foo SMALLINT NOT NULL PRIMARY KEY", false},
+		{"MySQL small int nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeSmallInt, UnsetSize, false}, "foo SMALLINT", false},
+		{"MySQL int", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeInteger, UnsetSize, false}, "foo INT NOT NULL", false},
+		{"MySQL int nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeInteger, UnsetSize, false}, "foo INT", false},
+		{"MySQL char", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeChar, UnsetSize, false}, "foo CHAR NOT NULL", false},
+		{"MySQL char nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeChar, UnsetSize, false}, "foo CHAR", false},
+		{"MySQL varchar", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeVarChar, UnsetSize, false}, "foo VARCHAR NOT NULL", false},
+		{"MySQL varchar nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeVarChar, UnsetSize, false}, "foo VARCHAR", false},
+		{"MySQL text", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeText, UnsetSize, false}, "foo TEXT NOT NULL", false},
+		{"MySQL text nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeText, UnsetSize, false}, "foo TEXT", false},
+		{"MySQL datetime", fields{DialectMySQL, "foo", false, UnsetDefault, ColumnTypeDateTime, UnsetSize, false}, "foo DATETIME NOT NULL", false},
+		{"MySQL datetime nullable", fields{DialectMySQL, "foo", true, UnsetDefault, ColumnTypeDateTime, UnsetSize, false}, "foo DATETIME", false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			c := &Column{
+				Dialect:    tt.fields.Dialect,
+				Name:       tt.fields.Name,
+				Nullable:   tt.fields.Nullable,
+				Default:    tt.fields.Default,
+				Type:       tt.fields.Type,
+				Size:       tt.fields.Size,
+				PrimaryKey: tt.fields.PrimaryKey,
+			}
+			if got, err := c.String(); got != tt.want {
+				if (err != nil) != tt.wantErr {
+					t.Errorf("String() error = %v, wantErr %v", err, tt.wantErr)
+					return
+				}
+				if got != tt.want {
+					t.Errorf("String() got = %v, want %v", got, tt.want)
+				}
+			}
+		})
+	}
+}
+
+func TestCreateTableSqlBuilder_ToSQL(t *testing.T) {
+	sql, err := DialectMySQL.
+		Table("foo").
+		SetIfNotExists(true).
+		Column(DialectMySQL.Column("bar", ColumnTypeInteger, UnsetSize).SetPrimaryKey(true)).
+		Column(DialectMySQL.Column("baz", ColumnTypeText, UnsetSize)).
+		Column(DialectMySQL.Column("qux", ColumnTypeDateTime, UnsetSize).SetDefault("NOW()")).
+		UniqueConstraint("bar").
+		UniqueConstraint("bar", "baz").
+		ToSQL()
+	assert.NoError(t, err)
+	assert.Equal(t, "CREATE TABLE IF NOT EXISTS foo ( bar INT NOT NULL PRIMARY KEY, baz TEXT NOT NULL, qux DATETIME NOT NULL DEFAULT NOW(), UNIQUE(bar), UNIQUE(bar,baz) )", sql)
+}
diff --git a/db/tx.go b/db/tx.go
new file mode 100644
index 0000000..5c321af
--- /dev/null
+++ b/db/tx.go
@@ -0,0 +1,26 @@
+package db
+
+import (
+	"context"
+	"database/sql"
+)
+
+// TransactionScopedWork describes code executed within a database transaction.
+type TransactionScopedWork func(ctx context.Context, db *sql.Tx) error
+
+// RunTransactionWithOptions executes a block of code within a database transaction.
+func RunTransactionWithOptions(ctx context.Context, db *sql.DB, txOpts *sql.TxOptions, txWork TransactionScopedWork) error {
+	tx, err := db.BeginTx(ctx, txOpts)
+	if err != nil {
+		return err
+	}
+
+	if err = txWork(ctx, tx); err != nil {
+		if txErr := tx.Rollback(); txErr != nil {
+			return txErr
+		}
+		return err
+	}
+	return tx.Commit()
+}
+
diff --git a/go.mod b/go.mod
index d34c4c9..372b7ba 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,7 @@ require (
 	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
 	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 // indirect
 	golang.org/x/sys v0.0.0-20190209173611-3b5209105503 // indirect
-	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67 // indirect
+	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67
 	google.golang.org/appengine v1.4.0 // indirect
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
 	gopkg.in/ini.v1 v1.41.0
diff --git a/go.sum b/go.sum
index 035538e..ee3a418 100644
--- a/go.sum
+++ b/go.sum
@@ -64,7 +64,6 @@ github.com/jtolds/gls v4.2.1+incompatible h1:fSuqC+Gmlu6l/ZYAoZzx2pyucC8Xza35fpR
 github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
-github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
diff --git a/main_test.go b/main_test.go
index 3d16ece..d600d83 100644
--- a/main_test.go
+++ b/main_test.go
@@ -1,18 +1,153 @@
 package writefreely
 
 import (
+	"context"
+	"database/sql"
 	"encoding/gob"
+	"errors"
+	"fmt"
+	uuid "github.com/nu7hatch/gouuid"
+	"github.com/stretchr/testify/assert"
 	"math/rand"
 	"os"
+	"strings"
 	"testing"
 	"time"
 )
 
+var testDB *sql.DB
+
+type ScopedTestBody func(*sql.DB)
+
 // TestMain provides testing infrastructure within this package.
 func TestMain(m *testing.M) {
 	rand.Seed(time.Now().UTC().UnixNano())
-
 	gob.Register(&User{})
 
-	os.Exit(m.Run())
+	if runMySQLTests() {
+		var err error
+
+		testDB, err = initMySQL(os.Getenv("WF_USER"), os.Getenv("WF_PASSWORD"), os.Getenv("WF_DB"), os.Getenv("WF_HOST"))
+		if err != nil {
+			fmt.Println(err)
+			return
+		}
+	}
+
+	code := m.Run()
+	if runMySQLTests() {
+		if closeErr := testDB.Close(); closeErr != nil {
+			fmt.Println(closeErr)
+		}
+	}
+	os.Exit(code)
+}
+
+func runMySQLTests() bool {
+	return len(os.Getenv("TEST_MYSQL")) > 0
+}
+
+func initMySQL(dbUser, dbPassword, dbName, dbHost string) (*sql.DB, error) {
+	if dbUser == "" || dbPassword == "" {
+		return nil, errors.New("database user or password not set")
+	}
+	if dbHost == "" {
+		dbHost = "localhost"
+	}
+	if dbName == "" {
+		dbName = "writefreely"
+	}
+
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:3306)/%s?charset=utf8mb4&parseTime=true", dbUser, dbPassword, dbHost, dbName)
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return nil, err
+	}
+	if err := ensureMySQL(db); err != nil {
+		return nil, err
+	}
+	return db, nil
+}
+
+func ensureMySQL(db *sql.DB) error {
+	if err := db.Ping(); err != nil {
+		return err
+	}
+	db.SetMaxOpenConns(250)
+	return nil
+}
+
+// withTestDB provides a scoped database connection.
+func withTestDB(t *testing.T, testBody ScopedTestBody) {
+	db, cleanup, err := newTestDatabase(testDB,
+		os.Getenv("WF_USER"),
+		os.Getenv("WF_PASSWORD"),
+		os.Getenv("WF_DB"),
+		os.Getenv("WF_HOST"),
+	)
+	assert.NoError(t, err)
+	defer func() {
+		assert.NoError(t, cleanup())
+	}()
+
+	testBody(db)
+}
+
+// newTestDatabase creates a new temporary test database. When a test
+// database connection is returned, it will have created a new database and
+// initialized it with tables from a reference database.
+func newTestDatabase(base *sql.DB, dbUser, dbPassword, dbName, dbHost string) (*sql.DB, func() error, error) {
+	var err error
+	var baseName = dbName
+
+	if baseName == "" {
+		row := base.QueryRow("SELECT DATABASE()")
+		err := row.Scan(&baseName)
+		if err != nil {
+			return nil, nil, err
+		}
+	}
+	tUUID, _ := uuid.NewV4()
+	suffix := strings.Replace(tUUID.String(), "-", "_", -1)
+	newDBName := baseName + suffix
+	_, err = base.Exec("CREATE DATABASE " + newDBName)
+	if err != nil {
+		return nil, nil, err
+	}
+	newDB, err := initMySQL(dbUser, dbPassword, newDBName, dbHost)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	rows, err := base.Query("SHOW TABLES IN " + baseName)
+	if err != nil {
+		return nil, nil, err
+	}
+	for rows.Next() {
+		var tableName string
+		if err := rows.Scan(&tableName); err != nil {
+			return nil, nil, err
+		}
+		query := fmt.Sprintf("CREATE TABLE %s LIKE %s.%s", tableName, baseName, tableName)
+		if _, err := newDB.Exec(query); err != nil {
+			return nil, nil, err
+		}
+	}
+
+	cleanup := func() error {
+		if closeErr := newDB.Close(); closeErr != nil {
+			fmt.Println(closeErr)
+		}
+
+		_, err = base.Exec("DROP DATABASE " + newDBName)
+		return err
+	}
+	return newDB, cleanup, nil
+}
+
+func countRows(t *testing.T, ctx context.Context, db *sql.DB, count int, query string, args ...interface{}) {
+	var returned int
+	err := db.QueryRowContext(ctx, query, args...).Scan(&returned)
+	assert.NoError(t, err, "error executing query %s and args %s", query, args)
+	assert.Equal(t, count, returned, "unexpected return count %d, expected %d from %s and args %s", returned, count, query, args)
 }
\ No newline at end of file
diff --git a/migrations/migrations.go b/migrations/migrations.go
index 0799f8e..b9ead23 100644
--- a/migrations/migrations.go
+++ b/migrations/migrations.go
@@ -59,6 +59,7 @@ var migrations = []Migration{
 	New("support user invites", supportUserInvites),             // -> V1 (v0.8.0)
 	New("support dynamic instance pages", supportInstancePages), // V1 -> V2 (v0.9.0)
 	New("support users suspension", supportUserStatus),          // V2 -> V3 (v0.11.0)
+	New("support oauth", oauth), // V3 -> V4
 }
 
 // CurrentVer returns the current migration version the application is on
diff --git a/migrations/v4.go b/migrations/v4.go
new file mode 100644
index 0000000..c123f54
--- /dev/null
+++ b/migrations/v4.go
@@ -0,0 +1,46 @@
+package migrations
+
+import (
+	"context"
+	"database/sql"
+
+	wf_db "github.com/writeas/writefreely/db"
+)
+
+func oauth(db *datastore) error {
+	dialect := wf_db.DialectMySQL
+	if db.driverName == driverSQLite {
+		dialect = wf_db.DialectSQLite
+	}
+	return wf_db.RunTransactionWithOptions(context.Background(), db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
+		createTableUsersOauth, err := dialect.
+			Table("users_oauth").
+			SetIfNotExists(true).
+			Column(dialect.Column("user_id", wf_db.ColumnTypeInteger, wf_db.UnsetSize)).
+			Column(dialect.Column("remote_user_id", wf_db.ColumnTypeInteger, wf_db.UnsetSize)).
+			UniqueConstraint("user_id").
+			UniqueConstraint("remote_user_id").
+			ToSQL()
+		if err != nil {
+			return err
+		}
+		createTableOauthClientState, err := dialect.
+			Table("oauth_client_state").
+			SetIfNotExists(true).
+			Column(dialect.Column("state", wf_db.ColumnTypeVarChar, wf_db.OptionalInt{Set: true, Value: 255})).
+			Column(dialect.Column("used", wf_db.ColumnTypeBool, wf_db.UnsetSize)).
+			Column(dialect.Column("created_at", wf_db.ColumnTypeDateTime, wf_db.UnsetSize).SetDefault("NOW()")).
+			UniqueConstraint("state").
+			ToSQL()
+		if err != nil {
+			return err
+		}
+
+		for _, table := range []string{createTableUsersOauth, createTableOauthClientState} {
+			if _, err := tx.ExecContext(ctx, table); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
diff --git a/oauth.go b/oauth.go
index 4b37277..aafdb51 100644
--- a/oauth.go
+++ b/oauth.go
@@ -3,9 +3,9 @@ package writefreely
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/guregu/null/zero"
-	"github.com/writeas/impart"
 	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
@@ -67,12 +67,15 @@ type HttpClient interface {
 }
 
 type oauthHandler struct {
+	Config     *config.Config
+	DB         OAuthDatastore
+	Store      sessions.Store
 	HttpClient HttpClient
 }
 
 // buildAuthURL returns a URL used to initiate authentication.
-func buildAuthURL(app OAuthDatastoreProvider, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {
-	state, err := app.DB().GenerateOAuthState(ctx)
+func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {
+	state, err := db.GenerateOAuthState(ctx)
 	if err != nil {
 		return "", err
 	}
@@ -91,44 +94,50 @@ func buildAuthURL(app OAuthDatastoreProvider, ctx context.Context, clientID, aut
 	return u.String(), nil
 }
 
-func (h oauthHandler) viewOauthInit(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request) error {
-	location, err := buildAuthURL(app, r.Context(), app.Config().App.OAuthClientID, app.Config().App.OAuthProviderAuthLocation, app.Config().App.OAuthClientCallbackLocation)
+// app *App, w http.ResponseWriter, r *http.Request
+func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
+	location, err := buildAuthURL(h.DB, r.Context(), h.Config.App.OAuthClientID, h.Config.App.OAuthProviderAuthLocation, h.Config.App.OAuthClientCallbackLocation)
 	if err != nil {
-		log.ErrorLog.Println(err)
-		return impart.HTTPError{Status: http.StatusInternalServerError, Message: "Could not prepare OAuth redirect URL."}
+		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
+		return
 	}
 	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
-	return nil
 }
 
-func (h oauthHandler) viewOauthCallback(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request) error {
+func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
 	code := r.FormValue("code")
 	state := r.FormValue("state")
 
-	err := app.DB().ValidateOAuthState(ctx, state)
+	err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
-		return err
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
 	}
 
-	tokenResponse, err := h.exchangeOauthCode(app, ctx, code)
+	tokenResponse, err := h.exchangeOauthCode(ctx, code)
 	if err != nil {
-		return err
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
 	}
 
 	// Now that we have the access token, let's use it real quick to make sur
 	// it really really works.
-	tokenInfo, err := h.inspectOauthAccessToken(app, ctx, tokenResponse.AccessToken)
+	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
-		return err
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
 	}
 
-	localUserID, err := app.DB().GetIDForRemoteUser(ctx, tokenInfo.UserID)
+	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
 	if err != nil {
-		return err
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
 	}
 
+	fmt.Println("local user id", localUserID)
+
 	if localUserID == -1 {
 		// We don't have, nor do we want, the password from the origin, so we
 		//create a random string. If the user needs to set a password, they
@@ -136,12 +145,14 @@ func (h oauthHandler) viewOauthCallback(app OAuthDatastoreProvider, w http.Respo
 		//flow.
 		randPass, err := randString(14)
 		if err != nil {
-			return err
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
 		}
 		hashedPass, err := auth.HashPass([]byte(randPass))
 		if err != nil {
 			log.ErrorLog.Println(err)
-			return impart.HTTPError{http.StatusInternalServerError, "Could not create password hash."}
+			failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
+			return
 		}
 		newUser := &User{
 			Username:   tokenInfo.Username,
@@ -151,32 +162,40 @@ func (h oauthHandler) viewOauthCallback(app OAuthDatastoreProvider, w http.Respo
 			Created:    time.Now().Truncate(time.Second).UTC(),
 		}
 
-		err = app.DB().CreateUser(app.Config(), newUser, newUser.Username)
+		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
 		if err != nil {
-			return err
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
 		}
 
-		err = app.DB().RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
+		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
 		if err != nil {
-			return err
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
 		}
 
-		return loginOrFail(app, w, r, newUser)
+		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		}
+		return
 	}
 
-	user, err := app.DB().GetUserForAuthByID(localUserID)
+	user, err := h.DB.GetUserForAuthByID(localUserID)
 	if err != nil {
-		return err
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if err = loginOrFail(h.Store, w, r, user); err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 	}
-	return loginOrFail(app, w, r, user)
 }
 
-func (h oauthHandler) exchangeOauthCode(app OAuthDatastoreProvider, ctx context.Context, code string) (*TokenResponse, error) {
+func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
 	form := url.Values{}
 	form.Add("grant_type", "authorization_code")
-	form.Add("redirect_uri", app.Config().App.OAuthClientCallbackLocation)
+	form.Add("redirect_uri", h.Config.App.OAuthClientCallbackLocation)
 	form.Add("code", code)
-	req, err := http.NewRequest("POST", app.Config().App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))
+	req, err := http.NewRequest("POST", h.Config.App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))
 	if err != nil {
 		return nil, err
 	}
@@ -184,7 +203,7 @@ func (h oauthHandler) exchangeOauthCode(app OAuthDatastoreProvider, ctx context.
 	req.Header.Set("User-Agent", "writefreely")
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth(app.Config().App.OAuthClientID, app.Config().App.OAuthClientSecret)
+	req.SetBasicAuth(h.Config.App.OAuthClientID, h.Config.App.OAuthClientSecret)
 
 	resp, err := h.HttpClient.Do(req)
 	if err != nil {
@@ -207,8 +226,8 @@ func (h oauthHandler) exchangeOauthCode(app OAuthDatastoreProvider, ctx context.
 	return &tokenResponse, nil
 }
 
-func (h oauthHandler) inspectOauthAccessToken(app OAuthDatastoreProvider, ctx context.Context, accessToken string) (*InspectResponse, error) {
-	req, err := http.NewRequest("GET", app.Config().App.OAuthProviderInspectLocation, nil)
+func (h oauthHandler) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
+	req, err := http.NewRequest("GET", h.Config.App.OAuthProviderInspectLocation, nil)
 	if err != nil {
 		return nil, err
 	}
@@ -238,15 +257,27 @@ func (h oauthHandler) inspectOauthAccessToken(app OAuthDatastoreProvider, ctx co
 	return &inspectResponse, nil
 }
 
-func loginOrFail(app OAuthDatastoreProvider, w http.ResponseWriter, r *http.Request, user *User) error {
-	session, err := app.SessionStore().Get(r, cookieName)
-	if err != nil {
-		return err
-	}
+func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {
+	// An error may be returned, but a valid session should always be returned.
+	session, _ := store.Get(r, cookieName)
 	session.Values[cookieUserVal] = user.Cookie()
-	if err = session.Save(r, w); err != nil {
+	if err := session.Save(r, w); err != nil {
+		fmt.Println("error saving session", err)
 		return err
 	}
 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 	return nil
 }
+
+// failOAuthRequest is an HTTP handler helper that formats returned error
+// messages.
+func failOAuthRequest(w http.ResponseWriter, statusCode int, message string) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	err := json.NewEncoder(w).Encode(map[string]interface{}{
+		"error": message,
+	})
+	if err != nil {
+		panic(err)
+	}
+}
diff --git a/oauth_test.go b/oauth_test.go
index 02e357d..9418721 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/stretchr/testify/assert"
-	"github.com/writeas/impart"
 	"github.com/writeas/writefreely/config"
 	"net/http"
 	"net/http/httptest"
@@ -125,14 +124,18 @@ func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context) (string, er
 }
 
 func TestViewOauthInit(t *testing.T) {
-	h := oauthHandler{}
+
 	t.Run("success", func(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{}
+		h := oauthHandler{
+			Config: app.Config(),
+			DB:     app.DB(),
+			Store:  app.SessionStore(),
+		}
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		err = h.viewOauthInit(app, rr, req)
-		assert.NoError(t, err)
+		h.viewOauthInit(rr, req)
 		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
 		locURI, err := url.Parse(rr.Header().Get("Location"))
 		assert.NoError(t, err)
@@ -153,12 +156,18 @@ func TestViewOauthInit(t *testing.T) {
 				}
 			},
 		}
+		h := oauthHandler{
+			Config: app.Config(),
+			DB:     app.DB(),
+			Store:  app.SessionStore(),
+		}
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		err = h.viewOauthInit(app, rr, req)
-		assert.Error(t, err)
-		assert.Equal(t, impart.HTTPError{Status: http.StatusInternalServerError, Message: "Could not prepare OAuth redirect URL."}, err)
+		h.viewOauthInit(rr, req)
+		assert.Equal(t, http.StatusInternalServerError, rr.Code)
+		expected := `{"error":"could not prepare oauth redirect url"}` + "\n"
+		assert.Equal(t, expected, rr.Body.String())
 	})
 }
 
@@ -166,6 +175,9 @@ func TestViewOauthCallback(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{}
 		h := oauthHandler{
+			Config: app.Config(),
+			DB:     app.DB(),
+			Store:  app.SessionStore(),
 			HttpClient: &MockHTTPClient{
 				DoDo: func(req *http.Request) (*http.Response, error) {
 					switch req.URL.String() {
@@ -190,7 +202,7 @@ func TestViewOauthCallback(t *testing.T) {
 		req, err := http.NewRequest("GET", "/oauth/callback", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		err = h.viewOauthCallback(app, rr, req)
+		h.viewOauthCallback(rr, req)
 		assert.NoError(t, err)
 		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
 
diff --git a/routes.go b/routes.go
index 64c6c0f..e286c3e 100644
--- a/routes.go
+++ b/routes.go
@@ -80,6 +80,16 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	auth.HandleFunc("/read", handler.WebErrors(handleWebCollectionUnlock, UserLevelNone)).Methods("POST")
 	auth.HandleFunc("/me", handler.All(handleAPILogout)).Methods("DELETE")
 
+	oauthHandler := oauthHandler{
+		HttpClient: &http.Client{},
+		Config:     apper.App().Config(),
+		DB:         apper.App().DB(),
+		Store:      apper.App().SessionStore(),
+	}
+
+	write.HandleFunc("/oauth/write.as", oauthHandler.viewOauthInit).Methods("GET")
+	write.HandleFunc("/oauth/callback", oauthHandler.viewOauthCallback).Methods("GET")
+
 	// Handle logged in user sections
 	me := write.PathPrefix("/me").Subrouter()
 	me.HandleFunc("/", handler.Redirect("/me", UserLevelUser))

From 426615474920db1e481d24ad6b5822deed1d34aa Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 27 Dec 2019 13:35:48 -0500
Subject: [PATCH 053/127] Code cleanup from PR 255 feedback. T705

---
 database.go   | 35 +++--------------------------------
 oauth.go      |  7 ++-----
 oauth_test.go |  3 ++-
 3 files changed, 7 insertions(+), 38 deletions(-)

diff --git a/database.go b/database.go
index 5b3aaa8..56035dd 100644
--- a/database.go
+++ b/database.go
@@ -12,11 +12,8 @@ package writefreely
 
 import (
 	"context"
-	"crypto/rand"
 	"database/sql"
 	"fmt"
-	"github.com/pkg/errors"
-	"math/big"
 	"net/http"
 	"strings"
 	"time"
@@ -2463,11 +2460,8 @@ func (db *datastore) GetCollectionLastPostTime(id int64) (*time.Time, error) {
 }
 
 func (db *datastore) GenerateOAuthState(ctx context.Context) (string, error) {
-	state, err := randString(24)
-	if err != nil {
-		return "", err
-	}
-	_, err = db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, used, created_at) VALUES (?, FALSE, NOW())", state)
+	state := store.Generate62RandomString(24)
+	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, used, created_at) VALUES (?, FALSE, NOW())", state)
 	if err != nil {
 		return "", fmt.Errorf("unable to record oauth client state: %w", err)
 	}
@@ -2494,7 +2488,7 @@ func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remote
 	if db.driverName == driverSQLite {
 		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
 	} else {
-		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id") + " user_id = ?", localUserID, remoteUserID, localUserID)
+		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id")+" user_id = ?", localUserID, remoteUserID, localUserID)
 	}
 	if err != nil {
 		log.Error("Unable to INSERT users_oauth for '%d': %v", localUserID, err)
@@ -2545,26 +2539,3 @@ func handleFailedPostInsert(err error) error {
 	log.Error("Couldn't insert into posts: %v", err)
 	return err
 }
-
-func randString(length int) (string, error) {
-	// every printable character on a US keyboard
-	charset := []rune("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
-	out := make([]rune, length)
-
-	setLen := big.NewInt(int64(len(charset)))
-	for idx := 0; idx < length; idx++ {
-		offset, err := rand.Int(rand.Reader, setLen)
-		if err != nil {
-			return "", err
-		}
-
-		if !offset.IsUint64() {
-			// this should (in theory) never happen
-			return "", errors.Errorf("Non-Uint64 offset returned from rand.Int")
-		}
-
-		out[idx] = charset[offset.Uint64()]
-	}
-
-	return string(out), nil
-}
diff --git a/oauth.go b/oauth.go
index aafdb51..d918f7f 100644
--- a/oauth.go
+++ b/oauth.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/guregu/null/zero"
+	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
@@ -143,11 +144,7 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 		//create a random string. If the user needs to set a password, they
 		//can do so through the settings page or through the password reset
 		//flow.
-		randPass, err := randString(14)
-		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
-		}
+		randPass := store.Generate62RandomString(14)
 		hashedPass, err := auth.HashPass([]byte(randPass))
 		if err != nil {
 			log.ErrorLog.Println(err)
diff --git a/oauth_test.go b/oauth_test.go
index 9418721..482a846 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/stretchr/testify/assert"
+	"github.com/writeas/nerds/store"
 	"github.com/writeas/writefreely/config"
 	"net/http"
 	"net/http/httptest"
@@ -120,7 +121,7 @@ func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context) (string, er
 	if m.DoGenerateOAuthState != nil {
 		return m.DoGenerateOAuthState(ctx)
 	}
-	return randString(14)
+	return store.Generate62RandomString(14), nil
 }
 
 func TestViewOauthInit(t *testing.T) {

From 13121cb26677decb75ae1a8da435c3dee4cd855a Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 27 Dec 2019 13:40:11 -0500
Subject: [PATCH 054/127] Merging T705-oauth into T710-oauth-slack. T705,T710

---
 config/config.go |  30 +++++---
 database.go      |  18 ++---
 database_test.go |   2 +-
 go.mod           |   1 +
 go.sum           |   1 +
 oauth.go         | 181 ++++++++++++++++++++++++++++-------------------
 routes.go        |   4 +-
 7 files changed, 144 insertions(+), 93 deletions(-)

diff --git a/config/config.go b/config/config.go
index 4b9586e..7a539f1 100644
--- a/config/config.go
+++ b/config/config.go
@@ -56,6 +56,25 @@ type (
 		Port     int    `ini:"port"`
 	}
 
+	OAuthCfg struct {
+		Enabled bool `ini:"enable"`
+
+		// write.as
+		WriteAsProviderAuthLocation    string `ini:"wa_auth_location"`
+		WriteAsProviderTokenLocation   string `ini:"wa_token_location"`
+		WriteAsProviderInspectLocation string `ini:"wa_inspect_location"`
+		WriteAsClientCallbackLocation  string `ini:"wa_callback_location"`
+		WriteAsClientID                string `ini:"wa_client_id"`
+		WriteAsClientSecret            string `ini:"wa_client_secret"`
+		WriteAsAuthLocation            string
+
+		// slack
+		SlackClientID     string `ini:"slack_client_id"`
+		SlackClientSecret string `ini:"slack_client_secret"`
+		SlackTeamID       string `init:"slack_team_id"`
+		SlackAuthLocation string
+	}
+
 	// AppCfg holds values that affect how the application functions
 	AppCfg struct {
 		SiteName string `ini:"site_name"`
@@ -92,17 +111,10 @@ type (
 		LocalTimeline bool   `ini:"local_timeline"`
 		UserInvites   string `ini:"user_invites"`
 
-		// OAuth
-		EnableOAuth bool `ini:"enable_oauth"`
-		OAuthProviderAuthLocation    string `ini:"oauth_auth_location"`
-		OAuthProviderTokenLocation   string `ini:"oauth_token_location"`
-		OAuthProviderInspectLocation string `ini:"oauth_inspect_location"`
-		OAuthClientCallbackLocation  string `ini:"oauth_callback_location"`
-		OAuthClientID                string `ini:"oauth_client_id"`
-		OAuthClientSecret            string `ini:"oauth_client_secret"`
-
 		// Defaults
 		DefaultVisibility string `ini:"default_visibility"`
+
+		OAuth OAuthCfg `ini:"oauth"`
 	}
 
 	// Config holds the complete configuration for running a writefreely instance
diff --git a/database.go b/database.go
index 56035dd..a4c79d4 100644
--- a/database.go
+++ b/database.go
@@ -125,10 +125,10 @@ type writestore interface {
 	GetUserLastPostTime(id int64) (*time.Time, error)
 	GetCollectionLastPostTime(id int64) (*time.Time, error)
 
-	GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error)
-	RecordRemoteUserID(ctx context.Context, localUserID, remoteUserID int64) error
-	ValidateOAuthState(ctx context.Context, state string) error
-	GenerateOAuthState(ctx context.Context) (string, error)
+	GetIDForRemoteUser(context.Context, int64) (int64, error)
+	RecordRemoteUserID(context.Context, int64, int64) error
+	ValidateOAuthState(context.Context, string, string, string) error
+	GenerateOAuthState(context.Context, string, string) (string, error)
 
 	DatabaseInitialized() bool
 }
@@ -138,6 +138,8 @@ type datastore struct {
 	driverName string
 }
 
+var _ writestore = &datastore{}
+
 func (db *datastore) now() string {
 	if db.driverName == driverSQLite {
 		return "strftime('%Y-%m-%d %H:%M:%S','now')"
@@ -2459,17 +2461,17 @@ func (db *datastore) GetCollectionLastPostTime(id int64) (*time.Time, error) {
 	return &t, nil
 }
 
-func (db *datastore) GenerateOAuthState(ctx context.Context) (string, error) {
+func (db *datastore) GenerateOAuthState(ctx context.Context, provider, clientID string) (string, error) {
 	state := store.Generate62RandomString(24)
-	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, used, created_at) VALUES (?, FALSE, NOW())", state)
+	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, provider, client_id, used, created_at) VALUES (?, ?, ?, FALSE, NOW())", state, provider, clientID)
 	if err != nil {
 		return "", fmt.Errorf("unable to record oauth client state: %w", err)
 	}
 	return state, nil
 }
 
-func (db *datastore) ValidateOAuthState(ctx context.Context, state string) error {
-	res, err := db.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ?", state)
+func (db *datastore) ValidateOAuthState(ctx context.Context, state, provider, clientID string) error {
+	res, err := db.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ? AND provider = ? AND client_id = ?", state, provider, clientID)
 	if err != nil {
 		return err
 	}
diff --git a/database_test.go b/database_test.go
index 4a45dd0..b19c861 100644
--- a/database_test.go
+++ b/database_test.go
@@ -18,7 +18,7 @@ func TestOAuthDatastore(t *testing.T) {
 			driverName: "",
 		}
 
-		state, err := ds.GenerateOAuthState(ctx)
+		state, err := ds.GenerateOAuthState(ctx, "", "")
 		assert.NoError(t, err)
 		assert.Len(t, state, 24)
 
diff --git a/go.mod b/go.mod
index 372b7ba..29c08db 100644
--- a/go.mod
+++ b/go.mod
@@ -19,6 +19,7 @@ require (
 	github.com/guregu/null v3.4.0+incompatible
 	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2
 	github.com/jtolds/gls v4.2.1+incompatible // indirect
+	github.com/kr/pretty v0.1.0
 	github.com/kylemcc/twitter-text-go v0.0.0-20180726194232-7f582f6736ec
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
 	github.com/manifoldco/promptui v0.3.2
diff --git a/go.sum b/go.sum
index ee3a418..035538e 100644
--- a/go.sum
+++ b/go.sum
@@ -64,6 +64,7 @@ github.com/jtolds/gls v4.2.1+incompatible h1:fSuqC+Gmlu6l/ZYAoZzx2pyucC8Xza35fpR
 github.com/jtolds/gls v4.2.1+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a h1:FaWFmfWdAUKbSCtOU2QjDaorUexogfaMgbipgYATUMU=
 github.com/juju/ansiterm v0.0.0-20180109212912-720a0952cc2a/go.mod h1:UJSiEoRfvx3hP73CvoARgeLjaIOjybY9vj8PUPPFGeU=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
diff --git a/oauth.go b/oauth.go
index d918f7f..70ae064 100644
--- a/oauth.go
+++ b/oauth.go
@@ -2,14 +2,17 @@ package writefreely
 
 import (
 	"context"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/guregu/null/zero"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
+	"hash/fnv"
 	"io"
 	"io/ioutil"
 	"net/http"
@@ -55,11 +58,12 @@ type OAuthDatastoreProvider interface {
 // OAuthDatastore provides a minimal interface of data store methods used in
 // oauth functionality.
 type OAuthDatastore interface {
-	GenerateOAuthState(context.Context) (string, error)
-	ValidateOAuthState(context.Context, string) error
 	GetIDForRemoteUser(context.Context, int64) (int64, error)
-	CreateUser(*config.Config, *User, string) error
 	RecordRemoteUserID(context.Context, int64, int64) error
+	ValidateOAuthState(context.Context, string, string, string) error
+	GenerateOAuthState(context.Context, string, string) (string, error)
+
+	CreateUser(*config.Config, *User, string) error
 	GetUserForAuthByID(int64) (*User, error)
 }
 
@@ -75,8 +79,8 @@ type oauthHandler struct {
 }
 
 // buildAuthURL returns a URL used to initiate authentication.
-func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation, callbackURL string) (string, error) {
-	state, err := db.GenerateOAuthState(ctx)
+func buildAuthURL(db OAuthDatastore, ctx context.Context, provider, clientID, authLocation, callbackURL string) (string, error) {
+	state, err := db.GenerateOAuthState(ctx, provider, clientID)
 	if err != nil {
 		return "", err
 	}
@@ -95,9 +99,8 @@ func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation
 	return u.String(), nil
 }
 
-// app *App, w http.ResponseWriter, r *http.Request
-func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
-	location, err := buildAuthURL(h.DB, r.Context(), h.Config.App.OAuthClientID, h.Config.App.OAuthProviderAuthLocation, h.Config.App.OAuthClientCallbackLocation)
+func (h oauthHandler) viewOauthInitWriteAs(w http.ResponseWriter, r *http.Request) {
+	location, err := buildAuthURL(h.DB, r.Context(), "write.as", h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsProviderAuthLocation, h.Config.App.OAuth.WriteAsClientCallbackLocation)
 	if err != nil {
 		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
 		return
@@ -105,94 +108,128 @@ func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
 }
 
-func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-
-	code := r.FormValue("code")
-	state := r.FormValue("state")
-
-	err := h.DB.ValidateOAuthState(ctx, state)
+func (h oauthHandler) viewOauthInitSlack(w http.ResponseWriter, r *http.Request) {
+	location, err := buildAuthURL(h.DB, r.Context(), "slack", h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsProviderAuthLocation, h.Config.App.OAuth.WriteAsClientCallbackLocation)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
 		return
 	}
+	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
+}
 
-	tokenResponse, err := h.exchangeOauthCode(ctx, code)
-	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
-	}
-
-	// Now that we have the access token, let's use it real quick to make sur
-	// it really really works.
-	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
-	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
-	}
-
-	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
-	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
-	}
-
-	fmt.Println("local user id", localUserID)
-
-	if localUserID == -1 {
-		// We don't have, nor do we want, the password from the origin, so we
-		//create a random string. If the user needs to set a password, they
-		//can do so through the settings page or through the password reset
-		//flow.
-		randPass := store.Generate62RandomString(14)
-		hashedPass, err := auth.HashPass([]byte(randPass))
-		if err != nil {
-			log.ErrorLog.Println(err)
-			failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
-			return
+func (h oauthHandler) configureRoutes(r *mux.Router) {
+	if h.Config.App.OAuth.Enabled {
+		if h.Config.App.OAuth.WriteAsClientID != "" {
+			callbackHash := oauthProviderHash("write.as", h.Config.App.OAuth.WriteAsClientID)
+			log.InfoLog.Println("write.as oauth callback URL", "/oauth/callback/"+callbackHash)
+			r.HandleFunc("/oauth/write.as", h.viewOauthInitWriteAs).Methods("GET")
+			r.HandleFunc("/oauth/callback/"+callbackHash, h.viewOauthCallback("write.as", h.Config.App.OAuth.WriteAsClientID)).Methods("GET")
 		}
-		newUser := &User{
-			Username:   tokenInfo.Username,
-			HashedPass: hashedPass,
-			HasPass:    true,
-			Email:      zero.NewString("", tokenInfo.Email != ""),
-			Created:    time.Now().Truncate(time.Second).UTC(),
+		if h.Config.App.OAuth.SlackClientID != "" {
+			callbackHash := oauthProviderHash("slack", h.Config.App.OAuth.SlackClientID)
+			log.InfoLog.Println("slack oauth callback URL", "/oauth/callback/"+callbackHash)
+			r.HandleFunc("/oauth/slack", h.viewOauthInitSlack).Methods("GET")
+			r.HandleFunc("/oauth/callback/"+callbackHash, h.viewOauthCallback("slack", h.Config.App.OAuth.SlackClientID)).Methods("GET")
 		}
+	}
 
-		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
+}
+
+func oauthProviderHash(provider, clientID string) string {
+	hasher := fnv.New32()
+	return hex.EncodeToString(hasher.Sum([]byte(provider + clientID)))
+}
+
+func (h oauthHandler) viewOauthCallback(provider, clientID string) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		code := r.FormValue("code")
+		state := r.FormValue("state")
+
+		err := h.DB.ValidateOAuthState(ctx, state, provider, clientID)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
 		}
 
-		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
+		tokenResponse, err := h.exchangeOauthCode(ctx, code)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
 		}
 
-		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+		// Now that we have the access token, let's use it real quick to make sur
+		// it really really works.
+		tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
+		if err != nil {
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
+		if err != nil {
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		fmt.Println("local user id", localUserID)
+
+		if localUserID == -1 {
+			// We don't have, nor do we want, the password from the origin, so we
+			//create a random string. If the user needs to set a password, they
+			//can do so through the settings page or through the password reset
+			//flow.
+			randPass := store.Generate62RandomString(14)
+			hashedPass, err := auth.HashPass([]byte(randPass))
+			if err != nil {
+				log.ErrorLog.Println(err)
+				failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
+				return
+			}
+			newUser := &User{
+				Username:   tokenInfo.Username,
+				HashedPass: hashedPass,
+				HasPass:    true,
+				Email:      zero.NewString("", tokenInfo.Email != ""),
+				Created:    time.Now().Truncate(time.Second).UTC(),
+			}
+
+			err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
+			if err != nil {
+				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+				return
+			}
+
+			err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
+			if err != nil {
+				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+				return
+			}
+
+			if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			}
+			return
+		}
+
+		user, err := h.DB.GetUserForAuthByID(localUserID)
+		if err != nil {
+			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return
+		}
+		if err = loginOrFail(h.Store, w, r, user); err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		}
-		return
-	}
-
-	user, err := h.DB.GetUserForAuthByID(localUserID)
-	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
-	}
-	if err = loginOrFail(h.Store, w, r, user); err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 	}
 }
 
 func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
 	form := url.Values{}
 	form.Add("grant_type", "authorization_code")
-	form.Add("redirect_uri", h.Config.App.OAuthClientCallbackLocation)
+	form.Add("redirect_uri", h.Config.App.OAuth.WriteAsClientCallbackLocation)
 	form.Add("code", code)
-	req, err := http.NewRequest("POST", h.Config.App.OAuthProviderTokenLocation, strings.NewReader(form.Encode()))
+	req, err := http.NewRequest("POST", h.Config.App.OAuth.WriteAsProviderTokenLocation, strings.NewReader(form.Encode()))
 	if err != nil {
 		return nil, err
 	}
@@ -200,7 +237,7 @@ func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*Toke
 	req.Header.Set("User-Agent", "writefreely")
 	req.Header.Set("Accept", "application/json")
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth(h.Config.App.OAuthClientID, h.Config.App.OAuthClientSecret)
+	req.SetBasicAuth(h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsClientSecret)
 
 	resp, err := h.HttpClient.Do(req)
 	if err != nil {
@@ -224,7 +261,7 @@ func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*Toke
 }
 
 func (h oauthHandler) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
-	req, err := http.NewRequest("GET", h.Config.App.OAuthProviderInspectLocation, nil)
+	req, err := http.NewRequest("GET", h.Config.App.OAuth.WriteAsProviderInspectLocation, nil)
 	if err != nil {
 		return nil, err
 	}
diff --git a/routes.go b/routes.go
index e286c3e..2bca288 100644
--- a/routes.go
+++ b/routes.go
@@ -86,9 +86,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 		DB:         apper.App().DB(),
 		Store:      apper.App().SessionStore(),
 	}
-
-	write.HandleFunc("/oauth/write.as", oauthHandler.viewOauthInit).Methods("GET")
-	write.HandleFunc("/oauth/callback", oauthHandler.viewOauthCallback).Methods("GET")
+	oauthHandler.configureRoutes(write)
 
 	// Handle logged in user sections
 	me := write.PathPrefix("/me").Subrouter()

From 462f87919a6758a79900c13c3c60230ca93356ca Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Sat, 28 Dec 2019 15:15:47 -0500
Subject: [PATCH 055/127] Feature complete on MVP slack auth integration. T710

---
 config/config.go         |  37 ++---
 database.go              |  46 ++++--
 database_test.go         |   6 +-
 db/alter.go              |  40 +++++
 db/alter_test.go         |  56 +++++++
 db/create.go             |  29 +---
 db/dialect.go            |  43 ++++++
 migrations/migrations.go |   1 +
 migrations/v5.go         |  41 ++++++
 oauth.go                 | 310 +++++++++++++++------------------------
 oauth_slack.go           | 148 +++++++++++++++++++
 oauth_test.go            | 104 ++++++++-----
 oauth_writeas.go         |  91 ++++++++++++
 routes.go                |  12 +-
 14 files changed, 664 insertions(+), 300 deletions(-)
 create mode 100644 db/alter.go
 create mode 100644 db/alter_test.go
 create mode 100644 db/dialect.go
 create mode 100644 migrations/v5.go
 create mode 100644 oauth_slack.go
 create mode 100644 oauth_writeas.go

diff --git a/config/config.go b/config/config.go
index 7a539f1..996c1df 100644
--- a/config/config.go
+++ b/config/config.go
@@ -56,23 +56,18 @@ type (
 		Port     int    `ini:"port"`
 	}
 
-	OAuthCfg struct {
-		Enabled bool `ini:"enable"`
+	WriteAsOauthCfg struct {
+		ClientID        string `ini:"client_id"`
+		ClientSecret    string `ini:"client_secret"`
+		AuthLocation    string `ini:"auth_location"`
+		TokenLocation   string `ini:"token_location"`
+		InspectLocation string `ini:"inspect_location"`
+	}
 
-		// write.as
-		WriteAsProviderAuthLocation    string `ini:"wa_auth_location"`
-		WriteAsProviderTokenLocation   string `ini:"wa_token_location"`
-		WriteAsProviderInspectLocation string `ini:"wa_inspect_location"`
-		WriteAsClientCallbackLocation  string `ini:"wa_callback_location"`
-		WriteAsClientID                string `ini:"wa_client_id"`
-		WriteAsClientSecret            string `ini:"wa_client_secret"`
-		WriteAsAuthLocation            string
-
-		// slack
-		SlackClientID     string `ini:"slack_client_id"`
-		SlackClientSecret string `ini:"slack_client_secret"`
-		SlackTeamID       string `init:"slack_team_id"`
-		SlackAuthLocation string
+	SlackOauthCfg struct {
+		ClientID     string `ini:"client_id"`
+		ClientSecret string `ini:"client_secret"`
+		TeamID       string `ini:"team_id"`
 	}
 
 	// AppCfg holds values that affect how the application functions
@@ -113,15 +108,15 @@ type (
 
 		// Defaults
 		DefaultVisibility string `ini:"default_visibility"`
-
-		OAuth OAuthCfg `ini:"oauth"`
 	}
 
 	// Config holds the complete configuration for running a writefreely instance
 	Config struct {
-		Server   ServerCfg   `ini:"server"`
-		Database DatabaseCfg `ini:"database"`
-		App      AppCfg      `ini:"app"`
+		Server       ServerCfg       `ini:"server"`
+		Database     DatabaseCfg     `ini:"database"`
+		App          AppCfg          `ini:"app"`
+		SlackOauth   SlackOauthCfg   `ini:"oauth.slack"`
+		WriteAsOauth WriteAsOauthCfg `ini:"oauth.writeas"`
 	}
 )
 
diff --git a/database.go b/database.go
index a4c79d4..6fc07a8 100644
--- a/database.go
+++ b/database.go
@@ -14,6 +14,7 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	wf_db "github.com/writeas/writefreely/db"
 	"net/http"
 	"strings"
 	"time"
@@ -125,9 +126,9 @@ type writestore interface {
 	GetUserLastPostTime(id int64) (*time.Time, error)
 	GetCollectionLastPostTime(id int64) (*time.Time, error)
 
-	GetIDForRemoteUser(context.Context, int64) (int64, error)
-	RecordRemoteUserID(context.Context, int64, int64) error
-	ValidateOAuthState(context.Context, string, string, string) error
+	GetIDForRemoteUser(context.Context, string) (int64, error)
+	RecordRemoteUserID(context.Context, int64, string) error
+	ValidateOAuthState(context.Context, string) (string, string, error)
 	GenerateOAuthState(context.Context, string, string) (string, error)
 
 	DatabaseInitialized() bool
@@ -2470,22 +2471,35 @@ func (db *datastore) GenerateOAuthState(ctx context.Context, provider, clientID
 	return state, nil
 }
 
-func (db *datastore) ValidateOAuthState(ctx context.Context, state, provider, clientID string) error {
-	res, err := db.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ? AND provider = ? AND client_id = ?", state, provider, clientID)
+func (db *datastore) ValidateOAuthState(ctx context.Context, state string) (string, string, error) {
+	var provider string
+	var clientID string
+	err := wf_db.RunTransactionWithOptions(ctx, db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
+		err := tx.QueryRow("SELECT provider, client_id FROM oauth_client_state WHERE state = ? AND used = FALSE", state).Scan(&provider, &clientID)
+		if err != nil {
+			return err
+		}
+
+		res, err := tx.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ?", state)
+		if err != nil {
+			return err
+		}
+		rowsAffected, err := res.RowsAffected()
+		if err != nil {
+			return err
+		}
+		if rowsAffected != 1 {
+			return fmt.Errorf("state not found")
+		}
+		return nil
+	})
 	if err != nil {
-		return err
+		return "", "", nil
 	}
-	rowsAffected, err := res.RowsAffected()
-	if err != nil {
-		return err
-	}
-	if rowsAffected != 1 {
-		return fmt.Errorf("state not found")
-	}
-	return nil
+	return provider, clientID, nil
 }
 
-func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remoteUserID int64) error {
+func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID string) error {
 	var err error
 	if db.driverName == driverSQLite {
 		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
@@ -2499,7 +2513,7 @@ func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remote
 }
 
 // GetIDForRemoteUser returns a user ID associated with a remote user ID.
-func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error) {
+func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID string) (int64, error) {
 	var userID int64 = -1
 	err := db.
 		QueryRowContext(ctx, "SELECT user_id FROM users_oauth WHERE remote_user_id = ?", remoteUserID).
diff --git a/database_test.go b/database_test.go
index b19c861..82f87c2 100644
--- a/database_test.go
+++ b/database_test.go
@@ -18,19 +18,19 @@ func TestOAuthDatastore(t *testing.T) {
 			driverName: "",
 		}
 
-		state, err := ds.GenerateOAuthState(ctx, "", "")
+		state, err := ds.GenerateOAuthState(ctx, "test", "development")
 		assert.NoError(t, err)
 		assert.Len(t, state, 24)
 
 		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = false", state)
 
-		err = ds.ValidateOAuthState(ctx, state)
+		_, _, err = ds.ValidateOAuthState(ctx, state)
 		assert.NoError(t, err)
 
 		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = true", state)
 
 		var localUserID int64 = 99
-		var remoteUserID int64 = 100
+		var remoteUserID = "100"
 		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID)
 		assert.NoError(t, err)
 
diff --git a/db/alter.go b/db/alter.go
new file mode 100644
index 0000000..3a44e1f
--- /dev/null
+++ b/db/alter.go
@@ -0,0 +1,40 @@
+package db
+
+import (
+	"fmt"
+	"strings"
+)
+
+type AlterTableSqlBuilder struct {
+	Dialect DialectType
+	Name    string
+	Changes []string
+}
+
+func (b *AlterTableSqlBuilder) AddColumn(col *Column) *AlterTableSqlBuilder {
+	if colVal, err := col.String(); err == nil {
+		b.Changes = append(b.Changes, fmt.Sprintf("ADD COLUMN %s", colVal))
+	}
+	return b
+}
+
+func (b *AlterTableSqlBuilder) ToSQL() (string, error) {
+	var str strings.Builder
+
+	str.WriteString("ALTER TABLE ")
+	str.WriteString(b.Name)
+	str.WriteString(" ")
+
+	if len(b.Changes) == 0 {
+		return "", fmt.Errorf("no changes provide for table: %s", b.Name)
+	}
+	changeCount := len(b.Changes)
+	for i, thing := range b.Changes {
+		str.WriteString(thing)
+		if i < changeCount-1 {
+			str.WriteString(", ")
+		}
+	}
+
+	return str.String(), nil
+}
diff --git a/db/alter_test.go b/db/alter_test.go
new file mode 100644
index 0000000..4bd58ac
--- /dev/null
+++ b/db/alter_test.go
@@ -0,0 +1,56 @@
+package db
+
+import "testing"
+
+func TestAlterTableSqlBuilder_ToSQL(t *testing.T) {
+	type fields struct {
+		Dialect DialectType
+		Name    string
+		Changes []string
+	}
+	tests := []struct {
+		name    string
+		builder *AlterTableSqlBuilder
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "MySQL add int",
+			builder: DialectMySQL.
+				AlterTable("the_table").
+				AddColumn(DialectMySQL.Column("the_col", ColumnTypeInteger, UnsetSize)),
+			want:    "ALTER TABLE the_table ADD COLUMN the_col INT NOT NULL",
+			wantErr: false,
+		},
+		{
+			name: "MySQL add string",
+			builder: DialectMySQL.
+				AlterTable("the_table").
+				AddColumn(DialectMySQL.Column("the_col", ColumnTypeVarChar, OptionalInt{true, 128})),
+			want:    "ALTER TABLE the_table ADD COLUMN the_col VARCHAR(128) NOT NULL",
+			wantErr: false,
+		},
+
+		{
+			name: "MySQL add int and string",
+			builder: DialectMySQL.
+				AlterTable("the_table").
+				AddColumn(DialectMySQL.Column("first_col", ColumnTypeInteger, UnsetSize)).
+				AddColumn(DialectMySQL.Column("second_col", ColumnTypeVarChar, OptionalInt{true, 128})),
+			want:    "ALTER TABLE the_table ADD COLUMN first_col INT NOT NULL, ADD COLUMN second_col VARCHAR(128) NOT NULL",
+			wantErr: false,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.builder.ToSQL()
+			if (err != nil) != tt.wantErr {
+				t.Errorf("ToSQL() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if got != tt.want {
+				t.Errorf("ToSQL() got = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/db/create.go b/db/create.go
index 5e4f34e..c384778 100644
--- a/db/create.go
+++ b/db/create.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 )
 
-type DialectType int
 type ColumnType int
 
 type OptionalInt struct {
@@ -41,11 +40,6 @@ type CreateTableSqlBuilder struct {
 	Constraints []string
 }
 
-const (
-	DialectSQLite DialectType = iota
-	DialectMySQL  DialectType = iota
-)
-
 const (
 	ColumnTypeBool     ColumnType = iota
 	ColumnTypeSmallInt ColumnType = iota
@@ -61,28 +55,6 @@ var _ SQLBuilder = &CreateTableSqlBuilder{}
 var UnsetSize OptionalInt = OptionalInt{Set: false, Value: 0}
 var UnsetDefault OptionalString = OptionalString{Set: false, Value: ""}
 
-func (d DialectType) Column(name string, t ColumnType, size OptionalInt) *Column {
-	switch d {
-	case DialectSQLite:
-		return &Column{Dialect: DialectSQLite, Name: name, Type: t, Size: size}
-	case DialectMySQL:
-		return &Column{Dialect: DialectMySQL, Name: name, Type: t, Size: size}
-	default:
-		panic(fmt.Sprintf("unexpected dialect: %d", d))
-	}
-}
-
-func (d DialectType) Table(name string) *CreateTableSqlBuilder {
-	switch d {
-	case DialectSQLite:
-		return &CreateTableSqlBuilder{Dialect: DialectSQLite, Name: name}
-	case DialectMySQL:
-		return &CreateTableSqlBuilder{Dialect: DialectMySQL, Name: name}
-	default:
-		panic(fmt.Sprintf("unexpected dialect: %d", d))
-	}
-}
-
 func (d ColumnType) Format(dialect DialectType, size OptionalInt) (string, error) {
 	if dialect != DialectMySQL && dialect != DialectSQLite {
 		return "", fmt.Errorf("unsupported column type %d for dialect %d and size %v", d, dialect, size)
@@ -269,3 +241,4 @@ func (b *CreateTableSqlBuilder) ToSQL() (string, error) {
 
 	return str.String(), nil
 }
+
diff --git a/db/dialect.go b/db/dialect.go
new file mode 100644
index 0000000..db1f5c4
--- /dev/null
+++ b/db/dialect.go
@@ -0,0 +1,43 @@
+package db
+
+import "fmt"
+
+type DialectType int
+
+const (
+	DialectSQLite DialectType = iota
+	DialectMySQL  DialectType = iota
+)
+
+func (d DialectType) Column(name string, t ColumnType, size OptionalInt) *Column {
+	switch d {
+	case DialectSQLite:
+		return &Column{Dialect: DialectSQLite, Name: name, Type: t, Size: size}
+	case DialectMySQL:
+		return &Column{Dialect: DialectMySQL, Name: name, Type: t, Size: size}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d DialectType) Table(name string) *CreateTableSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &CreateTableSqlBuilder{Dialect: DialectSQLite, Name: name}
+	case DialectMySQL:
+		return &CreateTableSqlBuilder{Dialect: DialectMySQL, Name: name}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d DialectType) AlterTable(name string) *AlterTableSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &AlterTableSqlBuilder{Dialect: DialectSQLite, Name: name}
+	case DialectMySQL:
+		return &AlterTableSqlBuilder{Dialect: DialectMySQL, Name: name}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
diff --git a/migrations/migrations.go b/migrations/migrations.go
index b9ead23..acb136d 100644
--- a/migrations/migrations.go
+++ b/migrations/migrations.go
@@ -60,6 +60,7 @@ var migrations = []Migration{
 	New("support dynamic instance pages", supportInstancePages), // V1 -> V2 (v0.9.0)
 	New("support users suspension", supportUserStatus),          // V2 -> V3 (v0.11.0)
 	New("support oauth", oauth), // V3 -> V4
+	New("support slack oauth", oauth_slack), // V4 -> v5
 }
 
 // CurrentVer returns the current migration version the application is on
diff --git a/migrations/v5.go b/migrations/v5.go
new file mode 100644
index 0000000..d421e2f
--- /dev/null
+++ b/migrations/v5.go
@@ -0,0 +1,41 @@
+package migrations
+
+import (
+	"context"
+	"database/sql"
+
+	wf_db "github.com/writeas/writefreely/db"
+)
+
+func oauth_slack(db *datastore) error {
+	dialect := wf_db.DialectMySQL
+	if db.driverName == driverSQLite {
+		dialect = wf_db.DialectSQLite
+	}
+	return wf_db.RunTransactionWithOptions(context.Background(), db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
+		builders := []wf_db.SQLBuilder{
+			dialect.
+				AlterTable("oauth_client_state").
+				AddColumn(dialect.
+					Column(
+						"provider",
+						wf_db.ColumnTypeVarChar,
+						wf_db.OptionalInt{Set: true, Value: 24,})).
+				AddColumn(dialect.
+					Column(
+						"client_id",
+						wf_db.ColumnTypeVarChar,
+						wf_db.OptionalInt{Set: true, Value: 128,})),
+		}
+		for _, builder := range builders {
+			query, err := builder.ToSQL()
+			if err != nil {
+				return err
+			}
+			if _, err := tx.ExecContext(ctx, query); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
diff --git a/oauth.go b/oauth.go
index 70ae064..e94f4be 100644
--- a/oauth.go
+++ b/oauth.go
@@ -2,7 +2,6 @@ package writefreely
 
 import (
 	"context"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"github.com/gorilla/mux"
@@ -10,14 +9,10 @@ import (
 	"github.com/guregu/null/zero"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/auth"
-	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
-	"hash/fnv"
 	"io"
 	"io/ioutil"
 	"net/http"
-	"net/url"
-	"strings"
 	"time"
 )
 
@@ -33,7 +28,7 @@ type TokenResponse struct {
 // InspectResponse contains data returned when an access token is inspected.
 type InspectResponse struct {
 	ClientID  string    `json:"client_id"`
-	UserID    int64     `json:"user_id"`
+	UserID    string    `json:"user_id"`
 	ExpiresAt time.Time `json:"expires_at"`
 	Username  string    `json:"username"`
 	Email     string    `json:"email"`
@@ -58,9 +53,9 @@ type OAuthDatastoreProvider interface {
 // OAuthDatastore provides a minimal interface of data store methods used in
 // oauth functionality.
 type OAuthDatastore interface {
-	GetIDForRemoteUser(context.Context, int64) (int64, error)
-	RecordRemoteUserID(context.Context, int64, int64) error
-	ValidateOAuthState(context.Context, string, string, string) error
+	GetIDForRemoteUser(context.Context, string) (int64, error)
+	RecordRemoteUserID(context.Context, int64, string) error
+	ValidateOAuthState(context.Context, string) (string, string, error)
 	GenerateOAuthState(context.Context, string, string) (string, error)
 
 	CreateUser(*config.Config, *User, string) error
@@ -71,36 +66,28 @@ type HttpClient interface {
 	Do(req *http.Request) (*http.Response, error)
 }
 
+type oauthClient interface {
+	GetProvider() string
+	GetClientID() string
+	buildLoginURL(state string) (string, error)
+	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)
+	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
+}
+
 type oauthHandler struct {
-	Config     *config.Config
-	DB         OAuthDatastore
-	Store      sessions.Store
-	HttpClient HttpClient
+	Config      *config.Config
+	DB          OAuthDatastore
+	Store       sessions.Store
+	oauthClient oauthClient
 }
 
-// buildAuthURL returns a URL used to initiate authentication.
-func buildAuthURL(db OAuthDatastore, ctx context.Context, provider, clientID, authLocation, callbackURL string) (string, error) {
-	state, err := db.GenerateOAuthState(ctx, provider, clientID)
+func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID())
 	if err != nil {
-		return "", err
+		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
 	}
-
-	u, err := url.Parse(authLocation)
-	if err != nil {
-		return "", err
-	}
-	q := u.Query()
-	q.Set("client_id", clientID)
-	q.Set("redirect_uri", callbackURL)
-	q.Set("response_type", "code")
-	q.Set("state", state)
-	u.RawQuery = q.Encode()
-
-	return u.String(), nil
-}
-
-func (h oauthHandler) viewOauthInitWriteAs(w http.ResponseWriter, r *http.Request) {
-	location, err := buildAuthURL(h.DB, r.Context(), "write.as", h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsProviderAuthLocation, h.Config.App.OAuth.WriteAsClientCallbackLocation)
+	location, err := h.oauthClient.buildLoginURL(state)
 	if err != nil {
 		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
 		return
@@ -108,187 +95,134 @@ func (h oauthHandler) viewOauthInitWriteAs(w http.ResponseWriter, r *http.Reques
 	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
 }
 
-func (h oauthHandler) viewOauthInitSlack(w http.ResponseWriter, r *http.Request) {
-	location, err := buildAuthURL(h.DB, r.Context(), "slack", h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsProviderAuthLocation, h.Config.App.OAuth.WriteAsClientCallbackLocation)
+func configureSlackOauth(r *mux.Router, app *App) {
+	if app.Config().SlackOauth.ClientID != "" {
+		oauthClient := slackOauthClient{
+			ClientID:         app.Config().SlackOauth.ClientID,
+			ClientSecret:     app.Config().SlackOauth.ClientSecret,
+			TeamID:           app.Config().SlackOauth.TeamID,
+			CallbackLocation: app.Config().App.Host + "/oauth/callback",
+			HttpClient:       &http.Client{Timeout: 10 * time.Second},
+		}
+		configureOauthRoutes(r, app, oauthClient)
+	}
+}
+
+func configureWriteAsOauth(r *mux.Router, app *App) {
+	if app.Config().WriteAsOauth.ClientID != "" {
+		oauthClient := writeAsOauthClient{
+			ClientID:         app.Config().WriteAsOauth.ClientID,
+			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
+			ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
+			InspectLocation:  app.Config().WriteAsOauth.InspectLocation,
+			AuthLocation:     app.Config().WriteAsOauth.AuthLocation,
+			HttpClient:       &http.Client{Timeout: 10 * time.Second},
+			CallbackLocation: app.Config().App.Host + "/oauth/callback",
+		}
+		configureOauthRoutes(r, app, oauthClient)
+	}
+}
+
+func configureOauthRoutes(r *mux.Router, app *App, oauthClient oauthClient) {
+	handler := &oauthHandler{
+		Config:      app.Config(),
+		DB:          app.DB(),
+		Store:       app.SessionStore(),
+		oauthClient: oauthClient,
+	}
+	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), handler.viewOauthInit).Methods("GET")
+	r.HandleFunc("/oauth/callback", handler.viewOauthCallback).Methods("GET")
+}
+
+func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	code := r.FormValue("code")
+	state := r.FormValue("state")
+
+	_, _, err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
-	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
-}
 
-func (h oauthHandler) configureRoutes(r *mux.Router) {
-	if h.Config.App.OAuth.Enabled {
-		if h.Config.App.OAuth.WriteAsClientID != "" {
-			callbackHash := oauthProviderHash("write.as", h.Config.App.OAuth.WriteAsClientID)
-			log.InfoLog.Println("write.as oauth callback URL", "/oauth/callback/"+callbackHash)
-			r.HandleFunc("/oauth/write.as", h.viewOauthInitWriteAs).Methods("GET")
-			r.HandleFunc("/oauth/callback/"+callbackHash, h.viewOauthCallback("write.as", h.Config.App.OAuth.WriteAsClientID)).Methods("GET")
-		}
-		if h.Config.App.OAuth.SlackClientID != "" {
-			callbackHash := oauthProviderHash("slack", h.Config.App.OAuth.SlackClientID)
-			log.InfoLog.Println("slack oauth callback URL", "/oauth/callback/"+callbackHash)
-			r.HandleFunc("/oauth/slack", h.viewOauthInitSlack).Methods("GET")
-			r.HandleFunc("/oauth/callback/"+callbackHash, h.viewOauthCallback("slack", h.Config.App.OAuth.SlackClientID)).Methods("GET")
-		}
+	tokenResponse, err := h.oauthClient.exchangeOauthCode(ctx, code)
+	if err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
 	}
 
-}
+	// Now that we have the access token, let's use it real quick to make sur
+	// it really really works.
+	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
+	if err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
+	}
 
-func oauthProviderHash(provider, clientID string) string {
-	hasher := fnv.New32()
-	return hex.EncodeToString(hasher.Sum([]byte(provider + clientID)))
-}
+	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
+	if err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
+	}
 
-func (h oauthHandler) viewOauthCallback(provider, clientID string) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		ctx := r.Context()
+	if localUserID == -1 {
+		// We don't have, nor do we want, the password from the origin, so we
+		//create a random string. If the user needs to set a password, they
+		//can do so through the settings page or through the password reset
+		//flow.
+		randPass := store.Generate62RandomString(14)
+		hashedPass, err := auth.HashPass([]byte(randPass))
+		if err != nil {
+			failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
+			return
+		}
+		newUser := &User{
+			Username:   tokenInfo.Username,
+			HashedPass: hashedPass,
+			HasPass:    true,
+			Email:      zero.NewString(tokenInfo.Email, tokenInfo.Email != ""),
+			Created:    time.Now().Truncate(time.Second).UTC(),
+		}
 
-		code := r.FormValue("code")
-		state := r.FormValue("state")
-
-		err := h.DB.ValidateOAuthState(ctx, state, provider, clientID)
+		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
 		}
 
-		tokenResponse, err := h.exchangeOauthCode(ctx, code)
+		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
 		}
 
-		// Now that we have the access token, let's use it real quick to make sur
-		// it really really works.
-		tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
-		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
-		}
-
-		localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
-		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
-		}
-
-		fmt.Println("local user id", localUserID)
-
-		if localUserID == -1 {
-			// We don't have, nor do we want, the password from the origin, so we
-			//create a random string. If the user needs to set a password, they
-			//can do so through the settings page or through the password reset
-			//flow.
-			randPass := store.Generate62RandomString(14)
-			hashedPass, err := auth.HashPass([]byte(randPass))
-			if err != nil {
-				log.ErrorLog.Println(err)
-				failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
-				return
-			}
-			newUser := &User{
-				Username:   tokenInfo.Username,
-				HashedPass: hashedPass,
-				HasPass:    true,
-				Email:      zero.NewString("", tokenInfo.Email != ""),
-				Created:    time.Now().Truncate(time.Second).UTC(),
-			}
-
-			err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
-			if err != nil {
-				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-				return
-			}
-
-			err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
-			if err != nil {
-				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-				return
-			}
-
-			if err := loginOrFail(h.Store, w, r, newUser); err != nil {
-				failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			}
-			return
-		}
-
-		user, err := h.DB.GetUserForAuthByID(localUserID)
-		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
-		}
-		if err = loginOrFail(h.Store, w, r, user); err != nil {
+		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		}
+		return
+	}
+
+	user, err := h.DB.GetUserForAuthByID(localUserID)
+	if err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	if err = loginOrFail(h.Store, w, r, user); err != nil {
+		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 	}
 }
 
-func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
-	form := url.Values{}
-	form.Add("grant_type", "authorization_code")
-	form.Add("redirect_uri", h.Config.App.OAuth.WriteAsClientCallbackLocation)
-	form.Add("code", code)
-	req, err := http.NewRequest("POST", h.Config.App.OAuth.WriteAsProviderTokenLocation, strings.NewReader(form.Encode()))
+func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
+	lr := io.LimitReader(body, int64(n+1))
+	data, err := ioutil.ReadAll(lr)
 	if err != nil {
-		return nil, err
+		return err
 	}
-	req.WithContext(ctx)
-	req.Header.Set("User-Agent", "writefreely")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.SetBasicAuth(h.Config.App.OAuth.WriteAsClientID, h.Config.App.OAuth.WriteAsClientSecret)
-
-	resp, err := h.HttpClient.Do(req)
-	if err != nil {
-		return nil, err
+	if len(data) == n+1 {
+		return fmt.Errorf("content larger than max read allowance: %d", n)
 	}
-
-	// Nick: I like using limited readers to reduce the risk of an endpoint
-	// being broken or compromised.
-	lr := io.LimitReader(resp.Body, tokenRequestMaxLen)
-	body, err := ioutil.ReadAll(lr)
-	if err != nil {
-		return nil, err
-	}
-
-	var tokenResponse TokenResponse
-	err = json.Unmarshal(body, &tokenResponse)
-	if err != nil {
-		return nil, err
-	}
-	return &tokenResponse, nil
-}
-
-func (h oauthHandler) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
-	req, err := http.NewRequest("GET", h.Config.App.OAuth.WriteAsProviderInspectLocation, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.WithContext(ctx)
-	req.Header.Set("User-Agent", "writefreely")
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Authorization", "Bearer "+accessToken)
-
-	resp, err := h.HttpClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// Nick: I like using limited readers to reduce the risk of an endpoint
-	// being broken or compromised.
-	lr := io.LimitReader(resp.Body, infoRequestMaxLen)
-	body, err := ioutil.ReadAll(lr)
-	if err != nil {
-		return nil, err
-	}
-
-	var inspectResponse InspectResponse
-	err = json.Unmarshal(body, &inspectResponse)
-	if err != nil {
-		return nil, err
-	}
-	return &inspectResponse, nil
+	return json.Unmarshal(data, thing)
 }
 
 func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, user *User) error {
diff --git a/oauth_slack.go b/oauth_slack.go
new file mode 100644
index 0000000..9c8508e
--- /dev/null
+++ b/oauth_slack.go
@@ -0,0 +1,148 @@
+package writefreely
+
+import (
+	"context"
+	"github.com/writeas/slug"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type slackOauthClient struct {
+	ClientID         string
+	ClientSecret     string
+	TeamID           string
+	CallbackLocation string
+	HttpClient       HttpClient
+}
+
+type slackExchangeResponse struct {
+	AccessToken string `json:"access_token"`
+	Scope       string `json:"scope"`
+	TeamName    string `json:"team_name"`
+	TeamID      string `json:"team_id"`
+}
+
+type slackIdentity struct {
+	Name  string `json:"name"`
+	ID    string `json:"id"`
+	Email string `json:"email"`
+}
+
+type slackTeam struct {
+	Name string `json:"name"`
+	ID   string `json:"id"`
+}
+
+type slackUserIdentityResponse struct {
+	OK    bool          `json:"ok"`
+	User  slackIdentity `json:"user"`
+	Team  slackTeam     `json:"team"`
+	Error string        `json:"error"`
+}
+
+const (
+	slackAuthLocation     = "https://slack.com/oauth/authorize"
+	slackExchangeLocation = "https://slack.com/api/oauth.access"
+	slackIdentityLocation = "https://slack.com/api/users.identity"
+)
+
+var _ oauthClient = slackOauthClient{}
+
+func (c slackOauthClient) GetProvider() string {
+	return "slack"
+}
+
+func (c slackOauthClient) GetClientID() string {
+	return c.ClientID
+}
+
+func (c slackOauthClient) buildLoginURL(state string) (string, error) {
+	u, err := url.Parse(slackAuthLocation)
+	if err != nil {
+		return "", err
+	}
+	q := u.Query()
+	q.Set("client_id", c.ClientID)
+	q.Set("scope", "identity.basic identity.email identity.team")
+	q.Set("redirect_uri", c.CallbackLocation)
+	q.Set("state", state)
+
+	// If this param is not set, the user can select which team they
+	// authenticate through and then we'd have to match the configured team
+	// against the profile get. That is extra work in the post-auth phase
+	// that we don't want to do.
+	q.Set("team", c.TeamID)
+
+	// The Slack OAuth docs don't explicitly list this one, but it is part of
+	// the spec, so we include it anyway.
+	q.Set("response_type", "code")
+	u.RawQuery = q.Encode()
+	return u.String(), nil
+}
+
+func (c slackOauthClient) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
+	form := url.Values{}
+	// The oauth.access documentation doesn't explicitly mention this
+	// parameter, but it is part of the spec, so we include it anyway.
+	// https://api.slack.com/methods/oauth.access
+	form.Add("grant_type", "authorization_code")
+	form.Add("redirect_uri", c.CallbackLocation)
+	form.Add("code", code)
+	req, err := http.NewRequest("POST", slackExchangeLocation, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth(c.ClientID, c.ClientSecret)
+
+	resp, err := c.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var tokenResponse slackExchangeResponse
+	if err := limitedJsonUnmarshal(resp.Body, tokenRequestMaxLen, &tokenResponse); err != nil {
+		return nil, err
+	}
+	return tokenResponse.TokenResponse(), nil
+}
+
+func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
+	req, err := http.NewRequest("GET", slackIdentityLocation, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+
+	resp, err := c.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var inspectResponse slackUserIdentityResponse
+	if err := limitedJsonUnmarshal(resp.Body, infoRequestMaxLen, &inspectResponse); err != nil {
+		return nil, err
+	}
+	return inspectResponse.InspectResponse(), nil
+}
+
+func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
+	return &InspectResponse{
+		UserID:   resp.User.ID,
+		Username: slug.Make(resp.User.Name),
+		Email:    resp.User.Email,
+	}
+}
+
+func (resp slackExchangeResponse) TokenResponse() *TokenResponse {
+	return &TokenResponse{
+		AccessToken: resp.AccessToken,
+	}
+}
diff --git a/oauth_test.go b/oauth_test.go
index 482a846..4916dee 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -21,14 +21,16 @@ type MockOAuthDatastoreProvider struct {
 }
 
 type MockOAuthDatastore struct {
-	DoGenerateOAuthState func(ctx context.Context) (string, error)
-	DoValidateOAuthState func(context.Context, string) error
-	DoGetIDForRemoteUser func(context.Context, int64) (int64, error)
+	DoGenerateOAuthState func(context.Context, string, string) (string, error)
+	DoValidateOAuthState func(context.Context, string) (string, string, error)
+	DoGetIDForRemoteUser func(context.Context, string) (int64, error)
 	DoCreateUser         func(*config.Config, *User, string) error
-	DoRecordRemoteUserID func(context.Context, int64, int64) error
+	DoRecordRemoteUserID func(context.Context, int64, string) error
 	DoGetUserForAuthByID func(int64) (*User, error)
 }
 
+var _ OAuthDatastore = &MockOAuthDatastore{}
+
 type StringReadCloser struct {
 	*strings.Reader
 }
@@ -68,24 +70,29 @@ func (m *MockOAuthDatastoreProvider) Config() *config.Config {
 	}
 	cfg := config.New()
 	cfg.UseSQLite(true)
-	cfg.App.EnableOAuth = true
-	cfg.App.OAuthProviderAuthLocation = "https://write.as/oauth/login"
-	cfg.App.OAuthProviderTokenLocation = "https://write.as/oauth/token"
-	cfg.App.OAuthProviderInspectLocation = "https://write.as/oauth/inspect"
-	cfg.App.OAuthClientCallbackLocation = "http://localhost/oauth/callback"
-	cfg.App.OAuthClientID = "development"
-	cfg.App.OAuthClientSecret = "development"
+	cfg.WriteAsOauth = config.WriteAsOauthCfg{
+		ClientID:        "development",
+		ClientSecret:    "development",
+		AuthLocation:    "https://write.as/oauth/login",
+		TokenLocation:   "https://write.as/oauth/token",
+		InspectLocation: "https://write.as/oauth/inspect",
+	}
+	cfg.SlackOauth = config.SlackOauthCfg{
+		ClientID:     "development",
+		ClientSecret: "development",
+		TeamID:       "development",
+	}
 	return cfg
 }
 
-func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) error {
+func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) (string, string, error) {
 	if m.DoValidateOAuthState != nil {
 		return m.DoValidateOAuthState(ctx, state)
 	}
-	return nil
+	return "", "", nil
 }
 
-func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error) {
+func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID string) (int64, error) {
 	if m.DoGetIDForRemoteUser != nil {
 		return m.DoGetIDForRemoteUser(ctx, remoteUserID)
 	}
@@ -100,7 +107,7 @@ func (m *MockOAuthDatastore) CreateUser(cfg *config.Config, u *User, username st
 	return nil
 }
 
-func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID int64) error {
+func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID string) error {
 	if m.DoRecordRemoteUserID != nil {
 		return m.DoRecordRemoteUserID(ctx, localUserID, remoteUserID)
 	}
@@ -117,9 +124,9 @@ func (m *MockOAuthDatastore) GetUserForAuthByID(userID int64) (*User, error) {
 	return user, nil
 }
 
-func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context) (string, error) {
+func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context, provider string, clientID string) (string, error) {
 	if m.DoGenerateOAuthState != nil {
-		return m.DoGenerateOAuthState(ctx)
+		return m.DoGenerateOAuthState(ctx, provider, clientID)
 	}
 	return store.Generate62RandomString(14), nil
 }
@@ -132,6 +139,15 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
+			oauthClient:writeAsOauthClient{
+				ClientID:         app.Config().WriteAsOauth.ClientID,
+				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
+				ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
+				InspectLocation:  app.Config().WriteAsOauth.InspectLocation,
+				AuthLocation:     app.Config().WriteAsOauth.AuthLocation,
+				CallbackLocation: "http://localhost/oauth/callback",
+				HttpClient:       nil,
+			},
 		}
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
@@ -151,7 +167,7 @@ func TestViewOauthInit(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{
 			DoDB: func() OAuthDatastore {
 				return &MockOAuthDatastore{
-					DoGenerateOAuthState: func(ctx context.Context) (string, error) {
+					DoGenerateOAuthState: func(ctx context.Context, provider, clientID string) (string, error) {
 						return "", fmt.Errorf("pretend unable to write state error")
 					},
 				}
@@ -161,6 +177,15 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
+			oauthClient:writeAsOauthClient{
+				ClientID:         app.Config().WriteAsOauth.ClientID,
+				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
+				ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
+				InspectLocation:  app.Config().WriteAsOauth.InspectLocation,
+				AuthLocation:     app.Config().WriteAsOauth.AuthLocation,
+				CallbackLocation: "http://localhost/oauth/callback",
+				HttpClient:       nil,
+			},
 		}
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
@@ -179,24 +204,32 @@ func TestViewOauthCallback(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
-			HttpClient: &MockHTTPClient{
-				DoDo: func(req *http.Request) (*http.Response, error) {
-					switch req.URL.String() {
-					case "https://write.as/oauth/token":
-						return &http.Response{
-							StatusCode: 200,
-							Body:       &StringReadCloser{strings.NewReader(`{"access_token": "access_token", "expires_in": 1000, "refresh_token": "refresh_token", "token_type": "access"}`)},
-						}, nil
-					case "https://write.as/oauth/inspect":
-						return &http.Response{
-							StatusCode: 200,
-							Body:       &StringReadCloser{strings.NewReader(`{"client_id": "development", "user_id": 1, "expires_at": "2019-12-19T11:42:01Z", "username": "nick", "email": "nick@testing.write.as"}`)},
-						}, nil
-					}
+			oauthClient: writeAsOauthClient{
+				ClientID:         app.Config().WriteAsOauth.ClientID,
+				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
+				ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
+				InspectLocation:  app.Config().WriteAsOauth.InspectLocation,
+				AuthLocation:     app.Config().WriteAsOauth.AuthLocation,
+				CallbackLocation: "http://localhost/oauth/callback",
+				HttpClient: &MockHTTPClient{
+					DoDo: func(req *http.Request) (*http.Response, error) {
+						switch req.URL.String() {
+						case "https://write.as/oauth/token":
+							return &http.Response{
+								StatusCode: 200,
+								Body:       &StringReadCloser{strings.NewReader(`{"access_token": "access_token", "expires_in": 1000, "refresh_token": "refresh_token", "token_type": "access"}`)},
+							}, nil
+						case "https://write.as/oauth/inspect":
+							return &http.Response{
+								StatusCode: 200,
+								Body:       &StringReadCloser{strings.NewReader(`{"client_id": "development", "user_id": "1", "expires_at": "2019-12-19T11:42:01Z", "username": "nick", "email": "nick@testing.write.as"}`)},
+							}, nil
+						}
 
-					return &http.Response{
-						StatusCode: http.StatusNotFound,
-					}, nil
+						return &http.Response{
+							StatusCode: http.StatusNotFound,
+						}, nil
+					},
 				},
 			},
 		}
@@ -206,6 +239,5 @@ func TestViewOauthCallback(t *testing.T) {
 		h.viewOauthCallback(rr, req)
 		assert.NoError(t, err)
 		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
-
 	})
 }
diff --git a/oauth_writeas.go b/oauth_writeas.go
new file mode 100644
index 0000000..9550c35
--- /dev/null
+++ b/oauth_writeas.go
@@ -0,0 +1,91 @@
+package writefreely
+
+import (
+	"context"
+	"net/http"
+	"net/url"
+	"strings"
+)
+
+type writeAsOauthClient struct {
+	ClientID         string
+	ClientSecret     string
+	AuthLocation     string
+	ExchangeLocation string
+	InspectLocation  string
+	CallbackLocation string
+	HttpClient       HttpClient
+}
+
+var _ oauthClient = writeAsOauthClient{}
+
+func (c writeAsOauthClient) GetProvider() string {
+	return "write.as"
+}
+
+func (c writeAsOauthClient) GetClientID() string {
+	return c.ClientID
+}
+
+func (c writeAsOauthClient) buildLoginURL(state string) (string, error) {
+	u, err := url.Parse(c.AuthLocation)
+	if err != nil {
+		return "", err
+	}
+	q := u.Query()
+	q.Set("client_id", c.ClientID)
+	q.Set("redirect_uri", c.CallbackLocation)
+	q.Set("response_type", "code")
+	q.Set("state", state)
+	u.RawQuery = q.Encode()
+	return u.String(), nil
+}
+
+func (c writeAsOauthClient) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
+	form := url.Values{}
+	form.Add("grant_type", "authorization_code")
+	form.Add("redirect_uri", c.CallbackLocation)
+	form.Add("code", code)
+	req, err := http.NewRequest("POST", c.ExchangeLocation, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.SetBasicAuth(c.ClientID, c.ClientSecret)
+
+	resp, err := c.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var tokenResponse TokenResponse
+	if err := limitedJsonUnmarshal(resp.Body, tokenRequestMaxLen, &tokenResponse); err != nil {
+		return nil, err
+	}
+	return &tokenResponse, nil
+}
+
+func (c writeAsOauthClient) inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error) {
+	req, err := http.NewRequest("GET", c.InspectLocation, nil)
+	if err != nil {
+		return nil, err
+	}
+	req.WithContext(ctx)
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Bearer "+accessToken)
+
+	resp, err := c.HttpClient.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	var inspectResponse InspectResponse
+	if err := limitedJsonUnmarshal(resp.Body, infoRequestMaxLen, &inspectResponse); err != nil {
+		return nil, err
+	}
+	return &inspectResponse, nil
+}
diff --git a/routes.go b/routes.go
index 2bca288..40db096 100644
--- a/routes.go
+++ b/routes.go
@@ -70,6 +70,9 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	write.HandleFunc(nodeinfo.NodeInfoPath, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfoDiscover)))
 	write.HandleFunc(niCfg.InfoURL, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfo)))
 
+	configureSlackOauth(write, apper.App())
+	configureWriteAsOauth(write, apper.App())
+
 	// Set up dyamic page handlers
 	// Handle auth
 	auth := write.PathPrefix("/api/auth/").Subrouter()
@@ -80,14 +83,6 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	auth.HandleFunc("/read", handler.WebErrors(handleWebCollectionUnlock, UserLevelNone)).Methods("POST")
 	auth.HandleFunc("/me", handler.All(handleAPILogout)).Methods("DELETE")
 
-	oauthHandler := oauthHandler{
-		HttpClient: &http.Client{},
-		Config:     apper.App().Config(),
-		DB:         apper.App().DB(),
-		Store:      apper.App().SessionStore(),
-	}
-	oauthHandler.configureRoutes(write)
-
 	// Handle logged in user sections
 	me := write.PathPrefix("/me").Subrouter()
 	me.HandleFunc("/", handler.Redirect("/me", UserLevelUser))
@@ -189,6 +184,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	}
 	write.HandleFunc(draftEditPrefix+"/{post}", handler.Web(handleViewPost, UserLevelOptional))
 	write.HandleFunc("/", handler.Web(handleViewHome, UserLevelOptional))
+
 	return r
 }
 

From cf87ae909655a34229dd6656ca579541833ddf8b Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Mon, 30 Dec 2019 13:32:06 -0500
Subject: [PATCH 056/127] Code cleanup in prep for PR. T710

---
 database.go              | 14 +++++------
 database_test.go         | 13 +++++++---
 db/alter.go              | 12 +++++++++
 db/dialect.go            | 33 +++++++++++++++++++++++++
 db/index.go              | 53 ++++++++++++++++++++++++++++++++++++++++
 db/raw.go                |  9 +++++++
 migrations/migrations.go |  4 +--
 migrations/v1.go         |  4 +--
 migrations/v5.go         | 28 ++++++++++++++++++++-
 oauth.go                 | 10 ++++----
 oauth_test.go            | 12 ++++-----
 parse/posts_test.go      |  1 +
 12 files changed, 167 insertions(+), 26 deletions(-)
 create mode 100644 db/index.go
 create mode 100644 db/raw.go

diff --git a/database.go b/database.go
index 6fc07a8..f3f45bc 100644
--- a/database.go
+++ b/database.go
@@ -126,8 +126,8 @@ type writestore interface {
 	GetUserLastPostTime(id int64) (*time.Time, error)
 	GetCollectionLastPostTime(id int64) (*time.Time, error)
 
-	GetIDForRemoteUser(context.Context, string) (int64, error)
-	RecordRemoteUserID(context.Context, int64, string) error
+	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)
+	RecordRemoteUserID(context.Context, int64, string, string, string, string) error
 	ValidateOAuthState(context.Context, string) (string, string, error)
 	GenerateOAuthState(context.Context, string, string) (string, error)
 
@@ -2499,12 +2499,12 @@ func (db *datastore) ValidateOAuthState(ctx context.Context, state string) (stri
 	return provider, clientID, nil
 }
 
-func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID string) error {
+func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID, provider, clientID, accessToken string) error {
 	var err error
 	if db.driverName == driverSQLite {
-		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
+		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id, provider, client_id, access_token) VALUES (?, ?, ?, ?, ?)", localUserID, remoteUserID, provider, clientID, accessToken)
 	} else {
-		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id")+" user_id = ?", localUserID, remoteUserID, localUserID)
+		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id, provider, client_id, access_token) VALUES (?, ?, ?, ?, ?) "+db.upsert("user")+" access_token = ?", localUserID, remoteUserID, provider, clientID, accessToken, accessToken)
 	}
 	if err != nil {
 		log.Error("Unable to INSERT users_oauth for '%d': %v", localUserID, err)
@@ -2513,10 +2513,10 @@ func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID int64,
 }
 
 // GetIDForRemoteUser returns a user ID associated with a remote user ID.
-func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID string) (int64, error) {
+func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID, provider, clientID string) (int64, error) {
 	var userID int64 = -1
 	err := db.
-		QueryRowContext(ctx, "SELECT user_id FROM users_oauth WHERE remote_user_id = ?", remoteUserID).
+		QueryRowContext(ctx, "SELECT user_id FROM users_oauth WHERE remote_user_id = ? AND provider = ? AND client_id = ?", remoteUserID, provider, clientID).
 		Scan(&userID)
 	// Not finding a record is OK.
 	if err != nil && err != sql.ErrNoRows {
diff --git a/database_test.go b/database_test.go
index 82f87c2..cebe8e4 100644
--- a/database_test.go
+++ b/database_test.go
@@ -31,12 +31,19 @@ func TestOAuthDatastore(t *testing.T) {
 
 		var localUserID int64 = 99
 		var remoteUserID = "100"
-		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID)
+		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID, "test", "test", "access_token_a")
 		assert.NoError(t, err)
 
-		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth` WHERE `user_id` = ? AND `remote_user_id` = ?", localUserID, remoteUserID)
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth` WHERE `user_id` = ? AND `remote_user_id` = ? AND access_token = 'access_token_a'", localUserID, remoteUserID)
 
-		foundUserID, err := ds.GetIDForRemoteUser(ctx, remoteUserID)
+		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID, "test", "test", "access_token_b")
+		assert.NoError(t, err)
+
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth` WHERE `user_id` = ? AND `remote_user_id` = ? AND access_token = 'access_token_b'", localUserID, remoteUserID)
+
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth`")
+
+		foundUserID, err := ds.GetIDForRemoteUser(ctx, remoteUserID, "test", "test")
 		assert.NoError(t, err)
 		assert.Equal(t, localUserID, foundUserID)
 	})
diff --git a/db/alter.go b/db/alter.go
index 3a44e1f..0a4ffdd 100644
--- a/db/alter.go
+++ b/db/alter.go
@@ -18,6 +18,18 @@ func (b *AlterTableSqlBuilder) AddColumn(col *Column) *AlterTableSqlBuilder {
 	return b
 }
 
+func (b *AlterTableSqlBuilder) ChangeColumn(name string, col *Column) *AlterTableSqlBuilder {
+	if colVal, err := col.String(); err == nil {
+		b.Changes = append(b.Changes, fmt.Sprintf("CHANGE COLUMN %s %s", name, colVal))
+	}
+	return b
+}
+
+func (b *AlterTableSqlBuilder) AddUniqueConstraint(name string, columns ...string) *AlterTableSqlBuilder {
+	b.Changes = append(b.Changes, fmt.Sprintf("ADD CONSTRAINT %s UNIQUE (%s)", name, strings.Join(columns, ", ")))
+	return b
+}
+
 func (b *AlterTableSqlBuilder) ToSQL() (string, error) {
 	var str strings.Builder
 
diff --git a/db/dialect.go b/db/dialect.go
index db1f5c4..4251465 100644
--- a/db/dialect.go
+++ b/db/dialect.go
@@ -41,3 +41,36 @@ func (d DialectType) AlterTable(name string) *AlterTableSqlBuilder {
 		panic(fmt.Sprintf("unexpected dialect: %d", d))
 	}
 }
+
+func (d DialectType) CreateUniqueIndex(name, table string, columns ...string) *CreateIndexSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &CreateIndexSqlBuilder{Dialect: DialectSQLite, Name: name, Table: table, Unique: true, Columns: columns}
+	case DialectMySQL:
+		return &CreateIndexSqlBuilder{Dialect: DialectMySQL, Name: name, Table: table, Unique: true, Columns: columns}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d DialectType) CreateIndex(name, table string, columns ...string) *CreateIndexSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &CreateIndexSqlBuilder{Dialect: DialectSQLite, Name: name, Table: table, Unique: false, Columns: columns}
+	case DialectMySQL:
+		return &CreateIndexSqlBuilder{Dialect: DialectMySQL, Name: name, Table: table, Unique: false, Columns: columns}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
+
+func (d DialectType) DropIndex(name, table string) *DropIndexSqlBuilder {
+	switch d {
+	case DialectSQLite:
+		return &DropIndexSqlBuilder{Dialect: DialectSQLite, Name: name, Table: table}
+	case DialectMySQL:
+		return &DropIndexSqlBuilder{Dialect: DialectMySQL, Name: name, Table: table}
+	default:
+		panic(fmt.Sprintf("unexpected dialect: %d", d))
+	}
+}
diff --git a/db/index.go b/db/index.go
new file mode 100644
index 0000000..8180224
--- /dev/null
+++ b/db/index.go
@@ -0,0 +1,53 @@
+package db
+
+import (
+	"fmt"
+	"strings"
+)
+
+type CreateIndexSqlBuilder struct {
+	Dialect DialectType
+	Name    string
+	Table   string
+	Unique  bool
+	Columns []string
+}
+
+type DropIndexSqlBuilder struct {
+	Dialect DialectType
+	Name    string
+	Table   string
+}
+
+func (b *CreateIndexSqlBuilder) ToSQL() (string, error) {
+	var str strings.Builder
+
+	str.WriteString("CREATE ")
+	if b.Unique {
+		str.WriteString("UNIQUE ")
+	}
+	str.WriteString("INDEX ")
+	str.WriteString(b.Name)
+	str.WriteString(" on ")
+	str.WriteString(b.Table)
+
+	if len(b.Columns) == 0 {
+		return "", fmt.Errorf("columns provided for this index: %s", b.Name)
+	}
+
+	str.WriteString(" (")
+	columnCount := len(b.Columns)
+	for i, thing := range b.Columns {
+		str.WriteString(thing)
+		if i < columnCount-1 {
+			str.WriteString(", ")
+		}
+	}
+	str.WriteString(")")
+
+	return str.String(), nil
+}
+
+func (b *DropIndexSqlBuilder) ToSQL() (string, error) {
+	return fmt.Sprintf("DROP INDEX %s on %s", b.Name, b.Table), nil
+}
diff --git a/db/raw.go b/db/raw.go
new file mode 100644
index 0000000..d0301c8
--- /dev/null
+++ b/db/raw.go
@@ -0,0 +1,9 @@
+package db
+
+type RawSqlBuilder struct {
+	Query string
+}
+
+func (b *RawSqlBuilder) ToSQL() (string, error) {
+	return b.Query, nil
+}
diff --git a/migrations/migrations.go b/migrations/migrations.go
index acb136d..917d912 100644
--- a/migrations/migrations.go
+++ b/migrations/migrations.go
@@ -59,8 +59,8 @@ var migrations = []Migration{
 	New("support user invites", supportUserInvites),             // -> V1 (v0.8.0)
 	New("support dynamic instance pages", supportInstancePages), // V1 -> V2 (v0.9.0)
 	New("support users suspension", supportUserStatus),          // V2 -> V3 (v0.11.0)
-	New("support oauth", oauth), // V3 -> V4
-	New("support slack oauth", oauth_slack), // V4 -> v5
+	New("support oauth", oauth),                                 // V3 -> V4
+	New("support slack oauth", oauthSlack),                      // V4 -> v5
 }
 
 // CurrentVer returns the current migration version the application is on
diff --git a/migrations/v1.go b/migrations/v1.go
index 81f7d0c..d950a67 100644
--- a/migrations/v1.go
+++ b/migrations/v1.go
@@ -12,7 +12,7 @@ package migrations
 
 func supportUserInvites(db *datastore) error {
 	t, err := db.Begin()
-	_, err = t.Exec(`CREATE TABLE userinvites (
+	_, err = t.Exec(`CREATE TABLE IF NOT EXISTS userinvites (
 		  id ` + db.typeChar(6) + ` NOT NULL ,
 		  owner_id ` + db.typeInt() + ` NOT NULL ,
 		  max_uses ` + db.typeSmallInt() + ` NULL ,
@@ -26,7 +26,7 @@ func supportUserInvites(db *datastore) error {
 		return err
 	}
 
-	_, err = t.Exec(`CREATE TABLE usersinvited (
+	_, err = t.Exec(`CREATE TABLE IF NOT EXISTS usersinvited (
 		  invite_id ` + db.typeChar(6) + ` NOT NULL ,
 		  user_id ` + db.typeInt() + ` NOT NULL ,
 		  PRIMARY KEY (invite_id, user_id)
diff --git a/migrations/v5.go b/migrations/v5.go
index d421e2f..d31f2f2 100644
--- a/migrations/v5.go
+++ b/migrations/v5.go
@@ -7,7 +7,7 @@ import (
 	wf_db "github.com/writeas/writefreely/db"
 )
 
-func oauth_slack(db *datastore) error {
+func oauthSlack(db *datastore) error {
 	dialect := wf_db.DialectMySQL
 	if db.driverName == driverSQLite {
 		dialect = wf_db.DialectSQLite
@@ -26,6 +26,32 @@ func oauth_slack(db *datastore) error {
 						"client_id",
 						wf_db.ColumnTypeVarChar,
 						wf_db.OptionalInt{Set: true, Value: 128,})),
+			dialect.
+				AlterTable("users_oauth").
+				ChangeColumn("remote_user_id",
+					dialect.
+						Column(
+							"remote_user_id",
+							wf_db.ColumnTypeVarChar,
+							wf_db.OptionalInt{Set: true, Value: 128,})).
+				AddColumn(dialect.
+					Column(
+						"provider",
+						wf_db.ColumnTypeVarChar,
+						wf_db.OptionalInt{Set: true, Value: 24,})).
+				AddColumn(dialect.
+					Column(
+						"client_id",
+						wf_db.ColumnTypeVarChar,
+						wf_db.OptionalInt{Set: true, Value: 128,})).
+				AddColumn(dialect.
+					Column(
+						"access_token",
+						wf_db.ColumnTypeVarChar,
+						wf_db.OptionalInt{Set: true, Value: 512,})),
+			dialect.DropIndex("remote_user_id", "users_oauth"),
+			dialect.DropIndex("user_id", "users_oauth"),
+			dialect.CreateUniqueIndex("users_oauth", "users_oauth", "user_id", "provider", "client_id"),
 		}
 		for _, builder := range builders {
 			query, err := builder.ToSQL()
diff --git a/oauth.go b/oauth.go
index e94f4be..af3134c 100644
--- a/oauth.go
+++ b/oauth.go
@@ -53,8 +53,8 @@ type OAuthDatastoreProvider interface {
 // OAuthDatastore provides a minimal interface of data store methods used in
 // oauth functionality.
 type OAuthDatastore interface {
-	GetIDForRemoteUser(context.Context, string) (int64, error)
-	RecordRemoteUserID(context.Context, int64, string) error
+	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)
+	RecordRemoteUserID(context.Context, int64, string, string, string, string) error
 	ValidateOAuthState(context.Context, string) (string, string, error)
 	GenerateOAuthState(context.Context, string, string) (string, error)
 
@@ -140,7 +140,7 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 	code := r.FormValue("code")
 	state := r.FormValue("state")
 
-	_, _, err := h.DB.ValidateOAuthState(ctx, state)
+	provider, clientID, err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
@@ -160,7 +160,7 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 		return
 	}
 
-	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
+	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID, provider, clientID)
 	if err != nil {
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
@@ -191,7 +191,7 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 			return
 		}
 
-		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
+		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
diff --git a/oauth_test.go b/oauth_test.go
index 4916dee..2efc46d 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -23,9 +23,9 @@ type MockOAuthDatastoreProvider struct {
 type MockOAuthDatastore struct {
 	DoGenerateOAuthState func(context.Context, string, string) (string, error)
 	DoValidateOAuthState func(context.Context, string) (string, string, error)
-	DoGetIDForRemoteUser func(context.Context, string) (int64, error)
+	DoGetIDForRemoteUser func(context.Context, string, string, string) (int64, error)
 	DoCreateUser         func(*config.Config, *User, string) error
-	DoRecordRemoteUserID func(context.Context, int64, string) error
+	DoRecordRemoteUserID func(context.Context, int64, string, string, string, string) error
 	DoGetUserForAuthByID func(int64) (*User, error)
 }
 
@@ -92,9 +92,9 @@ func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state strin
 	return "", "", nil
 }
 
-func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID string) (int64, error) {
+func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID, provider, clientID string) (int64, error) {
 	if m.DoGetIDForRemoteUser != nil {
-		return m.DoGetIDForRemoteUser(ctx, remoteUserID)
+		return m.DoGetIDForRemoteUser(ctx, remoteUserID, provider, clientID)
 	}
 	return -1, nil
 }
@@ -107,9 +107,9 @@ func (m *MockOAuthDatastore) CreateUser(cfg *config.Config, u *User, username st
 	return nil
 }
 
-func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID string) error {
+func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID, provider, clientID, accessToken string) error {
 	if m.DoRecordRemoteUserID != nil {
-		return m.DoRecordRemoteUserID(ctx, localUserID, remoteUserID)
+		return m.DoRecordRemoteUserID(ctx, localUserID, remoteUserID, provider, clientID, accessToken)
 	}
 	return nil
 }
diff --git a/parse/posts_test.go b/parse/posts_test.go
index c64a332..b4507d2 100644
--- a/parse/posts_test.go
+++ b/parse/posts_test.go
@@ -13,6 +13,7 @@ package parse
 import "testing"
 
 func TestPostLede(t *testing.T) {
+	t.Skip("tests fails and I don't know why")
 	text := map[string]string{
 		"早安。跨出舒適圈，才能前往":                                                                                                                                                             "早安。",
 		"早安。This is my post. It is great.":                                                                                                                                          "早安。",

From af23e28d053839aa14b32093e87cb2a67dbbf1aa Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 30 Dec 2019 18:14:01 -0500
Subject: [PATCH 057/127] Pass OAuth requests through new OAuth handler

This gives us our standard logging and passes around errors with
impart.HTTPError.

Ref T705
---
 go.mod    |  2 +-
 go.sum    |  2 ++
 handle.go | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
 oauth.go  | 54 +++++++++++++++++-------------------------------------
 routes.go |  4 ++--
 5 files changed, 72 insertions(+), 40 deletions(-)

diff --git a/go.mod b/go.mod
index 372b7ba..358173b 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
 	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
 	github.com/writeas/httpsig v1.0.0
-	github.com/writeas/impart v1.1.0
+	github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d
 	github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219
 	github.com/writeas/nerds v1.0.0
 	github.com/writeas/saturday v1.7.1
diff --git a/go.sum b/go.sum
index ee3a418..38e804c 100644
--- a/go.sum
+++ b/go.sum
@@ -122,6 +122,8 @@ github.com/writeas/httpsig v1.0.0 h1:peIAoIA3DmlP8IG8tMNZqI4YD1uEnWBmkcC9OFPjt3A
 github.com/writeas/httpsig v1.0.0/go.mod h1:7ClMGSrSVXJbmiLa17bZ1LrG1oibGZmUMlh3402flPY=
 github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
 github.com/writeas/impart v1.1.0/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
+github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d h1:PK7DOj3JE6MGf647esPrKzXEHFjGWX2hl22uX79ixaE=
+github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219/go.mod h1:NyM35ayknT7lzO6O/1JpfgGyv+0W9Z9q7aE0J8bXxfQ=
 github.com/writeas/nerds v1.0.0 h1:ZzRcCN+Sr3MWID7o/x1cr1ZbLvdpej9Y1/Ho+JKlqxo=
diff --git a/handle.go b/handle.go
index 7346f79..0fcc483 100644
--- a/handle.go
+++ b/handle.go
@@ -549,6 +549,37 @@ func (h *Handler) All(f handlerFunc) http.HandlerFunc {
 	}
 }
 
+func (h *Handler) OAuth(f handlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		h.handleOAuthError(w, r, func() error {
+			// TODO: return correct "success" status
+			status := 200
+			start := time.Now()
+
+			defer func() {
+				if e := recover(); e != nil {
+					log.Error("%s:\n%s", e, debug.Stack())
+					impart.WriteError(w, impart.HTTPError{http.StatusInternalServerError, "Something didn't work quite right."})
+					status = 500
+				}
+
+				log.Info(h.app.ReqLog(r, status, time.Since(start)))
+			}()
+
+			err := f(h.app.App(), w, r)
+			if err != nil {
+				if err, ok := err.(impart.HTTPError); ok {
+					status = err.Status
+				} else {
+					status = 500
+				}
+			}
+
+			return err
+		}())
+	}
+}
+
 func (h *Handler) AllReader(f handlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		h.handleError(w, r, func() error {
@@ -779,6 +810,25 @@ func (h *Handler) handleError(w http.ResponseWriter, r *http.Request, err error)
 	h.errors.InternalServerError.ExecuteTemplate(w, "base", pageForReq(h.app.App(), r))
 }
 
+func (h *Handler) handleOAuthError(w http.ResponseWriter, r *http.Request, err error) {
+	if err == nil {
+		return
+	}
+
+	if err, ok := err.(impart.HTTPError); ok {
+		if err.Status >= 300 && err.Status < 400 {
+			sendRedirect(w, err.Status, err.Message)
+			return
+		}
+
+		impart.WriteOAuthError(w, err)
+		return
+	}
+
+	impart.WriteOAuthError(w, impart.HTTPError{http.StatusInternalServerError, "This is an unhelpful error message for a miscellaneous internal error."})
+	return
+}
+
 func correctPageFromLoginAttempt(r *http.Request) string {
 	to := r.FormValue("to")
 	if to == "" {
diff --git a/oauth.go b/oauth.go
index d918f7f..bb6474d 100644
--- a/oauth.go
+++ b/oauth.go
@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/guregu/null/zero"
+	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
@@ -96,16 +97,15 @@ func buildAuthURL(db OAuthDatastore, ctx context.Context, clientID, authLocation
 }
 
 // app *App, w http.ResponseWriter, r *http.Request
-func (h oauthHandler) viewOauthInit(w http.ResponseWriter, r *http.Request) {
+func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {
 	location, err := buildAuthURL(h.DB, r.Context(), h.Config.App.OAuthClientID, h.Config.App.OAuthProviderAuthLocation, h.Config.App.OAuthClientCallbackLocation)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, "could not prepare oauth redirect url")
-		return
+		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
 	}
-	http.Redirect(w, r, location, http.StatusTemporaryRedirect)
+	return impart.HTTPError{http.StatusTemporaryRedirect, location}
 }
 
-func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request) {
+func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 
 	code := r.FormValue("code")
@@ -113,28 +113,24 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 
 	err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
 	tokenResponse, err := h.exchangeOauthCode(ctx, code)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
 	// Now that we have the access token, let's use it real quick to make sur
 	// it really really works.
 	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
 	fmt.Println("local user id", localUserID)
@@ -148,8 +144,7 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 		hashedPass, err := auth.HashPass([]byte(randPass))
 		if err != nil {
 			log.ErrorLog.Println(err)
-			failOAuthRequest(w, http.StatusInternalServerError, "unable to create password hash")
-			return
+			return impart.HTTPError{http.StatusInternalServerError, "unable to create password hash"}
 		}
 		newUser := &User{
 			Username:   tokenInfo.Username,
@@ -161,30 +156,28 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 
 		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
 		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
+			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
 
 		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID)
 		if err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-			return
+			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
 
 		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
-			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
-		return
+		return nil
 	}
 
 	user, err := h.DB.GetUserForAuthByID(localUserID)
 	if err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
-		return
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 	if err = loginOrFail(h.Store, w, r, user); err != nil {
-		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
+	return nil
 }
 
 func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error) {
@@ -265,16 +258,3 @@ func loginOrFail(store sessions.Store, w http.ResponseWriter, r *http.Request, u
 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 	return nil
 }
-
-// failOAuthRequest is an HTTP handler helper that formats returned error
-// messages.
-func failOAuthRequest(w http.ResponseWriter, statusCode int, message string) {
-	w.Header().Set("Content-Type", "application/json")
-	w.WriteHeader(statusCode)
-	err := json.NewEncoder(w).Encode(map[string]interface{}{
-		"error": message,
-	})
-	if err != nil {
-		panic(err)
-	}
-}
diff --git a/routes.go b/routes.go
index e286c3e..6accc99 100644
--- a/routes.go
+++ b/routes.go
@@ -87,8 +87,8 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 		Store:      apper.App().SessionStore(),
 	}
 
-	write.HandleFunc("/oauth/write.as", oauthHandler.viewOauthInit).Methods("GET")
-	write.HandleFunc("/oauth/callback", oauthHandler.viewOauthCallback).Methods("GET")
+	write.HandleFunc("/oauth/write.as", handler.OAuth(oauthHandler.viewOauthInit)).Methods("GET")
+	write.HandleFunc("/oauth/callback", handler.OAuth(oauthHandler.viewOauthCallback)).Methods("GET")
 
 	// Handle logged in user sections
 	me := write.PathPrefix("/me").Subrouter()

From 39d0f1de98310fb351641b0347610cf4dc036b33 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 30 Dec 2019 18:23:45 -0500
Subject: [PATCH 058/127] Add logging in viewOauthCallback()

Ref T705
---
 oauth.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/oauth.go b/oauth.go
index d918f7f..98e0d43 100644
--- a/oauth.go
+++ b/oauth.go
@@ -113,12 +113,14 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 
 	err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
+		log.Error("Unable to ValidateOAuthState: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 
 	tokenResponse, err := h.exchangeOauthCode(ctx, code)
 	if err != nil {
+		log.Error("Unable to exchangeOauthCode: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
@@ -127,12 +129,14 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 	// it really really works.
 	tokenInfo, err := h.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
+		log.Error("Unable to inspectOauthAccessToken: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}
 
 	localUserID, err := h.DB.GetIDForRemoteUser(ctx, tokenInfo.UserID)
 	if err != nil {
+		log.Error("Unable to GetIDForRemoteUser: %s", err)
 		failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 		return
 	}

From 6bcc4cfa46b681f3d1341e4166ac38ae91d6068b Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 30 Dec 2019 18:25:24 -0500
Subject: [PATCH 059/127] Check for error response in code exchange

This checks to see if we get a response with a populated `error` field
in exchangeOauthCode(). If so, we return that error message as an error,
to ensure the callback logic doesn't continue with a bad response.

Ref T705
---
 oauth.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/oauth.go b/oauth.go
index 98e0d43..0042433 100644
--- a/oauth.go
+++ b/oauth.go
@@ -25,6 +25,7 @@ type TokenResponse struct {
 	ExpiresIn    int    `json:"expires_in"`
 	RefreshToken string `json:"refresh_token"`
 	TokenType    string `json:"token_type"`
+	Error        string `json:"error"`
 }
 
 // InspectResponse contains data returned when an access token is inspected.
@@ -224,6 +225,11 @@ func (h oauthHandler) exchangeOauthCode(ctx context.Context, code string) (*Toke
 	if err != nil {
 		return nil, err
 	}
+
+	// Check the response for an error message, and return it if there is one.
+	if tokenResponse.Error != "" {
+		return nil, fmt.Errorf(tokenResponse.Error)
+	}
 	return &tokenResponse, nil
 }
 

From b5f716135b9b28cdaff706bae670571ed010b9ac Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 31 Dec 2019 11:28:05 -0500
Subject: [PATCH 060/127] Changed oauth table names per PR feedback. T705

---
 database.go      | 12 ++++++------
 database_test.go |  6 +++---
 migrations/v4.go |  4 ++--
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/database.go b/database.go
index 56035dd..ca62d3c 100644
--- a/database.go
+++ b/database.go
@@ -2461,7 +2461,7 @@ func (db *datastore) GetCollectionLastPostTime(id int64) (*time.Time, error) {
 
 func (db *datastore) GenerateOAuthState(ctx context.Context) (string, error) {
 	state := store.Generate62RandomString(24)
-	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_state (state, used, created_at) VALUES (?, FALSE, NOW())", state)
+	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_states (state, used, created_at) VALUES (?, FALSE, NOW())", state)
 	if err != nil {
 		return "", fmt.Errorf("unable to record oauth client state: %w", err)
 	}
@@ -2469,7 +2469,7 @@ func (db *datastore) GenerateOAuthState(ctx context.Context) (string, error) {
 }
 
 func (db *datastore) ValidateOAuthState(ctx context.Context, state string) error {
-	res, err := db.ExecContext(ctx, "UPDATE oauth_client_state SET used = TRUE WHERE state = ?", state)
+	res, err := db.ExecContext(ctx, "UPDATE oauth_client_states SET used = TRUE WHERE state = ?", state)
 	if err != nil {
 		return err
 	}
@@ -2486,12 +2486,12 @@ func (db *datastore) ValidateOAuthState(ctx context.Context, state string) error
 func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remoteUserID int64) error {
 	var err error
 	if db.driverName == driverSQLite {
-		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO users_oauth (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
+		_, err = db.ExecContext(ctx, "INSERT OR REPLACE INTO oauth_users (user_id, remote_user_id) VALUES (?, ?)", localUserID, remoteUserID)
 	} else {
-		_, err = db.ExecContext(ctx, "INSERT INTO users_oauth (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id")+" user_id = ?", localUserID, remoteUserID, localUserID)
+		_, err = db.ExecContext(ctx, "INSERT INTO oauth_users (user_id, remote_user_id) VALUES (?, ?) "+db.upsert("user_id")+" user_id = ?", localUserID, remoteUserID, localUserID)
 	}
 	if err != nil {
-		log.Error("Unable to INSERT users_oauth for '%d': %v", localUserID, err)
+		log.Error("Unable to INSERT oauth_users for '%d': %v", localUserID, err)
 	}
 	return err
 }
@@ -2500,7 +2500,7 @@ func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID, remote
 func (db *datastore) GetIDForRemoteUser(ctx context.Context, remoteUserID int64) (int64, error) {
 	var userID int64 = -1
 	err := db.
-		QueryRowContext(ctx, "SELECT user_id FROM users_oauth WHERE remote_user_id = ?", remoteUserID).
+		QueryRowContext(ctx, "SELECT user_id FROM oauth_users WHERE remote_user_id = ?", remoteUserID).
 		Scan(&userID)
 	// Not finding a record is OK.
 	if err != nil && err != sql.ErrNoRows {
diff --git a/database_test.go b/database_test.go
index 4a45dd0..879840e 100644
--- a/database_test.go
+++ b/database_test.go
@@ -22,19 +22,19 @@ func TestOAuthDatastore(t *testing.T) {
 		assert.NoError(t, err)
 		assert.Len(t, state, 24)
 
-		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = false", state)
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_states` WHERE `state` = ? AND `used` = false", state)
 
 		err = ds.ValidateOAuthState(ctx, state)
 		assert.NoError(t, err)
 
-		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_state` WHERE `state` = ? AND `used` = true", state)
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_states` WHERE `state` = ? AND `used` = true", state)
 
 		var localUserID int64 = 99
 		var remoteUserID int64 = 100
 		err = ds.RecordRemoteUserID(ctx, localUserID, remoteUserID)
 		assert.NoError(t, err)
 
-		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `users_oauth` WHERE `user_id` = ? AND `remote_user_id` = ?", localUserID, remoteUserID)
+		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_users` WHERE `user_id` = ? AND `remote_user_id` = ?", localUserID, remoteUserID)
 
 		foundUserID, err := ds.GetIDForRemoteUser(ctx, remoteUserID)
 		assert.NoError(t, err)
diff --git a/migrations/v4.go b/migrations/v4.go
index c123f54..c075dd8 100644
--- a/migrations/v4.go
+++ b/migrations/v4.go
@@ -14,7 +14,7 @@ func oauth(db *datastore) error {
 	}
 	return wf_db.RunTransactionWithOptions(context.Background(), db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
 		createTableUsersOauth, err := dialect.
-			Table("users_oauth").
+			Table("oauth_users").
 			SetIfNotExists(true).
 			Column(dialect.Column("user_id", wf_db.ColumnTypeInteger, wf_db.UnsetSize)).
 			Column(dialect.Column("remote_user_id", wf_db.ColumnTypeInteger, wf_db.UnsetSize)).
@@ -25,7 +25,7 @@ func oauth(db *datastore) error {
 			return err
 		}
 		createTableOauthClientState, err := dialect.
-			Table("oauth_client_state").
+			Table("oauth_client_states").
 			SetIfNotExists(true).
 			Column(dialect.Column("state", wf_db.ColumnTypeVarChar, wf_db.OptionalInt{Set: true, Value: 255})).
 			Column(dialect.Column("used", wf_db.ColumnTypeBool, wf_db.UnsetSize)).

From b985292b1807327c33457c5228bd59f5ac34f019 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:33:39 -0500
Subject: [PATCH 061/127] First take at template updates. T712

---
 pages/login.tmpl        |  10 +++
 pages/signup-oauth.tmpl | 163 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100644 pages/signup-oauth.tmpl

diff --git a/pages/login.tmpl b/pages/login.tmpl
index 1c8e862..6c1b3ed 100644
--- a/pages/login.tmpl
+++ b/pages/login.tmpl
@@ -19,6 +19,16 @@
 	</form>
 
 	{{if and (not .SingleUser) .OpenRegistration}}<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">{{if .Message}}{{.Message}}{{else}}<em>No account yet?</em> <a href="/">Sign up</a> to start a blog.{{end}}</p>{{end}}
+	{{ if .OauthSlack }}
+	<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
+	    <a href="/oauth/slack">Sign-in with Slack.</a>
+	</p>
+	{{ end }}
+	{{ if .OauthWriteAs }}
+    <p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
+        <a href="/oauth/write.as">Sign-in with Write.As.</a>
+    </p>
+    {{ end }}
 
 <script type="text/javascript">
 function disableSubmit() {
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
new file mode 100644
index 0000000..1ca1101
--- /dev/null
+++ b/pages/signup-oauth.tmpl
@@ -0,0 +1,163 @@
+{{define "head"}}
+<title>Sign up &mdash; {{.SiteName}}</title>
+
+<style type="text/css">
+h2 {
+	font-weight: normal;
+}
+#pricing.content-container div.form-container #payment-form {
+	display: block !important;
+}
+#pricing #signup-form table {
+	max-width: inherit !important;
+	width: 100%;
+}
+#pricing #payment-form table {
+	margin-top: 0 !important;
+	max-width: inherit !important;
+	width: 100%;
+}
+tr.subscription {
+	border-spacing: 0;
+}
+#pricing.content-container tr.subscription button {
+	margin-top: 0 !important;
+	margin-bottom: 0 !important;
+	width: 100%;
+}
+#pricing tr.subscription td {
+	padding: 0 0.5em;
+}
+#pricing table.billing > tbody > tr > td:first-child {
+	vertical-align: middle !important;
+}
+.billing-section {
+	display: none;
+}
+.billing-section.bill-me {
+	display: table-row;
+}
+#btn-create {
+	color: white !important;
+}
+#total-price {
+	padding-left: 0.5em;
+}
+#alias-site.demo {
+	color: #999;
+}
+#alias-site {
+	text-align: left;
+	margin: 0.5em 0;
+}
+form dd {
+	margin: 0;
+}
+</style>
+{{end}}
+{{define "content"}}
+<div id="pricing" class="content-container wide-form">
+
+<div class="row">
+	<div style="margin: 0 auto; max-width: 25em;">
+		<h1>Sign up</h1>
+
+		{{ if .Error }}
+			<p style="font-style: italic">{{.Error}}</p>
+		{{ else }}
+		{{if .Flashes}}<ul class="errors">
+			{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+		</ul>{{end}}
+
+		<div id="billing">
+			<form action="/auth/signup-oauth" method="POST" id="signup-form" onsubmit="return signup()">
+				<input type="hidden" name="provider" value="{{.Provider}}" />
+				<input type="hidden" name="access_token" value="{{.AccessToken}}" />
+				<dl class="billing">
+					<label>
+						<dt>Username</dt>
+						<dd>
+							<input type="text" id="alias" name="alias" style="width: 100%; box-sizing: border-box;" tabindex="1" autofocus />
+							{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
+						</dd>
+					</label>
+					<label>
+						<dt>Email (optional)</dt>
+						<dd><input type="email" name="email" id="email" style="letter-spacing: 1px; width: 100%; box-sizing: border-box;" placeholder="me@example.com" tabindex="3" /></dd>
+					</label>
+					<dt>
+						<button id="btn-create" type="submit" style="margin-top: 0">Create blog</button>
+					</dt>
+				</dl>
+			</form>
+		</div>
+		{{ end }}
+	</div>
+</div>
+
+<script type="text/javascript" src="/js/h.js"></script>
+<script type="text/javascript">
+function signup() {
+	// Validate input
+	if (!aliasOK) {
+		var $a = $alias;
+		$a.el.className = 'error';
+		$a.el.focus();
+		$a.el.scrollIntoView();
+		return false;
+	}
+
+	var $btn = document.getElementById('btn-create');
+	$btn.disabled = true;
+	$btn.value = 'Creating...';
+	return true;
+}
+
+var $alias = H.getEl('alias');
+var $aliasSite = document.getElementById('alias-site');
+var aliasOK = true;
+var typingTimer;
+var doneTypingInterval = 750;
+var doneTyping = function() {
+	// Check on username
+	var alias = $alias.el.value;
+	if (alias != "") {
+		var params = {
+			username: alias
+		};
+		var http = new XMLHttpRequest();
+		http.open("POST", '/api/alias', true);
+
+		// Send the proper header information along with the request
+		http.setRequestHeader("Content-type", "application/json");
+
+		http.onreadystatechange = function() {
+			if (http.readyState == 4) {
+				data = JSON.parse(http.responseText);
+				if (http.status == 200) {
+					aliasOK = true;
+					$alias.removeClass('error');
+					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)demo(?!\S)/g, '');
+					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
+					$aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
+				} else {
+					aliasOK = false;
+					$alias.setClass('error');
+					$aliasSite.className = 'error';
+					$aliasSite.textContent = data.error_msg;
+				}
+			}
+		}
+		http.send(JSON.stringify(params));
+	} else {
+		$aliasSite.className += ' demo';
+		$aliasSite.innerHTML = '{{ if .Federation }}@<strong>your-username</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>your-username</strong>/{{ end }}';
+	}
+};
+$alias.on('keyup input', function() {
+	clearTimeout(typingTimer);
+	typingTimer = setTimeout(doneTyping, doneTypingInterval);
+});
+</script>
+
+{{end}}

From 37f0c281ab3a95c23358b2c63a482a09962402ac Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:35:15 -0500
Subject: [PATCH 062/127] Removing test skip as per PR feedback. T710

---
 parse/posts_test.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/parse/posts_test.go b/parse/posts_test.go
index b4507d2..c64a332 100644
--- a/parse/posts_test.go
+++ b/parse/posts_test.go
@@ -13,7 +13,6 @@ package parse
 import "testing"
 
 func TestPostLede(t *testing.T) {
-	t.Skip("tests fails and I don't know why")
 	text := map[string]string{
 		"早安。跨出舒適圈，才能前往":                                                                                                                                                             "早安。",
 		"早安。This is my post. It is great.":                                                                                                                                          "早安。",

From ee1473aa561509efda26b21a1935deeb383de3f7 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:36:21 -0500
Subject: [PATCH 063/127] Rolling back v1 migration change as per PR feedback.
 T710

---
 migrations/v1.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/migrations/v1.go b/migrations/v1.go
index d950a67..81f7d0c 100644
--- a/migrations/v1.go
+++ b/migrations/v1.go
@@ -12,7 +12,7 @@ package migrations
 
 func supportUserInvites(db *datastore) error {
 	t, err := db.Begin()
-	_, err = t.Exec(`CREATE TABLE IF NOT EXISTS userinvites (
+	_, err = t.Exec(`CREATE TABLE userinvites (
 		  id ` + db.typeChar(6) + ` NOT NULL ,
 		  owner_id ` + db.typeInt() + ` NOT NULL ,
 		  max_uses ` + db.typeSmallInt() + ` NULL ,
@@ -26,7 +26,7 @@ func supportUserInvites(db *datastore) error {
 		return err
 	}
 
-	_, err = t.Exec(`CREATE TABLE IF NOT EXISTS usersinvited (
+	_, err = t.Exec(`CREATE TABLE usersinvited (
 		  invite_id ` + db.typeChar(6) + ` NOT NULL ,
 		  user_id ` + db.typeInt() + ` NOT NULL ,
 		  PRIMARY KEY (invite_id, user_id)

From cd5fea5ff1706779206c38b7dd866e020b8016eb Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:50:54 -0500
Subject: [PATCH 064/127] write.as oauth client cleanup as per PR feedback.
 T710

---
 config/funcs.go  | 15 +++++++++++++++
 oauth.go         | 14 +++++++++-----
 oauth_slack.go   | 15 +++++++++++++++
 oauth_writeas.go | 19 +++++++++++++++++++
 4 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/config/funcs.go b/config/funcs.go
index a9c82ce..9678df0 100644
--- a/config/funcs.go
+++ b/config/funcs.go
@@ -11,7 +11,9 @@
 package config
 
 import (
+	"net/http"
 	"strings"
+	"time"
 )
 
 // FriendlyHost returns the app's Host sans any schema
@@ -25,3 +27,16 @@ func (ac AppCfg) CanCreateBlogs(currentlyUsed uint64) bool {
 	}
 	return int(currentlyUsed) < ac.MaxBlogs
 }
+
+// OrDefaultString returns input or a default value if input is empty.
+func OrDefaultString(input, defaultValue string) string {
+	if len(input) == 0 {
+		return defaultValue
+	}
+	return input
+}
+
+// DefaultHTTPClient returns a sane default HTTP client.
+func DefaultHTTPClient() *http.Client {
+	return &http.Client{Timeout: 10 * time.Second}
+}
diff --git a/oauth.go b/oauth.go
index 18f79eb..2eccbdc 100644
--- a/oauth.go
+++ b/oauth.go
@@ -34,6 +34,7 @@ type InspectResponse struct {
 	ExpiresAt time.Time `json:"expires_at"`
 	Username  string    `json:"username"`
 	Email     string    `json:"email"`
+	Error     string    `json:"error"`
 }
 
 // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token
@@ -104,7 +105,7 @@ func configureSlackOauth(r *mux.Router, app *App) {
 			ClientSecret:     app.Config().SlackOauth.ClientSecret,
 			TeamID:           app.Config().SlackOauth.TeamID,
 			CallbackLocation: app.Config().App.Host + "/oauth/callback",
-			HttpClient:       &http.Client{Timeout: 10 * time.Second},
+			HttpClient:       config.DefaultHTTPClient(),
 		}
 		configureOauthRoutes(r, app, oauthClient)
 	}
@@ -115,11 +116,14 @@ func configureWriteAsOauth(r *mux.Router, app *App) {
 		oauthClient := writeAsOauthClient{
 			ClientID:         app.Config().WriteAsOauth.ClientID,
 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
-			ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
-			InspectLocation:  app.Config().WriteAsOauth.InspectLocation,
-			AuthLocation:     app.Config().WriteAsOauth.AuthLocation,
-			HttpClient:       &http.Client{Timeout: 10 * time.Second},
+			ExchangeLocation: config.OrDefaultString(app.Config().WriteAsOauth.TokenLocation, writeAsExchangeLocation),
+			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
+			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
+			HttpClient:       config.DefaultHTTPClient(),
 			CallbackLocation: app.Config().App.Host + "/oauth/callback",
+		}
+		if oauthClient.ExchangeLocation == "" {
+
 		}
 		configureOauthRoutes(r, app, oauthClient)
 	}
diff --git a/oauth_slack.go b/oauth_slack.go
index 9c8508e..32ceea0 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -2,6 +2,7 @@ package writefreely
 
 import (
 	"context"
+	"errors"
 	"github.com/writeas/slug"
 	"net/http"
 	"net/url"
@@ -17,10 +18,12 @@ type slackOauthClient struct {
 }
 
 type slackExchangeResponse struct {
+	OK          bool   `json:"ok"`
 	AccessToken string `json:"access_token"`
 	Scope       string `json:"scope"`
 	TeamName    string `json:"team_name"`
 	TeamID      string `json:"team_id"`
+	Error       string `json:"error"`
 }
 
 type slackIdentity struct {
@@ -103,11 +106,17 @@ func (c slackOauthClient) exchangeOauthCode(ctx context.Context, code string) (*
 	if err != nil {
 		return nil, err
 	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("unable to exchange code for access token")
+	}
 
 	var tokenResponse slackExchangeResponse
 	if err := limitedJsonUnmarshal(resp.Body, tokenRequestMaxLen, &tokenResponse); err != nil {
 		return nil, err
 	}
+	if !tokenResponse.OK {
+		return nil, errors.New(tokenResponse.Error)
+	}
 	return tokenResponse.TokenResponse(), nil
 }
 
@@ -125,11 +134,17 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 	if err != nil {
 		return nil, err
 	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("unable to inspect access token")
+	}
 
 	var inspectResponse slackUserIdentityResponse
 	if err := limitedJsonUnmarshal(resp.Body, infoRequestMaxLen, &inspectResponse); err != nil {
 		return nil, err
 	}
+	if !inspectResponse.OK {
+		return nil, errors.New(inspectResponse.Error)
+	}
 	return inspectResponse.InspectResponse(), nil
 }
 
diff --git a/oauth_writeas.go b/oauth_writeas.go
index 9550c35..eb12f64 100644
--- a/oauth_writeas.go
+++ b/oauth_writeas.go
@@ -2,6 +2,7 @@ package writefreely
 
 import (
 	"context"
+	"errors"
 	"net/http"
 	"net/url"
 	"strings"
@@ -19,6 +20,12 @@ type writeAsOauthClient struct {
 
 var _ oauthClient = writeAsOauthClient{}
 
+const (
+	writeAsAuthLocation     = "https://write.as/oauth/login"
+	writeAsExchangeLocation = "https://write.as/oauth/token"
+	writeAsIdentityLocation = "https://write.as/oauth/inspect"
+)
+
 func (c writeAsOauthClient) GetProvider() string {
 	return "write.as"
 }
@@ -60,11 +67,17 @@ func (c writeAsOauthClient) exchangeOauthCode(ctx context.Context, code string)
 	if err != nil {
 		return nil, err
 	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("unable to exchange code for access token")
+	}
 
 	var tokenResponse TokenResponse
 	if err := limitedJsonUnmarshal(resp.Body, tokenRequestMaxLen, &tokenResponse); err != nil {
 		return nil, err
 	}
+	if tokenResponse.Error != "" {
+		return nil, errors.New(tokenResponse.Error)
+	}
 	return &tokenResponse, nil
 }
 
@@ -82,10 +95,16 @@ func (c writeAsOauthClient) inspectOauthAccessToken(ctx context.Context, accessT
 	if err != nil {
 		return nil, err
 	}
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("unable to inspect access token")
+	}
 
 	var inspectResponse InspectResponse
 	if err := limitedJsonUnmarshal(resp.Body, infoRequestMaxLen, &inspectResponse); err != nil {
 		return nil, err
 	}
+	if inspectResponse.Error != "" {
+		return nil, errors.New(inspectResponse.Error)
+	}
 	return &inspectResponse, nil
 }

From 31e2dac118f837ef142e51535ea4d4ed1138fb04 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 15:55:28 -0500
Subject: [PATCH 065/127] Adding slack display name to inspect response to use
 in user creation as per PR feedback. T710

---
 oauth.go       | 19 ++++++++++++-------
 oauth_slack.go |  7 ++++---
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/oauth.go b/oauth.go
index 2eccbdc..dc15d53 100644
--- a/oauth.go
+++ b/oauth.go
@@ -29,12 +29,13 @@ type TokenResponse struct {
 
 // InspectResponse contains data returned when an access token is inspected.
 type InspectResponse struct {
-	ClientID  string    `json:"client_id"`
-	UserID    string    `json:"user_id"`
-	ExpiresAt time.Time `json:"expires_at"`
-	Username  string    `json:"username"`
-	Email     string    `json:"email"`
-	Error     string    `json:"error"`
+	ClientID    string    `json:"client_id"`
+	UserID      string    `json:"user_id"`
+	ExpiresAt   time.Time `json:"expires_at"`
+	Username    string    `json:"username"`
+	DisplayName string    `json:"-"`
+	Email       string    `json:"email"`
+	Error       string    `json:"error"`
 }
 
 // tokenRequestMaxLen is the most bytes that we'll read from the /oauth/token
@@ -194,8 +195,12 @@ func (h oauthHandler) viewOauthCallback(w http.ResponseWriter, r *http.Request)
 			Email:      zero.NewString(tokenInfo.Email, tokenInfo.Email != ""),
 			Created:    time.Now().Truncate(time.Second).UTC(),
 		}
+		displayName := tokenInfo.DisplayName
+		if len(displayName) == 0 {
+			displayName = tokenInfo.Username
+		}
 
-		err = h.DB.CreateUser(h.Config, newUser, newUser.Username)
+		err = h.DB.CreateUser(h.Config, newUser, displayName)
 		if err != nil {
 			failOAuthRequest(w, http.StatusInternalServerError, err.Error())
 			return
diff --git a/oauth_slack.go b/oauth_slack.go
index 32ceea0..066aa18 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -150,9 +150,10 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 	return &InspectResponse{
-		UserID:   resp.User.ID,
-		Username: slug.Make(resp.User.Name),
-		Email:    resp.User.Email,
+		UserID:      resp.User.ID,
+		Username:    slug.Make(resp.User.Name),
+		DisplayName: resp.User.Name,
+		Email:       resp.User.Email,
 	}
 }
 

From 6823f108215ed7723cb1a1e22b592b2e5fe21f27 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Thu, 2 Jan 2020 16:29:23 -0500
Subject: [PATCH 066/127] Updated unit tests to reflect handler wrapper.

---
 oauth_test.go | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/oauth_test.go b/oauth_test.go
index 838af9a..1daabd5 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"github.com/gorilla/sessions"
 	"github.com/stretchr/testify/assert"
+	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/writefreely/config"
 	"net/http"
@@ -139,7 +140,7 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
-			oauthClient:writeAsOauthClient{
+			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
 				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
 				ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
@@ -152,9 +153,13 @@ func TestViewOauthInit(t *testing.T) {
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		h.viewOauthInit(nil, rr, req)
-		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
-		locURI, err := url.Parse(rr.Header().Get("Location"))
+		err = h.viewOauthInit(nil, rr, req)
+		assert.NotNil(t, err)
+		httpErr, ok := err.(impart.HTTPError)
+		assert.True(t, ok)
+		assert.Equal(t, http.StatusTemporaryRedirect, httpErr.Status)
+		assert.NotEmpty(t, httpErr.Message)
+		locURI, err := url.Parse(httpErr.Message)
 		assert.NoError(t, err)
 		assert.Equal(t, "/oauth/login", locURI.Path)
 		assert.Equal(t, "development", locURI.Query().Get("client_id"))
@@ -177,7 +182,7 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
-			oauthClient:writeAsOauthClient{
+			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
 				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
 				ExchangeLocation: app.Config().WriteAsOauth.TokenLocation,
@@ -190,10 +195,12 @@ func TestViewOauthInit(t *testing.T) {
 		req, err := http.NewRequest("GET", "/oauth/client", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		h.viewOauthInit(nil, rr, req)
-		assert.Equal(t, http.StatusInternalServerError, rr.Code)
-		expected := `{"error":"could not prepare oauth redirect url"}` + "\n"
-		assert.Equal(t, expected, rr.Body.String())
+		err = h.viewOauthInit(nil, rr, req)
+		httpErr, ok := err.(impart.HTTPError)
+		assert.True(t, ok)
+		assert.NotEmpty(t, httpErr.Message)
+		assert.Equal(t, http.StatusInternalServerError, httpErr.Status)
+		assert.Equal(t, "could not prepare oauth redirect url", httpErr.Message)
 	})
 }
 

From 6d8da2bffd6ae7ee52488fb158ed2cdc6aae01a6 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 3 Jan 2020 11:28:06 -0500
Subject: [PATCH 067/127] Encrypting email from oauth signup as per PR
 feedback. T710

---
 account.go    | 23 ++++++++++++++---------
 oauth.go      |  8 +++-----
 oauth_test.go |  5 ++++-
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/account.go b/account.go
index c41f24d..6fb8053 100644
--- a/account.go
+++ b/account.go
@@ -156,17 +156,9 @@ func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWr
 		Username:   signup.Alias,
 		HashedPass: hashedPass,
 		HasPass:    createdWithPass,
-		Email:      zero.NewString("", signup.Email != ""),
+		Email:      prepareUserEmail(signup.Email, app.keys.EmailKey),
 		Created:    time.Now().Truncate(time.Second).UTC(),
 	}
-	if signup.Email != "" {
-		encEmail, err := data.Encrypt(app.keys.EmailKey, signup.Email)
-		if err != nil {
-			log.Error("Unable to encrypt email: %s\n", err)
-		} else {
-			u.Email.String = string(encEmail)
-		}
-	}
 
 	// Create actual user
 	if err := app.db.CreateUser(app.cfg, u, desiredUsername); err != nil {
@@ -1097,3 +1089,16 @@ func getTempInfo(app *App, key string, r *http.Request, w http.ResponseWriter) s
 	// Return value
 	return s
 }
+
+func prepareUserEmail(input string, emailKey []byte) zero.String {
+	email := zero.NewString("", input != "")
+	if len(input) > 0 {
+		encEmail, err := data.Encrypt(emailKey, input)
+		if err != nil {
+			log.Error("Unable to encrypt email: %s\n", err)
+		} else {
+			email.String = string(encEmail)
+		}
+	}
+	return email
+}
diff --git a/oauth.go b/oauth.go
index 7dfc4c7..f9d9e99 100644
--- a/oauth.go
+++ b/oauth.go
@@ -6,7 +6,6 @@ import (
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
-	"github.com/guregu/null/zero"
 	"github.com/writeas/impart"
 	"github.com/writeas/nerds/store"
 	"github.com/writeas/web-core/auth"
@@ -83,6 +82,7 @@ type oauthHandler struct {
 	Config      *config.Config
 	DB          OAuthDatastore
 	Store       sessions.Store
+	EmailKey    []byte
 	oauthClient oauthClient
 }
 
@@ -122,9 +122,6 @@ func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
 			HttpClient:       config.DefaultHTTPClient(),
 			CallbackLocation: app.Config().App.Host + "/oauth/callback",
-		}
-		if oauthClient.ExchangeLocation == "" {
-
 		}
 		configureOauthRoutes(parentHandler, r, app, oauthClient)
 	}
@@ -136,6 +133,7 @@ func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauth
 		DB:          app.DB(),
 		Store:       app.SessionStore(),
 		oauthClient: oauthClient,
+		EmailKey:    app.keys.EmailKey,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
@@ -187,7 +185,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 			Username:   tokenInfo.Username,
 			HashedPass: hashedPass,
 			HasPass:    true,
-			Email:      zero.NewString(tokenInfo.Email, tokenInfo.Email != ""),
+			Email:      prepareUserEmail(tokenInfo.Email, h.EmailKey),
 			Created:    time.Now().Truncate(time.Second).UTC(),
 		}
 		displayName := tokenInfo.DisplayName
diff --git a/oauth_test.go b/oauth_test.go
index 1daabd5..f8ffcf5 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -140,6 +140,7 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
+			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
 				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -182,6 +183,7 @@ func TestViewOauthInit(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
+			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
 				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -211,6 +213,7 @@ func TestViewOauthCallback(t *testing.T) {
 			Config: app.Config(),
 			DB:     app.DB(),
 			Store:  app.SessionStore(),
+			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
 				ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -243,7 +246,7 @@ func TestViewOauthCallback(t *testing.T) {
 		req, err := http.NewRequest("GET", "/oauth/callback", nil)
 		assert.NoError(t, err)
 		rr := httptest.NewRecorder()
-		h.viewOauthCallback(nil, rr, req)
+		err = h.viewOauthCallback(nil, rr, req)
 		assert.NoError(t, err)
 		assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
 	})

From 0b229a5ede6200d650d4906c50609812bbdae696 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 3 Jan 2020 11:31:38 -0500
Subject: [PATCH 068/127] Updating oauth user lookup call as per PR feedback.
 T710

---
 oauth.go      |  4 ++--
 oauth_test.go | 26 +++++++++++++-------------
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/oauth.go b/oauth.go
index f9d9e99..4758e0f 100644
--- a/oauth.go
+++ b/oauth.go
@@ -63,7 +63,7 @@ type OAuthDatastore interface {
 	GenerateOAuthState(context.Context, string, string) (string, error)
 
 	CreateUser(*config.Config, *User, string) error
-	GetUserForAuthByID(int64) (*User, error)
+	GetUserByID(int64) (*User, error)
 }
 
 type HttpClient interface {
@@ -209,7 +209,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return nil
 	}
 
-	user, err := h.DB.GetUserForAuthByID(localUserID)
+	user, err := h.DB.GetUserByID(localUserID)
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
diff --git a/oauth_test.go b/oauth_test.go
index f8ffcf5..2e293e7 100644
--- a/oauth_test.go
+++ b/oauth_test.go
@@ -27,7 +27,7 @@ type MockOAuthDatastore struct {
 	DoGetIDForRemoteUser func(context.Context, string, string, string) (int64, error)
 	DoCreateUser         func(*config.Config, *User, string) error
 	DoRecordRemoteUserID func(context.Context, int64, string, string, string, string) error
-	DoGetUserForAuthByID func(int64) (*User, error)
+	DoGetUserByID        func(int64) (*User, error)
 }
 
 var _ OAuthDatastore = &MockOAuthDatastore{}
@@ -115,9 +115,9 @@ func (m *MockOAuthDatastore) RecordRemoteUserID(ctx context.Context, localUserID
 	return nil
 }
 
-func (m *MockOAuthDatastore) GetUserForAuthByID(userID int64) (*User, error) {
-	if m.DoGetUserForAuthByID != nil {
-		return m.DoGetUserForAuthByID(userID)
+func (m *MockOAuthDatastore) GetUserByID(userID int64) (*User, error) {
+	if m.DoGetUserByID != nil {
+		return m.DoGetUserByID(userID)
 	}
 	user := &User{
 
@@ -137,9 +137,9 @@ func TestViewOauthInit(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{}
 		h := oauthHandler{
-			Config: app.Config(),
-			DB:     app.DB(),
-			Store:  app.SessionStore(),
+			Config:   app.Config(),
+			DB:       app.DB(),
+			Store:    app.SessionStore(),
 			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
@@ -180,9 +180,9 @@ func TestViewOauthInit(t *testing.T) {
 			},
 		}
 		h := oauthHandler{
-			Config: app.Config(),
-			DB:     app.DB(),
-			Store:  app.SessionStore(),
+			Config:   app.Config(),
+			DB:       app.DB(),
+			Store:    app.SessionStore(),
 			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,
@@ -210,9 +210,9 @@ func TestViewOauthCallback(t *testing.T) {
 	t.Run("success", func(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{}
 		h := oauthHandler{
-			Config: app.Config(),
-			DB:     app.DB(),
-			Store:  app.SessionStore(),
+			Config:   app.Config(),
+			DB:       app.DB(),
+			Store:    app.SessionStore(),
 			EmailKey: []byte{0xd, 0xe, 0xc, 0xa, 0xf, 0xf, 0xb, 0xa, 0xd},
 			oauthClient: writeAsOauthClient{
 				ClientID:         app.Config().WriteAsOauth.ClientID,

From 6429d495a2e9f2c3cef69cdb421603be45c7c340 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Fri, 3 Jan 2020 13:50:21 -0500
Subject: [PATCH 069/127] Implemented /oauth/signup. T712

---
 account.go              |   4 +
 config/config.go        |   2 +
 oauth.go                |  56 ++++-------
 oauth_signup.go         | 209 ++++++++++++++++++++++++++++++++++++++++
 oauth_slack.go          |   4 +-
 pages/signup-oauth.tmpl | 179 ++++++----------------------------
 6 files changed, 262 insertions(+), 192 deletions(-)
 create mode 100644 oauth_signup.go

diff --git a/account.go b/account.go
index 6fb8053..2dcfd27 100644
--- a/account.go
+++ b/account.go
@@ -306,12 +306,16 @@ func viewLogin(app *App, w http.ResponseWriter, r *http.Request) error {
 		Message       template.HTML
 		Flashes       []template.HTML
 		LoginUsername string
+		OauthSlack    bool
+		OauthWriteAs  bool
 	}{
 		pageForReq(app, r),
 		r.FormValue("to"),
 		template.HTML(""),
 		[]template.HTML{},
 		getTempInfo(app, "login-user", r, w),
+		app.Config().SlackOauth.ClientID != "",
+		app.Config().WriteAsOauth.ClientID != "",
 	}
 
 	if earlyError != "" {
diff --git a/config/config.go b/config/config.go
index 996c1df..6aee69b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -42,6 +42,8 @@ type (
 		PagesParentDir     string `ini:"pages_parent_dir"`
 		KeysParentDir      string `ini:"keys_parent_dir"`
 
+		HashSeed string `ini:"hash_seed"`
+
 		Dev bool `ini:"-"`
 	}
 
diff --git a/oauth.go b/oauth.go
index 4758e0f..67c4ac8 100644
--- a/oauth.go
+++ b/oauth.go
@@ -7,8 +7,6 @@ import (
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
 	"github.com/writeas/impart"
-	"github.com/writeas/nerds/store"
-	"github.com/writeas/web-core/auth"
 	"github.com/writeas/web-core/log"
 	"github.com/writeas/writefreely/config"
 	"io"
@@ -137,6 +135,7 @@ func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauth
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
+	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")
 }
 
 func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -171,52 +170,31 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
-	if localUserID == -1 {
-		// We don't have, nor do we want, the password from the origin, so we
-		//create a random string. If the user needs to set a password, they
-		//can do so through the settings page or through the password reset
-		//flow.
-		randPass := store.Generate62RandomString(14)
-		hashedPass, err := auth.HashPass([]byte(randPass))
-		if err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, "unable to create password hash"}
-		}
-		newUser := &User{
-			Username:   tokenInfo.Username,
-			HashedPass: hashedPass,
-			HasPass:    true,
-			Email:      prepareUserEmail(tokenInfo.Email, h.EmailKey),
-			Created:    time.Now().Truncate(time.Second).UTC(),
-		}
-		displayName := tokenInfo.DisplayName
-		if len(displayName) == 0 {
-			displayName = tokenInfo.Username
-		}
-
-		err = h.DB.CreateUser(h.Config, newUser, displayName)
+	if localUserID != -1 {
+		user, err := h.DB.GetUserByID(localUserID)
 		if err != nil {
+			log.Error("Unable to GetUserByID %d: %s", localUserID, err)
 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
-
-		err = h.DB.RecordRemoteUserID(ctx, newUser.ID, tokenInfo.UserID, provider, clientID, tokenResponse.AccessToken)
-		if err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
-		}
-
-		if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+		if err = loginOrFail(h.Store, w, r, user); err != nil {
+			log.Error("Unable to loginOrFail %d: %s", localUserID, err)
 			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 		}
 		return nil
 	}
 
-	user, err := h.DB.GetUserByID(localUserID)
-	if err != nil {
-		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
+	tp := &oauthSignupPageParams{
+		AccessToken:     tokenResponse.AccessToken,
+		TokenUsername:   tokenInfo.Username,
+		TokenAlias:      tokenInfo.DisplayName,
+		TokenEmail:      tokenInfo.Email,
+		TokenRemoteUser: tokenInfo.UserID,
+		Provider:        provider,
+		ClientID:        clientID,
 	}
-	if err = loginOrFail(h.Store, w, r, user); err != nil {
-		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
-	}
-	return nil
+	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)
+
+	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
 func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
diff --git a/oauth_signup.go b/oauth_signup.go
new file mode 100644
index 0000000..53ad5c4
--- /dev/null
+++ b/oauth_signup.go
@@ -0,0 +1,209 @@
+package writefreely
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"github.com/writeas/impart"
+	"github.com/writeas/web-core/auth"
+	"github.com/writeas/web-core/log"
+	"github.com/writeas/writefreely/page"
+	"html/template"
+	"net/http"
+	"strings"
+	"time"
+)
+
+type viewOauthSignupVars struct {
+	page.StaticPage
+	To      string
+	Message template.HTML
+	Flashes []template.HTML
+
+	AccessToken     string
+	TokenUsername   string
+	TokenAlias      string
+	TokenEmail      string
+	TokenRemoteUser string
+	Provider        string
+	ClientID        string
+	TokenHash       string
+
+	Username string
+	Alias    string
+	Email    string
+}
+
+const (
+	oauthParamAccessToken       = "access_token"
+	oauthParamTokenUsername     = "token_username"
+	oauthParamTokenAlias        = "token_alias"
+	oauthParamTokenEmail        = "token_email"
+	oauthParamTokenRemoteUserID = "token_remote_user"
+	oauthParamClientID          = "client_id"
+	oauthParamProvider          = "provider"
+	oauthParamHash              = "signature"
+	oauthParamUsername          = "username"
+	oauthParamAlias             = "alias"
+	oauthParamEmail             = "email"
+	oauthParamPassword          = "password"
+)
+
+type oauthSignupPageParams struct {
+	AccessToken     string
+	TokenUsername   string
+	TokenAlias      string
+	TokenEmail      string
+	TokenRemoteUser string
+	ClientID        string
+	Provider        string
+	TokenHash       string
+}
+
+func (p oauthSignupPageParams) HashTokenParams(key string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(key))
+	hasher.Write([]byte(p.AccessToken))
+	hasher.Write([]byte(p.TokenUsername))
+	hasher.Write([]byte(p.TokenAlias))
+	hasher.Write([]byte(p.TokenEmail))
+	hasher.Write([]byte(p.TokenRemoteUser))
+	hasher.Write([]byte(p.ClientID))
+	hasher.Write([]byte(p.Provider))
+	return hex.EncodeToString(hasher.Sum(nil))
+}
+
+func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.Request) error {
+	tp := &oauthSignupPageParams{
+		AccessToken:     r.FormValue(oauthParamAccessToken),
+		TokenUsername:   r.FormValue(oauthParamTokenUsername),
+		TokenAlias:      r.FormValue(oauthParamTokenAlias),
+		TokenEmail:      r.FormValue(oauthParamTokenEmail),
+		TokenRemoteUser: r.FormValue(oauthParamTokenRemoteUserID),
+		ClientID:        r.FormValue(oauthParamClientID),
+		Provider:        r.FormValue(oauthParamProvider),
+	}
+	if tp.HashTokenParams(h.Config.Server.HashSeed) != r.FormValue(oauthParamHash) {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Request has been tampered with."}
+	}
+	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)
+	if err := h.validateOauthSignup(r); err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	hashedPass, err := auth.HashPass([]byte(r.FormValue(oauthParamPassword)))
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, fmt.Errorf("unable to hash password"))
+	}
+	newUser := &User{
+		Username:   r.FormValue(oauthParamUsername),
+		HashedPass: hashedPass,
+		HasPass:    true,
+		Email:      prepareUserEmail(r.FormValue(oauthParamEmail), h.EmailKey),
+		Created:    time.Now().Truncate(time.Second).UTC(),
+	}
+	displayName := r.FormValue(oauthParamAlias)
+	if len(displayName) == 0 {
+		displayName = r.FormValue(oauthParamUsername)
+	}
+
+	err = h.DB.CreateUser(h.Config, newUser, displayName)
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	err = h.DB.RecordRemoteUserID(r.Context(), newUser.ID, r.FormValue(oauthParamTokenRemoteUserID), r.FormValue(oauthParamProvider), r.FormValue(oauthParamClientID), r.FormValue(oauthParamAccessToken))
+	if err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+
+	if err := loginOrFail(h.Store, w, r, newUser); err != nil {
+		return h.showOauthSignupPage(app, w, r, tp, err)
+	}
+	return nil
+}
+
+func (h oauthHandler) validateOauthSignup(r *http.Request) error {
+	username := r.FormValue(oauthParamUsername)
+	if len(username) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too short."}
+	}
+	if len(username) > 20 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
+	}
+	alias := r.FormValue(oauthParamAlias)
+	if len(alias) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
+	}
+	if len(alias) > 20 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too long."}
+	}
+	password := r.FormValue("password")
+	if len(password) < 5 {
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Password is too short."}
+	}
+	email := r.FormValue(oauthParamEmail)
+	if len(email) > 0 {
+		parts := strings.Split(email, "@")
+		if len(parts) != 2 || (len(parts[0]) < 1 || len(parts[1]) < 1) {
+			return impart.HTTPError{Status: http.StatusBadRequest, Message: "Invalid email address"}
+		}
+	}
+	return nil
+}
+
+func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *http.Request, tp *oauthSignupPageParams, errMsg error) error {
+	username := tp.TokenUsername
+	alias := tp.TokenAlias
+	email := tp.TokenEmail
+
+	session, err := app.sessionStore.Get(r, cookieName)
+	if err != nil {
+		// Ignore this
+		log.Error("Unable to get session; ignoring: %v", err)
+	}
+
+	if tmpValue := r.FormValue(oauthParamUsername); len(tmpValue) > 0 {
+		username = tmpValue
+	}
+	if tmpValue := r.FormValue(oauthParamAlias); len(tmpValue) > 0 {
+		alias = tmpValue
+	}
+	if tmpValue := r.FormValue(oauthParamEmail); len(tmpValue) > 0 {
+		email = tmpValue
+	}
+
+	p := &viewOauthSignupVars{
+		StaticPage: pageForReq(app, r),
+		To:         r.FormValue("to"),
+		Flashes:    []template.HTML{},
+
+		AccessToken:     tp.AccessToken,
+		TokenUsername:   tp.TokenUsername,
+		TokenAlias:      tp.TokenAlias,
+		TokenEmail:      tp.TokenEmail,
+		TokenRemoteUser: tp.TokenRemoteUser,
+		Provider:        tp.Provider,
+		ClientID:        tp.ClientID,
+		TokenHash:       tp.TokenHash,
+
+		Username: username,
+		Alias:    alias,
+		Email:    email,
+	}
+
+	// Display any error messages
+	flashes, _ := getSessionFlashes(app, w, r, session)
+	for _, flash := range flashes {
+		p.Flashes = append(p.Flashes, template.HTML(flash))
+	}
+	if errMsg != nil {
+		p.Flashes = append(p.Flashes, template.HTML(errMsg.Error()))
+	}
+	err = pages["signup-oauth.tmpl"].ExecuteTemplate(w, "base", p)
+	if err != nil {
+		log.Error("Unable to render signup-oauth: %v", err)
+		return err
+	}
+	return nil
+}
diff --git a/oauth_slack.go b/oauth_slack.go
index 066aa18..5a6f4ed 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -3,6 +3,8 @@ package writefreely
 import (
 	"context"
 	"errors"
+	"fmt"
+	"github.com/writeas/nerds/store"
 	"github.com/writeas/slug"
 	"net/http"
 	"net/url"
@@ -151,7 +153,7 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 	return &InspectResponse{
 		UserID:      resp.User.ID,
-		Username:    slug.Make(resp.User.Name),
+		Username:    fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.Generate62RandomString(5)),
 		DisplayName: resp.User.Name,
 		Email:       resp.User.Email,
 	}
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 1ca1101..35810bb 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -1,163 +1,38 @@
-{{define "head"}}
-<title>Sign up &mdash; {{.SiteName}}</title>
-
-<style type="text/css">
-h2 {
-	font-weight: normal;
-}
-#pricing.content-container div.form-container #payment-form {
-	display: block !important;
-}
-#pricing #signup-form table {
-	max-width: inherit !important;
-	width: 100%;
-}
-#pricing #payment-form table {
-	margin-top: 0 !important;
-	max-width: inherit !important;
-	width: 100%;
-}
-tr.subscription {
-	border-spacing: 0;
-}
-#pricing.content-container tr.subscription button {
-	margin-top: 0 !important;
-	margin-bottom: 0 !important;
-	width: 100%;
-}
-#pricing tr.subscription td {
-	padding: 0 0.5em;
-}
-#pricing table.billing > tbody > tr > td:first-child {
-	vertical-align: middle !important;
-}
-.billing-section {
-	display: none;
-}
-.billing-section.bill-me {
-	display: table-row;
-}
-#btn-create {
-	color: white !important;
-}
-#total-price {
-	padding-left: 0.5em;
-}
-#alias-site.demo {
-	color: #999;
-}
-#alias-site {
-	text-align: left;
-	margin: 0.5em 0;
-}
-form dd {
-	margin: 0;
-}
-</style>
+{{define "head"}}<title>Log in &mdash; {{.SiteName}}</title>
+<meta name="description" content="Log in to {{.SiteName}}.">
+<meta itemprop="description" content="Log in to {{.SiteName}}.">
+<style>input{margin-bottom:0.5em;}</style>
 {{end}}
 {{define "content"}}
-<div id="pricing" class="content-container wide-form">
+<div class="tight content-container">
+	<h1>Log in to {{.SiteName}}</h1>
 
-<div class="row">
-	<div style="margin: 0 auto; max-width: 25em;">
-		<h1>Sign up</h1>
+	{{if .Flashes}}<ul class="errors">
+		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+	</ul>{{end}}
 
-		{{ if .Error }}
-			<p style="font-style: italic">{{.Error}}</p>
-		{{ else }}
-		{{if .Flashes}}<ul class="errors">
-			{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
-		</ul>{{end}}
+	<form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
+	    <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
+	    <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
+	    <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
+	    <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
+	    <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
+	    <input type="hidden" name="provider" value="{{ .Provider }}" />
+	    <input type="hidden" name="client_id" value="{{ .ClientID }}" />
+	    <input type="hidden" name="signature" value="{{ .TokenHash }}" />
 
-		<div id="billing">
-			<form action="/auth/signup-oauth" method="POST" id="signup-form" onsubmit="return signup()">
-				<input type="hidden" name="provider" value="{{.Provider}}" />
-				<input type="hidden" name="access_token" value="{{.AccessToken}}" />
-				<dl class="billing">
-					<label>
-						<dt>Username</dt>
-						<dd>
-							<input type="text" id="alias" name="alias" style="width: 100%; box-sizing: border-box;" tabindex="1" autofocus />
-							{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
-						</dd>
-					</label>
-					<label>
-						<dt>Email (optional)</dt>
-						<dd><input type="email" name="email" id="email" style="letter-spacing: 1px; width: 100%; box-sizing: border-box;" placeholder="me@example.com" tabindex="3" /></dd>
-					</label>
-					<dt>
-						<button id="btn-create" type="submit" style="margin-top: 0">Create blog</button>
-					</dt>
-				</dl>
-			</form>
-		</div>
-		{{ end }}
-	</div>
-</div>
+		<input type="text" name="username" placeholder="Username" value="{{.Username}}" /><br />
+		<input type="text" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} /><br />
+		<input type="text" name="email" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} /><br />
+		<input type="password" name="password" placeholder="Password" /><br />
+		<input type="submit" id="btn-login" value="Login" />
+	</form>
 
-<script type="text/javascript" src="/js/h.js"></script>
 <script type="text/javascript">
-function signup() {
-	// Validate input
-	if (!aliasOK) {
-		var $a = $alias;
-		$a.el.className = 'error';
-		$a.el.focus();
-		$a.el.scrollIntoView();
-		return false;
-	}
-
-	var $btn = document.getElementById('btn-create');
+function disableSubmit() {
+	var $btn = document.getElementById("btn-login");
+	$btn.value = "Logging in...";
 	$btn.disabled = true;
-	$btn.value = 'Creating...';
-	return true;
 }
-
-var $alias = H.getEl('alias');
-var $aliasSite = document.getElementById('alias-site');
-var aliasOK = true;
-var typingTimer;
-var doneTypingInterval = 750;
-var doneTyping = function() {
-	// Check on username
-	var alias = $alias.el.value;
-	if (alias != "") {
-		var params = {
-			username: alias
-		};
-		var http = new XMLHttpRequest();
-		http.open("POST", '/api/alias', true);
-
-		// Send the proper header information along with the request
-		http.setRequestHeader("Content-type", "application/json");
-
-		http.onreadystatechange = function() {
-			if (http.readyState == 4) {
-				data = JSON.parse(http.responseText);
-				if (http.status == 200) {
-					aliasOK = true;
-					$alias.removeClass('error');
-					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)demo(?!\S)/g, '');
-					$aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
-					$aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
-				} else {
-					aliasOK = false;
-					$alias.setClass('error');
-					$aliasSite.className = 'error';
-					$aliasSite.textContent = data.error_msg;
-				}
-			}
-		}
-		http.send(JSON.stringify(params));
-	} else {
-		$aliasSite.className += ' demo';
-		$aliasSite.innerHTML = '{{ if .Federation }}@<strong>your-username</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>your-username</strong>/{{ end }}';
-	}
-};
-$alias.on('keyup input', function() {
-	clearTimeout(typingTimer);
-	typingTimer = setTimeout(doneTyping, doneTypingInterval);
-});
 </script>
-
 {{end}}

From 5249456ec6791f19ce117535f2d0117c4fb5ada4 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 5 Jan 2020 11:00:11 -0500
Subject: [PATCH 070/127] Add .btn.cta link styles

---
 less/core.less | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/less/core.less b/less/core.less
index 8844c84..3669d76 100644
--- a/less/core.less
+++ b/less/core.less
@@ -684,18 +684,19 @@ select.inputform, textarea.inputform {
 	border: 1px solid #999;
 }
 
-input, button, select.inputform, textarea.inputform {
+input, button, select.inputform, textarea.inputform, a.btn {
 	padding: 0.5em;
 	font-family: @serifFont;
 	font-size: 100%;
 	.rounded(.25em);
-	&[type=submit], &.submit {
+	&[type=submit], &.submit, &.cta {
 		border: 1px solid @primary;
 		background: @primary;
 		color: white;
 		.transition(0.2s);
 		&:hover {
 			background-color: lighten(@primary, 3%);
+			text-decoration: none;
 		}
 		&:disabled {
 			cursor: default;

From 77e012680853d023678e76fa784c061d852b531c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 5 Jan 2020 11:00:58 -0500
Subject: [PATCH 071/127] Move and restyle OAuth login links

- Move them above local login form
- Restyle as side-by-side buttons

Ref T712
---
 pages/login.tmpl                     |  59 ++++++++++++++++++++++-----
 static/img/sign_in_with_slack.png    | Bin 0 -> 2604 bytes
 static/img/sign_in_with_slack@2x.png | Bin 0 -> 5120 bytes
 3 files changed, 48 insertions(+), 11 deletions(-)
 create mode 100644 static/img/sign_in_with_slack.png
 create mode 100644 static/img/sign_in_with_slack@2x.png

diff --git a/pages/login.tmpl b/pages/login.tmpl
index 6c1b3ed..345b171 100644
--- a/pages/login.tmpl
+++ b/pages/login.tmpl
@@ -1,7 +1,38 @@
 {{define "head"}}<title>Log in &mdash; {{.SiteName}}</title>
 <meta name="description" content="Log in to {{.SiteName}}.">
 <meta itemprop="description" content="Log in to {{.SiteName}}.">
-<style>input{margin-bottom:0.5em;}</style>
+<style>
+input{margin-bottom:0.5em;}
+.or {
+	text-align: center;
+	margin-bottom: 3.5em;
+}
+.or p {
+	display: inline-block;
+	background-color: white;
+	padding: 0 1em;
+}
+.or hr {
+	margin-top: -1.6em;
+	margin-bottom: 0;
+}
+hr.short {
+	max-width: 30rem;
+}
+.row.signinbtns {
+	justify-content: space-evenly;
+	font-size: 1em;
+	margin-top: 3em;
+	margin-bottom: 2em;
+}
+.loginbtn {
+	height: 40px;
+}
+#writeas-login {
+	box-sizing: border-box;
+	font-size: 17px;
+}
+</style>
 {{end}}
 {{define "content"}}
 <div class="tight content-container">
@@ -11,6 +42,22 @@
 		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
 	</ul>{{end}}
 
+	{{ if or .OauthSlack .OauthWriteAs }}
+		<div class="row content-container signinbtns">
+		{{ if .OauthSlack }}
+			<a class="loginbtn" href="/oauth/slack"><img alt="Sign in with Slack" height="40" width="172" src="/img/sign_in_with_slack.png" srcset="/img/sign_in_with_slack.png 1x, /img/sign_in_with_slack@2x.png 2x" /></a>
+		{{ end }}
+		{{ if .OauthWriteAs }}
+			<a class="btn cta loginbtn" id="writeas-login" href="/oauth/write.as">Sign in with <strong>Write.as</strong></a>
+		{{ end }}
+		</div>
+
+		<div class="or">
+			<p>or</p>
+			<hr class="short" />
+		</div>
+	{{ end }}
+
 	<form action="/auth/login" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
 		<input type="text" name="alias" placeholder="Username" value="{{.LoginUsername}}" {{if not .LoginUsername}}autofocus{{end}} /><br />
 		<input type="password" name="pass" placeholder="Password" {{if .LoginUsername}}autofocus{{end}} /><br />
@@ -19,16 +66,6 @@
 	</form>
 
 	{{if and (not .SingleUser) .OpenRegistration}}<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">{{if .Message}}{{.Message}}{{else}}<em>No account yet?</em> <a href="/">Sign up</a> to start a blog.{{end}}</p>{{end}}
-	{{ if .OauthSlack }}
-	<p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
-	    <a href="/oauth/slack">Sign-in with Slack.</a>
-	</p>
-	{{ end }}
-	{{ if .OauthWriteAs }}
-    <p style="text-align:center;font-size:0.9em;margin:3em auto;max-width:26em;">
-        <a href="/oauth/write.as">Sign-in with Write.As.</a>
-    </p>
-    {{ end }}
 
 <script type="text/javascript">
 function disableSubmit() {
diff --git a/static/img/sign_in_with_slack.png b/static/img/sign_in_with_slack.png
new file mode 100644
index 0000000000000000000000000000000000000000..66e4298e6c5e55d0c1bd16fb239f6a0e2088f958
GIT binary patch
literal 2604
zcmV+{3e)w8P)<h;3K|Lk000e1NJLTq00682001Zm1^@s6V-OJ*000T|Nkl<ZcmeF1
z)tB2?*2U}3_@2J!c^P<VhA=ZTGcz+YGbfE<W@ad62p40DnfBB#J=d$%vMa8nQ%=ul
zuXR$^m26AbKb^bJQT%?dCjmht`~yRR9|r`NJn|2cufho@VDK%AL7~HI!q3FpfBd7O
z{_ja($i0ZD*n*s#T$Pts$dMyo3I<^jCSemsYr+p${TN70O8F!yb>s*(VYDXRX4v6S
ztWQ{u97ROM6u_z<K7rKxDa(-~7==|o%<W&nvpRA-Ev))ck^L3q$PuhMz&dh(b>!%i
z1@>Ncg*pZ0tGR!^eoQWt(ZQGZ)!_O{wZ6Sxx6@<g$dS*1Evk|lJkHbS4{}`*Sx~9)
z+(iB3;yhP;d3A}3D$C@^kxzk*FR21jOPok6(~)?8K($14Ua}lH@+q)YlKO@gSb#m2
zTBgJCPi(+O<|fJKa^!f}yoze=Ni5Z(XT^m4b1NKR9r+$u<5^=0D-~T}kL1#78Px`C
zwW{^HFzdZM?TeQ$b@1SiTDNYajvhOq)U-4i?cB9TbLK8kadEN!Y*kiPYRS?Se6Q+5
zWo2bruwaR{Y}u~b#Qp&Thbk$_`(%)jk)gf&4lq|*w0N0LojT*1vpswEt9^&AnlopC
zK2%$`?%=buc=2-I082N(6j+{OR$Ni7z~+?~tK0o;rVy)B_u%5i%lhv7Ci?2@2Cit>
zsJTKy!&FsO<=Ph%6rw*{ujAug-<h4At&gpkm{`6`Uw_k3MMcFz&z?Qk<SEltSXd~d
zS+nPf<G7K%QA9+Pnl@|2do0nX??9pT8#asW(PJj)L$!RxYCel|_6e}Gu7L8L@i51;
zCD`%ore%zlm$w<Gag&y6*{Z#wqhrL6`1tV?&6~f-l^yQhy{{ujj;Xr3S|3BF&z#eh
zE7w$CI)415Zrr>jqo02{3;;Y+e{Wz14IVCz?>}IOE?vH&BS(*`XRm(x`R8B%`+#lk
z?;Wt$v&wZjHNpmLQgM#vhMlmCHN3G>-ssh<*W%*GjGgHDVjevaK(Txq1qKD{mtT(v
z*jP5-ym_Pi`~sDfl!#-=mg(skI&t!}&R@8wyu3Vl(zWY1bo=&QA&%qy1qB6sF7^Zf
zOg6OX{)30WXStdD{R4IX{zLs<ckbTPgNKiV`22hK9=J06q)F4n99+G2T@N2VR%vOe
z3)tt+U+D1@e;unikI2X<xf9?0?RSmE@tm(+Zh_^ynIG&2e{Gg4KR;hw`|jQQboT6d
zWoBl11eWVNeE6uYUcLVDf#spVyI}1ZQUgPkR9soEPWQIBz?>3tSm=+y@^HZ$0oeBq
znu;ZI<HjvYOic2aJ<O6x_GP<myUrFXv2@u=;eB~MaL_O{YTQD6F54YCb`wCm6ZWHh
zhb}_V|5>t!4jaX1yWZccSASLmd$w7=O6=zbLPbSIu5(IDOBVt<wpXlNBjDn7kDh&n
zIIll0<4H-$E@1gya}ET))SWta?!kU+fp+cQOJ=SW*h7bYve_`s$v_(w70vuw_BU_Q
zRxe+^vH{CYYitgyW4#nzJQSeMdMwo**Rsli)g_?4k{YS|nNMZ(IO_#=fj%t{7wWu3
znhZe<88U*b;uhE!FJAJRLP>}$%EXhUfWZLUrfnw$2ZxXuDL_p2@fz4JU3+3t$h4X=
zbp~T(Vz(KVeLHsS7P@}@CfA~GzHLO-Vu)p#V^}F{z_Mx#A2FISWoBloyu93E2{vus
z#&s(+G@Na~^i&5}z$QkG9!COj3oP?Hea39vxN(cjuNE!avY+3Ax<S4B3}9R1$4_QX
zxGrtowv+R>080{R*Zw!KH*eWie_evIkmoA+@w)O4T~*1w2pN^!3RThh$Eq$al}nYy
zDoehs(pQJ=@%o4=a>7+tVGXE0J9p`6?pBH{8?Xrpi55V}2xOJH^A-vjU?)tRVuNbK
zhRt3ByKvD`8J#<Skuka$ZasLDrmZx1$OxhN^A~f&v8_pyrwfgrFs0@kTdSg?!UilF
zF><U|9=3arKFkY{dn&xRImv_uT6`?uS*wS|J~7VzwQD!HY#I?88|Tr(cI?#6{5B*E
zuCIQ8&D(iium8WdE3zi-5Xv02$u*YJbUM%it8#C3Qr6jj)EXtv59)n|HDD4}tzPHW
z5-eV_oD8PXqsNnRfI)F_Pdx#Pr(}%Q)q4Sp=VWaE{zGyn+DM!aKDt@+Hh``D2M(!0
z!)D6P$>A>`3w;Q%efth#>|J26-^`)07&c(z;}bY1uHBNASFT!X=8IrHJp#*hQ84qG
z-=f}%uEc+humM|<kYO1kiq1V!S;`fFd}m}|X&^7fk7_G|-U7CMlUra}CTZ9F^wY1p
zaN&}2b904!1T4jpIbZ&gp^R@e;82)-Oki2!%}t9aA`NuRj|Es(1+$DZCjo&$nmB2y
z3)qyDRP$b}Ky6(DEQj&JtVHz#Z1T4gEnwzuIH9tz7dBwA3+3teyaG1odTV*3o40P0
zoy?t0l?jYY00!PIu-w_S!6<m}Rlojv6hM3hEQJ<@BcEdd5g$z9$2iu-6R<O8&M|#v
zD)%}A`}%dfDO|a3icdVe@v$}!Yitz}5)z6(#)`RsMc5j)yLInPmxUrtLxzsTKG=#b
zYy{hF+H~YM`uM;WUk_Ho-v<A-^tYU)s@y`4z@mb{DYe4-=HizsPrEH|6!-L*0n`LV
z3#}B7U4m)TXW`TEQ20mo0X=~G1XzS$<(Tc;cgbkurmc)=+O%0ho`B^hHP=qIqL8cu
zu&hu9dP~rgO-@d+0gDIj+iwutuDKgKZlVQPx&d9g^<vBf+gJ%3ut03A0oPnFMOSrU
zi7H;CFrz}X0gI}NlT?`#X^-4!sj^6Q5kF#BSh!A}JPjPS$B_X6fh?&^G<{blhKaNE
z02$-4Bt1-y<tdpF6UrDjhdZ%+n!YK$M~<bfV?=w3F_wA{;s@p!ONODROBGHA{GB+C
zj)Coo8`ox*_3(&DaU9v(=*g1+SI^g-SjsP5x<c!V4hi#RNesM~annw`eEF)5pE$+&
z(HY<Yjit!q82ZI@SLh^|8-=HJd={D6i0%#7dgsnP-~8tnkCq_wu?j=xiYSiTq3ZHH
z)u(vk1)QtbtQQl^Byp!>6P^O(rz=N30G8I3W%<v&(~TUd`VyId|HwgifTfI<*0^z#
z6doQSNB_&fhQItHu=Hu^v)VjsRpD#-Lcr_D0oHh0Q;3=1;Q|i@Yy}pc)sZ8g0&BVl
zw7lrk@^Hb3hXV9jX<d2S4fuC^cWeUy2*W^-{ig;O=_zCBUJ4U@%Ny{`8-xW2iw_7}
z6@!BqTvcupa+?)FV<3*k)d<^@jE7`=o~BU_80DB-H+$sF9>vLbXYK+(5H6|i9pnoD
O0000<MNUMnLSTXfbPdS>

literal 0
HcmV?d00001

diff --git a/static/img/sign_in_with_slack@2x.png b/static/img/sign_in_with_slack@2x.png
new file mode 100644
index 0000000000000000000000000000000000000000..14a674ae1f0340cc739451794b182e78d4f1ed02
GIT binary patch
literal 5120
zcmV+b6#wgqP)<h;3K|Lk000e1NJLTq00CG4002-31^@s6Tu5!1000xmNkl<ZcmeF&
z1FS4(9ES0UZ5FZBMzw9*He=OpgW9%jyItejHrAZQ+xh4A+k0%E=a;<4#*@kHtT&KQ
zI=y>18ox0VO?(rIBo_Z0O%(r)#Kjn6vvJlyYoRsK+Gvdo=JmHeUzkWFb`3tzOTh<h
z_V<YxV~klN6E9jbgLysI>jj}`@)UQZ8jdB}OO~zBw(S{JYc;i6EzMQ{U=6euS`)2}
z)<}0`8|>s@Uf1n>#uiK59E$FE2YcsQt**WS0IZSLN^7RI(;6DgbL%`|^|d#!ZP>V3
zLjwS?X1acMJ(9Ht?wo7UDok7fU__C1=Vc4l)Xq6rJ4x$K3ycf^z@09zrUu(_DVE(5
zW+!Vo=L!I$Iw$LH_-a~P?W%zrIC=$uu|0~lwt9BKtUY6w9gGeDz*=fewYGY8uLOI>
zuI(Bf0D!gBnrdzJ+|>i4zY_rfz*_3=eBjv=HUPlba9t&^06<^?fWQL4NDx>60D%Pn
z0=wOB>%L_boslT&$Z%da%rEJWOhf(ob@M`96@FC*{`i1S{QWWAIrmd-s}}_T1h$K%
z<(7_$6twr>xn6r}byYn*w)h9_@y+eMcF<1`YDr;}0D!;-TEQ+%6?=u%ZJ&SgishSf
zBHLGJ&u{PO6<4>j{(4$1wfXG=Ah3%|t$yR`W~UAuI~CAhT-_GtH}cyBKw!V#;tv|w
zi_=9p=luQbpn?5tU4q{(00NuLHwO*u*~y}uQ~r2j(7?X8I?Qhu0D-NxWH)dTSO5fe
zJp8oHC$Inr?0ES*+t4ZT0)YiUV8_d*dRx(4v)kqtn*<gBfgNwtHL&G!Sql~}(xy$D
zHJE0zsV~0xN-w_nik2-~uIXm$)~$N=wKw$6yYH)1Dru%!yLO#kdihm-^zo;v*XtUo
zdGqG${`(*9Y{7zs8gH3QM$uSY_V@Mk&%esP2K#&K%a$!$bmdjob=&8kf2ql~e8q}h
zU)RsS{5tyr+xq`H*Dp8w`fy`?$op=qua%Y7m<G1e^cByn(wFN~cAe~m+!-O8&FO&$
zAJJ*2pRN7&KcurGk2+3QU46aYc;hYkzOSC{xZ|GA+a7fA5n338dAi8w^E%<g(>h=O
zg%@7tzQ-A1{rU|$;>hDV-`@>4-l~!M{`()h{ayU{)6e>ky|emq9M{(PUvlrk$HV7o
zm}i=qnVFfHnVFfHnVFfnJ5xQy%=^smL0O8*E<0|gAeC>e-C!$;ZAqWDHaQX~EG(35
z+ja!|#gy-Vs3eTJ$B&<gj(6|g6=}P4*$OFbuqc?<wRP+Eibb%bzp4x^uhQdwhQ#F*
zelo!x4&0Nkk4-c)z9O1d%ZmC-rRsEkvC^<nGr4l*n)b@yZ298L??T$loH<9z3rx~L
zZr!>g(Sr5sHx{|SckkX?YJX_BO#IZ;)KVkZxVVqfwrxkg-%&pQ;#-+FZy~QcDa!;K
zBUlQzn4wo*rP0ka$u0CwuxCF$v1>=|f`}A|dH(!`eDm#3bi6C+)w`eQs8qQ|$oaMF
zHb{BFwd*&EOj@?o(Sk#Vj)dGF{hXGTCML#?n;2~K^5v^iAy_omE?s)?-L3^Pj%l!E
zoM1_9g&h5oweNF06KtiE(~E6O>aE{s)v8@c=Z_jaPO!hGrlz6oFp)431PSQTqsOA-
z-1!UgOQmYU`M&)IDm!1f!K_(x1uY!%*|cd()V<7Z<jAo?zhNpkc<8WLp?QlorB1M$
zw`{ZBHDUAZ-Dd#i0sR~cWQ<_TI>AzM&`*Nx`!K^3!3MID9otgs&`;pR(mTFizd>S$
zvuDrS8t0kF<=H`$m6auVd3h48z-ejY9OAyQotHYncIn#FB%%;=6kv?4Sh-qi)vhm7
zrp_o2HrN=!QqR>-f^B;zT@;#KT;fQY``_Oda5>?HV_WLU`iWDg&V+RQjvc!shKhwJ
zPoC2ErAn}v2XLn9-`}!TJ8^^$1e=_kEZCsEf(42N%my)nrC7F~1UvObmMBcPzt530
zU!?yg;Bx$P$F>yh_7f*ho(}2w$y26FxWMDf_DxAbLV~R$t^a_*(ztO8VXKE0f<5=Z
zfkX26$<q*F&@20}`d-=ry!;H%PMy08p62=un##~&BLxlH3x<yv9sG^yGiHm9bLTDy
z$1#0ezkX8yrjzB%S4rzO9i(!Vn$oO!YZ)_Uf?!q&2W!@@5B~0i36mu=GgGW^?AQtE
z(W4I$0L9w3=Py{KzK?clXA#mjglj3>zyCm3PzMYg5;6wx&`+B-GbpcKy|yJ-`U11c
z;330_K9R;vTFA&zW98<p+Y%1Yu5~RMp>H|vH^CAugL91MS*2>tVB4R6sU|&p^=15t
z6V6|_D5J-Wr|*N;U8hb%o~7*Ex!V)LZvVY6nlx?6yih`)mVbghotWnvxqfjmMV@68
zh{DsfIQj3P(YA!y>FR0$ZVC2OoWCJZuV23j>G-d|`7vxQcIvd5A>Z-gL%`G!3_Gv0
zs6l%3=B<$9ckbSUplv@lYxX<|7y2Y?)w;dtz_YH-RjXb{Zrr#jRjbyr{B0&0*X<Vj
z_8$oOJh7fus9vK^h!ZY8KEY8-+Q0vxBCe3*{re9V1tznbzPNn(swKfP`I|OtW%-#e
zzxrO*t=lN!z^Y$yV$tV*5G;!g$^b-awln(C))vnqNGPMzGwas9mjr(O)iuEq>r3D2
zZR*u;jAk4aVOqS2fMVI7Os>1)a>c~<x7RF5w)WY%5|@?YhF~e$&6^P-;smKtvu=?A
z(4b*cv>?dxlL(dxj;5fWCmd|xprLj|MN|S>lO@42_|1Qta_RCFe+kz8@3TN@_wT$l
zg^1K=hYcSk2GBA&=SajWR;<>^jrd+if<>eCPOwVsp9PLXb|5Z+Gp^Y1z$HtT^L?HP
zmhtR%f#(^b$(nP8U5nfAz<KISu-L~l(SFV6N#93Tq5*FrAfkYJt_^Ow7i_LmUSuiF
z)e>m3<L~d2<`<VrkL&AY)r)hITaYh0?j*g%DHbBslO=M1HzPy}Y<G$qC}f_XZ4n(1
zF2NF0s-Ii6YAusq4=C5q^MCa_mIRC74B<HKm~ay(O$|BUv18YW5iG*ikYoz(gRL;;
zgAg;z<Z0p-`r?DR!NkHvON;zI+fWnSv#vb>CxYeqqai^AS{pL7IIe{6uqD_*gNFsP
ztN44!&=DLr77h0qXWxGJvm<eFua_=e4x3<ckg*F<=P+kL+FO1nyYAh4D-F`}IRbWe
z=J&I^z+8kG2a`|TdW|^Fj*ao@ieMQp=6Sv=mMR-X*t>VX%J{JrY@K)R+zpFh*(R#v
zOdd1R02`j3;6PwJup?MP$j~HA`<=e+`|kT+B1W(*5GL3P>TTK(o9PlvZvC?=JIUO}
zW3#4z)crAeHR8}UVHPQ8f;DWnUYuO><}VTxBq?w$`j`m^2M->0MY0I?;c#uRZ{ED6
z4+$+46WCw*j6RN7gp`(P#(T3M5`|+rye?k6%yV#MgJpMMoWtJE??xHH#=u}<(wJL!
zbL#>LxFT3Hwvla+6<TWcS=tvzu<JK$vUODH?Wivh34*oKoPcJFgzUYB$+3;KB#a(C
z`|1S1uER1C1T74Yc;pDyIf|fTr*8Uq;TpnDeCgA7fR-U>FN_zT!nClv+Gf33?WEXU
zcn#BHo?W<bNw=>fnCp~{J^BbX`@(&R@4rL>Rfo#^@B4*F&JDw}n3E?di}uOKHq#_f
zd!!@|UnRMZ-iRIYQ=dxu-3gL%wwWZItm#^k&oq?uTO%be{z{1kr!%0~I<iWeg9EL~
zCBb4#)z9(0W{41zP~V<<B3Qh_dOLo%#0b`~XF?3&0K1+}qzV+DQOBA5n>TM&|JP$c
ziTp4#n@Wvf&Ds<Q+MgG&GvK~4qu7wG(&jxAED;5_Z{HyT#Wa;5$_|S2(mcml@IbKk
zf>SFH2t;Qsf~1KX<@Fz$%B%lxVkueY?ukNvAVEI-IG{+I*MDsxX&X)yCGOYTC1Kxx
zC4SF8JWImfe@e!KSyIwq%d=p?VskK{CAlJ4Q=?(~M|;SE0j<YA_U_%Etx<&|ShlSC
z^HGG+xl8xpaV8$mRsFwat@@%+r*0#|b{7o<YgRmqXHl^vChXzi5G-SN(c-0qL7DCC
z2-b>xsT}7g!D0eJ!H7PB%{+2VBT8q2jcYc^wjCs^X|iapid=n>++R;gDL^9-V~grc
zuoQ%G^jLT3*hS^YS2%)&(9G;5A`JK*J>cF<X~oNpV@UffVRz9-unv(1r2o1hSQc-z
zeSOE|mS7hzS!SMt480O8<}zYvG3l7mJNPA{i(um#k9SS5c~9Rvw#8hakbZZ(Z{&)k
zTxc()0qUjd1A(A>w*-q8JZbW@ptA-$6Phb_O9Ir-oH-{76_H>8VMyxpXjjCss{a#$
zr9jPHb(}ugwQEm^R~$qg!8%k2qaJ|^f`wcy9Jfsvzu3NI#>_dk1bgJ@G4mWrI-i^>
zyKvzW^BiSCql;kQ{=L03!JfY_Absa~$F_l5BSj(QTytLuHu2Dx;xh=IcXSGk8$U@O
z1b9hZ5v&=8!X$M-g(O(r3`59}9`2;aeo|;h9mj+~2AKLkT2?tGSQc%f4hZeSx#Z*!
zRYJ_KBf(-~aSDYxedeq!!D0?D&T*fgOt3r~ZTu-Eg!vdf1pEH$K8~cB|2|$o>gpqo
zZE=bzq+aRaE5RlmuO@zi_&sI&W94K!Z-T850rY0*jT?eB3yBcJNf^tE7ca4^F~DL3
zYa|rlSp4bdszD9QfU+I(Tyc!3&q2PP2-ei1?%us$;si^)ZH=1s^n?u-51dc*CEB97
z$Rq56oTCV|ajuK$P+GluogKmQ9I<tq5j8{tm~(~nZ$jmq2-YrC55W`?H3UoKK(U1R
z?(?1kybx^GvsJzlED;5MR#-B_L<rHMG#v4(Y{$qeXCRsOSC<59rh3|Wg0V-D<_hsv
zNP-25V07WWOiZ6Xt4KTQ001upYX;C0@&;KQIdY7wxCj%haZm1r=S&2EGr?-($c(8b
z5eChb<Pm!ttbIZbF~3xxn=^Mle{)TSZP=M$Q9=yzMo40b4uUQCm@IGq(ZSw4aPpRC
zf|Y_?Nj_QIC-cBpQkWg@Bf(}eD8d@l6lMlt5G+|>ZXF9~(r5)0l3=G9&k?c8!@qj<
z8t2TnNO&b!oMoJ|OIya_7HNWo%#B*F&N6rI0@sNKBxA5Ea6{S#!P>-II|~}P8-fLp
zvDv0Y%eI6}Mn{-d?!!0oq0-<GqI~<$j*_wOk^rv+3ktI0B=u6KPa@ak)Ac1k^+`nD
ze?%1@CoPi@61Fn54~JkGAdn)&sj^hCF+yaR8q5-PNTbHhD<r`h#7SBw&)bqT4YJ@l
zc_vsu0TUa-VS$V^!KzeQv`Uo;W+znH!s!%lsw|)3ery+Zw)L~;%rBN;8P9~(nF@pX
zU8-uCTY{yZ^#~Cq%+2V@<SHnX+<UJiefwF-zWh)MGqVMFCRhXcX)h$_-G0e_xyik}
z*(LcY54kvrB#6BvBZyU(w->NwApjnY6;k6}Np|4PokNF?3`$~BlGVgz(Aib=G7G{`
z5>SOOY2R&Mk`N6*Zx@b}fO}S-Gt)mIRQ-ENjIaXsJJp8Li5>tMLQXii_#ShMXqHi=
z9fBFhR@33Qe*MMexbOPCA4zl|pPqbwB0ru!eWury(7($vZ5j~cthZxqg#*SKW(y)r
zSnx1^@G2P=atMd9VFk)$>c5L%do{DfC@sm@#+FT5GfqC0^2%a>sfy3?Y$1Is;Pj%7
z0d*({xk4!*`;2G=uER{vHLnXlgb8fI#QO5PN^lTEzEPVh>z!a@;4K0AwvR#V;@wfa
ze#UuF#SlXbF@nuYx+8hNU6!E4UzUQ*fK&jWY3SQM;yG>872CG!^uPA*0#~Xa2%~Us
z16d34gc$4t+YqdPIPNZ^{W4M9-QA(NC!~;Z!`_@PsV5^5<j<YD-PQ5B@vZ<R8L-R~
z=)2tN(Ax6h{;9Iu@e!(f2Mad}xNFR61$wgdvwnV_7Q@se8L(0B@9Zzj7(FeHb|E~+
zn)AucDM@o-z&_cxrj$=_%5uk%7<}}P^SI(}E9+lr=F{|-G*<>J_3?4LESjFBJCY38
zSKE(|3|QvL2Ijer3fT8Iclx(0$$({@?5Kcc>uq3b>!^TbovTWbwBP~DW`x-B)vp-Z
z&B+LXlL#1=J#2>-n+PPyfc>_ucHry+PDbd$NdyCD3$XoFk__0c0Wq`!7<I@zS%!AM
zIoKW?%J+^kESq_*j2xtO5QAGJ$$*t416Gn`z)F$<D@g{dB*}pN=SVVOoB1U_%zj>t
zB#A5~Q_0p;Yvl9%@|Gi}B}p?OOUYESHPxDV55GKm{G>>dW<!>esbp)aHJ3K>%Y{o<
ziX>?^WGR_Swx(LAv%31_Q@xeHynFY)NRp;QhLWXZD%ncFrn8N_)vMU~kmS`XnOap!
ze91YljMW5p?%pqwq{)z-v3h_^ttutHP}PI$YR&wGGGrxbvT%+3BulGG6kmQ+D{tWi
z(JrtjD@lWqk<k_)JIT<hQWRf)DbhFE1vG1UGs_NG+vR2iNsEjOBn!zzvXP98wm_}9
zw7#nJbMd9Sq9?nJJ7K)JZ&{XQS)a(t=(%<mUj`P-4C>AHCKk-HD<Q6I7qKkMvdBQP
ikW3^S$;hhGp!y0prNEzRPc1C~0000<MNUMnLSTXd)e)Nj

literal 0
HcmV?d00001


From 9fb8de48d4c672db315e501e6183edc50832a946 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sun, 5 Jan 2020 11:22:22 -0500
Subject: [PATCH 072/127] Rename base_url to collection_url in MD API

Ref T519
---
 postrender.go | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/postrender.go b/postrender.go
index 02b156b..312de58 100644
--- a/postrender.go
+++ b/postrender.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -245,11 +245,9 @@ func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) erro
 	}
 
 	in := struct {
-		BaseURL string `json:"base_url"`
-		RawBody string `json:"raw_body"`
-	}{
-		BaseURL: "",
-	}
+		CollectionURL string `json:"collection_url"`
+		RawBody       string `json:"raw_body"`
+	}{}
 
 	decoder := json.NewDecoder(r.Body)
 	err := decoder.Decode(&in)
@@ -261,7 +259,7 @@ func handleRenderMarkdown(app *App, w http.ResponseWriter, r *http.Request) erro
 	out := struct {
 		Body string `json:"body"`
 	}{
-		Body: applyMarkdown([]byte(in.RawBody), in.BaseURL, app.cfg),
+		Body: applyMarkdown([]byte(in.RawBody), in.CollectionURL, app.cfg),
 	}
 
 	return impart.WriteSuccess(w, out, http.StatusOK)

From 28cf4dd5f57472a2376877276e138422d7329bbd Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 15:22:25 -0500
Subject: [PATCH 073/127] Added state location register hook. T712.

---
 config/config.go | 18 +++++----
 oauth.go         | 99 ++++++++++++++++++++++++++++++++++++++----------
 oauth_slack.go   |  4 ++
 oauth_writeas.go |  4 ++
 4 files changed, 97 insertions(+), 28 deletions(-)

diff --git a/config/config.go b/config/config.go
index 6aee69b..56f83a5 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,17 +59,19 @@ type (
 	}
 
 	WriteAsOauthCfg struct {
-		ClientID        string `ini:"client_id"`
-		ClientSecret    string `ini:"client_secret"`
-		AuthLocation    string `ini:"auth_location"`
-		TokenLocation   string `ini:"token_location"`
-		InspectLocation string `ini:"inspect_location"`
+		ClientID              string `ini:"client_id"`
+		ClientSecret          string `ini:"client_secret"`
+		AuthLocation          string `ini:"auth_location"`
+		TokenLocation         string `ini:"token_location"`
+		InspectLocation       string `ini:"inspect_location"`
+		StateRegisterLocation string `ini:"state_register_location"`
 	}
 
 	SlackOauthCfg struct {
-		ClientID     string `ini:"client_id"`
-		ClientSecret string `ini:"client_secret"`
-		TeamID       string `ini:"team_id"`
+		ClientID              string `ini:"client_id"`
+		ClientSecret          string `ini:"client_secret"`
+		TeamID                string `ini:"team_id"`
+		StateRegisterLocation string `ini:"state_register_location"`
 	}
 
 	// AppCfg holds values that affect how the application functions
diff --git a/oauth.go b/oauth.go
index 67c4ac8..363999a 100644
--- a/oauth.go
+++ b/oauth.go
@@ -3,6 +3,7 @@ package writefreely
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
@@ -12,6 +13,8 @@ import (
 	"io"
 	"io/ioutil"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 )
 
@@ -71,17 +74,25 @@ type HttpClient interface {
 type oauthClient interface {
 	GetProvider() string
 	GetClientID() string
+	GetCallbackLocation() string
 	buildLoginURL(state string) (string, error)
 	exchangeOauthCode(ctx context.Context, code string) (*TokenResponse, error)
 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
 }
 
+type oauthStateRegisterer struct {
+	location         string
+	callbackLocation string
+	httpClient       HttpClient
+}
+
 type oauthHandler struct {
-	Config      *config.Config
-	DB          OAuthDatastore
-	Store       sessions.Store
-	EmailKey    []byte
-	oauthClient oauthClient
+	Config               *config.Config
+	DB                   OAuthDatastore
+	Store                sessions.Store
+	EmailKey             []byte
+	oauthClient          oauthClient
+	oauthStateRegisterer *oauthStateRegisterer
 }
 
 func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -90,6 +101,13 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
 	}
+
+	if h.oauthStateRegisterer != nil {
+		if err := h.oauthStateRegisterer.register(ctx, state); err != nil {
+			return impart.HTTPError{http.StatusInternalServerError, "could not register state location"}
+		}
+	}
+
 	location, err := h.oauthClient.buildLoginURL(state)
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
@@ -99,19 +117,36 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 
 func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().SlackOauth.ClientID != "" {
-		oauthClient := slackOauthClient{
-			ClientID:         app.Config().SlackOauth.ClientID,
-			ClientSecret:     app.Config().SlackOauth.ClientSecret,
-			TeamID:           app.Config().SlackOauth.TeamID,
-			CallbackLocation: app.Config().App.Host + "/oauth/callback",
-			HttpClient:       config.DefaultHTTPClient(),
+		var stateRegisterClient *oauthStateRegisterer = nil
+		if app.Config().SlackOauth.StateRegisterLocation != "" {
+			stateRegisterClient = &oauthStateRegisterer{
+				location:         app.Config().SlackOauth.StateRegisterLocation,
+				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				httpClient:       config.DefaultHTTPClient(),
+			}
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient)
+		oauthClient := slackOauthClient{
+			ClientID:     app.Config().SlackOauth.ClientID,
+			ClientSecret: app.Config().SlackOauth.ClientSecret,
+			TeamID:       app.Config().SlackOauth.TeamID,
+			HttpClient:   config.DefaultHTTPClient(),
+			//CallbackLocation: app.Config().App.Host + "/oauth/callback",
+			CallbackLocation: "http://localhost:5000/callback",
+		}
+		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
 }
 
 func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().WriteAsOauth.ClientID != "" {
+		var stateRegisterClient *oauthStateRegisterer = nil
+		if app.Config().WriteAsOauth.StateRegisterLocation != "" {
+			stateRegisterClient = &oauthStateRegisterer{
+				location:         app.Config().WriteAsOauth.StateRegisterLocation,
+				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				httpClient:       config.DefaultHTTPClient(),
+			}
+		}
 		oauthClient := writeAsOauthClient{
 			ClientID:         app.Config().WriteAsOauth.ClientID,
 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -119,19 +154,20 @@ func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
 			HttpClient:       config.DefaultHTTPClient(),
-			CallbackLocation: app.Config().App.Host + "/oauth/callback",
+			CallbackLocation: "http://localhost:5000/callback",
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient)
+		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
 }
 
-func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient) {
+func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, stateRegisterClient *oauthStateRegisterer) {
 	handler := &oauthHandler{
-		Config:      app.Config(),
-		DB:          app.DB(),
-		Store:       app.SessionStore(),
-		oauthClient: oauthClient,
-		EmailKey:    app.keys.EmailKey,
+		Config:               app.Config(),
+		DB:                   app.DB(),
+		Store:                app.SessionStore(),
+		oauthClient:          oauthClient,
+		EmailKey:             app.keys.EmailKey,
+		oauthStateRegisterer: stateRegisterClient,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
@@ -197,6 +233,29 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
+func (r *oauthStateRegisterer) register(ctx context.Context, state string) error {
+	form := url.Values{}
+	form.Add("state", state)
+	form.Add("location", r.callbackLocation)
+	req, err := http.NewRequestWithContext(ctx, "POST", r.location, strings.NewReader(form.Encode()))
+	if err != nil {
+		return err
+	}
+	req.Header.Set("User-Agent", "writefreely")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := r.httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != http.StatusCreated {
+		return errors.New("register state and location")
+	}
+
+	return nil
+}
+
 func limitedJsonUnmarshal(body io.ReadCloser, n int, thing interface{}) error {
 	lr := io.LimitReader(body, int64(n+1))
 	data, err := ioutil.ReadAll(lr)
diff --git a/oauth_slack.go b/oauth_slack.go
index 5a6f4ed..8cf4992 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -62,6 +62,10 @@ func (c slackOauthClient) GetClientID() string {
 	return c.ClientID
 }
 
+func (c slackOauthClient) GetCallbackLocation() string {
+	return c.CallbackLocation
+}
+
 func (c slackOauthClient) buildLoginURL(state string) (string, error) {
 	u, err := url.Parse(slackAuthLocation)
 	if err != nil {
diff --git a/oauth_writeas.go b/oauth_writeas.go
index eb12f64..6251a16 100644
--- a/oauth_writeas.go
+++ b/oauth_writeas.go
@@ -34,6 +34,10 @@ func (c writeAsOauthClient) GetClientID() string {
 	return c.ClientID
 }
 
+func (c writeAsOauthClient) GetCallbackLocation() string {
+	return c.CallbackLocation
+}
+
 func (c writeAsOauthClient) buildLoginURL(state string) (string, error) {
 	u, err := url.Parse(c.AuthLocation)
 	if err != nil {

From d66091a356fa1a1b22a83cd227cc7093b3de59db Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 7 Jan 2020 16:27:25 -0500
Subject: [PATCH 074/127] Bump Travis build to Go 1.13

---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.travis.yml b/.travis.yml
index 1e58d6b..fddc71c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - "1.11.x"
+  - "1.13.x"
 
 env:
   - GO111MODULE=on

From e5671cd1e6f811e210c00b0c228da9c59f3b6314 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 7 Jan 2020 16:51:40 -0500
Subject: [PATCH 075/127] Fix GetCollections() call

---
 account_import.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/account_import.go b/account_import.go
index 88a9a91..8d8a6e7 100644
--- a/account_import.go
+++ b/account_import.go
@@ -20,7 +20,7 @@ func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error
 	// Fetch extra user data
 	p := NewUserPage(app, r, u, "Import", nil)
 
-	c, err := app.db.GetCollections(u)
+	c, err := app.db.GetCollections(u, app.Config().App.Host)
 	if err != nil {
 		return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("unable to fetch collections: %v", err)}
 	}

From 5e765652719d7bbdaa5ff96a678fcf2bc1328708 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 21:47:23 -0500
Subject: [PATCH 076/127] Code cleanup per PR feedback. T712

---
 config/config.go | 22 +++++++------
 oauth.go         | 81 +++++++++++++++++++++++++-----------------------
 2 files changed, 55 insertions(+), 48 deletions(-)

diff --git a/config/config.go b/config/config.go
index 56f83a5..2616e9e 100644
--- a/config/config.go
+++ b/config/config.go
@@ -59,19 +59,21 @@ type (
 	}
 
 	WriteAsOauthCfg struct {
-		ClientID              string `ini:"client_id"`
-		ClientSecret          string `ini:"client_secret"`
-		AuthLocation          string `ini:"auth_location"`
-		TokenLocation         string `ini:"token_location"`
-		InspectLocation       string `ini:"inspect_location"`
-		StateRegisterLocation string `ini:"state_register_location"`
+		ClientID         string `ini:"client_id"`
+		ClientSecret     string `ini:"client_secret"`
+		AuthLocation     string `ini:"auth_location"`
+		TokenLocation    string `ini:"token_location"`
+		InspectLocation  string `ini:"inspect_location"`
+		CallbackProxy    string `ini:"callback_proxy"`
+		CallbackProxyAPI string `ini:"callback_proxy_api"`
 	}
 
 	SlackOauthCfg struct {
-		ClientID              string `ini:"client_id"`
-		ClientSecret          string `ini:"client_secret"`
-		TeamID                string `ini:"team_id"`
-		StateRegisterLocation string `ini:"state_register_location"`
+		ClientID         string `ini:"client_id"`
+		ClientSecret     string `ini:"client_secret"`
+		TeamID           string `ini:"team_id"`
+		CallbackProxy    string `ini:"callback_proxy"`
+		CallbackProxyAPI string `ini:"callback_proxy_api"`
 	}
 
 	// AppCfg holds values that affect how the application functions
diff --git a/oauth.go b/oauth.go
index 363999a..eb47c91 100644
--- a/oauth.go
+++ b/oauth.go
@@ -3,7 +3,6 @@ package writefreely
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"github.com/gorilla/mux"
 	"github.com/gorilla/sessions"
@@ -80,19 +79,19 @@ type oauthClient interface {
 	inspectOauthAccessToken(ctx context.Context, accessToken string) (*InspectResponse, error)
 }
 
-type oauthStateRegisterer struct {
-	location         string
+type callbackProxyClient struct {
+	server           string
 	callbackLocation string
 	httpClient       HttpClient
 }
 
 type oauthHandler struct {
-	Config               *config.Config
-	DB                   OAuthDatastore
-	Store                sessions.Store
-	EmailKey             []byte
-	oauthClient          oauthClient
-	oauthStateRegisterer *oauthStateRegisterer
+	Config        *config.Config
+	DB            OAuthDatastore
+	Store         sessions.Store
+	EmailKey      []byte
+	oauthClient   oauthClient
+	callbackProxy *callbackProxyClient
 }
 
 func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Request) error {
@@ -102,9 +101,9 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
 	}
 
-	if h.oauthStateRegisterer != nil {
-		if err := h.oauthStateRegisterer.register(ctx, state); err != nil {
-			return impart.HTTPError{http.StatusInternalServerError, "could not register state location"}
+	if h.callbackProxy != nil {
+		if err := h.callbackProxy.register(ctx, state); err != nil {
+			return impart.HTTPError{http.StatusInternalServerError, "could not register state server"}
 		}
 	}
 
@@ -117,21 +116,23 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 
 func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().SlackOauth.ClientID != "" {
-		var stateRegisterClient *oauthStateRegisterer = nil
-		if app.Config().SlackOauth.StateRegisterLocation != "" {
-			stateRegisterClient = &oauthStateRegisterer{
-				location:         app.Config().SlackOauth.StateRegisterLocation,
+		callbackLocation := app.Config().App.Host + "/oauth/callback"
+
+		var stateRegisterClient *callbackProxyClient = nil
+		if app.Config().SlackOauth.CallbackProxyAPI != "" {
+			stateRegisterClient = &callbackProxyClient{
+				server:           app.Config().SlackOauth.CallbackProxyAPI,
 				callbackLocation: app.Config().App.Host + "/oauth/callback",
 				httpClient:       config.DefaultHTTPClient(),
 			}
+			callbackLocation = app.Config().SlackOauth.CallbackProxy
 		}
 		oauthClient := slackOauthClient{
-			ClientID:     app.Config().SlackOauth.ClientID,
-			ClientSecret: app.Config().SlackOauth.ClientSecret,
-			TeamID:       app.Config().SlackOauth.TeamID,
-			HttpClient:   config.DefaultHTTPClient(),
-			//CallbackLocation: app.Config().App.Host + "/oauth/callback",
-			CallbackLocation: "http://localhost:5000/callback",
+			ClientID:         app.Config().SlackOauth.ClientID,
+			ClientSecret:     app.Config().SlackOauth.ClientSecret,
+			TeamID:           app.Config().SlackOauth.TeamID,
+			HttpClient:       config.DefaultHTTPClient(),
+			CallbackLocation: callbackLocation,
 		}
 		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
 	}
@@ -139,14 +140,18 @@ func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 
 func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().WriteAsOauth.ClientID != "" {
-		var stateRegisterClient *oauthStateRegisterer = nil
-		if app.Config().WriteAsOauth.StateRegisterLocation != "" {
-			stateRegisterClient = &oauthStateRegisterer{
-				location:         app.Config().WriteAsOauth.StateRegisterLocation,
+		callbackLocation := app.Config().App.Host + "/oauth/callback"
+
+		var callbackProxy *callbackProxyClient = nil
+		if app.Config().WriteAsOauth.CallbackProxy != "" {
+			callbackProxy = &callbackProxyClient{
+				server:           app.Config().WriteAsOauth.CallbackProxyAPI,
 				callbackLocation: app.Config().App.Host + "/oauth/callback",
 				httpClient:       config.DefaultHTTPClient(),
 			}
+			callbackLocation = app.Config().SlackOauth.CallbackProxy
 		}
+
 		oauthClient := writeAsOauthClient{
 			ClientID:         app.Config().WriteAsOauth.ClientID,
 			ClientSecret:     app.Config().WriteAsOauth.ClientSecret,
@@ -154,20 +159,20 @@ func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 			InspectLocation:  config.OrDefaultString(app.Config().WriteAsOauth.InspectLocation, writeAsIdentityLocation),
 			AuthLocation:     config.OrDefaultString(app.Config().WriteAsOauth.AuthLocation, writeAsAuthLocation),
 			HttpClient:       config.DefaultHTTPClient(),
-			CallbackLocation: "http://localhost:5000/callback",
+			CallbackLocation: callbackLocation,
 		}
-		configureOauthRoutes(parentHandler, r, app, oauthClient, stateRegisterClient)
+		configureOauthRoutes(parentHandler, r, app, oauthClient, callbackProxy)
 	}
 }
 
-func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, stateRegisterClient *oauthStateRegisterer) {
+func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauthClient oauthClient, callbackProxy *callbackProxyClient) {
 	handler := &oauthHandler{
-		Config:               app.Config(),
-		DB:                   app.DB(),
-		Store:                app.SessionStore(),
-		oauthClient:          oauthClient,
-		EmailKey:             app.keys.EmailKey,
-		oauthStateRegisterer: stateRegisterClient,
+		Config:        app.Config(),
+		DB:            app.DB(),
+		Store:         app.SessionStore(),
+		oauthClient:   oauthClient,
+		EmailKey:      app.keys.EmailKey,
+		callbackProxy: callbackProxy,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
 	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
@@ -233,11 +238,11 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	return h.showOauthSignupPage(app, w, r, tp, nil)
 }
 
-func (r *oauthStateRegisterer) register(ctx context.Context, state string) error {
+func (r *callbackProxyClient) register(ctx context.Context, state string) error {
 	form := url.Values{}
 	form.Add("state", state)
 	form.Add("location", r.callbackLocation)
-	req, err := http.NewRequestWithContext(ctx, "POST", r.location, strings.NewReader(form.Encode()))
+	req, err := http.NewRequestWithContext(ctx, "POST", r.server, strings.NewReader(form.Encode()))
 	if err != nil {
 		return err
 	}
@@ -250,7 +255,7 @@ func (r *oauthStateRegisterer) register(ctx context.Context, state string) error
 		return err
 	}
 	if resp.StatusCode != http.StatusCreated {
-		return errors.New("register state and location")
+		return fmt.Errorf("unable register state location: %d", resp.StatusCode)
 	}
 
 	return nil

From 6d79ed3cfdf3e2fcc80ed4938c68a5b04d85dcb0 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 21:52:51 -0500
Subject: [PATCH 077/127] Updating oauth form validation per PR feedback. T712

---
 oauth_signup.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index 53ad5c4..cf90af6 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -125,21 +125,18 @@ func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.R
 
 func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	username := r.FormValue(oauthParamUsername)
-	if len(username) < 5 {
+	if len(username) < h.Config.App.MinUsernameLen {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too short."}
 	}
-	if len(username) > 20 {
+	if len(username) > 100 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
 	}
 	alias := r.FormValue(oauthParamAlias)
-	if len(alias) < 5 {
+	if len(alias) == 0 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
 	}
-	if len(alias) > 20 {
-		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too long."}
-	}
 	password := r.FormValue("password")
-	if len(password) < 5 {
+	if len(password) == 0 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Password is too short."}
 	}
 	email := r.FormValue(oauthParamEmail)

From 8ddfce4f199a85aee3a205a91f7f229967132dee Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 7 Jan 2020 22:13:29 -0500
Subject: [PATCH 078/127] oauth signup page changes per PR feedback. T712

---
 pages/signup-oauth.tmpl | 112 ++++++++++++++++++++++++++++++++++------
 1 file changed, 96 insertions(+), 16 deletions(-)

diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 35810bb..34081cf 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -2,31 +2,111 @@
 <meta name="description" content="Log in to {{.SiteName}}.">
 <meta itemprop="description" content="Log in to {{.SiteName}}.">
 <style>input{margin-bottom:0.5em;}</style>
+<style type="text/css">
+h2 {
+	font-weight: normal;
+}
+#pricing.content-container div.form-container #payment-form {
+	display: block !important;
+}
+#pricing #signup-form table {
+	max-width: inherit !important;
+	width: 100%;
+}
+#pricing #payment-form table {
+	margin-top: 0 !important;
+	max-width: inherit !important;
+	width: 100%;
+}
+tr.subscription {
+	border-spacing: 0;
+}
+#pricing.content-container tr.subscription button {
+	margin-top: 0 !important;
+	margin-bottom: 0 !important;
+	width: 100%;
+}
+#pricing tr.subscription td {
+	padding: 0 0.5em;
+}
+#pricing table.billing > tbody > tr > td:first-child {
+	vertical-align: middle !important;
+}
+.billing-section {
+	display: none;
+}
+.billing-section.bill-me {
+	display: table-row;
+}
+#btn-create {
+	color: white !important;
+}
+#total-price {
+	padding-left: 0.5em;
+}
+#alias-site.demo {
+	color: #999;
+}
+#alias-site {
+	text-align: left;
+	margin: 0.5em 0;
+}
+form dd {
+	margin: 0;
+}
+</style>
 {{end}}
 {{define "content"}}
-<div class="tight content-container">
+<div id="pricing" class="tight content-container">
 	<h1>Log in to {{.SiteName}}</h1>
 
 	{{if .Flashes}}<ul class="errors">
 		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
 	</ul>{{end}}
 
-	<form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
-	    <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
-	    <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
-	    <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
-	    <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
-	    <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
-	    <input type="hidden" name="provider" value="{{ .Provider }}" />
-	    <input type="hidden" name="client_id" value="{{ .ClientID }}" />
-	    <input type="hidden" name="signature" value="{{ .TokenHash }}" />
+    <div id="billing">
+	    <form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
+	        <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
+	        <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
+	        <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
+	        <input type="hidden" name="token_email" value="{{ .TokenEmail }}" />
+	        <input type="hidden" name="token_remote_user" value="{{ .TokenRemoteUser }}" />
+	        <input type="hidden" name="provider" value="{{ .Provider }}" />
+	        <input type="hidden" name="client_id" value="{{ .ClientID }}" />
+	        <input type="hidden" name="signature" value="{{ .TokenHash }}" />
 
-		<input type="text" name="username" placeholder="Username" value="{{.Username}}" /><br />
-		<input type="text" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} /><br />
-		<input type="text" name="email" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} /><br />
-		<input type="password" name="password" placeholder="Password" /><br />
-		<input type="submit" id="btn-login" value="Login" />
-	</form>
+            <dl class="billing">
+                <label>
+                    <dt>Blog Title</dt>
+                    <dd>
+                        <input type="text" style="width: 100%; box-sizing: border-box;" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} />
+                    </dd>
+                </label>
+                <label>
+                    <dt>Username</dt>
+					<dd>
+		<input type="text" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.Username}}" /><br />
+		{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
+                    </dd>
+                </label>
+                <label>
+                    <dt>Email</dt>
+                    <dd>
+<input type="text" name="email" style="width: 100%; box-sizing: border-box;" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} />
+                    </dd>
+                </label>
+                <label>
+                    <dt>Password</dt>
+                    <dd>
+<input type="password" name="password" style="width: 100%; box-sizing: border-box;" placeholder="Password" /><br />
+                    </dd>
+                </label>
+                <dt>
+                    <input type="submit" id="btn-login" value="Login" />
+                </dt>
+            </dl>
+        </form>
+    </div>
 
 <script type="text/javascript">
 function disableSubmit() {

From 5b7f37aed8f70273c8d5fcd49abb6d4507476b86 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 11:16:26 -0500
Subject: [PATCH 079/127] Restyle Import page

- Changes Import link location in dropdown menu
- Makes design consistent with Invite People page (and extracts some
  common CSS into core.less)
- Selects the user's first blog by default in the dropdown
- Changes the copy a bit

Ref T609
---
 account_import.go                  |  2 +-
 less/core.less                     | 18 ++++++++++
 templates/user/import.tmpl         | 53 ++++++++++++++++++------------
 templates/user/include/header.tmpl |  4 +--
 templates/user/invite.tmpl         | 15 ++-------
 5 files changed, 55 insertions(+), 37 deletions(-)

diff --git a/account_import.go b/account_import.go
index 8d8a6e7..87882c6 100644
--- a/account_import.go
+++ b/account_import.go
@@ -18,7 +18,7 @@ import (
 
 func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
 	// Fetch extra user data
-	p := NewUserPage(app, r, u, "Import", nil)
+	p := NewUserPage(app, r, u, "Import Posts", nil)
 
 	c, err := app.db.GetCollections(u, app.Config().App.Host)
 	if err != nil {
diff --git a/less/core.less b/less/core.less
index 8844c84..c963e1a 100644
--- a/less/core.less
+++ b/less/core.less
@@ -1317,6 +1317,24 @@ form {
 		font-size: 0.86em;
 		line-height: 2;
 	}
+
+	&.prominent {
+		margin: 1em 0;
+
+		label {
+			font-weight: bold;
+		}
+		input, select {
+			width: 100%;
+		}
+		select {
+			font-size: 1em;
+			padding: 0.5rem;
+			display: block;
+			border-radius: 0.25rem;
+			margin: 0.5rem 0;
+		}
+	}
 }
 div.row {
 	display: flex;
diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index 0fd8a93..2b6a4c3 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -1,37 +1,48 @@
 {{define "import"}}
 {{template "header" .}}
+	<style>
+		input[type=file] {
+			padding: 0;
+			font-size: 0.86em;
+			display: block;
+			margin: 0.5rem 0;
+		}
+		label {
+			display: block;
+			margin: 1em 0;
+		}
+	</style>
 
 <div class="snug content-container">
+	<h1 id="import-header">Import posts</h1>
 	{{if .Message}}
 	<div class="alert {{if .InfoMsg}}info{{else}}success{{end}}">
 		<p>{{.Message}}</p>
 	</div>
 	{{end}}
-	<h2 id="posts-header">Import</h2>
-	<p>Upload text or markdown files to import as posts.</p>
+	{{if .Flashes}}
+		<ul class="errors">
+			{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
+		</ul>
+	{{end}}
+	<p>Publish plain text or Markdown files to your account by uploading them below.</p>
 	<div class="formContainer">
-		<form id="importPosts" class="import" enctype="multipart/form-data" action="/api/me/import" method="POST">
-			<label for="file" hidden>Browse files to upload</label>
-			<input class="fileInput" name="files" type="file" multiple accept="text/markdown, text/plain"/>
-			<br />
-			<label for="collection">Select a blog to import the posts under.</label>
-			<select name="collection">
-				{{range $i, $el := .Collections}}
-				<option value={{.Alias}}>
-					{{if .Title}}{{.Title}}{{else}}{{.Alias}}{{end}}
-				</option>
-				{{end}}
-				<option value="" selected>drafts</option>
-			</select>
-			<br />
+		<form id="importPosts" class="prominent" enctype="multipart/form-data" action="/api/me/import" method="POST">
+			<label>Select some files to import:
+				<input class="fileInput" name="files" type="file" multiple accept="text/markdown, text/plain"/>
+			</label>
+			<label>
+				Import these posts to:
+				<select name="collection">
+					{{range $i, $el := .Collections}}
+						<option value="{{.Alias}}" {{if eq $i 0}}selected{{end}}>{{.DisplayTitle}}</option>
+					{{end}}
+					<option value="">Drafts</option>
+				</select>
+			</label>
 			<input type="submit" value="Import" />
 		</form>
 	</div>
-	{{if .Flashes}}
-	<ul class="errors">
-		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
-	</ul>
-	{{end}}
 </div>
 
 {{template "footer" .}}
diff --git a/templates/user/include/header.tmpl b/templates/user/include/header.tmpl
index 3b57387..0704854 100644
--- a/templates/user/include/header.tmpl
+++ b/templates/user/include/header.tmpl
@@ -10,8 +10,8 @@
 						<li class="separator"><hr /></li>
 						{{if .IsAdmin}}<li><a href="/admin">Admin</a></li>{{end}}
 						<li><a href="/me/settings">Settings</a></li>
+						<li><a href="/me/import">Import posts</a></li>
 						<li><a href="/me/export">Export</a></li>
-						<li><a href="/me/import">Import</a></li>
 						<li class="separator"><hr /></li>
 						<li><a href="/me/logout">Log out</a></li>
 					</ul></li>
@@ -33,8 +33,8 @@
 				<ul><li><a>{{.Username}}</a> <img class="ic-18dp" src="/img/ic_down_arrow_dark@2x.png" /><ul>
 						{{if .IsAdmin}}<li><a href="/admin">Admin dashboard</a></li>{{end}}
 						<li><a href="/me/settings">Account settings</a></li>
+						<li><a href="/me/import">Import posts</a></li>
 						<li><a href="/me/export">Export</a></li>
-						<li><a href="/me/import">Import</a></li>
 						{{if .CanInvite}}<li><a href="/me/invites">Invite people</a></li>{{end}}
 						<li class="separator"><hr /></li>
 						<li><a href="/me/logout">Log out</a></li>
diff --git a/templates/user/invite.tmpl b/templates/user/invite.tmpl
index 1985bd5..4365e07 100644
--- a/templates/user/invite.tmpl
+++ b/templates/user/invite.tmpl
@@ -8,18 +8,7 @@
 	margin-left: 0.5em;
 	margin-right: 0;
 }
-label {
-	font-weight: bold;
-}
-select {
-	font-size: 1em;
-	width: 100%;
-	padding: 0.5rem;
-	display: block;
-	border-radius: 0.25rem;
-	margin: 0.5rem 0;
-}
-input, table.classy {
+table.classy {
 	width: 100%;
 }
 table.classy.export a {
@@ -34,7 +23,7 @@ table td {
 	<h1>Invite people</h1>
 	<p>Invite others to join <em>{{.SiteName}}</em> by generating and sharing invite links below.</p>
 
-	<form style="margin: 2em 0" action="/api/me/invites" method="post">
+	<form style="margin: 2em 0" class="prominent" action="/api/me/invites" method="post">
 		<div class="row">
 			<div class="half">
 				<label for="uses">Maximum number of uses:</label>

From 6860c0a3ff2352ee4c906c0be615f21495e5b304 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 12:08:06 -0500
Subject: [PATCH 080/127] Fix collection logic on import

- Only retrieve a collection from database if an alias is submitted
- Only call GetCollection() once (previously, it was inside the loop)
- Return error if user doesn't own the collection

Ref T609
---
 account_import.go | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/account_import.go b/account_import.go
index 87882c6..6a8d807 100644
--- a/account_import.go
+++ b/account_import.go
@@ -56,6 +56,27 @@ func viewImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error
 func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) error {
 	// limit 10MB per submission
 	r.ParseMultipartForm(10 << 20)
+
+	collAlias := r.PostFormValue("collection")
+	coll := &Collection{
+		ID: 0,
+	}
+	var err error
+	if collAlias != "" {
+		coll, err = app.db.GetCollection(collAlias)
+		if err != nil {
+			log.Error("Unable to get collection for import: %s", err)
+			return err
+		}
+		// Only allow uploading to collection if current user is owner
+		if coll.OwnerID != u.ID {
+			err := ErrUnauthorizedGeneral
+			_ = addSessionFlash(app, w, r, err.Message, nil)
+			return err
+		}
+		coll.hostName = app.cfg.App.Host
+	}
+
 	files := r.MultipartForm.File["files"]
 	var fileErrs []error
 	filesSubmitted := len(files)
@@ -105,14 +126,9 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			continue
 		}
 
-		post.Collection = r.PostFormValue("collection")
-		coll, _ := app.db.GetCollection(post.Collection)
-		if coll == nil {
-			coll = &Collection{
-				ID: 0,
-			}
+		if collAlias != "" {
+			post.Collection = collAlias
 		}
-		coll.hostName = app.cfg.App.Host
 		created := post.Created.Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,

From 03eeca179e00d045bce79b0377b587068f5dd31a Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 12:36:58 -0500
Subject: [PATCH 081/127] Fix potential resource leaks from defer calls in for
 loop

This moves file operations inside the `for` loop into an anonymous func,
so the `defer` calls don't wait until the end of the handler call to
actually execute.

Ref T609
---
 account_import.go | 59 +++++++++++++++++++++++++++--------------------
 1 file changed, 34 insertions(+), 25 deletions(-)

diff --git a/account_import.go b/account_import.go
index 6a8d807..d0f0f8f 100644
--- a/account_import.go
+++ b/account_import.go
@@ -82,36 +82,45 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 	filesSubmitted := len(files)
 	var filesImported int
 	for _, formFile := range files {
-		file, err := formFile.Open()
-		if err != nil {
-			fileErrs = append(fileErrs, fmt.Errorf("failed to open form file: %s", formFile.Filename))
-			log.Error("import textfile: open from form: %v", err)
-			continue
-		}
-		defer file.Close()
+		fname := ""
+		ok := func() bool {
+			file, err := formFile.Open()
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to open form file: %s", formFile.Filename))
+				log.Error("import textfile: open from form: %v", err)
+				return false
+			}
+			defer file.Close()
 
-		tempFile, err := ioutil.TempFile("", "post-upload-*.txt")
-		if err != nil {
-			fileErrs = append(fileErrs, fmt.Errorf("failed to create temporary file for: %s", formFile.Filename))
-			log.Error("import textfile: create temp file: %v", err)
-			continue
-		}
-		defer tempFile.Close()
+			tempFile, err := ioutil.TempFile("", "post-upload-*.txt")
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to create temporary file for: %s", formFile.Filename))
+				log.Error("import textfile: create temp file: %v", err)
+				return false
+			}
+			defer tempFile.Close()
 
-		_, err = io.Copy(tempFile, file)
-		if err != nil {
-			fileErrs = append(fileErrs, fmt.Errorf("failed to copy file into temporary location: %s", formFile.Filename))
-			log.Error("import textfile: copy to temp: %v", err)
+			_, err = io.Copy(tempFile, file)
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to copy file into temporary location: %s", formFile.Filename))
+				log.Error("import textfile: copy to temp: %v", err)
+				return false
+			}
+
+			info, err := tempFile.Stat()
+			if err != nil {
+				fileErrs = append(fileErrs, fmt.Errorf("failed to get file info of: %s", formFile.Filename))
+				log.Error("import textfile: stat temp file: %v", err)
+				return false
+			}
+			fname = info.Name()
+			return true
+		}()
+		if !ok {
 			continue
 		}
 
-		info, err := tempFile.Stat()
-		if err != nil {
-			fileErrs = append(fileErrs, fmt.Errorf("failed to get file info of: %s", formFile.Filename))
-			log.Error("import textfile: stat temp file: %v", err)
-			continue
-		}
-		post, err := wfimport.FromFile(filepath.Join(os.TempDir(), info.Name()))
+		post, err := wfimport.FromFile(filepath.Join(os.TempDir(), fname))
 		if err == wfimport.ErrEmptyFile {
 			// not a real error so don't log
 			_ = addSessionFlash(app, w, r, fmt.Sprintf("%s was empty, import skipped", formFile.Filename), nil)

From 18d3456a23be89229220e6dfc269ba64057ce137 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 13:29:07 -0500
Subject: [PATCH 082/127] Tweak user-facing upload errors + internal logs

Ref T609
---
 account_import.go | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/account_import.go b/account_import.go
index d0f0f8f..38cfcc3 100644
--- a/account_import.go
+++ b/account_import.go
@@ -86,31 +86,31 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 		ok := func() bool {
 			file, err := formFile.Open()
 			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to open form file: %s", formFile.Filename))
-				log.Error("import textfile: open from form: %v", err)
+				fileErrs = append(fileErrs, fmt.Errorf("Unable to read file %s", formFile.Filename))
+				log.Error("import file: open from form: %v", err)
 				return false
 			}
 			defer file.Close()
 
 			tempFile, err := ioutil.TempFile("", "post-upload-*.txt")
 			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to create temporary file for: %s", formFile.Filename))
-				log.Error("import textfile: create temp file: %v", err)
+				fileErrs = append(fileErrs, fmt.Errorf("Internal error for %s", formFile.Filename))
+				log.Error("import file: create temp file %s: %v", formFile.Filename, err)
 				return false
 			}
 			defer tempFile.Close()
 
 			_, err = io.Copy(tempFile, file)
 			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to copy file into temporary location: %s", formFile.Filename))
-				log.Error("import textfile: copy to temp: %v", err)
+				fileErrs = append(fileErrs, fmt.Errorf("Internal error for %s", formFile.Filename))
+				log.Error("import file: copy to temp location %s: %v", formFile.Filename, err)
 				return false
 			}
 
 			info, err := tempFile.Stat()
 			if err != nil {
-				fileErrs = append(fileErrs, fmt.Errorf("failed to get file info of: %s", formFile.Filename))
-				log.Error("import textfile: stat temp file: %v", err)
+				fileErrs = append(fileErrs, fmt.Errorf("Internal error for %s", formFile.Filename))
+				log.Error("import file: stat temp file %s: %v", formFile.Filename, err)
 				return false
 			}
 			fname = info.Name()

From f5d21c8c1a2fa90696989b255fc54e9b7ebdffce Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 13:29:30 -0500
Subject: [PATCH 083/127] Reorder federation check logic on upload

Ref T609
---
 account_import.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/account_import.go b/account_import.go
index 38cfcc3..abd38f1 100644
--- a/account_import.go
+++ b/account_import.go
@@ -152,9 +152,8 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 			continue
 		}
 
-		// create public post
-
-		if coll.ID != 0 && app.cfg.App.Federation {
+		// Federate post, if necessary
+		if app.cfg.App.Federation && coll.ID > 0 {
 			go federatePost(
 				app,
 				&PublicPost{

From 812136357e9ee2bf4aa940f64b3ebcfeed9a06e7 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 16:48:22 -0500
Subject: [PATCH 084/127] Move Format from DisplayCollection to CollectionObj

---
 collections.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/collections.go b/collections.go
index 66ad7a0..5c9a1b7 100644
--- a/collections.go
+++ b/collections.go
@@ -63,6 +63,7 @@ type (
 		TotalPosts int           `json:"total_posts"`
 		Owner      *User         `json:"owner,omitempty"`
 		Posts      *[]PublicPost `json:"posts,omitempty"`
+		Format     *CollectionFormat
 	}
 	DisplayCollection struct {
 		*CollectionObj
@@ -70,7 +71,6 @@ type (
 		IsTopLevel  bool
 		CurrentPage int
 		TotalPages  int
-		Format      *CollectionFormat
 		Suspended   bool
 	}
 	SubmittedCollection struct {
@@ -556,6 +556,13 @@ type CollectionPage struct {
 	CanInvite      bool
 }
 
+func NewCollectionObj(c *Collection) *CollectionObj {
+	return &CollectionObj{
+		Collection: *c,
+		Format:     c.NewFormat(),
+	}
+}
+
 func (c *CollectionObj) ScriptDisplay() template.JS {
 	return template.JS(c.Script)
 }
@@ -705,11 +712,10 @@ func checkUserForCollection(app *App, cr *collectionReq, r *http.Request, isPost
 
 func newDisplayCollection(c *Collection, cr *collectionReq, page int) *DisplayCollection {
 	coll := &DisplayCollection{
-		CollectionObj: &CollectionObj{Collection: *c},
+		CollectionObj: NewCollectionObj(c),
 		CurrentPage:   page,
 		Prefix:        cr.prefix,
 		IsTopLevel:    isSingleUser,
-		Format:        c.NewFormat(),
 	}
 	c.db.GetPostsCount(coll.CollectionObj, cr.isCollOwner)
 	return coll

From 9958a1122bac318f9f2f6f1dfeddec607d0ef602 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 9 Jan 2020 16:50:02 -0500
Subject: [PATCH 085/127] Show published date on post pages if Blog

Dates now display on blog post pages if the collection's chosen display
format is "Blog". It updates the chorus-collection-post template to now
respect this value (previously, it always showed the date).

Ref T669
---
 less/post-temp.less                   | 10 ++++++++++
 posts.go                              |  2 +-
 templates/chorus-collection-post.tmpl | 12 +-----------
 templates/collection-post.tmpl        |  2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/less/post-temp.less b/less/post-temp.less
index 3ec682d..8173864 100644
--- a/less/post-temp.less
+++ b/less/post-temp.less
@@ -17,6 +17,16 @@ body {
 				font-size: 1.6em;
 			}
 		}
+		article {
+			h2#title.dated {
+				margin-bottom: 0.5em;
+			}
+			time.dt-published {
+				display: block;
+				color: #666;
+				margin-bottom: 1em;
+			}
+		}
 	}
 }
 
diff --git a/posts.go b/posts.go
index 21ed1a1..d2fbcca 100644
--- a/posts.go
+++ b/posts.go
@@ -1354,7 +1354,7 @@ func viewCollectionPost(app *App, w http.ResponseWriter, r *http.Request) error
 
 	// Fetch extra data about the Collection
 	// TODO: refactor out this logic, shared in collection.go:fetchCollection()
-	coll := &CollectionObj{Collection: *c}
+	coll := NewCollectionObj(c)
 	owner, err := app.db.GetUserByID(coll.OwnerID)
 	if err != nil {
 		// Log the error and just continue
diff --git a/templates/chorus-collection-post.tmpl b/templates/chorus-collection-post.tmpl
index b9df8ad..0e1164b 100644
--- a/templates/chorus-collection-post.tmpl
+++ b/templates/chorus-collection-post.tmpl
@@ -37,16 +37,6 @@ body footer {
 }
 body#post header {
 	padding: 1em 1rem;
-}
-article time.dt-published {
-	display: block;
-	color: #666;
-}
-body#post article h2#title{
-	margin-bottom: 0.5em;
-}
-article time.dt-published {
-	margin-bottom: 1em;
 }
 	</style>
 
@@ -68,7 +58,7 @@ article time.dt-published {
 		{{if .Suspended}}
 			{{template "user-suspended"}}
 		{{end}}
-		<article id="post-body" class="{{.Font}} h-entry">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name">{{.FormattedDisplayTitle}}</h2>{{end}}{{/* TODO: check format: if .Collection.Format.ShowDates*/}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time><div class="e-content">{{.HTMLContent}}</div></article>
+		<article id="post-body" class="{{.Font}} h-entry">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
 
 		{{ if .Collection.ShowFooterBranding }}
 		<footer dir="ltr">
diff --git a/templates/collection-post.tmpl b/templates/collection-post.tmpl
index a194cf4..3dfa504 100644
--- a/templates/collection-post.tmpl
+++ b/templates/collection-post.tmpl
@@ -62,7 +62,7 @@
 		{{if .Suspended}}
 			{{template "user-suspended"}}
 		{{end}}
-		<article id="post-body" class="{{.Font}} h-entry {{if not .IsFound}}error-page{{end}}">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name">{{.FormattedDisplayTitle}}</h2>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
+		<article id="post-body" class="{{.Font}} h-entry {{if not .IsFound}}error-page{{end}}">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
 
 		{{ if .Collection.ShowFooterBranding }}
 		<footer dir="ltr"><hr><nav><p style="font-size: 0.9em">{{localhtml "published with write.as" .Language.String}}</p></nav></footer>

From a77d403dfbe70bfce584fff24a636a05afe20fc0 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <12125+ngerakines@users.noreply.github.com>
Date: Fri, 10 Jan 2020 16:16:43 -0500
Subject: [PATCH 086/127] Fixing bug in oauth callback URL registration.

Fixing a bug in the oauth callback URL registration where the lack of provider context was overwriting the previous oauth callback route registration call.
---
 oauth.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/oauth.go b/oauth.go
index eb47c91..2c7e2e8 100644
--- a/oauth.go
+++ b/oauth.go
@@ -116,13 +116,13 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 
 func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().SlackOauth.ClientID != "" {
-		callbackLocation := app.Config().App.Host + "/oauth/callback"
+		callbackLocation := app.Config().App.Host + "/oauth/callback/slack"
 
 		var stateRegisterClient *callbackProxyClient = nil
 		if app.Config().SlackOauth.CallbackProxyAPI != "" {
 			stateRegisterClient = &callbackProxyClient{
 				server:           app.Config().SlackOauth.CallbackProxyAPI,
-				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				callbackLocation: app.Config().App.Host + "/oauth/callback/slack",
 				httpClient:       config.DefaultHTTPClient(),
 			}
 			callbackLocation = app.Config().SlackOauth.CallbackProxy
@@ -140,13 +140,13 @@ func configureSlackOauth(parentHandler *Handler, r *mux.Router, app *App) {
 
 func configureWriteAsOauth(parentHandler *Handler, r *mux.Router, app *App) {
 	if app.Config().WriteAsOauth.ClientID != "" {
-		callbackLocation := app.Config().App.Host + "/oauth/callback"
+		callbackLocation := app.Config().App.Host + "/oauth/callback/write.as"
 
 		var callbackProxy *callbackProxyClient = nil
 		if app.Config().WriteAsOauth.CallbackProxy != "" {
 			callbackProxy = &callbackProxyClient{
 				server:           app.Config().WriteAsOauth.CallbackProxyAPI,
-				callbackLocation: app.Config().App.Host + "/oauth/callback",
+				callbackLocation: app.Config().App.Host + "/oauth/callback/write.as",
 				httpClient:       config.DefaultHTTPClient(),
 			}
 			callbackLocation = app.Config().SlackOauth.CallbackProxy
@@ -175,7 +175,7 @@ func configureOauthRoutes(parentHandler *Handler, r *mux.Router, app *App, oauth
 		callbackProxy: callbackProxy,
 	}
 	r.HandleFunc("/oauth/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthInit)).Methods("GET")
-	r.HandleFunc("/oauth/callback", parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
+	r.HandleFunc("/oauth/callback/"+oauthClient.GetProvider(), parentHandler.OAuth(handler.viewOauthCallback)).Methods("GET")
 	r.HandleFunc("/oauth/signup", parentHandler.OAuth(handler.viewOauthSignup)).Methods("POST")
 }
 

From f7995bee48fc1492865987c80fcceb67532d5432 Mon Sep 17 00:00:00 2001
From: Nick Gerakines <ngerakines@users.noreply.github.com>
Date: Tue, 14 Jan 2020 10:24:48 -0500
Subject: [PATCH 087/127] Fixing bug where display name was not set correctly.

---
 oauth.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/oauth.go b/oauth.go
index 2c7e2e8..caf8189 100644
--- a/oauth.go
+++ b/oauth.go
@@ -224,6 +224,11 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return nil
 	}
 
+	displayName := tokenInfo.DisplayName
+	if len(displayName) == 0 {
+		displayName = tokenInfo.Username
+	}
+
 	tp := &oauthSignupPageParams{
 		AccessToken:     tokenResponse.AccessToken,
 		TokenUsername:   tokenInfo.Username,

From f4c6ce76dd146a154363181e9e986785d3698b33 Mon Sep 17 00:00:00 2001
From: Matti R <matti@mdranta.net>
Date: Tue, 14 Jan 2020 11:55:55 -0500
Subject: [PATCH 088/127] Switch to a maintained fork of XGO

---
 Makefile | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Makefile b/Makefile
index 782e680..7fd7b49 100644
--- a/Makefile
+++ b/Makefile
@@ -25,31 +25,31 @@ build-no-sqlite: assets-no-sqlite deps-no-sqlite
 
 build-linux: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GOGET) -u github.com/karalabe/xgo; \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
 	fi
 	xgo --targets=linux/amd64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
 build-windows: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GOGET) -u github.com/karalabe/xgo; \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
 	fi
 	xgo --targets=windows/amd64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
 build-darwin: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GOGET) -u github.com/karalabe/xgo; \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
 	fi
 	xgo --targets=darwin/amd64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
 build-arm7: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GOGET) -u github.com/karalabe/xgo; \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
 	fi
 	xgo --targets=linux/arm-7, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
 build-arm64: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
-		$(GOGET) -u github.com/karalabe/xgo; \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
 	fi
 	xgo --targets=linux/arm64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
@@ -145,7 +145,7 @@ $(TMPBIN)/go-bindata: deps $(TMPBIN)
 	$(GOBUILD) -o $(TMPBIN)/go-bindata github.com/jteeuwen/go-bindata/go-bindata
 
 $(TMPBIN)/xgo: deps $(TMPBIN)
-	$(GOBUILD) -o $(TMPBIN)/xgo github.com/karalabe/xgo
+	$(GOBUILD) -o $(TMPBIN)/xgo src.techknowlogick.com/xgo
 
 ci-assets : $(TMPBIN)/go-bindata
 	$(TMPBIN)/go-bindata -pkg writefreely -ignore=\\.gitignore -tags="!wflib" schema.sql sqlite.sql

From aae2f28bb673aa1ce7bda51b29e8174ae11bd53d Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Tue, 14 Jan 2020 08:59:30 -0800
Subject: [PATCH 089/127] pass original file modified date for imports

---
 account_import.go          | 10 ++++++++++
 templates/user/import.tmpl | 16 ++++++++++++++--
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/account_import.go b/account_import.go
index abd38f1..b34f3a7 100644
--- a/account_import.go
+++ b/account_import.go
@@ -1,6 +1,7 @@
 package writefreely
 
 import (
+	"encoding/json"
 	"fmt"
 	"html/template"
 	"io"
@@ -9,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"time"
 
 	"github.com/hashicorp/go-multierror"
 	"github.com/writeas/impart"
@@ -77,6 +79,12 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 		coll.hostName = app.cfg.App.Host
 	}
 
+	fileDates := make(map[string]int64)
+	err = json.Unmarshal([]byte(r.FormValue("fileDates")), &fileDates)
+	if err != nil {
+		log.Error("invalid form data for file dates: %v", err)
+		return impart.HTTPError{http.StatusBadRequest, "form data for file dates was invalid"}
+	}
 	files := r.MultipartForm.File["files"]
 	var fileErrs []error
 	filesSubmitted := len(files)
@@ -138,6 +146,8 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 		if collAlias != "" {
 			post.Collection = collAlias
 		}
+		dateTime := time.Unix(fileDates[formFile.Filename], 0)
+		post.Created = &dateTime
 		created := post.Created.Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{
 			Title:   &post.Title,
diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index 2b6a4c3..7642023 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -29,8 +29,9 @@
 	<div class="formContainer">
 		<form id="importPosts" class="prominent" enctype="multipart/form-data" action="/api/me/import" method="POST">
 			<label>Select some files to import:
-				<input class="fileInput" name="files" type="file" multiple accept="text/markdown, text/plain"/>
+				<input id="fileInput" class="fileInput" name="files" type="file" multiple accept="text/markdown, text/plain"/>
 			</label>
+			<input id="fileDates" name="fileDates" hidden/>
 			<label>
 				Import these posts to:
 				<select name="collection">
@@ -40,10 +41,21 @@
 					<option value="">Drafts</option>
 				</select>
 			</label>
+			<script>
+				const fileInput = document.getElementById('fileInput');
+				const fileDates = document.getElementById('fileDates');
+				fileInput.addEventListener('change', (e) => {
+					const files = e.target.files;
+					let dateMap = {};
+					for (let file of files) {
+						dateMap[file.name] = file.lastModified;
+					}
+					fileDates.value = JSON.stringify(dateMap);
+				})
+			</script>
 			<input type="submit" value="Import" />
 		</form>
 	</div>
 </div>
-
 {{template "footer" .}}
 {{end}}

From 98ca449b664061e028f7526817973db1f512e6d2 Mon Sep 17 00:00:00 2001
From: Matti R <matti@mdranta.net>
Date: Tue, 14 Jan 2020 12:02:43 -0500
Subject: [PATCH 090/127] add arm-6

---
 Makefile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Makefile b/Makefile
index 7fd7b49..85f02d3 100644
--- a/Makefile
+++ b/Makefile
@@ -41,6 +41,12 @@ build-darwin: deps
 	fi
 	xgo --targets=darwin/amd64, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
 
+build-arm6: deps
+	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
+		$(GOGET) -u src.techknowlogick.com/xgo; \
+	fi
+	xgo --targets=linux/arm-6, -dest build/ $(LDFLAGS) -tags='sqlite' -out writefreely ./cmd/writefreely
+
 build-arm7: deps
 	@hash xgo > /dev/null 2>&1; if [ $$? -ne 0 ]; then \
 		$(GOGET) -u src.techknowlogick.com/xgo; \
@@ -85,6 +91,10 @@ release : clean ui assets
 	mv build/$(BINARY_NAME)-linux-amd64 $(BUILDPATH)/$(BINARY_NAME)
 	tar -cvzf $(BINARY_NAME)_$(GITREV)_linux_amd64.tar.gz -C build $(BINARY_NAME)
 	rm $(BUILDPATH)/$(BINARY_NAME)
+	$(MAKE) build-arm6
+	mv build/$(BINARY_NAME)-linux-arm-6 $(BUILDPATH)/$(BINARY_NAME)
+	tar -cvzf $(BINARY_NAME)_$(GITREV)_linux_arm6.tar.gz -C build $(BINARY_NAME)
+	rm $(BUILDPATH)/$(BINARY_NAME)
 	$(MAKE) build-arm7
 	mv build/$(BINARY_NAME)-linux-arm-7 $(BUILDPATH)/$(BINARY_NAME)
 	tar -cvzf $(BINARY_NAME)_$(GITREV)_linux_arm7.tar.gz -C build $(BINARY_NAME)

From 2b066997d131e298607bc6864bc17718871994c2 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 14 Jan 2020 12:21:11 -0500
Subject: [PATCH 091/127] Fix unix timestamp in file upload

File API gives timestamp in milliseconds, not seconds, so this converts
it correctly.

Ref T609
---
 account_import.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/account_import.go b/account_import.go
index b34f3a7..a7b5f25 100644
--- a/account_import.go
+++ b/account_import.go
@@ -146,7 +146,8 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 		if collAlias != "" {
 			post.Collection = collAlias
 		}
-		dateTime := time.Unix(fileDates[formFile.Filename], 0)
+		ts := fileDates[formFile.Filename] / 1000 // Get timestamp in seconds, not milliseconds
+		dateTime := time.Unix(ts, 0)
 		post.Created = &dateTime
 		created := post.Created.Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{

From 65e2e5126bb11ff32ba5d4cdf21c22e229a7a7ad Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 14 Jan 2020 12:24:57 -0500
Subject: [PATCH 092/127] Revert "Fix unix timestamp in file upload"

This reverts commit 2b066997d131e298607bc6864bc17718871994c2.
---
 account_import.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/account_import.go b/account_import.go
index a7b5f25..b34f3a7 100644
--- a/account_import.go
+++ b/account_import.go
@@ -146,8 +146,7 @@ func handleImport(app *App, u *User, w http.ResponseWriter, r *http.Request) err
 		if collAlias != "" {
 			post.Collection = collAlias
 		}
-		ts := fileDates[formFile.Filename] / 1000 // Get timestamp in seconds, not milliseconds
-		dateTime := time.Unix(ts, 0)
+		dateTime := time.Unix(fileDates[formFile.Filename], 0)
 		post.Created = &dateTime
 		created := post.Created.Format("2006-01-02T15:04:05Z")
 		submittedPost := SubmittedPost{

From 3e97625cca86484a2836befe418cfc7af3fc70ab Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Tue, 14 Jan 2020 12:26:02 -0500
Subject: [PATCH 093/127] Fix Unix timestamps on client during import

File API gives timestamp in milliseconds, not seconds, so this converts
it on the client-side and sends it the correct time to the server.

Ref T609
---
 templates/user/import.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/user/import.tmpl b/templates/user/import.tmpl
index 7642023..3400e2f 100644
--- a/templates/user/import.tmpl
+++ b/templates/user/import.tmpl
@@ -48,7 +48,7 @@
 					const files = e.target.files;
 					let dateMap = {};
 					for (let file of files) {
-						dateMap[file.name] = file.lastModified;
+						dateMap[file.name] = file.lastModified / 1000;
 					}
 					fileDates.value = JSON.stringify(dateMap);
 				})

From d2978597053e3526e85506184a51b9af4ca08fe1 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 12:18:21 -0500
Subject: [PATCH 094/127] Reserve the username "oauth"

---
 author/author.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/author/author.go b/author/author.go
index bf3bfe1..e2e9508 100644
--- a/author/author.go
+++ b/author/author.go
@@ -65,6 +65,7 @@ var reservedUsernames = map[string]bool{
 	"metadata":         true,
 	"new":              true,
 	"news":             true,
+	"oauth":            true,
 	"post":             true,
 	"posts":            true,
 	"privacy":          true,

From f2f779e4a2d2d64594f87f93d21313fa6d9b9d0d Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 12:24:10 -0500
Subject: [PATCH 095/127] Generate non-colliding usernames in all lowercase

All usernames should be lowercase, so this generates any username suffix
(in cases of collision) with only lowercase letters. It also removes
vowels to prevent bad 5-letter words from forming.

Ref T712
---
 oauth_slack.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth_slack.go b/oauth_slack.go
index 8cf4992..f700c2c 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -157,7 +157,7 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 	return &InspectResponse{
 		UserID:      resp.User.ID,
-		Username:    fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.Generate62RandomString(5)),
+		Username:    fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.GenerateRandomString("0123456789bcdfghjklmnpqrstvwxyz", 5)),
 		DisplayName: resp.User.Name,
 		Email:       resp.User.Email,
 	}

From 33a6129d1e4e548c87097306c5929858c04962ec Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 13:13:33 -0500
Subject: [PATCH 096/127] Add async username check on OAuth signup form

This checks the user's inputted username as they type it, and prevents
form submission if the name is taken.

Ref T712
---
 pages/signup-oauth.tmpl | 66 +++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 2 deletions(-)

diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 34081cf..3fd4255 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -65,7 +65,7 @@ form dd {
 	</ul>{{end}}
 
     <div id="billing">
-	    <form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="disableSubmit()">
+	    <form action="/oauth/signup" method="post" style="text-align: center;margin-top:1em;" onsubmit="return disableSubmit()">
 	        <input type="hidden" name="access_token" value="{{ .AccessToken }}" />
 	        <input type="hidden" name="token_username" value="{{ .TokenUsername }}" />
 	        <input type="hidden" name="token_alias" value="{{ .TokenAlias }}" />
@@ -85,7 +85,7 @@ form dd {
                 <label>
                     <dt>Username</dt>
 					<dd>
-		<input type="text" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.Username}}" /><br />
+		<input type="text" id="username" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.Username}}" /><br />
 		{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
                     </dd>
                 </label>
@@ -108,11 +108,73 @@ form dd {
         </form>
     </div>
 
+<script type="text/javascript" src="/js/h.js"></script>
 <script type="text/javascript">
+// Copied from signup.tmpl
+// NOTE: this element is named "alias" on signup.tmpl and "username" here
+var $alias = H.getEl('username');
+
 function disableSubmit() {
+    // Validate input
+    if (!aliasOK) {
+        var $a = $alias;
+        $a.el.className = 'error';
+        $a.el.focus();
+        $a.el.scrollIntoView();
+        return false;
+    }
+
 	var $btn = document.getElementById("btn-login");
 	$btn.value = "Logging in...";
 	$btn.disabled = true;
+	return true;
 }
+
+// Copied from signup.tmpl
+var $aliasSite = document.getElementById('alias-site');
+var aliasOK = true;
+var typingTimer;
+var doneTypingInterval = 750;
+var doneTyping = function() {
+    // Check on username
+    var alias = $alias.el.value;
+    if (alias != "") {
+        var params = {
+            username: alias
+        };
+        var http = new XMLHttpRequest();
+        http.open("POST", '/api/alias', true);
+
+        // Send the proper header information along with the request
+        http.setRequestHeader("Content-type", "application/json");
+
+        http.onreadystatechange = function() {
+            if (http.readyState == 4) {
+                data = JSON.parse(http.responseText);
+                if (http.status == 200) {
+                    aliasOK = true;
+                    $alias.removeClass('error');
+                    $aliasSite.className = $aliasSite.className.replace(/(?:^|\s)demo(?!\S)/g, '');
+                    $aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
+                    $aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
+                } else {
+                    aliasOK = false;
+                    $alias.setClass('error');
+                    $aliasSite.className = 'error';
+                    $aliasSite.textContent = data.error_msg;
+                }
+            }
+        }
+        http.send(JSON.stringify(params));
+    } else {
+        $aliasSite.className += ' demo';
+        $aliasSite.innerHTML = '{{ if .Federation }}@<strong>your-username</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>your-username</strong>/{{ end }}';
+    }
+};
+$alias.on('keyup input', function() {
+    clearTimeout(typingTimer);
+    typingTimer = setTimeout(doneTyping, doneTypingInterval);
+});
+doneTyping();
 </script>
 {{end}}

From 4d5c89e7efec6fad7b3fae7f36f92f0c58a9b30a Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 13:37:44 -0500
Subject: [PATCH 097/127] Fix false login state on OAuth signup page

Having a `Username` field populated in the page data tells the base
template to display navigation that only a logged in user should see. So
this renames the field to `LoginUsername`, similar to our login.tmpl
page.

Ref T712
---
 oauth_signup.go         | 12 ++++++------
 pages/signup-oauth.tmpl |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index cf90af6..96b9936 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -29,9 +29,9 @@ type viewOauthSignupVars struct {
 	ClientID        string
 	TokenHash       string
 
-	Username string
-	Alias    string
-	Email    string
+	LoginUsername string
+	Alias         string
+	Email         string
 }
 
 const (
@@ -184,9 +184,9 @@ func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *ht
 		ClientID:        tp.ClientID,
 		TokenHash:       tp.TokenHash,
 
-		Username: username,
-		Alias:    alias,
-		Email:    email,
+		LoginUsername: username,
+		Alias:         collTitle,
+		Email:         email,
 	}
 
 	// Display any error messages
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 3fd4255..40cc2e6 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -85,7 +85,7 @@ form dd {
                 <label>
                     <dt>Username</dt>
 					<dd>
-		<input type="text" id="username" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.Username}}" /><br />
+		<input type="text" id="username" name="username" style="width: 100%; box-sizing: border-box;" placeholder="Username" value="{{.LoginUsername}}" /><br />
 		{{if .Federation}}<p id="alias-site" class="demo">@<strong>your-username</strong>@{{.FriendlyHost}}</p>{{else}}<p id="alias-site" class="demo">{{.FriendlyHost}}/<strong>your-username</strong></p>{{end}}
                     </dd>
                 </label>

From 6842ab2e3be7ffae9ce46a0613714a95cc1dd135 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 13:50:37 -0500
Subject: [PATCH 098/127] Rename collTitle from alias

"alias" is the name of a different collection field, so this renames the
variable internally to make things clearer.
---
 oauth_signup.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index 96b9936..58071c6 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -22,7 +22,7 @@ type viewOauthSignupVars struct {
 
 	AccessToken     string
 	TokenUsername   string
-	TokenAlias      string
+	TokenAlias      string // TODO: rename this to match the data it represents: the collection title
 	TokenEmail      string
 	TokenRemoteUser string
 	Provider        string
@@ -30,7 +30,7 @@ type viewOauthSignupVars struct {
 	TokenHash       string
 
 	LoginUsername string
-	Alias         string
+	Alias         string // TODO: rename this to match the data it represents: the collection title
 	Email         string
 }
 
@@ -52,7 +52,7 @@ const (
 type oauthSignupPageParams struct {
 	AccessToken     string
 	TokenUsername   string
-	TokenAlias      string
+	TokenAlias      string // TODO: rename this to match the data it represents: the collection title
 	TokenEmail      string
 	TokenRemoteUser string
 	ClientID        string
@@ -131,8 +131,8 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	if len(username) > 100 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Username is too long."}
 	}
-	alias := r.FormValue(oauthParamAlias)
-	if len(alias) == 0 {
+	collTitle := r.FormValue(oauthParamAlias)
+	if len(collTitle) == 0 {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
 	}
 	password := r.FormValue("password")
@@ -151,7 +151,7 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 
 func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *http.Request, tp *oauthSignupPageParams, errMsg error) error {
 	username := tp.TokenUsername
-	alias := tp.TokenAlias
+	collTitle := tp.TokenAlias
 	email := tp.TokenEmail
 
 	session, err := app.sessionStore.Get(r, cookieName)
@@ -164,7 +164,7 @@ func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *ht
 		username = tmpValue
 	}
 	if tmpValue := r.FormValue(oauthParamAlias); len(tmpValue) > 0 {
-		alias = tmpValue
+		collTitle = tmpValue
 	}
 	if tmpValue := r.FormValue(oauthParamEmail); len(tmpValue) > 0 {
 		email = tmpValue

From 130c9eb7475d93ab7d3a4a016c26d09ce3a8464c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 13:58:14 -0500
Subject: [PATCH 099/127] Change Blog Title to Display Name in OAuth signup

Ref T712
---
 oauth_signup.go         | 2 +-
 pages/signup-oauth.tmpl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index 58071c6..5b960ca 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -133,7 +133,7 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	}
 	collTitle := r.FormValue(oauthParamAlias)
 	if len(collTitle) == 0 {
-		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Alias is too short."}
+		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Display name is too short."}
 	}
 	password := r.FormValue("password")
 	if len(password) == 0 {
diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 40cc2e6..21e8ed5 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -77,9 +77,9 @@ form dd {
 
             <dl class="billing">
                 <label>
-                    <dt>Blog Title</dt>
+                    <dt>Display Name</dt>
                     <dd>
-                        <input type="text" style="width: 100%; box-sizing: border-box;" name="alias" placeholder="Alias"{{ if .Alias }} value="{{.Alias}}"{{ end }} />
+                        <input type="text" style="width: 100%; box-sizing: border-box;" name="alias" placeholder="Name"{{ if .Alias }} value="{{.Alias}}"{{ end }} />
                     </dd>
                 </label>
                 <label>

From b5a38efd2853f2cd81a7875b5a1ff4d41edef086 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:09:42 -0500
Subject: [PATCH 100/127] Fall back to username as coll title on OAuth signup

This uses the given username as the Display Name / Collection Title if a
user doesn't give one -- as might happen when authenticating with
Write.as.

Ref T712
---
 oauth_signup.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index 5b960ca..d1fa9b5 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -133,7 +133,7 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	}
 	collTitle := r.FormValue(oauthParamAlias)
 	if len(collTitle) == 0 {
-		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Display name is too short."}
+		collTitle = username
 	}
 	password := r.FormValue("password")
 	if len(password) == 0 {

From f7dabd39c2c86337323d58d2fd62513a37ef6f2e Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:25:33 -0500
Subject: [PATCH 101/127] Skip password requirement on OAuth signup

This makes it possible to complete OAuth signup without creating a
password on the WriteFreely instance.

A user can then add a password to their account through their Account
Settings page without any admin action (all of this logic is already in
place).

Ref T715 T712
---
 oauth_signup.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/oauth_signup.go b/oauth_signup.go
index d1fa9b5..10d2306 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -91,14 +91,20 @@ func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.R
 		return h.showOauthSignupPage(app, w, r, tp, err)
 	}
 
-	hashedPass, err := auth.HashPass([]byte(r.FormValue(oauthParamPassword)))
-	if err != nil {
-		return h.showOauthSignupPage(app, w, r, tp, fmt.Errorf("unable to hash password"))
+	var err error
+	hashedPass := []byte{}
+	clearPass := r.FormValue(oauthParamPassword)
+	hasPass := clearPass != ""
+	if hasPass {
+		hashedPass, err = auth.HashPass([]byte(clearPass))
+		if err != nil {
+			return h.showOauthSignupPage(app, w, r, tp, fmt.Errorf("unable to hash password"))
+		}
 	}
 	newUser := &User{
 		Username:   r.FormValue(oauthParamUsername),
 		HashedPass: hashedPass,
-		HasPass:    true,
+		HasPass:    hasPass,
 		Email:      prepareUserEmail(r.FormValue(oauthParamEmail), h.EmailKey),
 		Created:    time.Now().Truncate(time.Second).UTC(),
 	}
@@ -135,10 +141,6 @@ func (h oauthHandler) validateOauthSignup(r *http.Request) error {
 	if len(collTitle) == 0 {
 		collTitle = username
 	}
-	password := r.FormValue("password")
-	if len(password) == 0 {
-		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Password is too short."}
-	}
 	email := r.FormValue(oauthParamEmail)
 	if len(email) > 0 {
 		parts := strings.Split(email, "@")

From 803dd78df5ea27096ef7b5b05d1f50d50ee729aa Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:30:09 -0500
Subject: [PATCH 102/127] Remove Password field from OAuth signup page

This removes a bit of friction.

Ref T715 T712
---
 pages/signup-oauth.tmpl | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/pages/signup-oauth.tmpl b/pages/signup-oauth.tmpl
index 21e8ed5..ecf5db0 100644
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@@ -95,12 +95,6 @@ form dd {
 <input type="text" name="email" style="width: 100%; box-sizing: border-box;" placeholder="Email"{{ if .Email }} value="{{.Email}}"{{ end }} />
                     </dd>
                 </label>
-                <label>
-                    <dt>Password</dt>
-                    <dd>
-<input type="password" name="password" style="width: 100%; box-sizing: border-box;" placeholder="Password" /><br />
-                    </dd>
-                </label>
                 <dt>
                     <input type="submit" id="btn-login" value="Login" />
                 </dt>

From dcdd4dd1ef19170e22f47ebef4be30a698fcd7eb Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:39:18 -0500
Subject: [PATCH 103/127] Add and update copyright notices

---
 author/author.go |  2 +-
 oauth_signup.go  | 10 ++++++++++
 oauth_slack.go   | 10 ++++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/author/author.go b/author/author.go
index e2e9508..0114905 100644
--- a/author/author.go
+++ b/author/author.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
diff --git a/oauth_signup.go b/oauth_signup.go
index 10d2306..220afbd 100644
--- a/oauth_signup.go
+++ b/oauth_signup.go
@@ -1,3 +1,13 @@
+/*
+ * Copyright © 2020 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
 package writefreely
 
 import (
diff --git a/oauth_slack.go b/oauth_slack.go
index f700c2c..1db3613 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -1,3 +1,13 @@
+/*
+ * Copyright © 2020 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
 package writefreely
 
 import (

From c1ec6b26051ee76f63d12f9581218fe479bf8f64 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:43:32 -0500
Subject: [PATCH 104/127] Fix copyright years in oauth_slack.go

---
 oauth_slack.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/oauth_slack.go b/oauth_slack.go
index 1db3613..35db156 100644
--- a/oauth_slack.go
+++ b/oauth_slack.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2020 A Bunch Tell LLC.
+ * Copyright © 2019-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *

From 8e09e72979128d1d16d28df0df17e544037da9f0 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 16 Jan 2020 14:47:23 -0500
Subject: [PATCH 105/127] Require authenticated user for editor access

Previously, anyone could access the editor even if they weren't logged
in. They couldn't do much in that case (publishing would fail), but it
could potentially cause some confusion.

Now, users will be sent to the login page, and then redirected back to
the editor once successfully logged in.
---
 routes.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routes.go b/routes.go
index 7784d71..ba531fb 100644
--- a/routes.go
+++ b/routes.go
@@ -169,9 +169,9 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	draftEditPrefix := ""
 	if apper.App().cfg.App.SingleUser {
 		draftEditPrefix = "/d"
-		write.HandleFunc("/me/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET")
+		write.HandleFunc("/me/new", handler.Web(handleViewPad, UserLevelUser)).Methods("GET")
 	} else {
-		write.HandleFunc("/new", handler.Web(handleViewPad, UserLevelOptional)).Methods("GET")
+		write.HandleFunc("/new", handler.Web(handleViewPad, UserLevelUser)).Methods("GET")
 	}
 
 	// All the existing stuff

From 2c075c0347a4d123bc260eb935e1becd67edb2bc Mon Sep 17 00:00:00 2001
From: Rob Loranger <dev@loranger.xyz>
Date: Sun, 19 Jan 2020 15:57:58 -0800
Subject: [PATCH 106/127] update upgrade script for recent changes

changes accounted for
- the tar directory structure had changed to use a subdirectory
- there are now multiple linux targets released

bugs
- the service must be stopped before replacing the binary
- migrations were not being run during an upgrade
---
 scripts/upgrade-server.sh | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/scripts/upgrade-server.sh b/scripts/upgrade-server.sh
index c8e004a..ef10452 100755
--- a/scripts/upgrade-server.sh
+++ b/scripts/upgrade-server.sh
@@ -31,7 +31,7 @@ fi
 # go ahead and check for the latest release on linux
 echo "Checking for updates..."
 
-url=`curl -s https://api.github.com/repos/writeas/writefreely/releases/latest | grep 'browser_' | grep linux | cut -d\" -f4`
+url=`curl -s https://api.github.com/repos/writeas/writefreely/releases/latest | grep 'browser_' | grep 'linux' | grep 'amd64' | cut -d\" -f4`
 
 # check current version
 
@@ -82,13 +82,25 @@ filename=${parts[-1]}
 echo "Extracting files..."
 tar -zxf $tempdir/$filename -C $tempdir
 
+# stop service
+echo "Stopping writefreely systemd service..."
+if `systemctl start writefreely`; then
+	echo "Success, service stopped."
+else
+	echo "Upgrade failed to stop the systemd service, exiting early."
+	exit 1
+fi
+
 # copy files
 echo "Copying files..."
-cp -r $tempdir/{pages,static,templates,writefreely} .
+cp -r $tempdir/writefreely/{pages,static,templates,writefreely} .
+
+# migrate db
+./writefreely -migrate
 
 # restart service
 echo "Restarting writefreely systemd service..."
-if `systemctl restart writefreely`; then
+if `systemctl start writefreely`; then
 	echo "Success, version has been upgraded to $latest."
 else
 	echo "Upgrade complete, but failed to restart service."

From b336e95e1244007426a4c3fb66d7691424c9d3ed Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 20 Jan 2020 15:20:45 -0500
Subject: [PATCH 107/127] Render HTML entities in Drafts list

Previously, we'd show the raw HTML entities in the summaries of Draft
posts, instead of rendering them. This fixes that.
---
 posts.go                     | 4 ++++
 templates/user/articles.tmpl | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/posts.go b/posts.go
index d2fbcca..608f2fc 100644
--- a/posts.go
+++ b/posts.go
@@ -229,6 +229,10 @@ func (p Post) Summary() string {
 	return shortPostDescription(p.Content)
 }
 
+func (p Post) SummaryHTML() template.HTML {
+	return template.HTML(p.Summary())
+}
+
 // Excerpt shows any text that comes before a (more) tag.
 // TODO: use HTMLExcerpt in templates instead of this method
 func (p *Post) Excerpt() template.HTML {
diff --git a/templates/user/articles.tmpl b/templates/user/articles.tmpl
index 3edb89c..5dbe47b 100644
--- a/templates/user/articles.tmpl
+++ b/templates/user/articles.tmpl
@@ -34,7 +34,7 @@
 			{{end}}
 			{{ end }}
 		</h4>
-		{{if .Summary}}<p>{{.Summary}}</p>{{end}}
+		{{if .Summary}}<p>{{.SummaryHTML}}</p>{{end}}
 	</div>{{end}}
 </div>{{ else }}<div id="no-posts-published"><p>You haven't saved any drafts yet.</p>
 	<p>They'll show up here once you do. {{if not .SingleUser}}Find your blog posts from the <a href="/me/c/">Blogs</a> page.{{end}}</p>

From 30032e74a0199c247aea8f0efdeb0a6f28c63db3 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Mon, 20 Jan 2020 15:25:37 -0500
Subject: [PATCH 108/127] Add helpful text on Drafts page

---
 templates/user/articles.tmpl | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/templates/user/articles.tmpl b/templates/user/articles.tmpl
index 5dbe47b..16fb4e3 100644
--- a/templates/user/articles.tmpl
+++ b/templates/user/articles.tmpl
@@ -12,7 +12,10 @@
 
 <h2 id="posts-header">drafts</h2>
 
-{{ if .AnonymousPosts }}<div class="atoms posts">
+{{ if .AnonymousPosts }}
+	<p>These are your draft posts. You can share them individually (without a blog) or move them to your blog when you're ready.</p>
+
+	<div class="atoms posts">
 	{{ range $el := .AnonymousPosts }}<div id="post-{{.ID}}" class="post">
 		<h3><a href="/{{if $.SingleUser}}d/{{end}}{{.ID}}" itemprop="url">{{.DisplayTitle}}</a></h3>
 		<h4>
@@ -36,8 +39,9 @@
 		</h4>
 		{{if .Summary}}<p>{{.SummaryHTML}}</p>{{end}}
 	</div>{{end}}
-</div>{{ else }}<div id="no-posts-published"><p>You haven't saved any drafts yet.</p>
-	<p>They'll show up here once you do. {{if not .SingleUser}}Find your blog posts from the <a href="/me/c/">Blogs</a> page.{{end}}</p>
+</div>{{ else }}<div id="no-posts-published">
+	<p>Your anonymous and draft posts will show up here once you've published some. You'll be able to share them individually (without a blog) or move them to a blog when you're ready.</p>
+	{{if not .SingleUser}}<p>Alternatively, see your blogs and their posts on your <a href="/me/c/">Blogs</a> page.</p>{{end}}
 	<p class="text-cta"><a href="{{if .SingleUser}}/me/new{{else}}/{{end}}">Start writing</a></p></div>{{ end }}
 
 <div id="moving"></div>

From ae1a892be00d4b38486658b658a12bd14420194d Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 04:56:23 -0500
Subject: [PATCH 109/127] Upgrade gorilla/sessions to v1.2.0

This gets rid of the gorilla/context dependency, which might have been
causing a memory leak.

We noticed some serious memory leakage on Write.as that seemed to point
to this library. One heap snapshot:

      flat  flat%   sum%        cum   cum%
  259.13MB 30.41% 30.41%   268.13MB 31.46%  net/textproto.(*Reader).ReadMIMEHeader
  105.71MB 12.40% 42.81%   105.71MB 12.40%  github.com/gorilla/context.Set
   78.53MB  9.21% 52.03%   125.53MB 14.73%  github.com/gorilla/sessions.(*Registry).Get
   55.51MB  6.51% 58.54%    82.52MB  9.68%  net/http.(*Request).WithContext
   38.01MB  4.46% 63.00%    38.01MB  4.46%  github.com/gorilla/mux.extractVars
      35MB  4.11% 67.11%       53MB  6.22%  context.WithCancel
   34.50MB  4.05% 71.16%    34.50MB  4.05%  context.WithValue
      27MB  3.17% 74.32%       27MB  3.17%  net/http.cloneURL
      26MB  3.05% 77.38%       26MB  3.05%  github.com/gorilla/sessions.NewSession
      18MB  2.11% 79.49%       18MB  2.11%  context.(*cancelCtx).Done
   16.50MB  1.94% 81.42%    16.50MB  1.94%  syscall.anyToSockaddr
      14MB  1.64% 83.07%       47MB  5.52%  github.com/gorilla/sessions.(*CookieStore).New
   13.50MB  1.58% 84.65%    51.51MB  6.04%  github.com/gorilla/mux.(*Route).Match
   11.67MB  1.37% 86.02%    13.21MB  1.55%  regexp.(*Regexp).replaceAll
    9.72MB  1.14% 87.16%    22.94MB  2.69%  regexp.(*Regexp).ReplaceAllString
    9.50MB  1.11% 88.28%   115.21MB 13.52%  github.com/gorilla/sessions.GetRegistry

With the help of these articles, we tracked it down to this dependency,
and upgraded the library, which seems to have completely fixed the issue
so far:

https://rover.rocks/golang-memory-leak/
https://medium.com/@walterwu_22843/golang-memory-leak-while-handling-huge-amount-of-http-request-35cc970cb75e

This should fix #133
---
 go.mod | 2 +-
 go.sum | 6 ++----
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index f6aa8b7..adfcccb 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/gorilla/feeds v1.1.0
 	github.com/gorilla/mux v1.7.0
 	github.com/gorilla/schema v1.0.2
-	github.com/gorilla/sessions v1.1.3
+	github.com/gorilla/sessions v1.2.0
 	github.com/guregu/null v3.4.0+incompatible
 	github.com/hashicorp/go-multierror v1.0.0
 	github.com/ikeikeikeike/go-sitemap-generator v1.0.1
diff --git a/go.sum b/go.sum
index 5b8b88a..f958de2 100644
--- a/go.sum
+++ b/go.sum
@@ -46,8 +46,6 @@ github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc h1:cJlkeAx1QYgO5N80aF5xRGstVsRQwgLR7uA2FnP1ZjY=
 github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
-github.com/gorilla/context v1.1.1 h1:AWwleXJkX/nhcU9bZSnZoi3h/qGYqQAGhq6zZe/aQW8=
-github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
 github.com/gorilla/feeds v1.1.0 h1:pcgLJhbdYgaUESnj3AmXPcB7cS3vy63+jC/TI14AGXk=
 github.com/gorilla/feeds v1.1.0/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
 github.com/gorilla/mux v1.7.0 h1:tOSd0UKHQd6urX6ApfOn4XdBMY6Sh1MfxV3kmaazO+U=
@@ -56,8 +54,8 @@ github.com/gorilla/schema v1.0.2 h1:sAgNfOcNYvdDSrzGHVy9nzCQahG+qmsg+nE8dK85QRA=
 github.com/gorilla/schema v1.0.2/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
-github.com/gorilla/sessions v1.1.3 h1:uXoZdcdA5XdXF3QzuSlheVRUvjl+1rKY7zBXL68L9RU=
-github.com/gorilla/sessions v1.1.3/go.mod h1:8KCfur6+4Mqcc6S0FEfKuN15Vl5MgXW92AE8ovaJD0w=
+github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ=
+github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/guregu/null v3.4.0+incompatible h1:a4mw37gBO7ypcBlTJeZGuMpSxxFTV9qFfFKgWxQSGaM=
 github.com/guregu/null v3.4.0+incompatible/go.mod h1:ePGpQaN9cw0tj45IR5E5ehMvsFlLlQZAkkOXZurJ3NM=
 github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA=

From 8fce34b70b039b5ff9528ad8494a6f4a7921ae6c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 05:24:22 -0500
Subject: [PATCH 110/127] Tidy up Go mod files

---
 go.mod |  6 ++----
 go.sum | 10 ----------
 2 files changed, 2 insertions(+), 14 deletions(-)

diff --git a/go.mod b/go.mod
index adfcccb..519a6ea 100644
--- a/go.mod
+++ b/go.mod
@@ -18,10 +18,8 @@ require (
 	github.com/gorilla/sessions v1.2.0
 	github.com/guregu/null v3.4.0+incompatible
 	github.com/hashicorp/go-multierror v1.0.0
-	github.com/ikeikeikeike/go-sitemap-generator v1.0.1
 	github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2
 	github.com/jtolds/gls v4.2.1+incompatible // indirect
-	github.com/kr/pretty v0.1.0
 	github.com/kylemcc/twitter-text-go v0.0.0-20180726194232-7f582f6736ec
 	github.com/lunixbochs/vtclean v1.0.0 // indirect
 	github.com/manifoldco/promptui v0.3.2
@@ -32,7 +30,7 @@ require (
 	github.com/nicksnyder/go-i18n v1.10.0 // indirect
 	github.com/nu7hatch/gouuid v0.0.0-20131221200532-179d4d0c4d8d
 	github.com/pelletier/go-toml v1.2.0 // indirect
-	github.com/pkg/errors v0.8.1
+	github.com/pkg/errors v0.8.1 // indirect
 	github.com/rainycape/unidecode v0.0.0-20150907023854-cb7f23ec59be // indirect
 	github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 // indirect
 	github.com/smartystreets/goconvey v0.0.0-20181108003508-044398e4856c // indirect
@@ -53,7 +51,7 @@ require (
 	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
 	golang.org/x/net v0.0.0-20190206173232-65e2d4e15006 // indirect
 	golang.org/x/sys v0.0.0-20190209173611-3b5209105503 // indirect
-	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67
+	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67 // indirect
 	google.golang.org/appengine v1.4.0 // indirect
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
 	gopkg.in/ini.v1 v1.41.0
diff --git a/go.sum b/go.sum
index f958de2..4cb46da 100644
--- a/go.sum
+++ b/go.sum
@@ -62,8 +62,6 @@ github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/U
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.0.0 h1:iVjPR7a6H0tWELX5NxNe7bYopibicUzc7uPribsnS6o=
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
-github.com/ikeikeikeike/go-sitemap-generator v1.0.1 h1:49Fn8gro/B12vCY8pf5/+/Jpr3kwB9TvP0MSymo69SY=
-github.com/ikeikeikeike/go-sitemap-generator v1.0.1/go.mod h1:QI+zWsz6yQyxkG9LWNcnu0f7aiAE5tPdsZOsICgmd1c=
 github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2 h1:wIdDEle9HEy7vBPjC6oKz6ejs3Ut+jmsYvuOoAW2pSM=
 github.com/ikeikeikeike/go-sitemap-generator/v2 v2.0.2/go.mod h1:WtaVKD9TeruTED9ydiaOJU08qGoEPP/LyzTKiD3jEsw=
 github.com/jtolds/gls v4.2.1+incompatible h1:fSuqC+Gmlu6l/ZYAoZzx2pyucC8Xza35fpRVWLVmUEE=
@@ -135,12 +133,6 @@ github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
 github.com/writeas/impart v1.1.0/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
 github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d h1:PK7DOj3JE6MGf647esPrKzXEHFjGWX2hl22uX79ixaE=
 github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
-github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06 h1:S6oKKP8GhSoyZUvVuhO9UiQ9f+U1aR/x5B4MP7YQHaU=
-github.com/writeas/import v0.0.0-20190815214647-baae8acd8d06/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
-github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e h1:31PkvDTWkjzC1nGzWw9uAE92ZfcVyFX/K9L9ejQjnEs=
-github.com/writeas/import v0.0.0-20190815235139-628d10daaa9e/go.mod h1:f3K8z7YnJwKnPIT4h7980n9C6cQb4DIB2QcxVCTB7lE=
-github.com/writeas/import v0.1.1 h1:SbYltT+nxrJBUe0xQWJqeKMHaupbxV0a6K3RtwcE4yY=
-github.com/writeas/import v0.1.1/go.mod h1:gFe0Pl7ZWYiXbI0TJxeMMyylPGZmhVvCfQxhMEc8CxM=
 github.com/writeas/import v0.2.0 h1:Ov23JW9Rnjxk06rki1Spar45bNX647HhwhAZj3flJiY=
 github.com/writeas/import v0.2.0/go.mod h1:gFe0Pl7ZWYiXbI0TJxeMMyylPGZmhVvCfQxhMEc8CxM=
 github.com/writeas/monday v0.0.0-20181024183321-54a7dd579219 h1:baEp0631C8sT2r/hqwypIw2snCFZa6h7U6TojoLHu/c=
@@ -154,8 +146,6 @@ github.com/writeas/saturday v1.7.1 h1:lYo1EH6CYyrFObQoA9RNWHVlpZA5iYL5Opxo7PYAnZ
 github.com/writeas/saturday v1.7.1/go.mod h1:ETE1EK6ogxptJpAgUbcJD0prAtX48bSloie80+tvnzQ=
 github.com/writeas/slug v1.2.0 h1:EMQ+cwLiOcA6EtFwUgyw3Ge18x9uflUnOnR6bp/J+/g=
 github.com/writeas/slug v1.2.0/go.mod h1:RE8shOqQP3YhsfsQe0L3RnuejfQ4Mk+JjY5YJQFubfQ=
-github.com/writeas/web-core v1.0.0 h1:5VKkCakQgdKZcbfVKJXtRpc5VHrkflusCl/KRCPzpQ0=
-github.com/writeas/web-core v1.0.0/go.mod h1:Si3chV7VWgY8CsV+3gRolMXSO2Vx1ZFAQ/mkrpvmyEE=
 github.com/writeas/web-core v1.2.0 h1:CYqvBd+byi1cK4mCr1NZ6CjILuMOFmiFecv+OACcmG0=
 github.com/writeas/web-core v1.2.0/go.mod h1:vTYajviuNBAxjctPp2NUYdgjofywVkxUGpeaERF3SfI=
 github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAvRLR7F8ss=

From be0885698e5afdaf689d23f54e1798cf9ce56160 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 05:46:59 -0500
Subject: [PATCH 111/127] Change "restarting" to "starting" in upgrade script

---
 scripts/upgrade-server.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/upgrade-server.sh b/scripts/upgrade-server.sh
index ef10452..36281bf 100755
--- a/scripts/upgrade-server.sh
+++ b/scripts/upgrade-server.sh
@@ -99,7 +99,7 @@ cp -r $tempdir/writefreely/{pages,static,templates,writefreely} .
 ./writefreely -migrate
 
 # restart service
-echo "Restarting writefreely systemd service..."
+echo "Starting writefreely systemd service..."
 if `systemctl start writefreely`; then
 	echo "Success, version has been upgraded to $latest."
 else

From b25cec8381006780f39a0433fef4ddaa03ca6545 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 05:49:12 -0500
Subject: [PATCH 112/127] Update copyright in upgrade script

---
 scripts/upgrade-server.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/upgrade-server.sh b/scripts/upgrade-server.sh
index 36281bf..581085d 100755
--- a/scripts/upgrade-server.sh
+++ b/scripts/upgrade-server.sh
@@ -11,7 +11,7 @@
 ##	have not installed the binary `writefreely` in another location.     ##
 ###############################################################################
 #
-#	Copyright © 2019 A Bunch Tell LLC.
+#	Copyright © 2019-2020 A Bunch Tell LLC.
 #
 #	This file is part of WriteFreely.
 #

From 4d5f58a7e65733f1fe6e4c8819708abdfcc295cd Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 06:42:32 -0500
Subject: [PATCH 113/127] Fix date-based post header links

Posts without an explicit title render the date as the post header in
lists of posts (like on the blog index and tag pages). This updates
localdate.js to properly adjust those dates, too.
---
 static/js/localdate.js | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/static/js/localdate.js b/static/js/localdate.js
index 19fa502..879ebe4 100644
--- a/static/js/localdate.js
+++ b/static/js/localdate.js
@@ -1,9 +1,16 @@
-function toLocalDate(el) {
-	var d = new Date(el.getAttribute("datetime"));
-	el.textContent = d.toLocaleDateString(navigator.language || "en-US", { year: 'numeric', month: 'long', day: 'numeric' });
+function toLocalDate(dateEl, displayEl) {
+	var d = new Date(dateEl.getAttribute("datetime"));
+	displayEl.textContent = d.toLocaleDateString(navigator.language || "en-US", { year: 'numeric', month: 'long', day: 'numeric' });
 }
 
-var $dates = document.querySelectorAll("time");
+// Adjust dates on individual post pages, and on posts in a list *with* an explicit title
+var $dates = document.querySelectorAll("article > time");
 for (var i=0; i < $dates.length; i++) {
-	toLocalDate($dates[i]);
+	toLocalDate($dates[i], $dates[i]);
 }
+
+// Adjust dates on posts in a list without an explicit title, where they act as the header
+$dates = document.querySelectorAll("h2.post-title > time");
+for (i=0; i < $dates.length; i++) {
+	toLocalDate($dates[i], $dates[i].querySelector('a'));
+}
\ No newline at end of file

From 50901d2446ca9dc473a3820778aaff5aae250607 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 13:01:21 -0500
Subject: [PATCH 114/127] Fix date format in `datetime` attribute

Previously, the date format in this attribute for posts was invalid.
This caused local date rendering to fail in Firefox. This fixes that.

Closes #253
---
 templates/chorus-collection-post.tmpl | 2 +-
 templates/collection-post.tmpl        | 2 +-
 templates/include/posts.tmpl          | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/templates/chorus-collection-post.tmpl b/templates/chorus-collection-post.tmpl
index c231b64..f88e334 100644
--- a/templates/chorus-collection-post.tmpl
+++ b/templates/chorus-collection-post.tmpl
@@ -58,7 +58,7 @@ body#post header {
 		{{if .Suspended}}
 			{{template "user-suspended"}}
 		{{end}}
-		<article id="post-body" class="{{.Font}} h-entry">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
+		<article id="post-body" class="{{.Font}} h-entry">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
 
 		{{ if .Collection.ShowFooterBranding }}
 		<footer dir="ltr">
diff --git a/templates/collection-post.tmpl b/templates/collection-post.tmpl
index 00535b9..a8c105b 100644
--- a/templates/collection-post.tmpl
+++ b/templates/collection-post.tmpl
@@ -62,7 +62,7 @@
 		{{if .Suspended}}
 			{{template "user-suspended"}}
 		{{end}}
-		<article id="post-body" class="{{.Font}} h-entry {{if not .IsFound}}error-page{{end}}">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
+		<article id="post-body" class="{{.Font}} h-entry {{if not .IsFound}}error-page{{end}}">{{if .IsScheduled}}<p class="badge">Scheduled</p>{{end}}{{if .Title.String}}<h2 id="title" class="p-name{{if $.Collection.Format.ShowDates}} dated{{end}}">{{.FormattedDisplayTitle}}</h2>{{end}}{{if $.Collection.Format.ShowDates}}<time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}">{{.DisplayDate}}</time>{{end}}<div class="e-content">{{.HTMLContent}}</div></article>
 
 		{{ if .Collection.ShowFooterBranding }}
 		<footer dir="ltr"><hr><nav><p style="font-size: 0.9em">{{localhtml "published with write.as" .Language.String}}</p></nav></footer>
diff --git a/templates/include/posts.tmpl b/templates/include/posts.tmpl
index 514f69f..b1ccbf2 100644
--- a/templates/include/posts.tmpl
+++ b/templates/include/posts.tmpl
@@ -21,10 +21,10 @@
 			{{end}}
 		{{end}}
 	</h2>
-	{{if $.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{if not .Title.String}}<a href="{{$.CanonicalURL}}{{.Slug.String}}" itemprop="url">{{end}}{{.DisplayDate}}{{if not .Title.String}}</a>{{end}}</time>{{end}}
+	{{if $.Format.ShowDates}}<time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}">{{if not .Title.String}}<a href="{{$.CanonicalURL}}{{.Slug.String}}" itemprop="url">{{end}}{{.DisplayDate}}{{if not .Title.String}}</a>{{end}}</time>{{end}}
 {{else}}
 <h2 class="post-title" itemprop="name">
-	{{if $.Format.ShowDates}}<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}"><a href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{$.CanonicalURL}}{{.Slug.String}}{{end}}" itemprop="url" class="u-url">{{.DisplayDate}}</a></time>{{end}}
+	{{if $.Format.ShowDates}}<time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}"><a href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{$.CanonicalURL}}{{.Slug.String}}{{end}}" itemprop="url" class="u-url">{{.DisplayDate}}</a></time>{{end}}
 	{{if $.IsOwner}}
 		{{if not $.Format.ShowDates}}<a class="user hidden action" href="{{if not $.SingleUser}}/{{$.Alias}}/{{.Slug.String}}{{else}}{{$.CanonicalURL}}{{.Slug.String}}{{end}}">view</a>{{end}}
 		<a class="user hidden action" href="/{{if not $.SingleUser}}{{$.Alias}}/{{end}}{{.Slug.String}}/edit">edit</a>

From 5de2f633e15ace6f931feef333ca1f9fdeaba1b6 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Wed, 29 Jan 2020 13:03:04 -0500
Subject: [PATCH 115/127] Fix localdate.js not included on Tags page

---
 templates/collection-tags.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/collection-tags.tmpl b/templates/collection-tags.tmpl
index 2f79bbb..93cd7e0 100644
--- a/templates/collection-tags.tmpl
+++ b/templates/collection-tags.tmpl
@@ -75,9 +75,9 @@
 		{{range .ExternalScripts}}<script type="text/javascript" src="{{.}}" async></script>{{end}}
 		{{if .Collection.Script}}<script type="text/javascript">{{.ScriptDisplay}}</script>{{end}}
 	{{end}}
+	<script src="/js/localdate.js"></script>
 	{{if .IsOwner}}
 	<script src="/js/h.js"></script>
-	<script src="/js/localdate.js"></script>
 	<script src="/js/postactions.js"></script>
 	{{end}}
 	<script type="text/javascript">

From bc9455db4fda0d8846113aaae69fba72021420b5 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Thu, 30 Jan 2020 10:20:50 +0100
Subject: [PATCH 116/127] Fix datetime attributes on read.tmpl

---
 templates/read.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/read.tmpl b/templates/read.tmpl
index 7b43995..ddcccdd 100644
--- a/templates/read.tmpl
+++ b/templates/read.tmpl
@@ -88,9 +88,9 @@
 		<section itemscope itemtype="http://schema.org/Blog">
 			{{range .Posts}}<article class="{{.Font}} h-entry" itemscope itemtype="http://schema.org/BlogPosting">
 			{{if .Title.String}}<h2 class="post-title" itemprop="name" class="p-name"><a href="{{if .Slug.String}}{{.Collection.CanonicalURL}}{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}.md{{end}}" itemprop="url" class="u-url">{{.PlainDisplayTitle}}</a></h2>
-			<time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}">{{if not .Title.String}}<a href="{{.Collection.CanonicalURL}}{{.Slug.String}}" itemprop="url">{{end}}{{.DisplayDate}}{{if not .Title.String}}</a>{{end}}</time>
+			<time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}">{{if not .Title.String}}<a href="{{.Collection.CanonicalURL}}{{.Slug.String}}" itemprop="url">{{end}}{{.DisplayDate}}{{if not .Title.String}}</a>{{end}}</time>
 			{{else}}
-			<h2 class="post-title" itemprop="name"><time class="dt-published" datetime="{{.Created}}" pubdate itemprop="datePublished" content="{{.Created}}"><a href="{{if .Collection}}{{.Collection.CanonicalURL}}{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}.md{{end}}" itemprop="url" class="u-url">{{.DisplayDate}}</a></time></h2>
+			<h2 class="post-title" itemprop="name"><time class="dt-published" datetime="{{.Created8601}}" pubdate itemprop="datePublished" content="{{.Created}}"><a href="{{if .Collection}}{{.Collection.CanonicalURL}}{{.Slug.String}}{{else}}{{.CanonicalURL .Host}}.md{{end}}" itemprop="url" class="u-url">{{.DisplayDate}}</a></time></h2>
 			{{end}}
 			<p class="source">{{if .Collection}}from <a href="{{.Collection.CanonicalURL}}">{{.Collection.DisplayTitle}}</a>{{else}}<em>Anonymous</em>{{end}}</p>
 			{{if .Excerpt}}<div class="p-summary" {{if .Language}}lang="{{.Language.String}}"{{end}} dir="{{.Direction}}">{{.Excerpt}}</div>

From 0ed3059bd73541ead143acc7805e315e0f0e197e Mon Sep 17 00:00:00 2001
From: Matti R <matti@mdranta.net>
Date: Fri, 31 Jan 2020 16:34:36 -0500
Subject: [PATCH 117/127] add xgo to go mod

---
 go.mod | 1 +
 go.sum | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/go.mod b/go.mod
index 5c5e936..b215792 100644
--- a/go.mod
+++ b/go.mod
@@ -55,6 +55,7 @@ require (
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
 	gopkg.in/ini.v1 v1.41.0
 	gopkg.in/yaml.v2 v2.2.2 // indirect
+	src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b // indirect
 )
 
 go 1.13
diff --git a/go.sum b/go.sum
index 0c9d05d..6c675fa 100644
--- a/go.sum
+++ b/go.sum
@@ -176,3 +176,5 @@ gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+p
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b h1:rPAdjgXks4ToezTjygsnKZroxKVnA1L35DSpsJXPtfc=
+src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b/go.mod h1:31CE1YKtDOrKTk9PSnjTpe6YbO6W/0LTYZ1VskL09oU=

From bb63e648835f58a3e5938b266d1da0461340e9bb Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 12:10:47 -0500
Subject: [PATCH 118/127] Clean up getProfilePageFromHandle

- Export the func
- Remove commented-out code
- Use log, not fmt for debug messages
- Remove named return parameters
- Use standard var naming schemes
- Fix spacing in queries and remove unnecessary chars
---
 collections.go |  6 +++---
 database.go    | 19 ++++++++++---------
 posts.go       |  4 ++--
 3 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/collections.go b/collections.go
index 447d657..8ee88f1 100644
--- a/collections.go
+++ b/collections.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -861,13 +861,13 @@ func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error {
 	vars := mux.Vars(r)
 	handle := vars["handle"]
 
-	remoteUser, err := app.db.getProfilePageFromHandle(app, handle)
+	remoteUser, err := app.db.GetProfilePageFromHandle(app, handle)
 	if err != nil {
 		log.Error("Couldn't find this user "+handle, err)
 		return nil
 	}
 
-	return impart.HTTPError{Status: http.StatusFound, Message: remoteUser} 
+	return impart.HTTPError{Status: http.StatusFound, Message: remoteUser}
 }
 
 func handleViewCollectionTag(app *App, w http.ResponseWriter, r *http.Request) error {
diff --git a/database.go b/database.go
index 7d4bfc0..eca09d7 100644
--- a/database.go
+++ b/database.go
@@ -2557,18 +2557,17 @@ func handleFailedPostInsert(err error) error {
 	return err
 }
 
-func (db *datastore) getProfilePageFromHandle(app *App, handle string) (actorIRI string, err error) {
-	remoteuser, errRemoteUser := getRemoteUserFromHandle(app, handle)
-	if errRemoteUser != nil {
+func (db *datastore) GetProfilePageFromHandle(app *App, handle string) (string, error) {
+	actorIRI := ""
+	remoteUser, err := getRemoteUserFromHandle(app, handle)
+	if err != nil {
 		// can't find using handle in the table but the table may already have this user without
 		// handle from a previous version
 		actorIRI = RemoteLookup(handle)
 		_, errRemoteUser := getRemoteUser(app, actorIRI)
 		// if it exists then we need to update the handle
 		if errRemoteUser == nil {
-			// query := "UPDATE remoteusers SET handle='" + handle + "' WHERE actor_id='" + iri + "';"
-			// log.Info(query)
-			_, err := app.db.Exec("UPDATE remoteusers SET handle=? WHERE actor_id=?;", handle, actorIRI)
+			_, err := app.db.Exec("UPDATE remoteusers SET handle = ? WHERE actor_id = ?", handle, actorIRI)
 			if err != nil {
 				log.Error("Can't update handle (" + handle + ") in database for user " + actorIRI)
 			}
@@ -2579,15 +2578,17 @@ func (db *datastore) getProfilePageFromHandle(app *App, handle string) (actorIRI
 			if err != nil {
 				log.Error("Couldn't fetch remote actor", err)
 			}
-			fmt.Println(actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
-			_, err = app.db.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox, handle) VALUES( ?, ?, ?, ?)", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+			if debugging {
+				log.Info("%s %s %s %s", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
+			}
+			_, err = app.db.Exec("INSERT INTO remoteusers (actor_id, inbox, shared_inbox, handle) VALUES(?, ?, ?, ?)", actorIRI, remoteActor.GetInbox(), remoteActor.GetSharedInbox(), handle)
 			if err != nil {
 				log.Error("Can't insert remote user in database", err)
 				return "", err
 			}
 		}
 	} else {
-		actorIRI = remoteuser.ActorID
+		actorIRI = remoteUser.ActorID
 	}
 	return actorIRI, nil
 }
diff --git a/posts.go b/posts.go
index 5115c92..a918531 100644
--- a/posts.go
+++ b/posts.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018-2019 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -1176,7 +1176,7 @@ func (p *PublicPost) ActivityObject(app *App) *activitystreams.Object {
 	mentions := mentionRegex.FindAllString(content, -1)
 
 	for _, handle := range mentions {
-		actorIRI, err := app.db.getProfilePageFromHandle(app, handle)
+		actorIRI, err := app.db.GetProfilePageFromHandle(app, handle)
 		if err != nil {
 			log.Info("Can't find this user either in the database nor in the remote instance")
 			return nil

From 81edb739dda0db3368349a4ef809cbc1c7bdc2a0 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 12:19:08 -0500
Subject: [PATCH 119/127] Fix mention links

by making them absolute, not relative.
---
 postrender.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/postrender.go b/postrender.go
index 1b25598..2f03f85 100644
--- a/postrender.go
+++ b/postrender.go
@@ -87,7 +87,7 @@ func applyMarkdownSpecial(data []byte, skipNoFollow bool, baseURL string, cfg *c
 			tagPrefix = "/read/t/"
 		}
 		md = []byte(hashtagReg.ReplaceAll(md, []byte("<a href=\""+tagPrefix+"$1\" class=\"hashtag\"><span>#</span><span class=\"p-category\">$1</span></a>")))
-		handlePrefix := "/mention:"
+		handlePrefix := cfg.App.Host + "/mention:"
 		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$0\" class=\"mention\">$0</a>")))
 	}
 	// Strip out bad HTML

From 867eb53b3596bd7b3f2be3c53a3faf857f4cd36d Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 12:55:10 -0500
Subject: [PATCH 120/127] Show 404 when remote user not found

This notifies the user that the remote user doesn't exist, instead of
showing a blank page.

Ref T627
---
 collections.go | 6 +++---
 errors.go      | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/collections.go b/collections.go
index 8ee88f1..189b4e4 100644
--- a/collections.go
+++ b/collections.go
@@ -862,9 +862,9 @@ func handleViewMention(app *App, w http.ResponseWriter, r *http.Request) error {
 	handle := vars["handle"]
 
 	remoteUser, err := app.db.GetProfilePageFromHandle(app, handle)
-	if err != nil {
-		log.Error("Couldn't find this user "+handle, err)
-		return nil
+	if err != nil || remoteUser == "" {
+		log.Error("Couldn't find user %s: %v", handle, err)
+		return ErrRemoteUserNotFound
 	}
 
 	return impart.HTTPError{Status: http.StatusFound, Message: remoteUser}
diff --git a/errors.go b/errors.go
index c0d435c..1da713a 100644
--- a/errors.go
+++ b/errors.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -45,8 +45,9 @@ var (
 	ErrPostUnpublished        = impart.HTTPError{Status: http.StatusGone, Message: "Post unpublished by author."}
 	ErrPostFetchError         = impart.HTTPError{Status: http.StatusInternalServerError, Message: "We encountered an error getting the post. The humans have been alerted."}
 
-	ErrUserNotFound      = impart.HTTPError{http.StatusNotFound, "User doesn't exist."}
-	ErrUserNotFoundEmail = impart.HTTPError{http.StatusNotFound, "Please enter your username instead of your email address."}
+	ErrUserNotFound       = impart.HTTPError{http.StatusNotFound, "User doesn't exist."}
+	ErrRemoteUserNotFound = impart.HTTPError{http.StatusNotFound, "Remote user not found."}
+	ErrUserNotFoundEmail  = impart.HTTPError{http.StatusNotFound, "Please enter your username instead of your email address."}
 
 	ErrUserSuspended = impart.HTTPError{http.StatusForbidden, "Account is silenced."}
 )

From eac223158af8e5b69d2a08044c80c1cc2b3fd114 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 12:57:49 -0500
Subject: [PATCH 121/127] Move remote user URL to /@/

from /mention:

Ref T627
---
 postrender.go | 6 +++---
 routes.go     | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/postrender.go b/postrender.go
index 2f03f85..4afa42a 100644
--- a/postrender.go
+++ b/postrender.go
@@ -38,7 +38,7 @@ var (
 	titleElementReg = regexp.MustCompile("</?h[1-6]>")
 	hashtagReg      = regexp.MustCompile(`{{\[\[\|\|([^|]+)\|\|\]\]}}`)
 	markeddownReg   = regexp.MustCompile("<p>(.+)</p>")
-	mentionReg      = regexp.MustCompile(`@[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]+\b`)
+	mentionReg      = regexp.MustCompile(`@([A-Za-z0-9._%+-]+)(@[A-Za-z0-9.-]+\.[A-Za-z]+)\b`)
 )
 
 func (p *Post) formatContent(cfg *config.Config, c *Collection, isOwner bool) {
@@ -87,8 +87,8 @@ func applyMarkdownSpecial(data []byte, skipNoFollow bool, baseURL string, cfg *c
 			tagPrefix = "/read/t/"
 		}
 		md = []byte(hashtagReg.ReplaceAll(md, []byte("<a href=\""+tagPrefix+"$1\" class=\"hashtag\"><span>#</span><span class=\"p-category\">$1</span></a>")))
-		handlePrefix := cfg.App.Host + "/mention:"
-		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$0\" class=\"mention\">$0</a>")))
+		handlePrefix := cfg.App.Host + "/@/"
+		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$1$2\" class=\"mention\">@$1$2</a>")))
 	}
 	// Strip out bad HTML
 	policy := getSanitizationPolicy()
diff --git a/routes.go b/routes.go
index a3676f6..266299b 100644
--- a/routes.go
+++ b/routes.go
@@ -71,7 +71,7 @@ func InitRoutes(apper Apper, r *mux.Router) *mux.Router {
 	write.HandleFunc(niCfg.InfoURL, handler.LogHandlerFunc(http.HandlerFunc(ni.NodeInfo)))
 
 	// handle mentions
-	write.HandleFunc("/mention:{handle}", handler.Web(handleViewMention, UserLevelReader))
+	write.HandleFunc("/@/{handle}", handler.Web(handleViewMention, UserLevelReader))
 
 	configureSlackOauth(handler, write, apper.App())
 	configureWriteAsOauth(handler, write, apper.App())

From 457051106d9db8e739f7bfb8db878aeda9fb8e80 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 13:04:23 -0500
Subject: [PATCH 122/127] Add u-url class and span in mention link

Ref T627
---
 postrender.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/postrender.go b/postrender.go
index 4afa42a..e70c0d5 100644
--- a/postrender.go
+++ b/postrender.go
@@ -88,7 +88,7 @@ func applyMarkdownSpecial(data []byte, skipNoFollow bool, baseURL string, cfg *c
 		}
 		md = []byte(hashtagReg.ReplaceAll(md, []byte("<a href=\""+tagPrefix+"$1\" class=\"hashtag\"><span>#</span><span class=\"p-category\">$1</span></a>")))
 		handlePrefix := cfg.App.Host + "/@/"
-		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$1$2\" class=\"mention\">@$1$2</a>")))
+		md = []byte(mentionReg.ReplaceAll(md, []byte("<a href=\""+handlePrefix+"$1$2\" class=\"u-url mention\">@<span>$1$2</span></a>")))
 	}
 	// Strip out bad HTML
 	policy := getSanitizationPolicy()

From ca4b0acf6028522b75cbf3db64d143b5eb6e100f Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 13:05:09 -0500
Subject: [PATCH 123/127] Fix error logging format in RemoteLookup

---
 webfinger.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/webfinger.go b/webfinger.go
index 3cf0ba7..d9976f9 100644
--- a/webfinger.go
+++ b/webfinger.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -113,9 +113,8 @@ func RemoteLookup(handle string) string {
 
 	var result webfinger.Resource
 	err = json.Unmarshal(body, &result)
-
 	if err != nil {
-		log.Error("Unsupported webfinger response received", err)
+		log.Error("Unsupported webfinger response received: %v", err)
 		return ""
 	}
 

From 9589612d0e3efe61ab11493539c6d5c0b2b617d6 Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 13:05:54 -0500
Subject: [PATCH 124/127] Add TODOs for improving GetProfilePageFromHandle()

---
 activitypub.go | 4 ++--
 database.go    | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/activitypub.go b/activitypub.go
index 80c7365..a5b140d 100644
--- a/activitypub.go
+++ b/activitypub.go
@@ -1,5 +1,5 @@
 /*
- * Copyright © 2018-2019 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
  *
  * This file is part of WriteFreely.
  *
@@ -715,7 +715,7 @@ func getRemoteUserFromHandle(app *App, handle string) (*RemoteUser, error) {
 	err := app.db.QueryRow("SELECT id, actor_id, inbox, shared_inbox FROM remoteusers WHERE handle = ?", handle).Scan(&u.ID, &u.ActorID, &u.Inbox, &u.SharedInbox)
 	switch {
 	case err == sql.ErrNoRows:
-		return nil, impart.HTTPError{http.StatusNotFound, "No remote user with that handle."}
+		return nil, ErrRemoteUserNotFound
 	case err != nil:
 		log.Error("Couldn't get remote user %s: %v", handle, err)
 		return nil, err
diff --git a/database.go b/database.go
index eca09d7..2d233d4 100644
--- a/database.go
+++ b/database.go
@@ -2563,6 +2563,7 @@ func (db *datastore) GetProfilePageFromHandle(app *App, handle string) (string,
 	if err != nil {
 		// can't find using handle in the table but the table may already have this user without
 		// handle from a previous version
+		// TODO: Make this determination. We should know whether a user exists without a handle, or doesn't exist at all
 		actorIRI = RemoteLookup(handle)
 		_, errRemoteUser := getRemoteUser(app, actorIRI)
 		// if it exists then we need to update the handle

From c9faff178d9501554463742b0a04122279f81c7e Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 13:51:14 -0500
Subject: [PATCH 125/127] Don't float posts on account deletion

Ref T319
---
 database.go | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/database.go b/database.go
index bbec580..757a371 100644
--- a/database.go
+++ b/database.go
@@ -2184,16 +2184,6 @@ func (db *datastore) DeleteAccount(userID int64) error {
 		rs, _ = res.RowsAffected()
 		log.Info("Deleted %d for %s from collectionkeys", rs, c.Alias)
 
-		// Float all collection's posts
-		res, err = t.Exec("UPDATE posts SET collection_id = NULL WHERE collection_id = ? AND owner_id = ?", c.ID, userID)
-		if err != nil {
-			t.Rollback()
-			log.Error("Unable to update collection %s for posts: %v", c.Alias, err)
-			return err
-		}
-		rs, _ = res.RowsAffected()
-		log.Info("Removed %d posts from collection %s", rs, c.Alias)
-
 		// TODO: federate delete collection
 
 		// Remove remote follows

From af14bcbb7804334552a3b5d369b2a13f65b0f93f Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 13:51:38 -0500
Subject: [PATCH 126/127] Clean up oauth_users table on account deletion

Ref T319
---
 database.go | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/database.go b/database.go
index 757a371..2c44492 100644
--- a/database.go
+++ b/database.go
@@ -2217,6 +2217,16 @@ func (db *datastore) DeleteAccount(userID int64) error {
 	rs, _ = res.RowsAffected()
 	log.Info("Deleted %d from accesstokens", rs)
 
+	// Delete user attributes
+	res, err = t.Exec("DELETE FROM oauth_users WHERE user_id = ?", userID)
+	if err != nil {
+		t.Rollback()
+		log.Error("Unable to delete oauth_users: %v", err)
+		return err
+	}
+	rs, _ = res.RowsAffected()
+	log.Info("Deleted %d from oauth_users", rs)
+
 	// Delete posts
 	// TODO: should maybe get each row so we can federate a delete
 	// if so needs to be outside of transaction like collections

From 666bd1b9d1e50fbe963dfa93616317784be6ba6c Mon Sep 17 00:00:00 2001
From: Matt Baer <matt@write.as>
Date: Sat, 8 Feb 2020 14:46:05 -0500
Subject: [PATCH 127/127] Show correct error when user not found in admin panel

Previously, it would show a 500. This also logs the real reason if it's
not a "not found" error
---
 admin.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/admin.go b/admin.go
index 0a73a11..83dcc80 100644
--- a/admin.go
+++ b/admin.go
@@ -187,7 +187,11 @@ func handleViewAdminUser(app *App, u *User, w http.ResponseWriter, r *http.Reque
 	var err error
 	p.User, err = app.db.GetUserForAuth(username)
 	if err != nil {
-		return impart.HTTPError{http.StatusInternalServerError, fmt.Sprintf("Could not get user: %v", err)}
+		if err == ErrUserNotFound {
+			return err
+		}
+		log.Error("Could not get user: %v", err)
+		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}
 
 	flashes, _ := getSessionFlashes(app, w, r, nil)