Merge develop branch into oauth-gitea and resolve pages/login.tmpl conflict.

2020-04-23 14:24:17 +03:00 · 2020-04-23 14:24:17 +03:00 · 8675eb0f95
parent 0e1459c6b2 99d86a7489
commit 8675eb0f95
21 changed files with 340 additions and 193 deletions
--- a/README.md
+++ b/README.md
@ -7,81 +7,76 @@
 	<a href="https://github.com/writeas/writefreely/releases/">
 		<img src="https://img.shields.io/github/release/writeas/writefreely.svg" alt="Latest release" />
 	</a>
-	<a href="https://goreportcard.com/report/github.com/writeas/writefreely">
-		<img src="https://goreportcard.com/badge/github.com/writeas/writefreely" alt="Go Report Card" />
-	</a>
 	<a href="https://travis-ci.org/writeas/writefreely">
 		<img src="https://travis-ci.org/writeas/writefreely.svg" alt="Build status" />
 	</a>
 	<a href="https://github.com/writeas/writefreely/releases/latest">
 		<img src="https://img.shields.io/github/downloads/writeas/writefreely/total.svg" />
 	</a>
+	<a href="https://goreportcard.com/report/github.com/writeas/writefreely">
+		<img src="https://goreportcard.com/badge/github.com/writeas/writefreely" alt="Go Report Card" />
+	</a>
 	<a href="https://hub.docker.com/r/writeas/writefreely/">
 		<img src="https://img.shields.io/docker/pulls/writeas/writefreely.svg" />
 	</a>
 </p>
 &nbsp;

-WriteFreely is a beautifully pared-down blogging platform that's simple on the surface, yet powerful underneath.
+WriteFreely is free and open source software for building **a writing space** on the web &mdash; whether a publication, internal blog, or writing community in the fediverse.

-It's designed to be flexible and share your writing widely, so it's built around plain text and can publish to the _fediverse_ via ActivityPub. It's easy to install and light enough to run on a Raspberry Pi.
+![](https://writefreely.org/img/screens/pencil-reader.png)

-[Try the editor](https://write.as/new)
+[Try the writing experience](https://write.as/new)

 [Find an instance](https://writefreely.org/instances)

 ## Features

-* Start a blog for yourself, or host a community of writers
-* Form larger federated networks, and interact over modern protocols like ActivityPub
-* Write on a fast, dead-simple, and distraction-free editor
-* [Format text](https://howto.write.as/getting-started) with Markdown
-* [Organize posts](https://howto.write.as/organization) with hashtags
-* Create [static pages](https://howto.write.as/creating-a-static-page)
-* Publish drafts and let others proofread them by sharing a private link
-* Create multiple lightweight blogs under a single account
-* Export all data in plain text files
-* Read a stream of other posts in your writing community
-* Build more advanced apps and extensions with the [well-documented API](https://developers.write.as/docs/api/)
-* Designed around user privacy and consent
+### Made for writing

-## Hosting
+Built on a plain, auto-saving editor, WriteFreely gives you a distraction-free writing environment. Once published, your words are front and center, and easy to read.

-We offer two kinds of hosting services that make WriteFreely deployment painless: [Write.as Pro](https://write.as/pro) for individuals, and [Write.as for Teams](https://write.as/for/teams) for businesses. Besides saving you time and effort, both services directly fund WriteFreely development and ensure the long-term sustainability of our open source work.
+### A connected community

-### [![Write.as Pro](https://writefreely.org/img/writeas-pro-readme.png)](https://write.as/pro)
+Start writing together, publicly or privately. Connect with other communities, whether running WriteFreely, [Plume](https://joinplu.me/), or other ActivityPub-powered software. And bring members on board from your existing platforms, thanks to our OAuth 2.0 support.

-Start a personal blog on [Write.as](https://write.as), our flagship instance. Built to eliminate setup friction and preserve your privacy, Write.as helps you start a blog in seconds. It supports custom domains (with SSL) and multiple blogs / pen names per account. [Read more here](https://write.as/pro).
+### Intuitive organization

-### [![Write.as for Teams](https://writefreely.org/img/writeas-for-teams-readme.png)](https://write.as/for/teams)
+Categorize articles [with hashtags](https://writefreely.org/docs/latest/writer/hashtags), and create static pages from normal posts by [_pinning_ them](https://writefreely.org/docs/latest/writer/static) to your blog. Create draft posts and publish to multiple blogs from one account.

-[Write.as for Teams](https://write.as/for/teams) gives your organization, business, or [open source project](https://write.as/for/open-source) a clutter-free space to share updates or proposals and build your collective knowledge. We take care of hosting, upgrades, backups, and maintenance so your team can focus on writing.
+### International
+
+Blog elements are localized in 20+ languages, and WriteFreely includes first-class support for non-Latin and right-to-left (RTL) script languages.
+
+### Private by default
+
+WriteFreely collects minimal data, and never publicizes more than a writer consents to. Writers can seamlessly create multiple blogs from a single account for different pen names or purposes without publicly revealing their association.
+
+<h2><a href="https://write.as/writefreely"><img src="https://writefreely.org/img/writeas-readme.png" height="32px" alt="Write.as" /></a></h2>
+
+The quickest way to deploy WriteFreely is with [Write.as](https://write.as/writefreely), a hosted service from the team behind WriteFreely. You'll get fully-managed installation, backup, upgrades, and maintenance — and directly fund our free software work ❤️
+
+[**Learn more on Write.as**](https://write.as/writefreely).

 ## Quick start

-WriteFreely has minimal requirements to get up and running — you only need to be able to run an executable.
+WriteFreely deploys as a static binary on any platform and architecture that Go supports. Just use our built-in SQLite support, or add a MySQL database, and you'll be up and running!

-> **Note** this is currently alpha software. We're quickly moving out of this v0.x stage, but while we're in it, there are no guarantees that this is ready for production use.
+For common platforms, start with our [pre-built binaries](https://github.com/writeas/writefreely/releases/) and head over to our [installation guide](https://writefreely.org/start) to get started.

-To get started, head over to our [Getting Started guide](https://writefreely.org/start). For production use, jump to the [Running in Production](https://writefreely.org/start#production) section.
+### Packages

-## Packages
-
-WriteFreely is available in these package repositories:
+You can also find WriteFreely in these package repositories, thanks to our wonderful community!

 * [Arch User Repository](https://aur.archlinux.org/packages/writefreely/)

 ## Documentation

-Read our full [documentation on WriteFreely.org](https://writefreely.org/docs). Help us improve by contributing to the [writefreely/documentation](https://github.com/writefreely/documentation) repo.
+Read our full [documentation on WriteFreely.org](https://writefreely.org/docs) &mdash;️ and help us improve by contributing to the [writefreely/documentation](https://github.com/writefreely/documentation) repo.

 ## Development

-Ready to hack on your site? Get started with our [developer guide](https://writefreely.org/docs/latest/developer/setup).
-
-## Docker
-
-Read about using Docker in the [documentation](https://writefreely.org/docs/latest/admin/docker).
+Start hacking on WriteFreely with our [developer setup guide](https://writefreely.org/docs/latest/developer/setup). For Docker support, see our [Docker guide](https://writefreely.org/docs/latest/admin/docker).

 ## Contributing

@ -91,4 +86,4 @@ Before contributing anything, please read our [Contributing Guide](https://githu

 ## License

-Licensed under the AGPL.
+Copyright © 2018-2020 [A Bunch Tell LLC](https://abunchtell.com) and contributing authors. Licensed under the [AGPL](https://github.com/writeas/writefreely/blob/develop/LICENSE).
--- a/account.go
+++ b/account.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2018-2019 A Bunch Tell LLC.
+ * Copyright © 2018-2020 A Bunch Tell LLC.
 *
 * This file is part of WriteFreely.
 *
@ -168,11 +168,7 @@ func signupWithRegistration(app *App, signup userRegistration, w http.ResponseWr

 	// Log invite if needed
 	if signup.InviteCode != "" {
-		cu, err := app.db.GetUserForAuth(signup.Alias)
-		if err != nil {
-			return nil, err
-		}
-		err = app.db.CreateInvitedUser(signup.InviteCode, cu.ID)
+		err = app.db.CreateInvitedUser(signup.InviteCode, u.ID)
 		if err != nil {
 			return nil, err
 		}
@ -497,6 +493,9 @@ func login(app *App, w http.ResponseWriter, r *http.Request) error {
 				return impart.HTTPError{http.StatusPreconditionFailed, "This user never added a password or email address. Please contact us for help."}
 			}
 		}
+		if len(u.HashedPass) == 0 {
+			return impart.HTTPError{http.StatusUnauthorized, "This user never set a password. Perhaps try logging in via OAuth?"}
+		}
 		if !auth.Authenticated(u.HashedPass, []byte(signin.Pass)) {
 			return impart.HTTPError{http.StatusUnauthorized, "Incorrect password."}
 		}
--- a/activitypub.go
+++ b/activitypub.go
@ -160,6 +160,7 @@ func handleFetchCollectionOutbox(app *App, w http.ResponseWriter, r *http.Reques
 		pp.Collection = res
 		o := pp.ActivityObject(app)
 		a := activitystreams.NewCreateActivity(o)
+		a.Context = nil
 		ocp.OrderedItems = append(ocp.OrderedItems, *a)
 	}

--- a/config/setup.go
+++ b/config/setup.go
@ -356,7 +356,7 @@ func Configure(fname string, configSections string) (*SetupData, error) {
 		if data.Config.App.Federation {
 			selPrompt = promptui.Select{
 				Templates: selTmpls,
-				Label:     "Federation usage stats",
+				Label:     "Usage stats (active users, posts)",
 				Items:     []string{"Public", "Private"},
 			}
 			_, fedStatsType, err := selPrompt.Run()
--- a/database.go
+++ b/database.go
@ -132,8 +132,8 @@ type writestore interface {

 	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)
 	RecordRemoteUserID(context.Context, int64, string, string, string, string) error
-	ValidateOAuthState(context.Context, string) (string, string, int64, error)
-	GenerateOAuthState(context.Context, string, string, int64) (string, error)
+	ValidateOAuthState(context.Context, string) (string, string, int64, string, error)
+	GenerateOAuthState(context.Context, string, string, int64, string) (string, error)
 	GetOauthAccounts(ctx context.Context, userID int64) ([]oauthAccountInfo, error)
 	RemoveOauth(ctx context.Context, userID int64, provider string, clientID string, remoteUserID string) error

@ -178,6 +178,7 @@ func (db *datastore) dateSub(l int, unit string) string {
 	return fmt.Sprintf("DATE_SUB(NOW(), INTERVAL %d %s)", l, unit)
 }

+// CreateUser creates a new user in the database from the given User, UPDATING it in the process with the user's ID.
 func (db *datastore) CreateUser(cfg *config.Config, u *User, collectionTitle string) error {
 	if db.PostIDExists(u.Username) {
 		return impart.HTTPError{http.StatusConflict, "Invalid collection name."}
@ -2516,24 +2517,26 @@ func (db *datastore) GetCollectionLastPostTime(id int64) (*time.Time, error) {
 	return &t, nil
 }

-func (db *datastore) GenerateOAuthState(ctx context.Context, provider string, clientID string, attachUser int64) (string, error) {
+func (db *datastore) GenerateOAuthState(ctx context.Context, provider string, clientID string, attachUser int64, inviteCode string) (string, error) {
 	state := store.Generate62RandomString(24)
 	attachUserVal := sql.NullInt64{Valid: attachUser > 0, Int64: attachUser}
-	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_states (state, provider, client_id, used, created_at, attach_user_id) VALUES (?, ?, ?, FALSE, "+db.now()+", ?)", state, provider, clientID, attachUserVal)
+	inviteCodeVal := sql.NullString{Valid: inviteCode != "", String: inviteCode}
+	_, err := db.ExecContext(ctx, "INSERT INTO oauth_client_states (state, provider, client_id, used, created_at, attach_user_id, invite_code) VALUES (?, ?, ?, FALSE, "+db.now()+", ?, ?)", state, provider, clientID, attachUserVal, inviteCodeVal)
 	if err != nil {
 		return "", fmt.Errorf("unable to record oauth client state: %w", err)
 	}
 	return state, nil
 }

-func (db *datastore) ValidateOAuthState(ctx context.Context, state string) (string, string, int64, error) {
+func (db *datastore) ValidateOAuthState(ctx context.Context, state string) (string, string, int64, string, error) {
 	var provider string
 	var clientID string
 	var attachUserID sql.NullInt64
+	var inviteCode sql.NullString
 	err := wf_db.RunTransactionWithOptions(ctx, db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
 		err := tx.
-			QueryRowContext(ctx, "SELECT provider, client_id, attach_user_id FROM oauth_client_states WHERE state = ? AND used = FALSE", state).
-			Scan(&provider, &clientID, &attachUserID)
+			QueryRowContext(ctx, "SELECT provider, client_id, attach_user_id, invite_code FROM oauth_client_states WHERE state = ? AND used = FALSE", state).
+			Scan(&provider, &clientID, &attachUserID, &inviteCode)
 		if err != nil {
 			return err
 		}
@ -2552,9 +2555,9 @@ func (db *datastore) ValidateOAuthState(ctx context.Context, state string) (stri
 		return nil
 	})
 	if err != nil {
-		return "", "", 0, nil
+		return "", "", 0, "", nil
 	}
-	return provider, clientID, attachUserID.Int64, nil
+	return provider, clientID, attachUserID.Int64, inviteCode.String, nil
 }

 func (db *datastore) RecordRemoteUserID(ctx context.Context, localUserID int64, remoteUserID, provider, clientID, accessToken string) error {
--- a/database_test.go
+++ b/database_test.go
@ -18,13 +18,13 @@ func TestOAuthDatastore(t *testing.T) {
 			driverName: "",
 		}

-		state, err := ds.GenerateOAuthState(ctx, "test", "development", 0)
+		state, err := ds.GenerateOAuthState(ctx, "test", "development", 0, "")
 		assert.NoError(t, err)
 		assert.Len(t, state, 24)

 		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_states` WHERE `state` = ? AND `used` = false", state)

-		_, _, _, err = ds.ValidateOAuthState(ctx, state)
+		_, _, _, _, err = ds.ValidateOAuthState(ctx, state)
 		assert.NoError(t, err)

 		countRows(t, ctx, db, 1, "SELECT COUNT(*) FROM `oauth_client_states` WHERE `state` = ? AND `used` = true", state)
--- a/go.mod
+++ b/go.mod
@ -3,19 +3,15 @@ module github.com/writeas/writefreely
 require (
 	github.com/alecthomas/gometalinter v3.0.0+incompatible // indirect
 	github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf // indirect
-	github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49 // indirect
 	github.com/clbanning/mxj v1.8.4 // indirect
-	github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 // indirect
 	github.com/dustin/go-humanize v1.0.0
 	github.com/fatih/color v1.7.0
-	github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d // indirect
 	github.com/go-sql-driver/mysql v1.4.1
 	github.com/go-test/deep v1.0.1 // indirect
 	github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
-	github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8 // indirect
 	github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e // indirect
 	github.com/gorilla/feeds v1.1.0
-	github.com/gorilla/mux v1.7.0
+	github.com/gorilla/mux v1.7.4
 	github.com/gorilla/schema v1.0.2
 	github.com/gorilla/sessions v1.2.0
 	github.com/guregu/null v3.4.0+incompatible
@ -42,7 +38,7 @@ require (
 	github.com/writeas/activity v0.1.2
 	github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481
 	github.com/writeas/go-strip-markdown v2.0.1+incompatible
-	github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2
+	github.com/writeas/go-webfinger v1.1.0
 	github.com/writeas/httpsig v1.0.0
 	github.com/writeas/impart v1.1.1
 	github.com/writeas/import v0.2.0
@ -52,13 +48,12 @@ require (
 	github.com/writeas/slug v1.2.0
 	github.com/writeas/web-core v1.2.0
 	github.com/writefreely/go-nodeinfo v1.2.0
-	golang.org/dl v0.0.0-20200319204010-bf12898a6070 // indirect
 	golang.org/x/crypto v0.0.0-20200109152110-61a87790db17
 	golang.org/x/lint v0.0.0-20181217174547-8f45f776aaf1 // indirect
 	golang.org/x/tools v0.0.0-20190208222737-3744606dbb67 // indirect
 	google.golang.org/appengine v1.4.0 // indirect
 	gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c // indirect
-	gopkg.in/ini.v1 v1.41.0
+	gopkg.in/ini.v1 v1.55.0
 	src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b // indirect
 )

--- a/go.sum
+++ b/go.sum
@ -9,8 +9,8 @@ github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf h1:qet1QNfXsQxTZq
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/beevik/etree v1.1.0 h1:T0xke/WvNtMoCqgzPhkX2r4rjY3GDZFi+FjpRZY2Jbs=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
-github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49 h1:jWNY1NDg6a/c8RSXkai7IX6UOhir0LD39I4Dukg+4Ks=
-github.com/captncraig/cors v0.0.0-20180620154129-376d45073b49/go.mod h1:EIlIeMufZ8nqdUhnesledB15xLRl4wIJUppwDLPrdrQ=
+github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1 h1:AFSJaASPGYNbkUa5c8ZybrcW9pP3Cy7+z5dnpcc/qG8=
+github.com/captncraig/cors v0.0.0-20190703115713-e80254a89df1/go.mod h1:EIlIeMufZ8nqdUhnesledB15xLRl4wIJUppwDLPrdrQ=
 github.com/chzyer/logex v1.1.10 h1:Swpa1K6QvQznwJRcfTfQJmTE72DqScAa40E+fbHEXEE=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e h1:fY5BOSpyZCqRo5OhCuC+XN+r/bBCmeuuJtjz+bCNIf8=
@ -27,8 +27,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9 h1:74lLNRzvsdIlkTgfDSMuaPjBr4cf6k7pwQQANm/yLKU=
-github.com/dchest/uniuri v0.0.0-20160212164326-8902c56451e9/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
+github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
@ -37,8 +37,8 @@ github.com/fatih/structs v1.1.0 h1:Q7juDM0QtcnhCpeyLGQKyg4TOIghuNXrkL32pHAUMxo=
 github.com/fatih/structs v1.1.0/go.mod h1:9NiDSp5zOcgEDl+j00MP/WkGVPOlPRLejGD8Ga6PJ7M=
 github.com/go-fed/httpsig v0.1.0 h1:6F2OxRVnNTN4OPN+Mc2jxs2WEay9/qiHT/jphlvAwIY=
 github.com/go-fed/httpsig v0.1.0/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
-github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d h1:+uoOvOnNDgsYbWtAij4xP6Rgir3eJGjocFPxBJETU/U=
-github.com/go-fed/httpsig v0.1.1-0.20190924171022-f4c36041199d/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
+github.com/go-fed/httpsig v0.1.1-0.20200204213531-0ef28562fabe h1:U71giCx5NjRn4Lb71UuprPHqhjxGv3Jqonb9fgcaJH8=
+github.com/go-fed/httpsig v0.1.1-0.20200204213531-0ef28562fabe/go.mod h1:T56HUNYZUQ1AGUzhAYPugZfp36sKApVnGBgKlIY+aIE=
 github.com/go-sql-driver/mysql v1.4.1 h1:g24URVg0OFbNUTx9qqY1IRZ9D9z3iPyi5zKhQZpNwpA=
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-test/deep v1.0.1 h1:UQhStjbkDClarlmv0am7OXXO4/GaPdCGiUiMTvi28sg=
@ -47,8 +47,8 @@ github.com/golang/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:tluoj9z5200j
 github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1 h1:6DVPu65tee05kY0/rciBQ47ue+AnuY8KTayV6VHikIo=
 github.com/golang/lint v0.0.0-20181217174547-8f45f776aaf1/go.mod h1:tluoj9z5200jBnyusfRPU2LqT6J+DAorxEvtC7LHB+E=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
-github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8 h1:WD8iJ37bRNwvETMfVTusVSAi0WdXTpfNVGY2aHycNKY=
-github.com/gologme/log v0.0.0-20181207131047-4e5d8ccb38e8/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
+github.com/gologme/log v1.2.0 h1:Ya5Ip/KD6FX7uH0S31QO87nCCSucKtF44TLbTtO7V4c=
+github.com/gologme/log v1.2.0/go.mod h1:gq31gQ8wEHkR+WekdWsqDuf8pXTUZA9BnnzTuPz1Y9U=
 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf h1:7+FW5aGwISbqUtkfmIpZJGRgNFg2ioYPvFaUxdqpDsg=
 github.com/google/shlex v0.0.0-20181106134648-c34317bd91bf/go.mod h1:RpwtwJQFrIEPstU94h88MWPXP2ektJZ8cZ0YntAmXiE=
 github.com/gopherjs/gopherjs v0.0.0-20181103185306-d547d1d9531e h1:JKmoR8x90Iww1ks85zJ1lfDGgIiMDuIptTOhJq+zKyg=
@ -57,8 +57,8 @@ github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc h1:cJlkeAx
 github.com/gordonklaus/ineffassign v0.0.0-20180909121442-1003c8bd00dc/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gorilla/feeds v1.1.0 h1:pcgLJhbdYgaUESnj3AmXPcB7cS3vy63+jC/TI14AGXk=
 github.com/gorilla/feeds v1.1.0/go.mod h1:Nk0jZrvPFZX1OBe5NPiddPw7CfwF6Q9eqzaBbaightA=
-github.com/gorilla/mux v1.7.0 h1:tOSd0UKHQd6urX6ApfOn4XdBMY6Sh1MfxV3kmaazO+U=
-github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
+github.com/gorilla/mux v1.7.4/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/schema v1.0.2 h1:sAgNfOcNYvdDSrzGHVy9nzCQahG+qmsg+nE8dK85QRA=
 github.com/gorilla/schema v1.0.2/go.mod h1:kgLaKoK1FELgZqMAVxx/5cbj0kT+57qxUrAlIO2eleU=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
@ -134,14 +134,12 @@ github.com/urfave/cli/v2 v2.1.1 h1:Qt8FeAtxE/vfdrLmR3rxR6JRE0RoVmbXu8+6kZtYU4k=
 github.com/urfave/cli/v2 v2.1.1/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
 github.com/writeas/activity v0.1.2 h1:Y12B5lIrabfqKE7e7HFCWiXrlfXljr9tlkFm2mp7DgY=
 github.com/writeas/activity v0.1.2/go.mod h1:mYYgiewmEM+8tlifirK/vl6tmB2EbjYaxwb+ndUw5T0=
-github.com/writeas/activityserve v0.0.0-20191115095800-dd6d19cc8b89 h1:NJhzq9aTccL3SSSZMrcnYhkD6sObdY9otNZ1X6/ZKNE=
-github.com/writeas/activityserve v0.0.0-20191115095800-dd6d19cc8b89/go.mod h1:Kz62mzYsCnrFTSTSFLXFj3fGYBQOntmBWTDDq57b46A=
 github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481 h1:BiSivIxLQFcKoUorpNN3rNwwFG5bITPnqUSyIccfdh0=
 github.com/writeas/activityserve v0.0.0-20200409150223-d7ab3eaa4481/go.mod h1:4akDJSl+sSp+QhrQKMqzAqdV1gJ1pPx6XPI77zgMM8o=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible h1:IIqxTM5Jr7RzhigcL6FkrCNfXkvbR+Nbu1ls48pXYcw=
 github.com/writeas/go-strip-markdown v2.0.1+incompatible/go.mod h1:Rsyu10ZhbEK9pXdk8V6MVnZmTzRG0alMNLMwa0J01fE=
-github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2 h1:DUsp4OhdfI+e6iUqcPQlwx8QYXuUDsToTz/x82D3Zuo=
-github.com/writeas/go-webfinger v0.0.0-20190106002315-85cf805c86d2/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
+github.com/writeas/go-webfinger v1.1.0 h1:MzNyt0ry/GMsRmJGftn2o9mPwqK1Q5MLdh4VuJCfb1Q=
+github.com/writeas/go-webfinger v1.1.0/go.mod h1:w2VxyRO/J5vfNjJHYVubsjUGHd3RLDoVciz0DE3ApOc=
 github.com/writeas/go-writeas v1.1.0 h1:WHGm6wriBkxYAOGbvriXH8DlMUGOi6jhSZLUZKQ+4mQ=
 github.com/writeas/go-writeas v1.1.0/go.mod h1:oh9U1rWaiE0p3kzdKwwvOpNXgp0P0IELI7OLOwV4fkA=
 github.com/writeas/go-writeas/v2 v2.0.2 h1:akvdMg89U5oBJiCkBwOXljVLTqP354uN6qnG2oOMrbk=
@ -150,8 +148,6 @@ github.com/writeas/httpsig v1.0.0 h1:peIAoIA3DmlP8IG8tMNZqI4YD1uEnWBmkcC9OFPjt3A
 github.com/writeas/httpsig v1.0.0/go.mod h1:7ClMGSrSVXJbmiLa17bZ1LrG1oibGZmUMlh3402flPY=
 github.com/writeas/impart v1.1.0 h1:nPnoO211VscNkp/gnzir5UwCDEvdHThL5uELU60NFSE=
 github.com/writeas/impart v1.1.0/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
-github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d h1:PK7DOj3JE6MGf647esPrKzXEHFjGWX2hl22uX79ixaE=
-github.com/writeas/impart v1.1.1-0.20191230230525-d3c45ced010d/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
 github.com/writeas/impart v1.1.1 h1:RyA9+CqbdbDuz53k+nXCWUY+NlEkdyw6+nWanxSBl5o=
 github.com/writeas/impart v1.1.1/go.mod h1:g0MpxdnTOHHrl+Ca/2oMXUHJ0PcRAEWtkCzYCJUXC9Y=
 github.com/writeas/import v0.2.0 h1:Ov23JW9Rnjxk06rki1Spar45bNX647HhwhAZj3flJiY=
@ -171,8 +167,6 @@ github.com/writeas/web-core v1.2.0 h1:CYqvBd+byi1cK4mCr1NZ6CjILuMOFmiFecv+OACcmG
 github.com/writeas/web-core v1.2.0/go.mod h1:vTYajviuNBAxjctPp2NUYdgjofywVkxUGpeaERF3SfI=
 github.com/writefreely/go-nodeinfo v1.2.0 h1:La+YbTCvmpTwFhBSlebWDDL81N88Qf/SCAvRLR7F8ss=
 github.com/writefreely/go-nodeinfo v1.2.0/go.mod h1:UTvE78KpcjYOlRHupZIiSEFcXHioTXuacCbHU+CAcPg=
-golang.org/dl v0.0.0-20200319204010-bf12898a6070 h1:m3RoSUFYtel4F/gCw0tosY5Exe7hm2NbeNv/737FbSo=
-golang.org/dl v0.0.0-20200319204010-bf12898a6070/go.mod h1:IUMfjQLJQd4UTqG1Z90tenwKoCX93Gn3MAQJMOSBsDQ=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59 h1:hk3yo72LXLapY9EXVttc3Z1rLOxT9IuAPPX3GpY2+jo=
 golang.org/x/crypto v0.0.0-20180527072434-ab813273cd59/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190131182504-b8fe1690c613/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@ -204,11 +198,10 @@ gopkg.in/alecthomas/kingpin.v3-unstable v3.0.0-20180810215634-df19058c872c/go.mo
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/ini.v1 v1.41.0 h1:Ka3ViY6gNYSKiVy71zXBEqKplnV35ImDLVG+8uoIklE=
-gopkg.in/ini.v1 v1.41.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.55.0 h1:E8yzL5unfpW3M6fz/eB7Cb5MQAYSZ7GKo4Qth+N2sgQ=
+gopkg.in/ini.v1 v1.55.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0 h1:POO/ycCATvegFmVuPpQzZFJ+pGZeX22Ufu6fibxDVjU=
 gopkg.in/yaml.v1 v1.0.0-20140924161607-9f9df34309c0/go.mod h1:WDnlLJ4WF5VGsH/HVa3CI79GS0ol3YnhVnKP89i0kNg=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b h1:rPAdjgXks4ToezTjygsnKZroxKVnA1L35DSpsJXPtfc=
 src.techknowlogick.com/xgo v0.0.0-20200129005940-d0fae26e014b/go.mod h1:31CE1YKtDOrKTk9PSnjTpe6YbO6W/0LTYZ1VskL09oU=
--- a/invites.go
+++ b/invites.go
@ -1,5 +1,5 @@
 /*
- * Copyright © 2019 A Bunch Tell LLC.
+ * Copyright © 2019-2020 A Bunch Tell LLC.
 *
 * This file is part of WriteFreely.
 *
@ -42,6 +42,18 @@ func (i Invite) Expired() bool {
 	return i.Expires != nil && i.Expires.Before(time.Now())
 }

+func (i Invite) Active(db *datastore) bool {
+	if i.Expired() {
+		return false
+	}
+	if i.MaxUses.Valid && i.MaxUses.Int64 > 0 {
+		if c := db.GetUsersInvitedCount(i.ID); c >= i.MaxUses.Int64 {
+			return false
+		}
+	}
+	return true
+}
+
 func (i Invite) ExpiresFriendly() string {
 	return i.Expires.Format("January 2, 2006, 3:04 PM")
 }
@ -161,9 +173,11 @@ func handleViewInvite(app *App, w http.ResponseWriter, r *http.Request) error {
 		Error   string
 		Flashes []template.HTML
 		Invite  string
+		OAuth   *OAuthButtons
 	}{
 		StaticPage: pageForReq(app, r),
 		Invite:     inviteCode,
+		OAuth:      NewOAuthButtons(app.cfg),
 	}

 	if expired {
--- a/less/app.less
+++ b/less/app.less
@ -5,6 +5,7 @@
@import "post-temp";
@import "effects";
@import "admin";
+@import "login";
@import "pages/error";
@import "lib/elements";
@import "lib/material";
--- a/less/login.less
+++ b/less/login.less
@ -0,0 +1,45 @@
+/*
+ * Copyright © 2020 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
+.row.signinbtns {
+	justify-content: space-evenly;
+	font-size: 1em;
+	margin-top: 2em;
+	margin-bottom: 1em;
+
+	.loginbtn {
+		height: 40px;
+	}
+
+	#writeas-login, #gitlab-login {
+		box-sizing: border-box;
+		font-size: 17px;
+	}
+}
+
+.or {
+	text-align: center;
+	margin-bottom: 3.5em;
+
+	p {
+		display: inline-block;
+		background-color: white;
+		padding: 0 1em;
+	}
+
+	hr {
+		margin-top: -1.6em;
+		margin-bottom: 0;
+	}
+
+	hr.short {
+		max-width: 30rem;
+	}
+}
--- a/migrations/migrations.go
+++ b/migrations/migrations.go
@ -62,7 +62,8 @@ var migrations = []Migration{
 	New("support oauth", oauth),                                     // V3 -> V4
 	New("support slack oauth", oauthSlack),                          // V4 -> v5
 	New("support ActivityPub mentions", supportActivityPubMentions), // V5 -> V6
-	New("support oauth attach", oauthAttach),                        // V6 -> V7 (v0.12.0)
+	New("support oauth attach", oauthAttach),                        // V6 -> V7
+	New("support oauth via invite", oauthInvites),                   // V7 -> V8 (v0.12.0)
 }

 // CurrentVer returns the current migration version the application is on
--- a/migrations/v8.go
+++ b/migrations/v8.go
@ -0,0 +1,45 @@
+/*
+ * Copyright © 2020 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
+package migrations
+
+import (
+	"context"
+	"database/sql"
+
+	wf_db "github.com/writeas/writefreely/db"
+)
+
+func oauthInvites(db *datastore) error {
+	dialect := wf_db.DialectMySQL
+	if db.driverName == driverSQLite {
+		dialect = wf_db.DialectSQLite
+	}
+	return wf_db.RunTransactionWithOptions(context.Background(), db.DB, &sql.TxOptions{}, func(ctx context.Context, tx *sql.Tx) error {
+		builders := []wf_db.SQLBuilder{
+			dialect.
+				AlterTable("oauth_client_states").
+				AddColumn(dialect.Column("invite_code", wf_db.ColumnTypeChar, wf_db.OptionalInt{
+					Set:   true,
+					Value: 6,
+				}).SetNullable(true)),
+		}
+		for _, builder := range builders {
+			query, err := builder.ToSQL()
+			if err != nil {
+				return err
+			}
+			if _, err := tx.ExecContext(ctx, query); err != nil {
+				return err
+			}
+		}
+		return nil
+	})
+}
--- a/oauth.go
+++ b/oauth.go
@ -1,3 +1,13 @@
+/*
+ * Copyright © 2019-2020 A Bunch Tell LLC.
+ *
+ * This file is part of WriteFreely.
+ *
+ * WriteFreely is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, included
+ * in the LICENSE file in this source code package.
+ */
+
 package writefreely

 import (
@ -15,10 +25,27 @@ import (
 	"github.com/gorilla/sessions"
 	"github.com/writeas/impart"
 	"github.com/writeas/web-core/log"
-
 	"github.com/writeas/writefreely/config"
 )

+// OAuthButtons holds display information for different OAuth providers we support.
+type OAuthButtons struct {
+	SlackEnabled      bool
+	WriteAsEnabled    bool
+	GitLabEnabled     bool
+	GitLabDisplayName string
+}
+
+// NewOAuthButtons creates a new OAuthButtons struct based on our app configuration.
+func NewOAuthButtons(cfg *config.Config) *OAuthButtons {
+	return &OAuthButtons{
+		SlackEnabled:      cfg.SlackOauth.ClientID != "",
+		WriteAsEnabled:    cfg.WriteAsOauth.ClientID != "",
+		GitLabEnabled:     cfg.GitlabOauth.ClientID != "",
+		GitLabDisplayName: config.OrDefaultString(cfg.GitlabOauth.DisplayName, gitlabDisplayName),
+	}
+}
+
 // TokenResponse contains data returned when a token is created either
 // through a code exchange or using a refresh token.
 type TokenResponse struct {
@ -61,8 +88,8 @@ type OAuthDatastoreProvider interface {
 type OAuthDatastore interface {
 	GetIDForRemoteUser(context.Context, string, string, string) (int64, error)
 	RecordRemoteUserID(context.Context, int64, string, string, string, string) error
-	ValidateOAuthState(context.Context, string) (string, string, int64, error)
-	GenerateOAuthState(context.Context, string, string, int64) (string, error)
+	ValidateOAuthState(context.Context, string) (string, string, int64, string, error)
+	GenerateOAuthState(context.Context, string, string, int64, string) (string, error)

 	CreateUser(*config.Config, *User, string) error
 	GetUserByID(int64) (*User, error)
@ -108,7 +135,7 @@ func (h oauthHandler) viewOauthInit(app *App, w http.ResponseWriter, r *http.Req
 		attachUser = user.ID
 	}

-	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID(), attachUser)
+	state, err := h.DB.GenerateOAuthState(ctx, h.oauthClient.GetProvider(), h.oauthClient.GetClientID(), attachUser, r.FormValue("invite_code"))
 	if err != nil {
 		log.Error("viewOauthInit error: %s", err)
 		return impart.HTTPError{http.StatusInternalServerError, "could not prepare oauth redirect url"}
@ -255,7 +282,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	code := r.FormValue("code")
 	state := r.FormValue("state")

-	provider, clientID, attachUserID, err := h.DB.ValidateOAuthState(ctx, state)
+	provider, clientID, attachUserID, inviteCode, err := h.DB.ValidateOAuthState(ctx, state)
 	if err != nil {
 		log.Error("Unable to ValidateOAuthState: %s", err)
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
@ -267,7 +294,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusInternalServerError, err.Error()}
 	}

-	// Now that we have the access token, let's use it real quick to make sur
+	// Now that we have the access token, let's use it real quick to make sure
 	// it really really works.
 	tokenInfo, err := h.oauthClient.inspectOauthAccessToken(ctx, tokenResponse.AccessToken)
 	if err != nil {
@ -289,6 +316,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 	}

 	if localUserID != -1 {
+		// Existing user, so log in now
 		user, err := h.DB.GetUserByID(localUserID)
 		if err != nil {
 			log.Error("Unable to GetUserByID %d: %s", localUserID, err)
@ -309,6 +337,22 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		return impart.HTTPError{http.StatusFound, "/me/settings"}
 	}

+	// New user registration below.
+	// First, verify that user is allowed to register
+	if inviteCode != "" {
+		// Verify invite code is valid
+		i, err := app.db.GetUserInvite(inviteCode)
+		if err != nil {
+			return impart.HTTPError{http.StatusInternalServerError, err.Error()}
+		}
+		if !i.Active(app.db) {
+			return impart.HTTPError{http.StatusNotFound, "Invite link has expired."}
+		}
+	} else if !app.cfg.App.OpenRegistration {
+		addSessionFlash(app, w, r, ErrUserNotFound.Error(), nil)
+		return impart.HTTPError{http.StatusFound, "/login"}
+	}
+
 	displayName := tokenInfo.DisplayName
 	if len(displayName) == 0 {
 		displayName = tokenInfo.Username
@ -322,6 +366,7 @@ func (h oauthHandler) viewOauthCallback(app *App, w http.ResponseWriter, r *http
 		TokenRemoteUser: tokenInfo.UserID,
 		Provider:        provider,
 		ClientID:        clientID,
+		InviteCode:      inviteCode,
 	}
 	tp.TokenHash = tp.HashTokenParams(h.Config.Server.HashSeed)

--- a/oauth_signup.go
+++ b/oauth_signup.go
@ -38,6 +38,7 @@ type viewOauthSignupVars struct {
 	Provider        string
 	ClientID        string
 	TokenHash       string
+	InviteCode      string

 	LoginUsername string
 	Alias         string // TODO: rename this to match the data it represents: the collection title
@ -57,6 +58,7 @@ const (
 	oauthParamAlias             = "alias"
 	oauthParamEmail             = "email"
 	oauthParamPassword          = "password"
+	oauthParamInviteCode        = "invite_code"
 )

 type oauthSignupPageParams struct {
@ -68,6 +70,7 @@ type oauthSignupPageParams struct {
 	ClientID        string
 	Provider        string
 	TokenHash       string
+	InviteCode      string
 }

 func (p oauthSignupPageParams) HashTokenParams(key string) string {
@ -92,6 +95,7 @@ func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.R
 		TokenRemoteUser: r.FormValue(oauthParamTokenRemoteUserID),
 		ClientID:        r.FormValue(oauthParamClientID),
 		Provider:        r.FormValue(oauthParamProvider),
+		InviteCode:      r.FormValue(oauthParamInviteCode),
 	}
 	if tp.HashTokenParams(h.Config.Server.HashSeed) != r.FormValue(oauthParamHash) {
 		return impart.HTTPError{Status: http.StatusBadRequest, Message: "Request has been tampered with."}
@ -128,6 +132,14 @@ func (h oauthHandler) viewOauthSignup(app *App, w http.ResponseWriter, r *http.R
 		return h.showOauthSignupPage(app, w, r, tp, err)
 	}

+	// Log invite if needed
+	if tp.InviteCode != "" {
+		err = app.db.CreateInvitedUser(tp.InviteCode, newUser.ID)
+		if err != nil {
+			return err
+		}
+	}
+
 	err = h.DB.RecordRemoteUserID(r.Context(), newUser.ID, r.FormValue(oauthParamTokenRemoteUserID), r.FormValue(oauthParamProvider), r.FormValue(oauthParamClientID), r.FormValue(oauthParamAccessToken))
 	if err != nil {
 		return h.showOauthSignupPage(app, w, r, tp, err)
@ -195,6 +207,7 @@ func (h oauthHandler) showOauthSignupPage(app *App, w http.ResponseWriter, r *ht
 		Provider:        tp.Provider,
 		ClientID:        tp.ClientID,
 		TokenHash:       tp.TokenHash,
+		InviteCode:      tp.InviteCode,

 		LoginUsername: username,
 		Alias:         collTitle,
--- a/oauth_slack.go
+++ b/oauth_slack.go
@ -13,8 +13,6 @@ package writefreely
 import (
 	"context"
 	"errors"
-	"fmt"
-	"github.com/writeas/nerds/store"
 	"github.com/writeas/slug"
 	"net/http"
 	"net/url"
@ -167,7 +165,7 @@ func (c slackOauthClient) inspectOauthAccessToken(ctx context.Context, accessTok
 func (resp slackUserIdentityResponse) InspectResponse() *InspectResponse {
 	return &InspectResponse{
 		UserID:      resp.User.ID,
-		Username:    fmt.Sprintf("%s-%s", slug.Make(resp.User.Name), store.GenerateRandomString("0123456789bcdfghjklmnpqrstvwxyz", 5)),
+		Username:    slug.Make(resp.User.Name),
 		DisplayName: resp.User.Name,
 		Email:       resp.User.Email,
 	}
--- a/oauth_test.go
+++ b/oauth_test.go
@ -22,8 +22,8 @@ type MockOAuthDatastoreProvider struct {
 }

 type MockOAuthDatastore struct {
-	DoGenerateOAuthState func(context.Context, string, string, int64) (string, error)
-	DoValidateOAuthState func(context.Context, string) (string, string, int64, error)
+	DoGenerateOAuthState func(context.Context, string, string, int64, string) (string, error)
+	DoValidateOAuthState func(context.Context, string) (string, string, int64, string, error)
 	DoGetIDForRemoteUser func(context.Context, string, string, string) (int64, error)
 	DoCreateUser         func(*config.Config, *User, string) error
 	DoRecordRemoteUserID func(context.Context, int64, string, string, string, string) error
@ -86,11 +86,11 @@ func (m *MockOAuthDatastoreProvider) Config() *config.Config {
 	return cfg
 }

-func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) (string, string, int64, error) {
+func (m *MockOAuthDatastore) ValidateOAuthState(ctx context.Context, state string) (string, string, int64, string, error) {
 	if m.DoValidateOAuthState != nil {
 		return m.DoValidateOAuthState(ctx, state)
 	}
-	return "", "", 0, nil
+	return "", "", 0, "", nil
 }

 func (m *MockOAuthDatastore) GetIDForRemoteUser(ctx context.Context, remoteUserID, provider, clientID string) (int64, error) {
@ -119,15 +119,13 @@ func (m *MockOAuthDatastore) GetUserByID(userID int64) (*User, error) {
 	if m.DoGetUserByID != nil {
 		return m.DoGetUserByID(userID)
 	}
-	user := &User{
-
-	}
+	user := &User{}
 	return user, nil
 }

-func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context, provider string, clientID string, attachUserID int64) (string, error) {
+func (m *MockOAuthDatastore) GenerateOAuthState(ctx context.Context, provider string, clientID string, attachUserID int64, inviteCode string) (string, error) {
 	if m.DoGenerateOAuthState != nil {
-		return m.DoGenerateOAuthState(ctx, provider, clientID, attachUserID)
+		return m.DoGenerateOAuthState(ctx, provider, clientID, attachUserID, inviteCode)
 	}
 	return store.Generate62RandomString(14), nil
 }
@ -173,7 +171,7 @@ func TestViewOauthInit(t *testing.T) {
 		app := &MockOAuthDatastoreProvider{
 			DoDB: func() OAuthDatastore {
 				return &MockOAuthDatastore{
-					DoGenerateOAuthState: func(ctx context.Context, provider, clientID string, attachUserID int64) (string, error) {
+					DoGenerateOAuthState: func(ctx context.Context, provider, clientID string, attachUserID int64, inviteCode string) (string, error) {
 						return "", fmt.Errorf("pretend unable to write state error")
 					},
 				}
--- a/pages/login.tmpl
+++ b/pages/login.tmpl
@ -3,43 +3,6 @@
 <meta itemprop="description" content="Log in to {{.SiteName}}.">
 <style>
 input{margin-bottom:0.5em;}
-.or {
-	text-align: center;
-	margin-bottom: 3.5em;
-}
-.or p {
-	display: inline-block;
-	background-color: white;
-	padding: 0 1em;
-}
-.or hr {
-	margin-top: -1.6em;
-	margin-bottom: 0;
-}
-hr.short {
-	max-width: 30rem;
-}
-.row.signinbtns {
-	justify-content: space-evenly;
-	font-size: 1em;
-	margin-top: 3em;
-	margin-bottom: 2em;
-}
-.loginbtn {
-	height: 40px;
-}
-#writeas-login {
-	box-sizing: border-box;
-	font-size: 17px;
-}
-#gitlab-login {
-	box-sizing: border-box;
-	font-size: 17px;
-}
-#gitea-login {
-	box-sizing: border-box;
-	font-size: 17px;
-}
 </style>
 {{end}}
 {{define "content"}}
--- a/pages/signup-oauth.tmpl
+++ b/pages/signup-oauth.tmpl
@ -1,6 +1,4 @@
-{{define "head"}}<title>Log in &mdash; {{.SiteName}}</title>
-<meta name="description" content="Log in to {{.SiteName}}.">
-<meta itemprop="description" content="Log in to {{.SiteName}}.">
+{{define "head"}}<title>Finish Creating Account &mdash; {{.SiteName}}</title>
 <style>input{margin-bottom:0.5em;}</style>
 <style type="text/css">
 h2 {
@ -58,7 +56,7 @@ form dd {
 {{end}}
 {{define "content"}}
 <div id="pricing" class="tight content-container">
-	<h1>Log in to {{.SiteName}}</h1>
+	<h1>Finish creating account</h1>

 	{{if .Flashes}}<ul class="errors">
 		{{range .Flashes}}<li class="urgent">{{.}}</li>{{end}}
@ -74,6 +72,7 @@ form dd {
 	        <input type="hidden" name="provider" value="{{ .Provider }}" />
 	        <input type="hidden" name="client_id" value="{{ .ClientID }}" />
 	        <input type="hidden" name="signature" value="{{ .TokenHash }}" />
+	        {{if .InviteCode}}<input type="hidden" name="invite_code" value="{{ .InviteCode }}" />{{end}}

            <dl class="billing">
                <label>
@ -96,7 +95,7 @@ form dd {
                    </dd>
                </label>
                <dt>
-                    <input type="submit" id="btn-login" value="Login" />
+                    <input type="submit" id="btn-login" value="Next" />
                </dt>
            </dl>
        </form>
@ -129,7 +128,7 @@ var $aliasSite = document.getElementById('alias-site');
 var aliasOK = true;
 var typingTimer;
 var doneTypingInterval = 750;
-var doneTyping = function() {
+var doneTyping = function(genID) {
    // Check on username
    var alias = $alias.el.value;
    if (alias != "") {
@ -152,6 +151,11 @@ var doneTyping = function() {
                    $aliasSite.className = $aliasSite.className.replace(/(?:^|\s)error(?!\S)/g, '');
                    $aliasSite.innerHTML = '{{ if .Federation }}@<strong>' + data.data + '</strong>@{{.FriendlyHost}}{{ else }}{{.FriendlyHost}}/<strong>' + data.data + '</strong>/{{ end }}';
                } else {
+                    if (genID === true) {
+                        $alias.el.value = alias + "-" + randStr(4);
+                        doneTyping();
+                        return;
+                    }
                    aliasOK = false;
                    $alias.setClass('error');
                    $aliasSite.className = 'error';
@ -169,6 +173,14 @@ $alias.on('keyup input', function() {
    clearTimeout(typingTimer);
    typingTimer = setTimeout(doneTyping, doneTypingInterval);
 });
-doneTyping();
+function randStr(len) {
+    var res = '';
+    var chars = '23456789bcdfghjklmnpqrstvwxyz';
+    for (var i=0; i<len; i++) {
+        res += chars.charAt(Math.floor(Math.random() * chars.length));
+    }
+    return res;
+}
+doneTyping(true);
 </script>
 {{end}}
--- a/pages/signup.tmpl
+++ b/pages/signup.tmpl
@ -70,6 +70,25 @@ form dd {
 		</ul>{{end}}

 		<div id="billing">
+			{{ if or .OAuth.SlackEnabled .OAuth.WriteAsEnabled .OAuth.GitLabEnabled }}
+				<div class="row content-container signinbtns">
+					{{ if .OAuth.SlackEnabled }}
+						<a class="loginbtn" href="/oauth/slack{{if .Invite}}?invite_code={{.Invite}}{{end}}"><img alt="Sign in with Slack" height="40" width="172" src="/img/sign_in_with_slack.png" srcset="/img/sign_in_with_slack.png 1x, /img/sign_in_with_slack@2x.png 2x" /></a>
+					{{ end }}
+					{{ if .OAuth.WriteAsEnabled }}
+						<a class="btn cta loginbtn" id="writeas-login" href="/oauth/write.as{{if .Invite}}?invite_code={{.Invite}}{{end}}">Sign in with <strong>Write.as</strong></a>
+					{{ end }}
+					{{ if .OAuth.GitLabEnabled }}
+						<a class="btn cta loginbtn" id="gitlab-login" href="/oauth/gitlab{{if .Invite}}?invite_code={{.Invite}}{{end}}">Sign in with <strong>{{.OAuth.GitLabDisplayName}}</strong></a>
+					{{ end }}
+				</div>
+
+				<div class="or">
+					<p>or</p>
+					<hr class="short" />
+				</div>
+			{{ end }}
+
 			<form action="/auth/signup" method="POST" id="signup-form" onsubmit="return signup()">
 				<input type="hidden" name="invite_code" value="{{.Invite}}" />
 				<dl class="billing">
--- a/templates/user/admin/app-settings.tmpl
+++ b/templates/user/admin/app-settings.tmpl
@ -15,6 +15,13 @@ form dt {
 p.docs {
 	font-size: 0.86em;
 }
+input[type=checkbox] {
+	height: 1em;
+	width: 1em;
+}
+select {
+	font-size: 1em;
+}
 </style>

 <div class="content-container snug">
@ -42,7 +49,7 @@ p.docs {
 		<div class="features row">
 			<div>
 				Host
-				<p>The address where your site lives.</p>
+				<p>The public address where users will access your site, starting with <code>http://</code> or <code>https://</code>.</p>
 			</div>
 			<div>{{.Config.Host}}</div>
 		</div>
@ -56,24 +63,57 @@ p.docs {
 		<div class="features row">
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}>
 				Landing Page
-				<p>The page that logged-out visitors will see first. This should be a path, e.g. <code>/read</code></p>
+				<p>The page that logged-out visitors will see first. This should be an absolute path like: <code>/read</code></p>
 			</div>
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}><input type="text" name="landing" id="landing" class="inline" value="{{.Config.Landing}}" style="width: 14em;"/></div>
 		</div>
 		<div class="features row">
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="open_registration">
 					Open Registrations
-					<p>Whether or not registration is open to anyone who visits the site.</p>
+					<p>Allow anyone who visits the site to create an account.</p>
 				</label></div>
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}><input type="checkbox" name="open_registration" id="open_registration" {{if .Config.OpenRegistration}}checked="checked"{{end}} />
 			</div>
 		</div>
 		<div class="features row">
-			<div><label for="min_username_len">
-					Minimum Username Length
-					<p>The minimum number of characters allowed in a username. (Recommended: 2 or more.)</p>
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="user_invites">
+					Allow invitations from...
+					<p>Choose who is allowed to invite new people.</p>
 				</label></div>
-			<div><input type="number" name="min_username_len" id="min_username_len" class="inline" min="1" max="100" value="{{.Config.MinUsernameLen}}"/></div>
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}>
+				<select name="user_invites" id="user_invites">
+					<option value="none" {{if eq .Config.UserInvites ""}}selected="selected"{{end}}>No one</option>
+					<option value="admin" {{if eq .Config.UserInvites "admin"}}selected="selected"{{end}}>Only Admins</option>
+					<option value="user" {{if eq .Config.UserInvites "user"}}selected="selected"{{end}}>All Users</option>
+				</select>
+			</div>
+		</div>
+		<div class="features row">
+			<div><label for="private">
+					Private Instance
+					<p>Limit site access to people with an account.</p>
+				</label></div>
+			<div><input type="checkbox" name="private" id="private" {{if .Config.Private}}checked="checked"{{end}} /></div>
+		</div>
+		<div class="features row">
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="local_timeline">
+					Reader
+					<p>Show a feed of user posts for anyone who chooses to share there.</p>
+				</label></div>
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><input type="checkbox" name="local_timeline" id="local_timeline" {{if .Config.LocalTimeline}}checked="checked"{{end}} /></div>
+		</div>
+		<div class="features row">
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="default_visibility">
+					Default blog visibility
+					<p>The default setting for new accounts and blogs.</p>
+				</label></div>
+			<div{{if .Config.SingleUser}} class="invisible"{{end}}>
+				<select name="default_visibility" id="default_visibility">
+					<option value="unlisted" {{if eq .Config.DefaultVisibility "unlisted"}}selected="selected"{{end}}>Unlisted</option>
+					<option value="public" {{if eq .Config.DefaultVisibility "public"}}selected="selected"{{end}}>Public</option>
+					<option value="private" {{if eq .Config.DefaultVisibility "private"}}selected="selected"{{end}}>Private</option>
+				</select>
+			</div>
 		</div>
 		<div class="features row">
 			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="max_blogs">
@ -97,44 +137,11 @@ p.docs {
 			<div><input type="checkbox" name="public_stats" id="public_stats" {{if .Config.PublicStats}}checked="checked"{{end}} /></div>
 		</div>
 		<div class="features row">
-			<div><label for="private">
-					Private Instance
-					<p>Make this instance accessible only to those with an account.</p>
+			<div><label for="min_username_len">
+					Minimum Username Length
+					<p>The minimum number of characters allowed in a username. (Recommended: 2 or more.)</p>
 				</label></div>
-			<div><input type="checkbox" name="private" id="private" {{if .Config.Private}}checked="checked"{{end}} /></div>
-		</div>
-		<div class="features row">
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="local_timeline">
-					Reader
-					<p>Show a feed of user posts for anyone who chooses to share there.</p>
-				</label></div>
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}><input type="checkbox" name="local_timeline" id="local_timeline" {{if .Config.LocalTimeline}}checked="checked"{{end}} /></div>
-		</div>
-		<div class="features row">
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="user_invites">
-					Allow invitations from...
-					<p>Choose who on this instance can invite new people.</p>
-				</label></div>
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}>
-				<select name="user_invites" id="user_invites">
-					<option value="none" {{if eq .Config.UserInvites ""}}selected="selected"{{end}}>No one</option>
-					<option value="admin" {{if eq .Config.UserInvites "admin"}}selected="selected"{{end}}>Only Admins</option>
-					<option value="user" {{if eq .Config.UserInvites "user"}}selected="selected"{{end}}>All Users</option>
-				</select>
-			</div>
-		</div>
-		<div class="features row">
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}><label for="default_visibility">
-					Default blog visibility
-					<p>The default setting for new accounts and blogs.</p>
-				</label></div>
-			<div{{if .Config.SingleUser}} class="invisible"{{end}}>
-				<select name="default_visibility" id="default_visibility">
-					<option value="unlisted" {{if eq .Config.DefaultVisibility "unlisted"}}selected="selected"{{end}}>Unlisted</option>
-					<option value="public" {{if eq .Config.DefaultVisibility "public"}}selected="selected"{{end}}>Public</option>
-					<option value="private" {{if eq .Config.DefaultVisibility "private"}}selected="selected"{{end}}>Private</option>
-				</select>
-			</div>
+			<div><input type="number" name="min_username_len" id="min_username_len" class="inline" min="1" max="100" value="{{.Config.MinUsernameLen}}"/></div>
 		</div>
 		<div class="features row">
 			<input type="submit" value="Save Settings" />