bridgev2/portal: add event being handled to context variable

Closes #468

.github/workflows/go.yml

@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     name: Lint (latest)
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: "1.25"
+          go-version: "1.26"
           cache: true
 
       - name: Install libolm
@@ -24,6 +24,7 @@ jobs:
       - name: Install goimports
         run: |
           go install golang.org/x/tools/cmd/goimports@latest
+          go install honnef.co/go/tools/cmd/staticcheck@latest
           export PATH="$HOME/go/bin:$PATH"
 
       - name: Run pre-commit
@@ -34,14 +35,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: ["1.24", "1.25"]
-    name: Build (${{ matrix.go-version == '1.25' && 'latest' || 'old' }}, libolm)
+        go-version: ["1.25", "1.26"]
+    name: Build (${{ matrix.go-version == '1.26' && 'latest' || 'old' }}, libolm)
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
           cache: true
@@ -61,7 +62,6 @@ jobs:
         run: go test -json -v ./... 2>&1 | gotestfmt
 
       - name: Test (jsonv2)
-        if: matrix.go-version == '1.25'
         env:
           GOEXPERIMENT: jsonv2
         run: go test -json -v ./... 2>&1 | gotestfmt
@@ -71,14 +71,14 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go-version: ["1.24", "1.25"]
-    name: Build (${{ matrix.go-version == '1.25' && 'latest' || 'old' }}, goolm)
+        go-version: ["1.25", "1.26"]
+    name: Build (${{ matrix.go-version == '1.26' && 'latest' || 'old' }}, goolm)
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Go ${{ matrix.go-version }}
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: ${{ matrix.go-version }}
           cache: true

.github/workflows/stale.yml

@@ -17,7 +17,7 @@ jobs:
   lock-stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@v6
         id: lock
         with:
           issue-inactive-days: 90

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v5.0.0
+    rev: v6.0.0
     hooks:
       - id: trailing-whitespace
         exclude_types: [markdown]
@@ -9,7 +9,7 @@ repos:
       - id: check-added-large-files
 
   - repo: https://github.com/tekwizely/pre-commit-golang
-    rev: v1.0.0-rc.1
+    rev: v1.0.0-rc.4
     hooks:
       - id: go-imports-repo
         args:
@@ -18,8 +18,7 @@ repos:
           - "-w"
       - id: go-vet-repo-mod
       - id: go-mod-tidy
-      # TODO enable this
-      #- id: go-staticcheck-repo-mod
+      - id: go-staticcheck-repo-mod
 
   - repo: https://github.com/beeper/pre-commit-go
     rev: v0.4.2

CHANGELOG.md

@@ -1,3 +1,130 @@
+## v0.26.3 (2026-02-16)
+
+* Bumped minimum Go version to 1.25.
+* *(client)* Added fields for sending [MSC4354] sticky events.
+* *(bridgev2)* Added automatic message request accepting when sending message.
+* *(mediaproxy)* Added support for federation thumbnail endpoint.
+* *(crypto/ssss)* Improved support for recovery keys with slightly broken
+  metadata.
+* *(crypto)* Changed key import to call session received callback even for
+  sessions that already exist in the database.
+* *(appservice)* Fixed building websocket URL accidentally using file path
+  separators instead of always `/`.
+* *(crypto)* Fixed key exports not including the `sender_claimed_keys` field.
+* *(client)* Fixed incorrect context usage in async uploads.
+* *(crypto)* Fixed panic when passing invalid input to megolm message index
+  parser used for debugging.
+* *(bridgev2/provisioning)* Fixed completed or failed logins not being cleaned
+  up properly.
+
+[MSC4354]: https://github.com/matrix-org/matrix-spec-proposals/pull/4354
+
+## v0.26.2 (2026-01-16)
+
+* *(bridgev2)* Added chunked portal deletion to avoid database locks when
+  deleting large portals.
+* *(crypto,bridgev2)* Added option to encrypt reaction and reply metadata
+  as per [MSC4392].
+* *(bridgev2/login)* Added `default_value` for user input fields.
+* *(bridgev2)* Added interfaces to let the Matrix connector provide suggested
+  HTTP client settings and to reset active connections of the network connector.
+* *(bridgev2)* Added interface to let network connectors get the provisioning
+  API HTTP router and add new endpoints.
+* *(event)* Added blurhash field to Beeper link preview objects.
+* *(event)* Added [MSC4391] support for bot commands.
+* *(event)* Dropped [MSC4332] support for bot commands.
+* *(client)* Changed media download methods to return an error if the provided
+  MXC URI is empty.
+* *(client)* Stabilized support for [MSC4323].
+* *(bridgev2/matrix)* Fixed `GetEvent` panicking when trying to decrypt events.
+* *(bridgev2)* Fixed some deadlocks when room creation happens in parallel with
+  a portal re-ID call.
+
+[MSC4391]: https://github.com/matrix-org/matrix-spec-proposals/pull/4391
+[MSC4392]: https://github.com/matrix-org/matrix-spec-proposals/pull/4392
+
+## v0.26.1 (2025-12-16)
+
+* **Breaking change *(mediaproxy)*** Changed `GetMediaResponseFile` to return
+  the mime type from the callback rather than in the return get media return
+  value. The callback can now also redirect the caller to a different file.
+* *(federation)* Added join/knock/leave functions
+  (thanks to [@nexy7574] in [#422]).
+* *(federation/eventauth)* Fixed various incorrect checks.
+* *(client)* Added backoff for retrying media uploads to external URLs
+  (with MSC3870).
+* *(bridgev2/config)* Added support for overriding config fields using
+  environment variables.
+* *(bridgev2/commands)* Added command to mute chat on remote network.
+* *(bridgev2)* Added interface for network connectors to redirect to a different
+  user ID when handling an invite from Matrix.
+* *(bridgev2)* Added interface for signaling message request status of portals.
+* *(bridgev2)* Changed portal creation to not backfill unless `CanBackfill` flag
+  is set in chat info.
+* *(bridgev2)* Changed Matrix reaction handling to only delete old reaction if
+  bridging the new one is successful.
+* *(bridgev2/mxmain)* Improved error message when trying to run bridge with
+  pre-megabridge database when no database migration exists.
+* *(bridgev2)* Improved reliability of database migration when enabling split
+  portals.
+* *(bridgev2)* Improved detection of orphaned DM rooms when starting new chats.
+* *(bridgev2)* Stopped sending redundant invites when joining ghosts to public
+  portal rooms.
+* *(bridgev2)* Stopped hardcoding room versions in favor of checking
+  server capabilities to determine appropriate `/createRoom` parameters.
+
+[#422]: https://github.com/mautrix/go/pull/422
+
+## v0.26.0 (2025-11-16)
+
+* *(client,appservice)* Deprecated `SendMassagedStateEvent` as `SendStateEvent`
+  has been able to do the same for a while now.
+* *(client,federation)* Added size limits for responses to make it safer to send
+  requests to untrusted servers.
+* *(client)* Added wrapper for `/admin/whois` client API
+  (thanks to [@nexy7574] in [#411]).
+* *(synapseadmin)* Added `force_purge` option to DeleteRoom
+  (thanks to [@nexy7574] in [#420]).
+* *(statestore)* Added saving join rules for rooms.
+* *(bridgev2)* Added optional automatic rollback of room state if bridging the
+  change to the remote network fails.
+* *(bridgev2)* Added management room notices if transient disconnect state
+  doesn't resolve within 3 minutes.
+* *(bridgev2)* Added interface to signal that certain participants couldn't be
+  invited when creating a group.
+* *(bridgev2)* Added `select` type for user input fields in login.
+* *(bridgev2)* Added interface to let network connector customize personal
+  filtering space.
+* *(bridgev2/matrix)* Added checks to avoid sending error messages in reply to
+  other bots.
+* *(bridgev2/matrix)* Switched to using [MSC4169] to send redactions whenever
+  possible.
+* *(bridgev2/publicmedia)* Added support for custom path prefixes, file names,
+  and encrypted files.
+* *(bridgev2/commands)* Added command to resync a single portal.
+* *(bridgev2/commands)* Added create group command.
+* *(bridgev2/config)* Added option to limit maximum number of logins.
+* *(bridgev2)* Changed ghost joining to skip unnecessary invite if portal room
+  is public.
+* *(bridgev2/disappear)* Changed read receipt handling to only start
+  disappearing timers for messages up to the read message (note: may not work in
+  all cases if the read receipt points at an unknown event).
+* *(event/reply)* Changed plaintext reply fallback removal to only happen when
+  an HTML reply fallback is removed successfully.
+* *(bridgev2/matrix)* Fixed unnecessary sleep after registering bot on first run.
+* *(crypto/goolm)* Fixed panic when processing certain malformed Olm messages.
+* *(federation)* Fixed HTTP method for sending transactions
+  (thanks to [@nexy7574] in [#426]).
+* *(federation)* Fixed response body being closed even when using `DontReadBody`
+  parameter.
+* *(federation)* Fixed validating auth for requests with query params.
+* *(federation/eventauth)* Fixed typo causing restricted joins to not work.
+
+[MSC4169]: https://github.com/matrix-org/matrix-spec-proposals/pull/4169
+[#411]: github.com/mautrix/go/pull/411
+[#420]: github.com/mautrix/go/pull/420
+[#426]: github.com/mautrix/go/pull/426
+
 ## v0.25.2 (2025-10-16)
 
 * **Breaking change *(id)*** Split `UserID.ParseAndValidate` into
@@ -310,6 +437,7 @@
 [MSC4156]: https://github.com/matrix-org/matrix-spec-proposals/pull/4156
 [MSC4190]: https://github.com/matrix-org/matrix-spec-proposals/pull/4190
 [#288]: https://github.com/mautrix/go/pull/288
+[@onestacked]: https://github.com/onestacked
 
 ## v0.22.0 (2024-11-16)
 

README.md

@@ -1,8 +1,9 @@
 # mautrix-go
 [![GoDoc](https://pkg.go.dev/badge/maunium.net/go/mautrix)](https://pkg.go.dev/maunium.net/go/mautrix)
 
-A Golang Matrix framework. Used by [gomuks](https://matrix.org/docs/projects/client/gomuks),
-[go-neb](https://github.com/matrix-org/go-neb), [mautrix-whatsapp](https://github.com/mautrix/whatsapp)
+A Golang Matrix framework. Used by [gomuks](https://gomuks.app),
+[go-neb](https://github.com/matrix-org/go-neb),
+[mautrix-whatsapp](https://github.com/mautrix/whatsapp)
 and others.
 
 Matrix room: [`#go:maunium.net`](https://matrix.to/#/#go:maunium.net)
@@ -13,9 +14,10 @@ The original project is licensed under [Apache 2.0](https://github.com/matrix-or
 In addition to the basic client API features the original project has, this framework also has:
 
 * Appservice support (Intent API like mautrix-python, room state storage, etc)
-* End-to-end encryption support (incl. interactive SAS verification)
+* End-to-end encryption support (incl. key backup, cross-signing, interactive verification, etc)
 * High-level module for building puppeting bridges
-* High-level module for building chat clients
+* Partial federation module (making requests, PDU processing and event authorization)
+* A media proxy server which can be used to expose anything as a Matrix media repo
 * Wrapper functions for the Synapse admin API
 * Structs for parsing event content
 * Helpers for parsing and generating Matrix HTML

appservice/intent.go

@@ -51,7 +51,7 @@ func (as *AppService) NewIntentAPI(localpart string) *IntentAPI {
 }
 
 func (intent *IntentAPI) Register(ctx context.Context) error {
-	_, err := intent.Client.MakeRequest(ctx, http.MethodPost, intent.BuildClientURL("v3", "register"), &mautrix.ReqRegister{
+	_, err := intent.Client.MakeRequest(ctx, http.MethodPost, intent.BuildClientURL("v3", "register"), &mautrix.ReqRegister[any]{
 		Username:     intent.Localpart,
 		Type:         mautrix.AuthTypeAppservice,
 		InhibitLogin: true,
@@ -214,23 +214,31 @@ func (intent *IntentAPI) AddDoublePuppetValueWithTS(into any, ts int64) any {
 	}
 }
 
-func (intent *IntentAPI) SendMessageEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON interface{}) (*mautrix.RespSendEvent, error) {
+func (intent *IntentAPI) SendMessageEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON any, extra ...mautrix.ReqSendEvent) (*mautrix.RespSendEvent, error) {
 	if err := intent.EnsureJoined(ctx, roomID); err != nil {
 		return nil, err
 	}
 	contentJSON = intent.AddDoublePuppetValue(contentJSON)
-	return intent.Client.SendMessageEvent(ctx, roomID, eventType, contentJSON)
+	return intent.Client.SendMessageEvent(ctx, roomID, eventType, contentJSON, extra...)
 }
 
-func (intent *IntentAPI) SendMassagedMessageEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON interface{}, ts int64) (*mautrix.RespSendEvent, error) {
+func (intent *IntentAPI) BeeperSendEphemeralEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON any, extra ...mautrix.ReqSendEvent) (*mautrix.RespSendEvent, error) {
 	if err := intent.EnsureJoined(ctx, roomID); err != nil {
 		return nil, err
 	}
-	contentJSON = intent.AddDoublePuppetValueWithTS(contentJSON, ts)
-	return intent.Client.SendMessageEvent(ctx, roomID, eventType, contentJSON, mautrix.ReqSendEvent{Timestamp: ts})
+	if !intent.SpecVersions.Supports(mautrix.BeeperFeatureEphemeralEvents) {
+		return nil, mautrix.MUnrecognized.WithMessage("Homeserver does not advertise com.beeper.ephemeral support")
+	}
+	contentJSON = intent.AddDoublePuppetValue(contentJSON)
+	return intent.Client.BeeperSendEphemeralEvent(ctx, roomID, eventType, contentJSON, extra...)
 }
 
-func (intent *IntentAPI) SendStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON interface{}) (*mautrix.RespSendEvent, error) {
+// Deprecated: use SendMessageEvent with mautrix.ReqSendEvent.Timestamp instead
+func (intent *IntentAPI) SendMassagedMessageEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON interface{}, ts int64) (*mautrix.RespSendEvent, error) {
+	return intent.SendMessageEvent(ctx, roomID, eventType, contentJSON, mautrix.ReqSendEvent{Timestamp: ts})
+}
+
+func (intent *IntentAPI) SendStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON any, extra ...mautrix.ReqSendEvent) (*mautrix.RespSendEvent, error) {
 	if eventType != event.StateMember || stateKey != string(intent.UserID) {
 		if err := intent.EnsureJoined(ctx, roomID); err != nil {
 			return nil, err
@@ -239,15 +247,12 @@ func (intent *IntentAPI) SendStateEvent(ctx context.Context, roomID id.RoomID, e
 		return nil, err
 	}
 	contentJSON = intent.AddDoublePuppetValue(contentJSON)
-	return intent.Client.SendStateEvent(ctx, roomID, eventType, stateKey, contentJSON)
+	return intent.Client.SendStateEvent(ctx, roomID, eventType, stateKey, contentJSON, extra...)
 }
 
+// Deprecated: use SendStateEvent with mautrix.ReqSendEvent.Timestamp instead
 func (intent *IntentAPI) SendMassagedStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON interface{}, ts int64) (*mautrix.RespSendEvent, error) {
-	if err := intent.EnsureJoined(ctx, roomID); err != nil {
-		return nil, err
-	}
-	contentJSON = intent.AddDoublePuppetValueWithTS(contentJSON, ts)
-	return intent.Client.SendMassagedStateEvent(ctx, roomID, eventType, stateKey, contentJSON, ts)
+	return intent.SendStateEvent(ctx, roomID, eventType, stateKey, contentJSON, mautrix.ReqSendEvent{Timestamp: ts})
 }
 
 func (intent *IntentAPI) StateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, outContent interface{}) error {

appservice/websocket.go

@@ -14,7 +14,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"path/filepath"
+	"path"
 	"strings"
 	"sync"
 	"sync/atomic"
@@ -56,7 +56,7 @@ func (wsc *WebsocketCommand) MakeResponse(ok bool, data any) *WebsocketRequest {
 		var prefixMessage string
 		for unwrappedErr != nil {
 			errorData, jsonErr = json.Marshal(unwrappedErr)
-			if errorData != nil && len(errorData) > 2 && jsonErr == nil {
+			if len(errorData) > 2 && jsonErr == nil {
 				prefixMessage = strings.Replace(err.Error(), unwrappedErr.Error(), "", 1)
 				prefixMessage = strings.TrimRight(prefixMessage, ": ")
 				break
@@ -374,7 +374,7 @@ func (as *AppService) StartWebsocket(ctx context.Context, baseURL string, onConn
 		copiedURL := *as.hsURLForClient
 		parsed = &copiedURL
 	}
-	parsed.Path = filepath.Join(parsed.Path, "_matrix/client/unstable/fi.mau.as_sync")
+	parsed.Path = path.Join(parsed.Path, "_matrix/client/unstable/fi.mau.as_sync")
 	if parsed.Scheme == "http" {
 		parsed.Scheme = "ws"
 	} else if parsed.Scheme == "https" {

bridgev2/bridge.go

@@ -11,10 +11,12 @@ import (
 	"fmt"
 	"os"
 	"sync"
+	"sync/atomic"
 	"time"
 
 	"github.com/rs/zerolog"
 	"go.mau.fi/util/dbutil"
+	"go.mau.fi/util/exhttp"
 	"go.mau.fi/util/exsync"
 
 	"maunium.net/go/mautrix/bridgev2/bridgeconfig"
@@ -52,6 +54,7 @@ type Bridge struct {
 
 	Background          bool
 	ExternallyManagedDB bool
+	stopping            atomic.Bool
 
 	wakeupBackfillQueue chan struct{}
 	stopBackfillQueue   *exsync.Event
@@ -127,6 +130,7 @@ func (br *Bridge) Start(ctx context.Context) error {
 
 func (br *Bridge) RunOnce(ctx context.Context, loginID networkid.UserLoginID, params *ConnectBackgroundParams) error {
 	br.Background = true
+	br.stopping.Store(false)
 	err := br.StartConnectors(ctx)
 	if err != nil {
 		return err
@@ -162,6 +166,7 @@ func (br *Bridge) RunOnce(ctx context.Context, loginID networkid.UserLoginID, pa
 		case <-time.After(20 * time.Second):
 		case <-ctx.Done():
 		}
+		br.stopping.Store(true)
 		return nil
 	} else {
 		br.Log.Info().Str("user_login_id", string(login.ID)).Msg("Starting individual user login in background mode")
@@ -171,6 +176,7 @@ func (br *Bridge) RunOnce(ctx context.Context, loginID networkid.UserLoginID, pa
 
 func (br *Bridge) StartConnectors(ctx context.Context) error {
 	br.Log.Info().Msg("Starting bridge")
+	br.stopping.Store(false)
 	if br.BackgroundCtx == nil || br.BackgroundCtx.Err() != nil {
 		br.BackgroundCtx, br.cancelBackgroundCtx = context.WithCancel(context.Background())
 		br.BackgroundCtx = br.Log.WithContext(br.BackgroundCtx)
@@ -368,6 +374,46 @@ func (br *Bridge) StartLogins(ctx context.Context) error {
 	return nil
 }
 
+func (br *Bridge) ResetNetworkConnections() {
+	nrn, ok := br.Network.(NetworkResettingNetwork)
+	if ok {
+		br.Log.Info().Msg("Resetting network connections with NetworkConnector.ResetNetworkConnections")
+		nrn.ResetNetworkConnections()
+		return
+	}
+
+	br.Log.Info().Msg("Network connector doesn't support ResetNetworkConnections, recreating clients manually")
+	for _, login := range br.GetAllCachedUserLogins() {
+		login.Log.Debug().Msg("Disconnecting and recreating client for network reset")
+		ctx := login.Log.WithContext(br.BackgroundCtx)
+		login.Client.Disconnect()
+		err := login.recreateClient(ctx)
+		if err != nil {
+			login.Log.Err(err).Msg("Failed to recreate client during network reset")
+			login.BridgeState.Send(status.BridgeState{
+				StateEvent: status.StateUnknownError,
+				Error:      "bridgev2-network-reset-fail",
+				Info:       map[string]any{"go_error": err.Error()},
+			})
+		} else {
+			login.Client.Connect(ctx)
+		}
+	}
+	br.Log.Info().Msg("Finished resetting all user logins")
+}
+
+func (br *Bridge) GetHTTPClientSettings() exhttp.ClientSettings {
+	mchs, ok := br.Matrix.(MatrixConnectorWithHTTPSettings)
+	if ok {
+		return mchs.GetHTTPClientSettings()
+	}
+	return exhttp.SensibleClientSettings
+}
+
+func (br *Bridge) IsStopping() bool {
+	return br.stopping.Load()
+}
+
 func (br *Bridge) Stop() {
 	br.stop(false, 0)
 }
@@ -378,6 +424,7 @@ func (br *Bridge) StopWithTimeout(timeout time.Duration) {
 
 func (br *Bridge) stop(isRunOnce bool, timeout time.Duration) {
 	br.Log.Info().Msg("Shutting down bridge")
+	br.stopping.Store(true)
 	br.DisappearLoop.Stop()
 	br.stopBackfillQueue.Set()
 	br.Matrix.PreStop()

bridgev2/bridgeconfig/backfill.go

@@ -34,10 +34,12 @@ type BackfillQueueConfig struct {
 	MaxBatchesOverride map[string]int `yaml:"max_batches_override"`
 }
 
-func (bqc *BackfillQueueConfig) GetOverride(name string) int {
-	override, ok := bqc.MaxBatchesOverride[name]
-	if !ok {
-		return bqc.MaxBatches
+func (bqc *BackfillQueueConfig) GetOverride(names ...string) int {
+	for _, name := range names {
+		override, ok := bqc.MaxBatchesOverride[name]
+		if ok {
+			return override
+		}
 	}
-	return override
+	return bqc.MaxBatches
 }

bridgev2/bridgeconfig/config.go

@@ -33,6 +33,8 @@ type Config struct {
 	Encryption   EncryptionConfig   `yaml:"encryption"`
 	Logging      zeroconfig.Config  `yaml:"logging"`
 
+	EnvConfigPrefix string `yaml:"env_config_prefix"`
+
 	ManagementRoomTexts ManagementRoomTexts `yaml:"management_room_texts"`
 }
 
@@ -60,36 +62,40 @@ type CleanupOnLogouts struct {
 }
 
 type BridgeConfig struct {
-	CommandPrefix             string           `yaml:"command_prefix"`
-	PersonalFilteringSpaces   bool             `yaml:"personal_filtering_spaces"`
-	PrivateChatPortalMeta     bool             `yaml:"private_chat_portal_meta"`
-	AsyncEvents               bool             `yaml:"async_events"`
-	SplitPortals              bool             `yaml:"split_portals"`
-	ResendBridgeInfo          bool             `yaml:"resend_bridge_info"`
-	NoBridgeInfoStateKey      bool             `yaml:"no_bridge_info_state_key"`
-	BridgeStatusNotices       string           `yaml:"bridge_status_notices"`
-	UnknownErrorAutoReconnect time.Duration    `yaml:"unknown_error_auto_reconnect"`
-	BridgeMatrixLeave         bool             `yaml:"bridge_matrix_leave"`
-	BridgeNotices             bool             `yaml:"bridge_notices"`
-	TagOnlyOnCreate           bool             `yaml:"tag_only_on_create"`
-	OnlyBridgeTags            []event.RoomTag  `yaml:"only_bridge_tags"`
-	MuteOnlyOnCreate          bool             `yaml:"mute_only_on_create"`
-	DeduplicateMatrixMessages bool             `yaml:"deduplicate_matrix_messages"`
-	CrossRoomReplies          bool             `yaml:"cross_room_replies"`
-	OutgoingMessageReID       bool             `yaml:"outgoing_message_re_id"`
-	CleanupOnLogout           CleanupOnLogouts `yaml:"cleanup_on_logout"`
-	Relay                     RelayConfig      `yaml:"relay"`
-	Permissions               PermissionConfig `yaml:"permissions"`
-	Backfill                  BackfillConfig   `yaml:"backfill"`
+	CommandPrefix                 string           `yaml:"command_prefix"`
+	PersonalFilteringSpaces       bool             `yaml:"personal_filtering_spaces"`
+	PrivateChatPortalMeta         bool             `yaml:"private_chat_portal_meta"`
+	AsyncEvents                   bool             `yaml:"async_events"`
+	SplitPortals                  bool             `yaml:"split_portals"`
+	ResendBridgeInfo              bool             `yaml:"resend_bridge_info"`
+	NoBridgeInfoStateKey          bool             `yaml:"no_bridge_info_state_key"`
+	BridgeStatusNotices           string           `yaml:"bridge_status_notices"`
+	UnknownErrorAutoReconnect     time.Duration    `yaml:"unknown_error_auto_reconnect"`
+	UnknownErrorMaxAutoReconnects int              `yaml:"unknown_error_max_auto_reconnects"`
+	BridgeMatrixLeave             bool             `yaml:"bridge_matrix_leave"`
+	BridgeNotices                 bool             `yaml:"bridge_notices"`
+	TagOnlyOnCreate               bool             `yaml:"tag_only_on_create"`
+	OnlyBridgeTags                []event.RoomTag  `yaml:"only_bridge_tags"`
+	MuteOnlyOnCreate              bool             `yaml:"mute_only_on_create"`
+	DeduplicateMatrixMessages     bool             `yaml:"deduplicate_matrix_messages"`
+	CrossRoomReplies              bool             `yaml:"cross_room_replies"`
+	OutgoingMessageReID           bool             `yaml:"outgoing_message_re_id"`
+	RevertFailedStateChanges      bool             `yaml:"revert_failed_state_changes"`
+	KickMatrixUsers               bool             `yaml:"kick_matrix_users"`
+	CleanupOnLogout               CleanupOnLogouts `yaml:"cleanup_on_logout"`
+	Relay                         RelayConfig      `yaml:"relay"`
+	Permissions                   PermissionConfig `yaml:"permissions"`
+	Backfill                      BackfillConfig   `yaml:"backfill"`
 }
 
 type MatrixConfig struct {
-	MessageStatusEvents bool  `yaml:"message_status_events"`
-	DeliveryReceipts    bool  `yaml:"delivery_receipts"`
-	MessageErrorNotices bool  `yaml:"message_error_notices"`
-	SyncDirectChatList  bool  `yaml:"sync_direct_chat_list"`
-	FederateRooms       bool  `yaml:"federate_rooms"`
-	UploadFileThreshold int64 `yaml:"upload_file_threshold"`
+	MessageStatusEvents   bool  `yaml:"message_status_events"`
+	DeliveryReceipts      bool  `yaml:"delivery_receipts"`
+	MessageErrorNotices   bool  `yaml:"message_error_notices"`
+	SyncDirectChatList    bool  `yaml:"sync_direct_chat_list"`
+	FederateRooms         bool  `yaml:"federate_rooms"`
+	UploadFileThreshold   int64 `yaml:"upload_file_threshold"`
+	GhostExtraProfileInfo bool  `yaml:"ghost_extra_profile_info"`
 }
 
 type AnalyticsConfig struct {
@@ -111,10 +117,12 @@ type DirectMediaConfig struct {
 }
 
 type PublicMediaConfig struct {
-	Enabled    bool   `yaml:"enabled"`
-	SigningKey string `yaml:"signing_key"`
-	HashLength int    `yaml:"hash_length"`
-	Expiry     int    `yaml:"expiry"`
+	Enabled     bool   `yaml:"enabled"`
+	SigningKey  string `yaml:"signing_key"`
+	Expiry      int    `yaml:"expiry"`
+	HashLength  int    `yaml:"hash_length"`
+	PathPrefix  string `yaml:"path_prefix"`
+	UseDatabase bool   `yaml:"use_database"`
 }
 
 type DoublePuppetConfig struct {

bridgev2/bridgeconfig/encryption.go

@@ -16,6 +16,7 @@ type EncryptionConfig struct {
 	Require    bool `yaml:"require"`
 	Appservice bool `yaml:"appservice"`
 	MSC4190    bool `yaml:"msc4190"`
+	MSC4392    bool `yaml:"msc4392"`
 	SelfSign   bool `yaml:"self_sign"`
 
 	PlaintextMentions bool `yaml:"plaintext_mentions"`

bridgev2/bridgeconfig/permissions.go

@@ -24,6 +24,7 @@ type Permissions struct {
 	DoublePuppet bool `yaml:"double_puppet"`
 	Admin        bool `yaml:"admin"`
 	ManageRelay  bool `yaml:"manage_relay"`
+	MaxLogins    int  `yaml:"max_logins"`
 }
 
 type PermissionConfig map[string]*Permissions
@@ -40,10 +41,7 @@ func (pc PermissionConfig) IsConfigured() bool {
 	_, hasExampleDomain := pc["example.com"]
 	_, hasExampleUser := pc["@admin:example.com"]
 	exampleLen := boolToInt(hasWildcard) + boolToInt(hasExampleUser) + boolToInt(hasExampleDomain)
-	if len(pc) <= exampleLen {
-		return false
-	}
-	return true
+	return len(pc) > exampleLen
 }
 
 func (pc PermissionConfig) Get(userID id.UserID) Permissions {

bridgev2/bridgeconfig/upgrade.go

@@ -33,6 +33,7 @@ func doUpgrade(helper up.Helper) {
 	helper.Copy(up.Bool, "bridge", "no_bridge_info_state_key")
 	helper.Copy(up.Str|up.Null, "bridge", "bridge_status_notices")
 	helper.Copy(up.Str|up.Int|up.Null, "bridge", "unknown_error_auto_reconnect")
+	helper.Copy(up.Int, "bridge", "unknown_error_max_auto_reconnects")
 	helper.Copy(up.Bool, "bridge", "bridge_matrix_leave")
 	helper.Copy(up.Bool, "bridge", "bridge_notices")
 	helper.Copy(up.Bool, "bridge", "tag_only_on_create")
@@ -40,6 +41,8 @@ func doUpgrade(helper up.Helper) {
 	helper.Copy(up.Bool, "bridge", "mute_only_on_create")
 	helper.Copy(up.Bool, "bridge", "deduplicate_matrix_messages")
 	helper.Copy(up.Bool, "bridge", "cross_room_replies")
+	helper.Copy(up.Bool, "bridge", "revert_failed_state_changes")
+	helper.Copy(up.Bool, "bridge", "kick_matrix_users")
 	helper.Copy(up.Bool, "bridge", "cleanup_on_logout", "enabled")
 	helper.Copy(up.Str, "bridge", "cleanup_on_logout", "manual", "private")
 	helper.Copy(up.Str, "bridge", "cleanup_on_logout", "manual", "relayed")
@@ -98,6 +101,7 @@ func doUpgrade(helper up.Helper) {
 	helper.Copy(up.Bool, "matrix", "sync_direct_chat_list")
 	helper.Copy(up.Bool, "matrix", "federate_rooms")
 	helper.Copy(up.Int, "matrix", "upload_file_threshold")
+	helper.Copy(up.Bool, "matrix", "ghost_extra_profile_info")
 
 	helper.Copy(up.Str|up.Null, "analytics", "token")
 	helper.Copy(up.Str|up.Null, "analytics", "url")
@@ -132,6 +136,8 @@ func doUpgrade(helper up.Helper) {
 	}
 	helper.Copy(up.Int, "public_media", "expiry")
 	helper.Copy(up.Int, "public_media", "hash_length")
+	helper.Copy(up.Str|up.Null, "public_media", "path_prefix")
+	helper.Copy(up.Bool, "public_media", "use_database")
 
 	helper.Copy(up.Bool, "backfill", "enabled")
 	helper.Copy(up.Int, "backfill", "max_initial_messages")
@@ -157,6 +163,7 @@ func doUpgrade(helper up.Helper) {
 	} else {
 		helper.Copy(up.Bool, "encryption", "msc4190")
 	}
+	helper.Copy(up.Bool, "encryption", "msc4392")
 	helper.Copy(up.Bool, "encryption", "self_sign")
 	helper.Copy(up.Bool, "encryption", "allow_key_sharing")
 	if secret, ok := helper.Get(up.Str, "encryption", "pickle_key"); !ok || secret == "generate" {
@@ -180,6 +187,8 @@ func doUpgrade(helper up.Helper) {
 	helper.Copy(up.Int, "encryption", "rotation", "messages")
 	helper.Copy(up.Bool, "encryption", "rotation", "disable_device_change_key_rotation")
 
+	helper.Copy(up.Str|up.Null, "env_config_prefix")
+
 	helper.Copy(up.Map, "logging")
 }
 
@@ -207,6 +216,7 @@ var SpacedBlocks = [][]string{
 	{"backfill"},
 	{"double_puppet"},
 	{"encryption"},
+	{"env_config_prefix"},
 	{"logging"},
 }
 

bridgev2/bridgestate.go

@@ -15,12 +15,15 @@ import (
 	"time"
 
 	"github.com/rs/zerolog"
+	"go.mau.fi/util/exfmt"
 
 	"maunium.net/go/mautrix/bridgev2/status"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/format"
 )
 
+var CatchBridgeStateQueuePanics = true
+
 type BridgeStateQueue struct {
 	prevUnsent *status.BridgeState
 	prevSent   *status.BridgeState
@@ -29,8 +32,13 @@ type BridgeStateQueue struct {
 	bridge     *Bridge
 	login      *UserLogin
 
+	firstTransientDisconnect time.Time
+	cancelScheduledNotice    atomic.Pointer[context.CancelFunc]
+
 	stopChan      chan struct{}
 	stopReconnect atomic.Pointer[context.CancelFunc]
+
+	unknownErrorReconnects int
 }
 
 func (br *Bridge) SendGlobalBridgeState(state status.BridgeState) {
@@ -74,31 +82,63 @@ func (bsq *BridgeStateQueue) StopUnknownErrorReconnect() {
 	if cancelFn := bsq.stopReconnect.Swap(nil); cancelFn != nil {
 		(*cancelFn)()
 	}
+	if cancelFn := bsq.cancelScheduledNotice.Swap(nil); cancelFn != nil {
+		(*cancelFn)()
+	}
 }
 
 func (bsq *BridgeStateQueue) loop() {
-	defer func() {
-		err := recover()
-		if err != nil {
-			bsq.login.Log.Error().
-				Bytes(zerolog.ErrorStackFieldName, debug.Stack()).
-				Any(zerolog.ErrorFieldName, err).
-				Msg("Panic in bridge state loop")
-		}
-	}()
+	if CatchBridgeStateQueuePanics {
+		defer func() {
+			err := recover()
+			if err != nil {
+				bsq.login.Log.Error().
+					Bytes(zerolog.ErrorStackFieldName, debug.Stack()).
+					Any(zerolog.ErrorFieldName, err).
+					Msg("Panic in bridge state loop")
+			}
+		}()
+	}
 	for state := range bsq.ch {
 		bsq.immediateSendBridgeState(state)
 	}
 }
 
-func (bsq *BridgeStateQueue) sendNotice(ctx context.Context, state status.BridgeState) {
+func (bsq *BridgeStateQueue) scheduleNotice(triggeredBy status.BridgeState) {
+	log := bsq.login.Log.With().Str("action", "transient disconnect notice").Logger()
+	ctx := log.WithContext(bsq.bridge.BackgroundCtx)
+	if !bsq.waitForTransientDisconnectReconnect(ctx) {
+		return
+	}
+	prevUnsent := bsq.GetPrevUnsent()
+	prev := bsq.GetPrev()
+	if triggeredBy.Timestamp != prev.Timestamp || len(bsq.ch) > 0 || bsq.errorSent ||
+		prevUnsent.StateEvent != status.StateTransientDisconnect || prev.StateEvent != status.StateTransientDisconnect {
+		log.Trace().Any("triggered_by", triggeredBy).Msg("Not sending delayed transient disconnect notice")
+		return
+	}
+	log.Debug().Any("triggered_by", triggeredBy).Msg("Sending delayed transient disconnect notice")
+	bsq.sendNotice(ctx, triggeredBy, true)
+}
+
+func (bsq *BridgeStateQueue) sendNotice(ctx context.Context, state status.BridgeState, isDelayed bool) {
 	noticeConfig := bsq.bridge.Config.BridgeStatusNotices
 	isError := state.StateEvent == status.StateBadCredentials ||
 		state.StateEvent == status.StateUnknownError ||
-		state.UserAction == status.UserActionOpenNative
+		state.UserAction == status.UserActionOpenNative ||
+		(isDelayed && state.StateEvent == status.StateTransientDisconnect)
 	sendNotice := noticeConfig == "all" || (noticeConfig == "errors" &&
 		(isError || (bsq.errorSent && state.StateEvent == status.StateConnected)))
+	if state.StateEvent != status.StateTransientDisconnect && state.StateEvent != status.StateUnknownError {
+		bsq.firstTransientDisconnect = time.Time{}
+	}
 	if !sendNotice {
+		if !bsq.errorSent && !isDelayed && noticeConfig == "errors" && state.StateEvent == status.StateTransientDisconnect {
+			if bsq.firstTransientDisconnect.IsZero() {
+				bsq.firstTransientDisconnect = time.Now()
+			}
+			go bsq.scheduleNotice(state)
+		}
 		return
 	}
 	managementRoom, err := bsq.login.User.GetManagementRoom(ctx)
@@ -114,6 +154,9 @@ func (bsq *BridgeStateQueue) sendNotice(ctx context.Context, state status.Bridge
 	if state.Error != "" {
 		message += fmt.Sprintf(" (`%s`)", state.Error)
 	}
+	if isDelayed {
+		message += fmt.Sprintf(" not resolved after waiting %s", exfmt.Duration(TransientDisconnectNoticeDelay))
+	}
 	if state.Message != "" {
 		message += fmt.Sprintf(": %s", state.Message)
 	}
@@ -151,8 +194,14 @@ func (bsq *BridgeStateQueue) unknownErrorReconnect(triggeredBy status.BridgeStat
 	} else if prevUnsent.StateEvent != status.StateUnknownError || prev.StateEvent != status.StateUnknownError {
 		log.Debug().Msg("Not reconnecting as the previous state was not an unknown error")
 		return
+	} else if bsq.unknownErrorReconnects > bsq.bridge.Config.UnknownErrorMaxAutoReconnects {
+		log.Warn().Msg("Not reconnecting as the maximum number of unknown error reconnects has been reached")
+		return
 	}
-	log.Info().Msg("Disconnecting and reconnecting login due to unknown error")
+	bsq.unknownErrorReconnects++
+	log.Info().
+		Int("reconnect_num", bsq.unknownErrorReconnects).
+		Msg("Disconnecting and reconnecting login due to unknown error")
 	bsq.login.Disconnect()
 	log.Debug().Msg("Disconnection finished, recreating client and reconnecting")
 	err := bsq.login.recreateClient(ctx)
@@ -171,14 +220,30 @@ func (bsq *BridgeStateQueue) waitForUnknownErrorReconnect(ctx context.Context) b
 		return false
 	}
 	reconnectIn += time.Duration(rand.Int64N(int64(float64(reconnectIn)*0.4)) - int64(float64(reconnectIn)*0.2))
+	return bsq.waitForReconnect(ctx, reconnectIn, &bsq.stopReconnect)
+}
+
+const TransientDisconnectNoticeDelay = 3 * time.Minute
+
+func (bsq *BridgeStateQueue) waitForTransientDisconnectReconnect(ctx context.Context) bool {
+	timeUntilSchedule := time.Until(bsq.firstTransientDisconnect.Add(TransientDisconnectNoticeDelay))
+	zerolog.Ctx(ctx).Trace().
+		Stringer("duration", timeUntilSchedule).
+		Msg("Waiting before sending notice about transient disconnect")
+	return bsq.waitForReconnect(ctx, timeUntilSchedule, &bsq.cancelScheduledNotice)
+}
+
+func (bsq *BridgeStateQueue) waitForReconnect(
+	ctx context.Context, reconnectIn time.Duration, ptr *atomic.Pointer[context.CancelFunc],
+) bool {
 	cancelCtx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	if oldCancel := bsq.stopReconnect.Swap(&cancel); oldCancel != nil {
+	if oldCancel := ptr.Swap(&cancel); oldCancel != nil {
 		(*oldCancel)()
 	}
 	select {
 	case <-time.After(reconnectIn):
-		return bsq.stopReconnect.CompareAndSwap(&cancel, nil)
+		return ptr.CompareAndSwap(&cancel, nil)
 	case <-cancelCtx.Done():
 		return false
 	case <-bsq.stopChan:
@@ -198,7 +263,7 @@ func (bsq *BridgeStateQueue) immediateSendBridgeState(state status.BridgeState)
 	}
 
 	ctx := bsq.login.Log.WithContext(context.Background())
-	bsq.sendNotice(ctx, state)
+	bsq.sendNotice(ctx, state, false)
 
 	retryIn := 2
 	for {

bridgev2/commands/debug.go

@@ -7,10 +7,13 @@
 package commands
 
 import (
+	"encoding/json"
 	"strings"
+	"time"
 
 	"maunium.net/go/mautrix/bridgev2"
 	"maunium.net/go/mautrix/bridgev2/networkid"
+	"maunium.net/go/mautrix/event"
 )
 
 var CommandRegisterPush = &FullHandler{
@@ -59,3 +62,64 @@ var CommandRegisterPush = &FullHandler{
 	RequiresLogin: true,
 	NetworkAPI:    NetworkAPIImplements[bridgev2.PushableNetworkAPI],
 }
+
+var CommandSendAccountData = &FullHandler{
+	Func: func(ce *Event) {
+		if len(ce.Args) < 2 {
+			ce.Reply("Usage: `$cmdprefix debug-account-data <type> <content>")
+			return
+		}
+		var content event.Content
+		evtType := event.Type{Type: ce.Args[0], Class: event.AccountDataEventType}
+		ce.RawArgs = strings.TrimSpace(strings.Trim(ce.RawArgs, ce.Args[0]))
+		err := json.Unmarshal([]byte(ce.RawArgs), &content)
+		if err != nil {
+			ce.Reply("Failed to parse JSON: %v", err)
+			return
+		}
+		err = content.ParseRaw(evtType)
+		if err != nil {
+			ce.Reply("Failed to deserialize content: %v", err)
+			return
+		}
+		res := ce.Bridge.QueueMatrixEvent(ce.Ctx, &event.Event{
+			Sender:    ce.User.MXID,
+			Type:      evtType,
+			Timestamp: time.Now().UnixMilli(),
+			RoomID:    ce.RoomID,
+			Content:   content,
+		})
+		ce.Reply("Result: %+v", res)
+	},
+	Name: "debug-account-data",
+	Help: HelpMeta{
+		Section:     HelpSectionAdmin,
+		Description: "Send a room account data event to the bridge",
+		Args:        "<_type_> <_content_>",
+	},
+	RequiresAdmin:  true,
+	RequiresPortal: true,
+	RequiresLogin:  true,
+}
+
+var CommandResetNetwork = &FullHandler{
+	Func: func(ce *Event) {
+		if strings.Contains(strings.ToLower(ce.RawArgs), "--reset-transport") {
+			nrn, ok := ce.Bridge.Network.(bridgev2.NetworkResettingNetwork)
+			if ok {
+				nrn.ResetHTTPTransport()
+			} else {
+				ce.Reply("Network connector does not support resetting HTTP transport")
+			}
+		}
+		ce.Bridge.ResetNetworkConnections()
+		ce.React("✅️")
+	},
+	Name: "debug-reset-network",
+	Help: HelpMeta{
+		Section:     HelpSectionAdmin,
+		Description: "Reset network connections to the remote network",
+		Args:        "[--reset-transport]",
+	},
+	RequiresAdmin: true,
+}

bridgev2/commands/login.go

@@ -70,6 +70,15 @@ func fnLogin(ce *Event) {
 		}
 		ce.Args = ce.Args[1:]
 	}
+	if reauth == nil && ce.User.HasTooManyLogins() {
+		ce.Reply(
+			"You have reached the maximum number of logins (%d). "+
+				"Please logout from an existing login before creating a new one. "+
+				"If you want to re-authenticate an existing login, use the `$cmdprefix relogin` command.",
+			ce.User.Permissions.MaxLogins,
+		)
+		return
+	}
 	flows := ce.Bridge.Network.GetLoginFlows()
 	var chosenFlowID string
 	if len(ce.Args) > 0 {
@@ -112,6 +121,7 @@ func fnLogin(ce *Event) {
 		ce.Reply("Failed to start login: %v", err)
 		return
 	}
+	ce.Log.Debug().Any("first_step", nextStep).Msg("Created login process")
 
 	nextStep = checkLoginCommandDirectParams(ce, login, nextStep)
 	if nextStep != nil {
@@ -190,11 +200,14 @@ type userInputLoginCommandState struct {
 
 func (uilcs *userInputLoginCommandState) promptNext(ce *Event) {
 	field := uilcs.RemainingFields[0]
+	parts := []string{fmt.Sprintf("Please enter your %s", field.Name)}
 	if field.Description != "" {
-		ce.Reply("Please enter your %s\n%s", field.Name, field.Description)
-	} else {
-		ce.Reply("Please enter your %s", field.Name)
+		parts = append(parts, field.Description)
 	}
+	if len(field.Options) > 0 {
+		parts = append(parts, fmt.Sprintf("Options: `%s`", strings.Join(field.Options, "`, `")))
+	}
+	ce.Reply(strings.Join(parts, "\n"))
 	StoreCommandState(ce.User, &CommandState{
 		Next:   MinimalCommandHandlerFunc(uilcs.submitNext),
 		Action: "Login",
@@ -239,14 +252,19 @@ func sendQR(ce *Event, qr string, prevEventID *id.EventID) error {
 		return fmt.Errorf("failed to upload image: %w", err)
 	}
 	content := &event.MessageEventContent{
-		MsgType:  event.MsgImage,
-		FileName: "qr.png",
-		URL:      qrMXC,
-		File:     qrFile,
-
+		MsgType:       event.MsgImage,
+		FileName:      "qr.png",
+		URL:           qrMXC,
+		File:          qrFile,
 		Body:          qr,
 		Format:        event.FormatHTML,
 		FormattedBody: fmt.Sprintf("<pre><code>%s</code></pre>", html.EscapeString(qr)),
+		Info: &event.FileInfo{
+			MimeType: "image/png",
+			Width:    qrSizePx,
+			Height:   qrSizePx,
+			Size:     len(qrData),
+		},
 	}
 	if *prevEventID != "" {
 		content.SetEdit(*prevEventID)
@@ -261,6 +279,36 @@ func sendQR(ce *Event, qr string, prevEventID *id.EventID) error {
 	return nil
 }
 
+func sendUserInputAttachments(ce *Event, atts []*bridgev2.LoginUserInputAttachment) error {
+	for _, att := range atts {
+		if att.FileName == "" {
+			return fmt.Errorf("missing attachment filename")
+		}
+		mxc, file, err := ce.Bot.UploadMedia(ce.Ctx, ce.RoomID, att.Content, att.FileName, att.Info.MimeType)
+		if err != nil {
+			return fmt.Errorf("failed to upload attachment %q: %w", att.FileName, err)
+		}
+		content := &event.MessageEventContent{
+			MsgType:  att.Type,
+			FileName: att.FileName,
+			URL:      mxc,
+			File:     file,
+			Info: &event.FileInfo{
+				MimeType: att.Info.MimeType,
+				Width:    att.Info.Width,
+				Height:   att.Info.Height,
+				Size:     att.Info.Size,
+			},
+			Body: att.FileName,
+		}
+		_, err = ce.Bot.SendMessage(ce.Ctx, ce.RoomID, event.EventMessage, &event.Content{Parsed: content}, nil)
+		if err != nil {
+			return nil
+		}
+	}
+	return nil
+}
+
 type contextKey int
 
 const (
@@ -452,6 +500,7 @@ func maybeURLDecodeCookie(val string, field *bridgev2.LoginCookieField) string {
 }
 
 func doLoginStep(ce *Event, login bridgev2.LoginProcess, step *bridgev2.LoginStep, override *bridgev2.UserLogin) {
+	ce.Log.Debug().Any("next_step", step).Msg("Got next login step")
 	if step.Instructions != "" {
 		ce.Reply(step.Instructions)
 	}
@@ -466,6 +515,10 @@ func doLoginStep(ce *Event, login bridgev2.LoginProcess, step *bridgev2.LoginSte
 			Override: override,
 		}).prompt(ce)
 	case bridgev2.LoginStepTypeUserInput:
+		err := sendUserInputAttachments(ce, step.UserInputParams.Attachments)
+		if err != nil {
+			ce.Reply("Failed to send attachments: %v", err)
+		}
 		(&userInputLoginCommandState{
 			Login:           login.(bridgev2.LoginProcessUserInput),
 			RemainingFields: step.UserInputParams.Fields,

bridgev2/commands/processor.go

@@ -41,10 +41,11 @@ func NewProcessor(bridge *bridgev2.Bridge) bridgev2.CommandProcessor {
 	}
 	proc.AddHandlers(
 		CommandHelp, CommandCancel,
-		CommandRegisterPush, CommandDeletePortal, CommandDeleteAllPortals, CommandSetManagementRoom,
+		CommandRegisterPush, CommandSendAccountData, CommandResetNetwork,
+		CommandDeletePortal, CommandDeleteAllPortals, CommandSetManagementRoom,
 		CommandLogin, CommandRelogin, CommandListLogins, CommandLogout, CommandSetPreferredLogin,
 		CommandSetRelay, CommandUnsetRelay,
-		CommandResolveIdentifier, CommandStartChat, CommandSearch,
+		CommandResolveIdentifier, CommandStartChat, CommandCreateGroup, CommandSearch, CommandSyncChat, CommandMute,
 		CommandSudo, CommandDoIn,
 	)
 	return proc

bridgev2/commands/relay.go

@@ -37,7 +37,7 @@ func fnSetRelay(ce *Event) {
 	}
 	onlySetDefaultRelays := !ce.User.Permissions.Admin && ce.Bridge.Config.Relay.AdminOnly
 	var relay *bridgev2.UserLogin
-	if len(ce.Args) == 0 {
+	if len(ce.Args) == 0 && ce.Portal.Receiver == "" {
 		relay = ce.User.GetDefaultLogin()
 		isLoggedIn := relay != nil
 		if onlySetDefaultRelays {
@@ -73,9 +73,19 @@ func fnSetRelay(ce *Event) {
 			}
 		}
 	} else {
-		relay = ce.Bridge.GetCachedUserLoginByID(networkid.UserLoginID(ce.Args[0]))
+		var targetID networkid.UserLoginID
+		if ce.Portal.Receiver != "" {
+			targetID = ce.Portal.Receiver
+			if len(ce.Args) > 0 && ce.Args[0] != string(targetID) {
+				ce.Reply("In split portals, only the receiver (%s) can be set as relay", targetID)
+				return
+			}
+		} else {
+			targetID = networkid.UserLoginID(ce.Args[0])
+		}
+		relay = ce.Bridge.GetCachedUserLoginByID(targetID)
 		if relay == nil {
-			ce.Reply("User login with ID `%s` not found", ce.Args[0])
+			ce.Reply("User login with ID `%s` not found", targetID)
 			return
 		} else if slices.Contains(ce.Bridge.Config.Relay.DefaultRelays, relay.ID) {
 			// All good

bridgev2/commands/startchat.go

@@ -8,11 +8,13 @@ package commands
 
 import (
 	"context"
+	"errors"
 	"fmt"
 	"html"
 	"maps"
 	"slices"
 	"strings"
+	"time"
 
 	"github.com/rs/zerolog"
 
@@ -20,6 +22,7 @@ import (
 	"maunium.net/go/mautrix/bridgev2/networkid"
 	"maunium.net/go/mautrix/bridgev2/provisionutil"
 	"maunium.net/go/mautrix/event"
+	"maunium.net/go/mautrix/format"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -35,6 +38,35 @@ var CommandResolveIdentifier = &FullHandler{
 	NetworkAPI:    NetworkAPIImplements[bridgev2.IdentifierResolvingNetworkAPI],
 }
 
+var CommandSyncChat = &FullHandler{
+	Func: func(ce *Event) {
+		login, _, err := ce.Portal.FindPreferredLogin(ce.Ctx, ce.User, false)
+		if err != nil {
+			ce.Log.Err(err).Msg("Failed to find login for sync")
+			ce.Reply("Failed to find login: %v", err)
+			return
+		} else if login == nil {
+			ce.Reply("No login found for sync")
+			return
+		}
+		info, err := login.Client.GetChatInfo(ce.Ctx, ce.Portal)
+		if err != nil {
+			ce.Log.Err(err).Msg("Failed to get chat info for sync")
+			ce.Reply("Failed to get chat info: %v", err)
+			return
+		}
+		ce.Portal.UpdateInfo(ce.Ctx, info, login, nil, time.Time{})
+		ce.React("✅️")
+	},
+	Name: "sync-portal",
+	Help: HelpMeta{
+		Section:     HelpSectionChats,
+		Description: "Sync the current portal room",
+	},
+	RequiresPortal: true,
+	RequiresLogin:  true,
+}
+
 var CommandStartChat = &FullHandler{
 	Func:    fnResolveIdentifier,
 	Name:    "start-chat",
@@ -48,9 +80,15 @@ var CommandStartChat = &FullHandler{
 	NetworkAPI:    NetworkAPIImplements[bridgev2.IdentifierResolvingNetworkAPI],
 }
 
-func getClientForStartingChat[T bridgev2.IdentifierResolvingNetworkAPI](ce *Event, thing string) (*bridgev2.UserLogin, T, []string) {
-	remainingArgs := ce.Args[1:]
-	login := ce.Bridge.GetCachedUserLoginByID(networkid.UserLoginID(ce.Args[0]))
+func getClientForStartingChat[T bridgev2.NetworkAPI](ce *Event, thing string) (*bridgev2.UserLogin, T, []string) {
+	var remainingArgs []string
+	if len(ce.Args) > 1 {
+		remainingArgs = ce.Args[1:]
+	}
+	var login *bridgev2.UserLogin
+	if len(ce.Args) > 0 {
+		login = ce.Bridge.GetCachedUserLoginByID(networkid.UserLoginID(ce.Args[0]))
+	}
 	if login == nil || login.UserMXID != ce.User.MXID {
 		remainingArgs = ce.Args
 		login = ce.User.GetDefaultLogin()
@@ -81,9 +119,13 @@ func fnResolveIdentifier(ce *Event) {
 	if api == nil {
 		return
 	}
+	allLogins := ce.User.GetUserLogins()
 	createChat := ce.Command == "start-chat" || ce.Command == "pm"
 	identifier := strings.Join(identifierParts, " ")
 	resp, err := provisionutil.ResolveIdentifier(ce.Ctx, login, identifier, createChat)
+	for i := 0; i < len(allLogins) && errors.Is(err, bridgev2.ErrResolveIdentifierTryNext); i++ {
+		resp, err = provisionutil.ResolveIdentifier(ce.Ctx, allLogins[i], identifier, createChat)
+	}
 	if err != nil {
 		ce.Reply("Failed to resolve identifier: %v", err)
 		return
@@ -195,7 +237,17 @@ func fnCreateGroup(ce *Event) {
 		ce.Reply("Failed to create group: %v", err)
 		return
 	}
-	ce.Reply("Successfully created group `%s`", resp.ID)
+	var postfix string
+	if len(resp.FailedParticipants) > 0 {
+		failedParticipantsStrings := make([]string, len(resp.FailedParticipants))
+		i := 0
+		for participantID, meta := range resp.FailedParticipants {
+			failedParticipantsStrings[i] = fmt.Sprintf("* %s: %s", format.SafeMarkdownCode(participantID), meta.Reason)
+			i++
+		}
+		postfix += "\n\nFailed to add some participants:\n" + strings.Join(failedParticipantsStrings, "\n")
+	}
+	ce.Reply("Successfully created group `%s`%s", resp.ID, postfix)
 }
 
 var CommandSearch = &FullHandler{
@@ -238,3 +290,44 @@ func fnSearch(ce *Event) {
 	}
 	ce.Reply("Search results:\n\n%s", strings.Join(resultsString, "\n"))
 }
+
+var CommandMute = &FullHandler{
+	Func:    fnMute,
+	Name:    "mute",
+	Aliases: []string{"unmute"},
+	Help: HelpMeta{
+		Section:     HelpSectionChats,
+		Description: "Mute or unmute a chat on the remote network",
+		Args:        "[duration]",
+	},
+	RequiresPortal: true,
+	RequiresLogin:  true,
+	NetworkAPI:     NetworkAPIImplements[bridgev2.MuteHandlingNetworkAPI],
+}
+
+func fnMute(ce *Event) {
+	_, api, _ := getClientForStartingChat[bridgev2.MuteHandlingNetworkAPI](ce, "muting chats")
+	var mutedUntil int64
+	if ce.Command == "mute" {
+		mutedUntil = -1
+		if len(ce.Args) > 0 {
+			duration, err := time.ParseDuration(ce.Args[0])
+			if err != nil {
+				ce.Reply("Invalid duration: %v", err)
+				return
+			}
+			mutedUntil = time.Now().Add(duration).UnixMilli()
+		}
+	}
+	err := api.HandleMute(ce.Ctx, &bridgev2.MatrixMute{
+		MatrixEventBase: bridgev2.MatrixEventBase[*event.BeeperMuteEventContent]{
+			Content: &event.BeeperMuteEventContent{MutedUntil: mutedUntil},
+			Portal:  ce.Portal,
+		},
+	})
+	if err != nil {
+		ce.Reply("Failed to %s chat: %v", ce.Command, err)
+	} else {
+		ce.React("✅️")
+	}
+}

bridgev2/database/database.go

@@ -7,13 +7,7 @@
 package database
 
 import (
-	"encoding/json"
-	"reflect"
-	"strings"
-
 	"go.mau.fi/util/dbutil"
-	"golang.org/x/exp/constraints"
-	"golang.org/x/exp/maps"
 
 	"maunium.net/go/mautrix/bridgev2/networkid"
 
@@ -34,6 +28,7 @@ type Database struct {
 	UserPortal          *UserPortalQuery
 	BackfillTask        *BackfillTaskQuery
 	KV                  *KVQuery
+	PublicMedia         *PublicMediaQuery
 }
 
 type MetaMerger interface {
@@ -141,6 +136,12 @@ func New(bridgeID networkid.BridgeID, mt MetaTypes, db *dbutil.Database) *Databa
 			BridgeID: bridgeID,
 			Database: db,
 		},
+		PublicMedia: &PublicMediaQuery{
+			BridgeID: bridgeID,
+			QueryHelper: dbutil.MakeQueryHelper(db, func(_ *dbutil.QueryHelper[*PublicMedia]) *PublicMedia {
+				return &PublicMedia{}
+			}),
+		},
 	}
 }
 
@@ -151,55 +152,3 @@ func ensureBridgeIDMatches(ptr *networkid.BridgeID, expected networkid.BridgeID)
 		panic("bridge ID mismatch")
 	}
 }
-
-func GetNumberFromMap[T constraints.Integer | constraints.Float](m map[string]any, key string) (T, bool) {
-	if val, found := m[key]; found {
-		floatVal, ok := val.(float64)
-		if ok {
-			return T(floatVal), true
-		}
-		tVal, ok := val.(T)
-		if ok {
-			return tVal, true
-		}
-	}
-	return 0, false
-}
-
-func unmarshalMerge(input []byte, data any, extra *map[string]any) error {
-	err := json.Unmarshal(input, data)
-	if err != nil {
-		return err
-	}
-	err = json.Unmarshal(input, extra)
-	if err != nil {
-		return err
-	}
-	if *extra == nil {
-		*extra = make(map[string]any)
-	}
-	return nil
-}
-
-func marshalMerge(data any, extra map[string]any) ([]byte, error) {
-	if extra == nil {
-		return json.Marshal(data)
-	}
-	merged := make(map[string]any)
-	maps.Copy(merged, extra)
-	dataRef := reflect.ValueOf(data).Elem()
-	dataType := dataRef.Type()
-	for _, field := range reflect.VisibleFields(dataType) {
-		parts := strings.Split(field.Tag.Get("json"), ",")
-		if len(parts) == 0 || len(parts[0]) == 0 || parts[0] == "-" {
-			continue
-		}
-		fieldVal := dataRef.FieldByIndex(field.Index)
-		if fieldVal.IsZero() {
-			delete(merged, parts[0])
-		} else {
-			merged[parts[0]] = fieldVal.Interface()
-		}
-	}
-	return json.Marshal(merged)
-}

bridgev2/database/disappear.go

@@ -37,6 +37,16 @@ type DisappearingSetting struct {
 	DisappearAt time.Time
 }
 
+func DisappearingSettingFromEvent(evt *event.BeeperDisappearingTimer) DisappearingSetting {
+	if evt == nil || evt.Type == event.DisappearingTypeNone {
+		return DisappearingSetting{}
+	}
+	return DisappearingSetting{
+		Type:  evt.Type,
+		Timer: evt.Timer.Duration,
+	}
+}
+
 func (ds DisappearingSetting) Normalize() DisappearingSetting {
 	if ds.Type == event.DisappearingTypeNone {
 		ds.Timer = 0
@@ -67,26 +77,27 @@ type DisappearingMessageQuery struct {
 }
 
 type DisappearingMessage struct {
-	BridgeID networkid.BridgeID
-	RoomID   id.RoomID
-	EventID  id.EventID
+	BridgeID  networkid.BridgeID
+	RoomID    id.RoomID
+	EventID   id.EventID
+	Timestamp time.Time
 	DisappearingSetting
 }
 
 const (
 	upsertDisappearingMessageQuery = `
-		INSERT INTO disappearing_message (bridge_id, mx_room, mxid, type, timer, disappear_at)
-		VALUES ($1, $2, $3, $4, $5, $6)
+		INSERT INTO disappearing_message (bridge_id, mx_room, mxid, timestamp, type, timer, disappear_at)
+		VALUES ($1, $2, $3, $4, $5, $6, $7)
 		ON CONFLICT (bridge_id, mxid) DO UPDATE SET timer=excluded.timer, disappear_at=excluded.disappear_at
 	`
 	startDisappearingMessagesQuery = `
 		UPDATE disappearing_message
 		SET disappear_at=$1 + timer
-		WHERE bridge_id=$2 AND mx_room=$3 AND disappear_at IS NULL AND type='after_read'
-		RETURNING bridge_id, mx_room, mxid, type, timer, disappear_at
+		WHERE bridge_id=$2 AND mx_room=$3 AND disappear_at IS NULL AND type='after_read' AND timestamp<=$4
+		RETURNING bridge_id, mx_room, mxid, timestamp, type, timer, disappear_at
 	`
 	getUpcomingDisappearingMessagesQuery = `
-		SELECT bridge_id, mx_room, mxid, type, timer, disappear_at
+		SELECT bridge_id, mx_room, mxid, timestamp, type, timer, disappear_at
 		FROM disappearing_message WHERE bridge_id = $1 AND disappear_at IS NOT NULL AND disappear_at < $2
 		ORDER BY disappear_at LIMIT $3
 	`
@@ -100,8 +111,8 @@ func (dmq *DisappearingMessageQuery) Put(ctx context.Context, dm *DisappearingMe
 	return dmq.Exec(ctx, upsertDisappearingMessageQuery, dm.sqlVariables()...)
 }
 
-func (dmq *DisappearingMessageQuery) StartAll(ctx context.Context, roomID id.RoomID) ([]*DisappearingMessage, error) {
-	return dmq.QueryMany(ctx, startDisappearingMessagesQuery, time.Now().UnixNano(), dmq.BridgeID, roomID)
+func (dmq *DisappearingMessageQuery) StartAllBefore(ctx context.Context, roomID id.RoomID, beforeTS time.Time) ([]*DisappearingMessage, error) {
+	return dmq.QueryMany(ctx, startDisappearingMessagesQuery, time.Now().UnixNano(), dmq.BridgeID, roomID, beforeTS.UnixNano())
 }
 
 func (dmq *DisappearingMessageQuery) GetUpcoming(ctx context.Context, duration time.Duration, limit int) ([]*DisappearingMessage, error) {
@@ -113,17 +124,19 @@ func (dmq *DisappearingMessageQuery) Delete(ctx context.Context, eventID id.Even
 }
 
 func (d *DisappearingMessage) Scan(row dbutil.Scannable) (*DisappearingMessage, error) {
+	var timestamp int64
 	var disappearAt sql.NullInt64
-	err := row.Scan(&d.BridgeID, &d.RoomID, &d.EventID, &d.Type, &d.Timer, &disappearAt)
+	err := row.Scan(&d.BridgeID, &d.RoomID, &d.EventID, &timestamp, &d.Type, &d.Timer, &disappearAt)
 	if err != nil {
 		return nil, err
 	}
 	if disappearAt.Valid {
 		d.DisappearAt = time.Unix(0, disappearAt.Int64)
 	}
+	d.Timestamp = time.Unix(0, timestamp)
 	return d, nil
 }
 
 func (d *DisappearingMessage) sqlVariables() []any {
-	return []any{d.BridgeID, d.RoomID, d.EventID, d.Type, d.Timer, dbutil.ConvertedPtr(d.DisappearAt, time.Time.UnixNano)}
+	return []any{d.BridgeID, d.RoomID, d.EventID, d.Timestamp.UnixNano(), d.Type, d.Timer, dbutil.ConvertedPtr(d.DisappearAt, time.Time.UnixNano)}
 }

bridgev2/database/ghost.go

@@ -7,12 +7,17 @@
 package database
 
 import (
+	"bytes"
 	"context"
 	"encoding/hex"
+	"encoding/json"
+	"fmt"
 
 	"go.mau.fi/util/dbutil"
+	"go.mau.fi/util/exerrors"
 
 	"maunium.net/go/mautrix/bridgev2/networkid"
+	"maunium.net/go/mautrix/crypto/canonicaljson"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -22,6 +27,55 @@ type GhostQuery struct {
 	*dbutil.QueryHelper[*Ghost]
 }
 
+type ExtraProfile map[string]json.RawMessage
+
+func (ep *ExtraProfile) Set(key string, value any) error {
+	if key == "displayname" || key == "avatar_url" {
+		return fmt.Errorf("cannot set reserved profile key %q", key)
+	}
+	marshaled, err := json.Marshal(value)
+	if err != nil {
+		return err
+	}
+	if *ep == nil {
+		*ep = make(ExtraProfile)
+	}
+	(*ep)[key] = canonicaljson.CanonicalJSONAssumeValid(marshaled)
+	return nil
+}
+
+func (ep *ExtraProfile) With(key string, value any) *ExtraProfile {
+	exerrors.PanicIfNotNil(ep.Set(key, value))
+	return ep
+}
+
+func canonicalizeIfObject(data json.RawMessage) json.RawMessage {
+	if len(data) > 0 && (data[0] == '{' || data[0] == '[') {
+		return canonicaljson.CanonicalJSONAssumeValid(data)
+	}
+	return data
+}
+
+func (ep *ExtraProfile) CopyTo(dest *ExtraProfile) (changed bool) {
+	if len(*ep) == 0 {
+		return
+	}
+	if *dest == nil {
+		*dest = make(ExtraProfile)
+	}
+	for key, val := range *ep {
+		if key == "displayname" || key == "avatar_url" {
+			continue
+		}
+		existing, exists := (*dest)[key]
+		if !exists || !bytes.Equal(canonicalizeIfObject(existing), val) {
+			(*dest)[key] = val
+			changed = true
+		}
+	}
+	return
+}
+
 type Ghost struct {
 	BridgeID networkid.BridgeID
 	ID       networkid.UserID
@@ -35,13 +89,14 @@ type Ghost struct {
 	ContactInfoSet bool
 	IsBot          bool
 	Identifiers    []string
+	ExtraProfile   ExtraProfile
 	Metadata       any
 }
 
 const (
 	getGhostBaseQuery = `
 		SELECT bridge_id, id, name, avatar_id, avatar_hash, avatar_mxc,
-		       name_set, avatar_set, contact_info_set, is_bot, identifiers, metadata
+		       name_set, avatar_set, contact_info_set, is_bot, identifiers, extra_profile, metadata
 		FROM ghost
 	`
 	getGhostByIDQuery       = getGhostBaseQuery + `WHERE bridge_id=$1 AND id=$2`
@@ -49,13 +104,14 @@ const (
 	insertGhostQuery        = `
 		INSERT INTO ghost (
 			bridge_id, id, name, avatar_id, avatar_hash, avatar_mxc,
-			name_set, avatar_set, contact_info_set, is_bot, identifiers, metadata
+			name_set, avatar_set, contact_info_set, is_bot, identifiers, extra_profile, metadata
 		)
-		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12)
+		VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)
 	`
 	updateGhostQuery = `
 		UPDATE ghost SET name=$3, avatar_id=$4, avatar_hash=$5, avatar_mxc=$6,
-		                 name_set=$7, avatar_set=$8, contact_info_set=$9, is_bot=$10, identifiers=$11, metadata=$12
+		                 name_set=$7, avatar_set=$8, contact_info_set=$9, is_bot=$10,
+		                 identifiers=$11, extra_profile=$12, metadata=$13
 		WHERE bridge_id=$1 AND id=$2
 	`
 )
@@ -86,7 +142,7 @@ func (g *Ghost) Scan(row dbutil.Scannable) (*Ghost, error) {
 		&g.BridgeID, &g.ID,
 		&g.Name, &g.AvatarID, &avatarHash, &g.AvatarMXC,
 		&g.NameSet, &g.AvatarSet, &g.ContactInfoSet, &g.IsBot,
-		dbutil.JSON{Data: &g.Identifiers}, dbutil.JSON{Data: g.Metadata},
+		dbutil.JSON{Data: &g.Identifiers}, dbutil.JSON{Data: &g.ExtraProfile}, dbutil.JSON{Data: g.Metadata},
 	)
 	if err != nil {
 		return nil, err
@@ -116,6 +172,6 @@ func (g *Ghost) sqlVariables() []any {
 		g.BridgeID, g.ID,
 		g.Name, g.AvatarID, avatarHash, g.AvatarMXC,
 		g.NameSet, g.AvatarSet, g.ContactInfoSet, g.IsBot,
-		dbutil.JSON{Data: &g.Identifiers}, dbutil.JSON{Data: g.Metadata},
+		dbutil.JSON{Data: &g.Identifiers}, dbutil.JSON{Data: g.ExtraProfile}, dbutil.JSON{Data: g.Metadata},
 	}
 }

bridgev2/database/message.go

@@ -11,9 +11,12 @@ import (
 	"crypto/sha256"
 	"database/sql"
 	"encoding/base64"
+	"fmt"
 	"strings"
+	"sync"
 	"time"
 
+	"github.com/rs/zerolog"
 	"go.mau.fi/util/dbutil"
 
 	"maunium.net/go/mautrix/bridgev2/networkid"
@@ -24,6 +27,7 @@ type MessageQuery struct {
 	BridgeID networkid.BridgeID
 	MetaType MetaTypeCreator
 	*dbutil.QueryHelper[*Message]
+	chunkDeleteLock sync.Mutex
 }
 
 type Message struct {
@@ -64,8 +68,8 @@ const (
 	getFirstMessagePartByIDQuery = getMessageBaseQuery + `WHERE bridge_id=$1 AND (room_receiver=$2 OR room_receiver='') AND id=$3 ORDER BY part_id ASC LIMIT 1`
 	getMessagesBetweenTimeQuery  = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND timestamp>$4 AND timestamp<=$5`
 	getOldestMessageInPortal     = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 ORDER BY timestamp ASC, part_id ASC LIMIT 1`
-	getFirstMessageInThread      = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND (id=$4 OR thread_root_id=$4) ORDER BY timestamp ASC, part_id ASC LIMIT 1`
-	getLastMessageInThread       = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND (id=$4 OR thread_root_id=$4) ORDER BY timestamp DESC, part_id DESC LIMIT 1`
+	getFirstMessageInThread      = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND (id=$4 OR thread_root_id=$4) ORDER BY thread_root_id NULLS FIRST, timestamp ASC, part_id ASC LIMIT 1`
+	getLastMessageInThread       = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND (id=$4 OR thread_root_id=$4) ORDER BY thread_root_id NULLS LAST, timestamp DESC, part_id DESC LIMIT 1`
 	getLastNInPortal             = getMessageBaseQuery + `WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 ORDER BY timestamp DESC, part_id DESC LIMIT $4`
 
 	getLastMessagePartAtOrBeforeTimeQuery        = getMessageBaseQuery + `WHERE bridge_id = $1 AND room_id=$2 AND room_receiver=$3 AND timestamp<=$4 ORDER BY timestamp DESC, part_id DESC LIMIT 1`
@@ -96,6 +100,10 @@ const (
 	deleteMessagePartByRowIDQuery = `
 		DELETE FROM message WHERE bridge_id=$1 AND rowid=$2
 	`
+	deleteMessageChunkQuery = `
+		DELETE FROM message WHERE bridge_id=$1 AND room_id=$2 AND room_receiver=$3 AND rowid > $4 AND rowid <= $5
+	`
+	getMaxMessageRowIDQuery = `SELECT MAX(rowid) FROM message WHERE bridge_id=$1`
 )
 
 func (mq *MessageQuery) GetAllPartsByID(ctx context.Context, receiver networkid.UserLoginID, id networkid.MessageID) ([]*Message, error) {
@@ -180,6 +188,85 @@ func (mq *MessageQuery) Delete(ctx context.Context, rowID int64) error {
 	return mq.Exec(ctx, deleteMessagePartByRowIDQuery, mq.BridgeID, rowID)
 }
 
+func (mq *MessageQuery) deleteChunk(ctx context.Context, portal networkid.PortalKey, minRowID, maxRowID int64) (int64, error) {
+	res, err := mq.GetDB().Exec(ctx, deleteMessageChunkQuery, mq.BridgeID, portal.ID, portal.Receiver, minRowID, maxRowID)
+	if err != nil {
+		return 0, err
+	}
+	return res.RowsAffected()
+}
+
+func (mq *MessageQuery) getMaxRowID(ctx context.Context) (maxRowID int64, err error) {
+	err = mq.GetDB().QueryRow(ctx, getMaxMessageRowIDQuery, mq.BridgeID).Scan(&maxRowID)
+	return
+}
+
+const deleteChunkSize = 100_000
+
+func (mq *MessageQuery) DeleteInChunks(ctx context.Context, portal networkid.PortalKey) error {
+	if mq.GetDB().Dialect != dbutil.SQLite {
+		return nil
+	}
+	log := zerolog.Ctx(ctx).With().
+		Str("action", "delete messages in chunks").
+		Stringer("portal_key", portal).
+		Logger()
+	if !mq.chunkDeleteLock.TryLock() {
+		log.Warn().Msg("Portal deletion lock is being held, waiting...")
+		mq.chunkDeleteLock.Lock()
+		log.Debug().Msg("Acquired portal deletion lock after waiting")
+	}
+	defer mq.chunkDeleteLock.Unlock()
+	total, err := mq.CountMessagesInPortal(ctx, portal)
+	if err != nil {
+		return fmt.Errorf("failed to count messages in portal: %w", err)
+	} else if total < deleteChunkSize/3 {
+		return nil
+	}
+	globalMaxRowID, err := mq.getMaxRowID(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get max row ID: %w", err)
+	}
+	log.Debug().
+		Int("total_count", total).
+		Int64("global_max_row_id", globalMaxRowID).
+		Msg("Portal has lots of messages, deleting in chunks to avoid database locks")
+	maxRowID := int64(deleteChunkSize)
+	globalMaxRowID += deleteChunkSize * 1.2
+	var dbTimeUsed time.Duration
+	globalStart := time.Now()
+	for total > 500 && maxRowID < globalMaxRowID {
+		start := time.Now()
+		count, err := mq.deleteChunk(ctx, portal, maxRowID-deleteChunkSize, maxRowID)
+		duration := time.Since(start)
+		dbTimeUsed += duration
+		if err != nil {
+			return fmt.Errorf("failed to delete chunk of messages before %d: %w", maxRowID, err)
+		}
+		total -= int(count)
+		maxRowID += deleteChunkSize
+		sleepTime := max(10*time.Millisecond, min(250*time.Millisecond, time.Duration(count/100)*time.Millisecond))
+		log.Debug().
+			Int64("max_row_id", maxRowID).
+			Int64("deleted_count", count).
+			Int("remaining_count", total).
+			Dur("duration", duration).
+			Dur("sleep_time", sleepTime).
+			Msg("Deleted chunk of messages")
+		select {
+		case <-time.After(sleepTime):
+		case <-ctx.Done():
+			return ctx.Err()
+		}
+	}
+	log.Debug().
+		Int("remaining_count", total).
+		Dur("db_time_used", dbTimeUsed).
+		Dur("total_duration", time.Since(globalStart)).
+		Msg("Finished chunked delete of messages in portal")
+	return nil
+}
+
 func (mq *MessageQuery) CountMessagesInPortal(ctx context.Context, key networkid.PortalKey) (count int, err error) {
 	err = mq.GetDB().QueryRow(ctx, countMessagesInPortalQuery, mq.BridgeID, key.ID, key.Receiver).Scan(&count)
 	return

bridgev2/database/portal.go

@@ -56,30 +56,31 @@ type Portal struct {
 	networkid.PortalKey
 	MXID id.RoomID
 
-	ParentKey    networkid.PortalKey
-	RelayLoginID networkid.UserLoginID
-	OtherUserID  networkid.UserID
-	Name         string
-	Topic        string
-	AvatarID     networkid.AvatarID
-	AvatarHash   [32]byte
-	AvatarMXC    id.ContentURIString
-	NameSet      bool
-	TopicSet     bool
-	AvatarSet    bool
-	NameIsCustom bool
-	InSpace      bool
-	RoomType     RoomType
-	Disappear    DisappearingSetting
-	CapState     CapabilityState
-	Metadata     any
+	ParentKey      networkid.PortalKey
+	RelayLoginID   networkid.UserLoginID
+	OtherUserID    networkid.UserID
+	Name           string
+	Topic          string
+	AvatarID       networkid.AvatarID
+	AvatarHash     [32]byte
+	AvatarMXC      id.ContentURIString
+	NameSet        bool
+	TopicSet       bool
+	AvatarSet      bool
+	NameIsCustom   bool
+	InSpace        bool
+	MessageRequest bool
+	RoomType       RoomType
+	Disappear      DisappearingSetting
+	CapState       CapabilityState
+	Metadata       any
 }
 
 const (
 	getPortalBaseQuery = `
 		SELECT bridge_id, id, receiver, mxid, parent_id, parent_receiver, relay_login_id, other_user_id,
 		       name, topic, avatar_id, avatar_hash, avatar_mxc,
-		       name_set, topic_set, avatar_set, name_is_custom, in_space,
+		       name_set, topic_set, avatar_set, name_is_custom, in_space, message_request,
 		       room_type, disappear_type, disappear_timer, cap_state,
 		       metadata
 		FROM portal
@@ -88,8 +89,9 @@ const (
 	getPortalByIDWithUncertainReceiverQuery = getPortalBaseQuery + `WHERE bridge_id=$1 AND id=$2 AND (receiver=$3 OR receiver='')`
 	getPortalByMXIDQuery                    = getPortalBaseQuery + `WHERE bridge_id=$1 AND mxid=$2`
 	getAllPortalsWithMXIDQuery              = getPortalBaseQuery + `WHERE bridge_id=$1 AND mxid IS NOT NULL`
-	getAllPortalsWithoutReceiver            = getPortalBaseQuery + `WHERE bridge_id=$1 AND receiver=''`
+	getAllPortalsWithoutReceiver            = getPortalBaseQuery + `WHERE bridge_id=$1 AND (receiver='' OR (parent_id<>'' AND parent_receiver='')) ORDER BY parent_id DESC`
 	getAllDMPortalsQuery                    = getPortalBaseQuery + `WHERE bridge_id=$1 AND room_type='dm' AND other_user_id=$2`
+	getDMPortalQuery                        = getPortalBaseQuery + `WHERE bridge_id=$1 AND room_type='dm' AND receiver=$2 AND other_user_id=$3`
 	getAllPortalsQuery                      = getPortalBaseQuery + `WHERE bridge_id=$1`
 	getChildPortalsQuery                    = getPortalBaseQuery + `WHERE bridge_id=$1 AND parent_id=$2 AND parent_receiver=$3`
 
@@ -100,11 +102,11 @@ const (
 			bridge_id, id, receiver, mxid,
 			parent_id, parent_receiver, relay_login_id, other_user_id,
 			name, topic, avatar_id, avatar_hash, avatar_mxc,
-			name_set, avatar_set, topic_set, name_is_custom, in_space,
+			name_set, avatar_set, topic_set, name_is_custom, in_space, message_request,
 			room_type, disappear_type, disappear_timer, cap_state,
 			metadata, relay_bridge_id
 		) VALUES (
-			$1, $2, $3, $4, $5, $6, cast($7 AS TEXT), $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23,
+			$1, $2, $3, $4, $5, $6, cast($7 AS TEXT), $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18, $19, $20, $21, $22, $23, $24,
 			CASE WHEN cast($7 AS TEXT) IS NULL THEN NULL ELSE $1 END
 		)
 	`
@@ -113,8 +115,8 @@ const (
 		SET mxid=$4, parent_id=$5, parent_receiver=$6,
 		    relay_login_id=cast($7 AS TEXT), relay_bridge_id=CASE WHEN cast($7 AS TEXT) IS NULL THEN NULL ELSE bridge_id END,
 		    other_user_id=$8, name=$9, topic=$10, avatar_id=$11, avatar_hash=$12, avatar_mxc=$13,
-		    name_set=$14, avatar_set=$15, topic_set=$16, name_is_custom=$17, in_space=$18,
-		    room_type=$19, disappear_type=$20, disappear_timer=$21, cap_state=$22, metadata=$23
+		    name_set=$14, avatar_set=$15, topic_set=$16, name_is_custom=$17, in_space=$18, message_request=$19,
+		    room_type=$20, disappear_type=$21, disappear_timer=$22, cap_state=$23, metadata=$24
 		WHERE bridge_id=$1 AND id=$2 AND receiver=$3
 	`
 	deletePortalQuery = `
@@ -147,7 +149,10 @@ const (
 		)
 	`
 	fixParentsAfterSplitPortalMigrationQuery = `
-		UPDATE portal SET parent_receiver=receiver WHERE bridge_id=$1 AND parent_receiver='' AND receiver<>'' AND parent_id<>'';
+		UPDATE portal
+		SET parent_receiver=receiver
+		WHERE bridge_id=$1 AND parent_receiver='' AND receiver<>'' AND parent_id<>''
+		  AND EXISTS(SELECT 1 FROM portal pp WHERE pp.bridge_id=$1 AND pp.id=portal.parent_id AND pp.receiver=portal.receiver);
 	`
 )
 
@@ -187,6 +192,10 @@ func (pq *PortalQuery) GetAllDMsWith(ctx context.Context, otherUserID networkid.
 	return pq.QueryMany(ctx, getAllDMPortalsQuery, pq.BridgeID, otherUserID)
 }
 
+func (pq *PortalQuery) GetDM(ctx context.Context, receiver networkid.UserLoginID, otherUserID networkid.UserID) (*Portal, error) {
+	return pq.QueryOne(ctx, getDMPortalQuery, pq.BridgeID, receiver, otherUserID)
+}
+
 func (pq *PortalQuery) GetChildren(ctx context.Context, parentKey networkid.PortalKey) ([]*Portal, error) {
 	return pq.QueryMany(ctx, getChildPortalsQuery, pq.BridgeID, parentKey.ID, parentKey.Receiver)
 }
@@ -233,7 +242,7 @@ func (p *Portal) Scan(row dbutil.Scannable) (*Portal, error) {
 		&p.BridgeID, &p.ID, &p.Receiver, &mxid,
 		&parentID, &parentReceiver, &relayLoginID, &otherUserID,
 		&p.Name, &p.Topic, &p.AvatarID, &avatarHash, &p.AvatarMXC,
-		&p.NameSet, &p.TopicSet, &p.AvatarSet, &p.NameIsCustom, &p.InSpace,
+		&p.NameSet, &p.TopicSet, &p.AvatarSet, &p.NameIsCustom, &p.InSpace, &p.MessageRequest,
 		&p.RoomType, &disappearType, &disappearTimer,
 		dbutil.JSON{Data: &p.CapState}, dbutil.JSON{Data: p.Metadata},
 	)
@@ -280,7 +289,7 @@ func (p *Portal) sqlVariables() []any {
 		p.BridgeID, p.ID, p.Receiver, dbutil.StrPtr(p.MXID),
 		dbutil.StrPtr(p.ParentKey.ID), p.ParentKey.Receiver, dbutil.StrPtr(p.RelayLoginID), dbutil.StrPtr(p.OtherUserID),
 		p.Name, p.Topic, p.AvatarID, avatarHash, p.AvatarMXC,
-		p.NameSet, p.TopicSet, p.AvatarSet, p.NameIsCustom, p.InSpace,
+		p.NameSet, p.TopicSet, p.AvatarSet, p.NameIsCustom, p.InSpace, p.MessageRequest,
 		p.RoomType, dbutil.StrPtr(p.Disappear.Type), dbutil.NumPtr(p.Disappear.Timer),
 		dbutil.JSON{Data: p.CapState}, dbutil.JSON{Data: p.Metadata},
 	}

bridgev2/database/publicmedia.go

@@ -0,0 +1,72 @@
+// Copyright (c) 2025 Tulir Asokan
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package database
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"go.mau.fi/util/dbutil"
+
+	"maunium.net/go/mautrix/bridgev2/networkid"
+	"maunium.net/go/mautrix/crypto/attachment"
+	"maunium.net/go/mautrix/id"
+)
+
+type PublicMediaQuery struct {
+	BridgeID networkid.BridgeID
+	*dbutil.QueryHelper[*PublicMedia]
+}
+
+type PublicMedia struct {
+	BridgeID networkid.BridgeID
+	PublicID string
+	MXC      id.ContentURI
+	Keys     *attachment.EncryptedFile
+	MimeType string
+	Expiry   time.Time
+}
+
+const (
+	upsertPublicMediaQuery = `
+		INSERT INTO public_media (bridge_id, public_id, mxc, keys, mimetype, expiry)
+		VALUES ($1, $2, $3, $4, $5, $6)
+		ON CONFLICT (bridge_id, public_id) DO UPDATE SET expiry=EXCLUDED.expiry
+	`
+	getPublicMediaQuery = `
+		SELECT bridge_id, public_id, mxc, keys, mimetype, expiry
+		FROM public_media WHERE bridge_id=$1 AND public_id=$2
+	`
+)
+
+func (pmq *PublicMediaQuery) Put(ctx context.Context, pm *PublicMedia) error {
+	ensureBridgeIDMatches(&pm.BridgeID, pmq.BridgeID)
+	return pmq.Exec(ctx, upsertPublicMediaQuery, pm.sqlVariables()...)
+}
+
+func (pmq *PublicMediaQuery) Get(ctx context.Context, publicID string) (*PublicMedia, error) {
+	return pmq.QueryOne(ctx, getPublicMediaQuery, pmq.BridgeID, publicID)
+}
+
+func (pm *PublicMedia) Scan(row dbutil.Scannable) (*PublicMedia, error) {
+	var expiry sql.NullInt64
+	var mimetype sql.NullString
+	err := row.Scan(&pm.BridgeID, &pm.PublicID, &pm.MXC, dbutil.JSON{Data: &pm.Keys}, &mimetype, &expiry)
+	if err != nil {
+		return nil, err
+	}
+	if expiry.Valid {
+		pm.Expiry = time.Unix(0, expiry.Int64)
+	}
+	pm.MimeType = mimetype.String
+	return pm, nil
+}
+
+func (pm *PublicMedia) sqlVariables() []any {
+	return []any{pm.BridgeID, pm.PublicID, &pm.MXC, dbutil.JSONPtr(pm.Keys), dbutil.StrPtr(pm.MimeType), dbutil.ConvertedPtr(pm.Expiry, time.Time.UnixNano)}
+}

bridgev2/database/upgrades/00-latest.sql

@@ -1,4 +1,4 @@
--- v0 -> v22 (compatible with v9+): Latest revision
+-- v0 -> v27 (compatible with v9+): Latest revision
 CREATE TABLE "user" (
 	bridge_id       TEXT NOT NULL,
 	mxid            TEXT NOT NULL,
@@ -48,6 +48,7 @@ CREATE TABLE portal (
 	topic_set       BOOLEAN NOT NULL,
 	name_is_custom  BOOLEAN NOT NULL DEFAULT false,
 	in_space        BOOLEAN NOT NULL,
+	message_request BOOLEAN NOT NULL DEFAULT false,
 	room_type       TEXT    NOT NULL,
 	disappear_type  TEXT,
 	disappear_timer BIGINT,
@@ -64,6 +65,7 @@ CREATE TABLE portal (
 		ON DELETE SET NULL ON UPDATE CASCADE
 );
 CREATE UNIQUE INDEX portal_bridge_mxid_idx ON portal (bridge_id, mxid);
+CREATE INDEX portal_parent_idx ON portal (bridge_id, parent_id, parent_receiver);
 
 CREATE TABLE ghost (
 	bridge_id        TEXT    NOT NULL,
@@ -78,6 +80,7 @@ CREATE TABLE ghost (
 	contact_info_set BOOLEAN NOT NULL,
 	is_bot           BOOLEAN NOT NULL,
 	identifiers      jsonb   NOT NULL,
+	extra_profile    jsonb,
 	metadata         jsonb   NOT NULL,
 
 	PRIMARY KEY (bridge_id, id)
@@ -127,6 +130,7 @@ CREATE TABLE disappearing_message (
 	bridge_id    TEXT   NOT NULL,
 	mx_room      TEXT   NOT NULL,
 	mxid         TEXT   NOT NULL,
+	timestamp    BIGINT NOT NULL DEFAULT 0,
 	type         TEXT   NOT NULL,
 	timer        BIGINT NOT NULL,
 	disappear_at BIGINT,
@@ -137,6 +141,7 @@ CREATE TABLE disappearing_message (
         REFERENCES portal (bridge_id, mxid)
         ON DELETE CASCADE
 );
+CREATE INDEX disappearing_message_portal_idx ON disappearing_message (bridge_id, mx_room);
 
 CREATE TABLE reaction (
 	bridge_id       TEXT   NOT NULL,
@@ -215,3 +220,14 @@ CREATE TABLE kv_store (
 
 	PRIMARY KEY (bridge_id, key)
 );
+
+CREATE TABLE public_media (
+	bridge_id TEXT   NOT NULL,
+	public_id TEXT   NOT NULL,
+	mxc       TEXT   NOT NULL,
+	keys      jsonb,
+	mimetype  TEXT,
+	expiry    BIGINT,
+
+	PRIMARY KEY (bridge_id, public_id)
+);

bridgev2/database/upgrades/23-disappearing-timer-ts.sql

@@ -0,0 +1,2 @@
+-- v23 (compatible with v9+): Add event timestamp for disappearing messages
+ALTER TABLE disappearing_message ADD COLUMN timestamp BIGINT NOT NULL DEFAULT 0;

bridgev2/database/upgrades/24-public-media.sql

@@ -0,0 +1,11 @@
+-- v24 (compatible with v9+): Custom URLs for public media
+CREATE TABLE public_media (
+	bridge_id TEXT   NOT NULL,
+	public_id TEXT   NOT NULL,
+	mxc       TEXT   NOT NULL,
+	keys      jsonb,
+	mimetype  TEXT,
+	expiry    BIGINT,
+
+	PRIMARY KEY (bridge_id, public_id)
+);

bridgev2/database/upgrades/25-message-requests.sql

@@ -0,0 +1,2 @@
+-- v25 (compatible with v9+): Flag for message request portals
+ALTER TABLE portal ADD COLUMN message_request BOOLEAN NOT NULL DEFAULT false;

bridgev2/database/upgrades/26-disappearing-message-portal-index.sql

@@ -0,0 +1,3 @@
+-- v26 (compatible with v9+): Add room index for disappearing message table and portal parents
+CREATE INDEX disappearing_message_portal_idx ON disappearing_message (bridge_id, mx_room);
+CREATE INDEX portal_parent_idx ON portal (bridge_id, parent_id, parent_receiver);

bridgev2/database/upgrades/27-ghost-extra-profile.sql

@@ -0,0 +1,2 @@
+-- v27 (compatible with v9+): Add column for extra ghost profile metadata
+ALTER TABLE ghost ADD COLUMN extra_profile jsonb;

bridgev2/database/userlogin.go

@@ -116,7 +116,7 @@ func (u *UserLogin) ensureHasMetadata(metaType MetaTypeCreator) *UserLogin {
 
 func (u *UserLogin) sqlVariables() []any {
 	var remoteProfile dbutil.JSON
-	if !u.RemoteProfile.IsEmpty() {
+	if !u.RemoteProfile.IsZero() {
 		remoteProfile.Data = &u.RemoteProfile
 	}
 	return []any{u.BridgeID, u.UserMXID, u.ID, u.RemoteName, remoteProfile, dbutil.StrPtr(u.SpaceRoom), dbutil.JSON{Data: u.Metadata}}

bridgev2/disappear.go

@@ -86,8 +86,8 @@ func (dl *DisappearLoop) Stop() {
 	}
 }
 
-func (dl *DisappearLoop) StartAll(ctx context.Context, roomID id.RoomID) {
-	startedMessages, err := dl.br.DB.DisappearingMessage.StartAll(ctx, roomID)
+func (dl *DisappearLoop) StartAllBefore(ctx context.Context, roomID id.RoomID, beforeTS time.Time) {
+	startedMessages, err := dl.br.DB.DisappearingMessage.StartAllBefore(ctx, roomID, beforeTS)
 	if err != nil {
 		zerolog.Ctx(ctx).Err(err).Msg("Failed to start disappearing messages")
 		return

bridgev2/errors.go

@@ -38,40 +38,51 @@ var ErrNotLoggedIn = errors.New("not logged in")
 // but direct media is not enabled.
 var ErrDirectMediaNotEnabled = errors.New("direct media is not enabled")
 
+var ErrPortalIsDeleted = errors.New("portal is deleted")
+var ErrPortalNotFoundInEventHandler = errors.New("portal not found to handle remote event")
+
 // Common message status errors
 var (
-	ErrPanicInEventHandler             error = WrapErrorInStatus(errors.New("panic in event handler")).WithSendNotice(true).WithErrorAsMessage()
-	ErrNoPortal                        error = WrapErrorInStatus(errors.New("room is not a portal")).WithIsCertain(true).WithSendNotice(false)
-	ErrIgnoringReactionFromRelayedUser error = WrapErrorInStatus(errors.New("ignoring reaction event from relayed user")).WithIsCertain(true).WithSendNotice(false)
-	ErrIgnoringPollFromRelayedUser     error = WrapErrorInStatus(errors.New("ignoring poll event from relayed user")).WithIsCertain(true).WithSendNotice(false)
-	ErrIgnoringDeleteChatRelayedUser   error = WrapErrorInStatus(errors.New("ignoring delete chat event from relayed user")).WithIsCertain(true).WithSendNotice(false)
-	ErrEditsNotSupported               error = WrapErrorInStatus(errors.New("this bridge does not support edits")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrEditsNotSupportedInPortal       error = WrapErrorInStatus(errors.New("edits are not allowed in this chat")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrCaptionsNotAllowed              error = WrapErrorInStatus(errors.New("captions are not supported here")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrLocationMessagesNotAllowed      error = WrapErrorInStatus(errors.New("location messages are not supported here")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrEditTargetTooOld                error = WrapErrorInStatus(errors.New("the message is too old to be edited")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrEditTargetTooManyEdits          error = WrapErrorInStatus(errors.New("the message has been edited too many times")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrReactionsNotSupported           error = WrapErrorInStatus(errors.New("this bridge does not support reactions")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrPollsNotSupported               error = WrapErrorInStatus(errors.New("this bridge does not support polls")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrRoomMetadataNotSupported        error = WrapErrorInStatus(errors.New("this bridge does not support changing room metadata")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
-	ErrRedactionsNotSupported          error = WrapErrorInStatus(errors.New("this bridge does not support deleting messages")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
-	ErrUnexpectedParsedContentType     error = WrapErrorInStatus(errors.New("unexpected parsed content type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true)
-	ErrInvalidStateKey                 error = WrapErrorInStatus(errors.New("room metadata state key is unset or non-empty")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(false)
-	ErrDatabaseError                   error = WrapErrorInStatus(errors.New("database error")).WithMessage("internal database error").WithIsCertain(true).WithSendNotice(true)
-	ErrTargetMessageNotFound           error = WrapErrorInStatus(errors.New("target message not found")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(false)
-	ErrUnsupportedMessageType          error = WrapErrorInStatus(errors.New("unsupported message type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
-	ErrUnsupportedMediaType            error = WrapErrorInStatus(errors.New("unsupported media type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
-	ErrMediaDurationTooLong            error = WrapErrorInStatus(errors.New("media duration too long")).WithErrorAsMessage().WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
-	ErrMediaTooLarge                   error = WrapErrorInStatus(errors.New("media too large")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
-	ErrIgnoringMNotice                 error = WrapErrorInStatus(errors.New("ignoring m.notice message")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false)
-	ErrMediaDownloadFailed             error = WrapErrorInStatus(errors.New("failed to download media")).WithMessage("failed to download media").WithIsCertain(true).WithSendNotice(true)
-	ErrMediaReuploadFailed             error = WrapErrorInStatus(errors.New("failed to reupload media")).WithMessage("failed to reupload media").WithIsCertain(true).WithSendNotice(true)
-	ErrMediaConvertFailed              error = WrapErrorInStatus(errors.New("failed to convert media")).WithMessage("failed to convert media").WithIsCertain(true).WithSendNotice(true)
-	ErrMembershipNotSupported          error = WrapErrorInStatus(errors.New("this bridge does not support changing group membership")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
-	ErrDeleteChatNotSupported          error = WrapErrorInStatus(errors.New("this bridge does not support deleting chats")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
-	ErrPowerLevelsNotSupported         error = WrapErrorInStatus(errors.New("this bridge does not support changing group power levels")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
-	ErrRemoteEchoTimeout                     = WrapErrorInStatus(errors.New("remote echo timed out")).WithIsCertain(false).WithSendNotice(true).WithErrorReason(event.MessageStatusTooOld)
-	ErrRemoteAckTimeout                      = WrapErrorInStatus(errors.New("remote ack timed out")).WithIsCertain(false).WithSendNotice(true).WithErrorReason(event.MessageStatusTooOld)
+	ErrPanicInEventHandler              error = WrapErrorInStatus(errors.New("panic in event handler")).WithSendNotice(true).WithErrorAsMessage()
+	ErrNoPortal                         error = WrapErrorInStatus(errors.New("room is not a portal")).WithIsCertain(true).WithSendNotice(false)
+	ErrIgnoringReactionFromRelayedUser  error = WrapErrorInStatus(errors.New("ignoring reaction event from relayed user")).WithIsCertain(true).WithSendNotice(false)
+	ErrIgnoringPollFromRelayedUser      error = WrapErrorInStatus(errors.New("ignoring poll event from relayed user")).WithIsCertain(true).WithSendNotice(false)
+	ErrIgnoringDeleteChatRelayedUser    error = WrapErrorInStatus(errors.New("ignoring delete chat event from relayed user")).WithIsCertain(true).WithSendNotice(false)
+	ErrIgnoringAcceptRequestRelayedUser error = WrapErrorInStatus(errors.New("ignoring accept message request event from relayed user")).WithIsCertain(true).WithSendNotice(false)
+	ErrEditsNotSupported                error = WrapErrorInStatus(errors.New("this bridge does not support edits")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrEditsNotSupportedInPortal        error = WrapErrorInStatus(errors.New("edits are not allowed in this chat")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrCaptionsNotAllowed               error = WrapErrorInStatus(errors.New("captions are not supported here")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrLocationMessagesNotAllowed       error = WrapErrorInStatus(errors.New("location messages are not supported here")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrEditTargetTooOld                 error = WrapErrorInStatus(errors.New("the message is too old to be edited")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrEditTargetTooManyEdits           error = WrapErrorInStatus(errors.New("the message has been edited too many times")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrReactionsNotSupported            error = WrapErrorInStatus(errors.New("this bridge does not support reactions")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrPollsNotSupported                error = WrapErrorInStatus(errors.New("this bridge does not support polls")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrRoomMetadataNotSupported         error = WrapErrorInStatus(errors.New("this bridge does not support changing room metadata")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrRoomMetadataNotAllowed           error = WrapErrorInStatus(errors.New("changes are not allowed here")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrRedactionsNotSupported           error = WrapErrorInStatus(errors.New("this bridge does not support deleting messages")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported)
+	ErrUnexpectedParsedContentType      error = WrapErrorInStatus(errors.New("unexpected parsed content type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true)
+	ErrInvalidStateKey                  error = WrapErrorInStatus(errors.New("room metadata state key is unset or non-empty")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(false)
+	ErrDatabaseError                    error = WrapErrorInStatus(errors.New("database error")).WithMessage("internal database error").WithIsCertain(true).WithSendNotice(true)
+	ErrTargetMessageNotFound            error = WrapErrorInStatus(errors.New("target message not found")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(false)
+	ErrUnsupportedMessageType           error = WrapErrorInStatus(errors.New("unsupported message type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
+	ErrUnsupportedMediaType             error = WrapErrorInStatus(errors.New("unsupported media type")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
+	ErrMediaDurationTooLong             error = WrapErrorInStatus(errors.New("media duration too long")).WithErrorAsMessage().WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
+	ErrVoiceMessageDurationTooLong      error = WrapErrorInStatus(errors.New("voice message too long")).WithErrorAsMessage().WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
+	ErrMediaTooLarge                    error = WrapErrorInStatus(errors.New("media too large")).WithErrorAsMessage().WithIsCertain(true).WithSendNotice(true).WithErrorReason(event.MessageStatusUnsupported)
+	ErrIgnoringMNotice                  error = WrapErrorInStatus(errors.New("ignoring m.notice message")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false)
+	ErrMediaDownloadFailed              error = WrapErrorInStatus(errors.New("failed to download media")).WithMessage("failed to download media").WithIsCertain(true).WithSendNotice(true)
+	ErrMediaReuploadFailed              error = WrapErrorInStatus(errors.New("failed to reupload media")).WithMessage("failed to reupload media").WithIsCertain(true).WithSendNotice(true)
+	ErrMediaConvertFailed               error = WrapErrorInStatus(errors.New("failed to convert media")).WithMessage("failed to convert media").WithIsCertain(true).WithSendNotice(true)
+	ErrMembershipNotSupported           error = WrapErrorInStatus(errors.New("this bridge does not support changing group membership")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrDeleteChatNotSupported           error = WrapErrorInStatus(errors.New("this bridge does not support deleting chats")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrBeeperAIStreamNotSupported       error = WrapErrorInStatus(errors.New("this bridge does not support Beeper AI stream events")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrPowerLevelsNotSupported          error = WrapErrorInStatus(errors.New("this bridge does not support changing group power levels")).WithIsCertain(true).WithErrorAsMessage().WithSendNotice(false).WithErrorReason(event.MessageStatusUnsupported)
+	ErrRemoteEchoTimeout                      = WrapErrorInStatus(errors.New("remote echo timed out")).WithIsCertain(false).WithSendNotice(true).WithErrorReason(event.MessageStatusTooOld)
+	ErrRemoteAckTimeout                       = WrapErrorInStatus(errors.New("remote ack timed out")).WithIsCertain(false).WithSendNotice(true).WithErrorReason(event.MessageStatusTooOld)
+
+	ErrPublicMediaDisabled         = WrapErrorInStatus(errors.New("public media is not enabled in the bridge config")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported).WithSendNotice(true)
+	ErrPublicMediaDatabaseDisabled = WrapErrorInStatus(errors.New("public media database storage is disabled")).WithIsCertain(true).WithErrorAsMessage().WithErrorReason(event.MessageStatusUnsupported).WithSendNotice(true)
+	ErrPublicMediaGenerateFailed   = WrapErrorInStatus(errors.New("failed to generate public media URL")).WithIsCertain(true).WithMessage("failed to generate public media URL").WithErrorReason(event.MessageStatusUnsupported).WithSendNotice(true)
 
 	ErrDisappearingTimerUnsupported error = WrapErrorInStatus(errors.New("invalid disappearing timer")).WithIsCertain(true)
 )

bridgev2/ghost.go

@@ -9,12 +9,15 @@ package bridgev2
 import (
 	"context"
 	"crypto/sha256"
+	"encoding/json"
 	"fmt"
+	"maps"
 	"net/http"
+	"slices"
 
 	"github.com/rs/zerolog"
+	"go.mau.fi/util/exerrors"
 	"go.mau.fi/util/exmime"
-	"golang.org/x/exp/slices"
 
 	"maunium.net/go/mautrix/bridgev2/database"
 	"maunium.net/go/mautrix/bridgev2/networkid"
@@ -134,10 +137,11 @@ func (a *Avatar) Reupload(ctx context.Context, intent MatrixAPI, currentHash [32
 }
 
 type UserInfo struct {
-	Identifiers []string
-	Name        *string
-	Avatar      *Avatar
-	IsBot       *bool
+	Identifiers  []string
+	Name         *string
+	Avatar       *Avatar
+	IsBot        *bool
+	ExtraProfile database.ExtraProfile
 
 	ExtraUpdates ExtraUpdater[*Ghost]
 }
@@ -185,9 +189,9 @@ func (ghost *Ghost) UpdateAvatar(ctx context.Context, avatar *Avatar) bool {
 	return true
 }
 
-func (ghost *Ghost) getExtraProfileMeta() *event.BeeperProfileExtra {
+func (ghost *Ghost) getExtraProfileMeta() any {
 	bridgeName := ghost.Bridge.Network.GetName()
-	return &event.BeeperProfileExtra{
+	baseExtra := &event.BeeperProfileExtra{
 		RemoteID:     string(ghost.ID),
 		Identifiers:  ghost.Identifiers,
 		Service:      bridgeName.BeeperBridgeType,
@@ -195,23 +199,35 @@ func (ghost *Ghost) getExtraProfileMeta() *event.BeeperProfileExtra {
 		IsBridgeBot:  false,
 		IsNetworkBot: ghost.IsBot,
 	}
+	if len(ghost.ExtraProfile) == 0 {
+		return baseExtra
+	}
+	mergedExtra := maps.Clone(ghost.ExtraProfile)
+	baseExtraMarshaled := exerrors.Must(json.Marshal(baseExtra))
+	exerrors.PanicIfNotNil(json.Unmarshal(baseExtraMarshaled, &mergedExtra))
+	return mergedExtra
 }
 
-func (ghost *Ghost) UpdateContactInfo(ctx context.Context, identifiers []string, isBot *bool) bool {
-	if identifiers != nil {
-		slices.Sort(identifiers)
-	}
-	if ghost.ContactInfoSet &&
-		(identifiers == nil || slices.Equal(identifiers, ghost.Identifiers)) &&
-		(isBot == nil || *isBot == ghost.IsBot) {
+func (ghost *Ghost) UpdateContactInfo(ctx context.Context, identifiers []string, isBot *bool, extraProfile database.ExtraProfile) bool {
+	if !ghost.Bridge.Matrix.GetCapabilities().ExtraProfileMeta {
+		ghost.ContactInfoSet = false
 		return false
 	}
 	if identifiers != nil {
+		slices.Sort(identifiers)
+	}
+	changed := extraProfile.CopyTo(&ghost.ExtraProfile)
+	if identifiers != nil {
+		changed = changed || !slices.Equal(identifiers, ghost.Identifiers)
 		ghost.Identifiers = identifiers
 	}
 	if isBot != nil {
+		changed = changed || *isBot != ghost.IsBot
 		ghost.IsBot = *isBot
 	}
+	if ghost.ContactInfoSet && !changed {
+		return false
+	}
 	err := ghost.Intent.SetExtraProfileMeta(ctx, ghost.getExtraProfileMeta())
 	if err != nil {
 		zerolog.Ctx(ctx).Err(err).Msg("Failed to set extra profile metadata")
@@ -234,7 +250,7 @@ func (br *Bridge) allowAggressiveUpdateForType(evtType RemoteEventType) bool {
 }
 
 func (ghost *Ghost) UpdateInfoIfNecessary(ctx context.Context, source *UserLogin, evtType RemoteEventType) {
-	if ghost.Name != "" && ghost.NameSet && !ghost.Bridge.allowAggressiveUpdateForType(evtType) {
+	if ghost.Name != "" && ghost.NameSet && ghost.AvatarSet && !ghost.Bridge.allowAggressiveUpdateForType(evtType) {
 		return
 	}
 	info, err := source.Client.GetUserInfo(ctx, ghost)
@@ -244,12 +260,16 @@ func (ghost *Ghost) UpdateInfoIfNecessary(ctx context.Context, source *UserLogin
 		zerolog.Ctx(ctx).Debug().
 			Bool("has_name", ghost.Name != "").
 			Bool("name_set", ghost.NameSet).
+			Bool("has_avatar", ghost.AvatarMXC != "").
+			Bool("avatar_set", ghost.AvatarSet).
 			Msg("Updating ghost info in IfNecessary call")
 		ghost.UpdateInfo(ctx, info)
 	} else {
 		zerolog.Ctx(ctx).Trace().
 			Bool("has_name", ghost.Name != "").
 			Bool("name_set", ghost.NameSet).
+			Bool("has_avatar", ghost.AvatarMXC != "").
+			Bool("avatar_set", ghost.AvatarSet).
 			Msg("No ghost info received in IfNecessary call")
 	}
 }
@@ -277,9 +297,14 @@ func (ghost *Ghost) UpdateInfo(ctx context.Context, info *UserInfo) {
 	}
 	if info.Avatar != nil {
 		update = ghost.UpdateAvatar(ctx, info.Avatar) || update
+	} else if oldAvatar == "" && !ghost.AvatarSet {
+		// Special case: nil avatar means we're not expecting one ever, if we don't currently have
+		// one we flag it as set to avoid constantly refetching in UpdateInfoIfNecessary.
+		ghost.AvatarSet = true
+		update = true
 	}
-	if info.Identifiers != nil || info.IsBot != nil {
-		update = ghost.UpdateContactInfo(ctx, info.Identifiers, info.IsBot) || update
+	if info.Identifiers != nil || info.IsBot != nil || info.ExtraProfile != nil {
+		update = ghost.UpdateContactInfo(ctx, info.Identifiers, info.IsBot, info.ExtraProfile) || update
 	}
 	if info.ExtraUpdates != nil {
 		update = info.ExtraUpdates(ctx, ghost) || update

bridgev2/login.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 
 	"maunium.net/go/mautrix/bridgev2/networkid"
+	"maunium.net/go/mautrix/event"
 )
 
 // LoginProcess represents a single occurrence of a user logging into the remote network.
@@ -178,6 +179,8 @@ const (
 	LoginInputFieldTypeToken       LoginInputFieldType = "token"
 	LoginInputFieldTypeURL         LoginInputFieldType = "url"
 	LoginInputFieldTypeDomain      LoginInputFieldType = "domain"
+	LoginInputFieldTypeSelect      LoginInputFieldType = "select"
+	LoginInputFieldTypeCaptchaCode LoginInputFieldType = "captcha_code"
 )
 
 type LoginInputDataField struct {
@@ -189,8 +192,13 @@ type LoginInputDataField struct {
 	Name string `json:"name"`
 	// The description of the field shown to the user.
 	Description string `json:"description"`
+	// A default value that the client can pre-fill the field with.
+	DefaultValue string `json:"default_value,omitempty"`
 	// A regex pattern that the client can use to validate input client-side.
 	Pattern string `json:"pattern,omitempty"`
+	// For fields of type select, the valid options.
+	// Pattern may also be filled with a regex that matches the same options.
+	Options []string `json:"options,omitempty"`
 	// A function that validates the input and optionally cleans it up before it's submitted to the connector.
 	Validate func(string) (string, error) `json:"-"`
 }
@@ -265,6 +273,23 @@ func (f *LoginInputDataField) FillDefaultValidate() {
 type LoginUserInputParams struct {
 	// The fields that the user needs to fill in.
 	Fields []LoginInputDataField `json:"fields"`
+
+	// Attachments to display alongside the input fields.
+	Attachments []*LoginUserInputAttachment `json:"attachments"`
+}
+
+type LoginUserInputAttachment struct {
+	Type     event.MessageType            `json:"type,omitempty"`
+	FileName string                       `json:"filename,omitempty"`
+	Content  []byte                       `json:"content,omitempty"`
+	Info     LoginUserInputAttachmentInfo `json:"info,omitempty"`
+}
+
+type LoginUserInputAttachmentInfo struct {
+	MimeType string `json:"mimetype,omitempty"`
+	Width    int    `json:"w,omitempty"`
+	Height   int    `json:"h,omitempty"`
+	Size     int    `json:"size,omitempty"`
 }
 
 type LoginCompleteParams struct {

bridgev2/matrix/connector.go

@@ -26,6 +26,7 @@ import (
 	_ "go.mau.fi/util/dbutil/litestream"
 	"go.mau.fi/util/exbytes"
 	"go.mau.fi/util/exsync"
+	"go.mau.fi/util/ptr"
 	"go.mau.fi/util/random"
 	"golang.org/x/sync/semaphore"
 
@@ -80,6 +81,8 @@ type Connector struct {
 
 	MediaConfig             mautrix.RespMediaConfig
 	SpecVersions            *mautrix.RespVersions
+	SpecCaps                *mautrix.RespCapabilities
+	specCapsLock            sync.Mutex
 	Capabilities            *bridgev2.MatrixCapabilities
 	IgnoreUnsupportedServer bool
 
@@ -141,16 +144,20 @@ func (br *Connector) Init(bridge *bridgev2.Bridge) {
 	br.EventProcessor.On(event.EventReaction, br.handleRoomEvent)
 	br.EventProcessor.On(event.EventRedaction, br.handleRoomEvent)
 	br.EventProcessor.On(event.EventEncrypted, br.handleEncryptedEvent)
+	br.EventProcessor.On(event.EphemeralEventEncrypted, br.handleEncryptedEvent)
 	br.EventProcessor.On(event.StateMember, br.handleRoomEvent)
 	br.EventProcessor.On(event.StatePowerLevels, br.handleRoomEvent)
 	br.EventProcessor.On(event.StateRoomName, br.handleRoomEvent)
+	br.EventProcessor.On(event.BeeperSendState, br.handleRoomEvent)
 	br.EventProcessor.On(event.StateRoomAvatar, br.handleRoomEvent)
 	br.EventProcessor.On(event.StateTopic, br.handleRoomEvent)
 	br.EventProcessor.On(event.StateTombstone, br.handleRoomEvent)
 	br.EventProcessor.On(event.StateBeeperDisappearingTimer, br.handleRoomEvent)
 	br.EventProcessor.On(event.BeeperDeleteChat, br.handleRoomEvent)
+	br.EventProcessor.On(event.BeeperAcceptMessageRequest, br.handleRoomEvent)
 	br.EventProcessor.On(event.EphemeralEventReceipt, br.handleEphemeralEvent)
 	br.EventProcessor.On(event.EphemeralEventTyping, br.handleEphemeralEvent)
+	br.EventProcessor.On(event.BeeperEphemeralEventAIStream, br.handleEphemeralEvent)
 	br.Bot = br.AS.BotIntent()
 	br.Crypto = NewCryptoHelper(br)
 	br.Bridge.Commands.(*commands.Processor).AddHandlers(
@@ -275,7 +282,7 @@ func (br *Connector) GetPublicAddress() string {
 	if br.Config.AppService.PublicAddress == "https://bridge.example.com" {
 		return ""
 	}
-	return br.Config.AppService.PublicAddress
+	return strings.TrimRight(br.Config.AppService.PublicAddress, "/")
 }
 
 func (br *Connector) GetRouter() *http.ServeMux {
@@ -337,16 +344,18 @@ func (br *Connector) logInitialRequestError(err error, defaultMessage string) {
 }
 
 func (br *Connector) ensureConnection(ctx context.Context) {
+	triedToRegister := false
 	for {
 		versions, err := br.Bot.Versions(ctx)
 		if err != nil {
-			if errors.Is(err, mautrix.MForbidden) {
+			if errors.Is(err, mautrix.MForbidden) && !triedToRegister {
 				br.Log.Debug().Msg("M_FORBIDDEN in /versions, trying to register before retrying")
 				err = br.Bot.EnsureRegistered(ctx)
 				if err != nil {
 					br.logInitialRequestError(err, "Failed to register after /versions failed with M_FORBIDDEN")
 					os.Exit(16)
 				}
+				triedToRegister = true
 			} else if errors.Is(err, mautrix.MUnknownToken) || errors.Is(err, mautrix.MExclusive) {
 				br.logInitialRequestError(err, "/versions request failed with auth error")
 				os.Exit(16)
@@ -359,6 +368,9 @@ func (br *Connector) ensureConnection(ctx context.Context) {
 			*br.AS.SpecVersions = *versions
 			br.Capabilities.AutoJoinInvites = br.SpecVersions.Supports(mautrix.BeeperFeatureAutojoinInvites)
 			br.Capabilities.BatchSending = br.SpecVersions.Supports(mautrix.BeeperFeatureBatchSending)
+			br.Capabilities.ArbitraryMemberChange = br.SpecVersions.Supports(mautrix.BeeperFeatureArbitraryMemberChange)
+			br.Capabilities.ExtraProfileMeta = br.SpecVersions.Supports(mautrix.BeeperFeatureArbitraryProfileMeta) ||
+				(br.SpecVersions.Supports(mautrix.FeatureArbitraryProfileFields) && br.Config.Matrix.GhostExtraProfileInfo)
 			break
 		}
 	}
@@ -403,6 +415,21 @@ func (br *Connector) ensureConnection(ctx context.Context) {
 	br.Bot.EnsureAppserviceConnection(ctx)
 }
 
+func (br *Connector) fetchCapabilities(ctx context.Context) *mautrix.RespCapabilities {
+	br.specCapsLock.Lock()
+	defer br.specCapsLock.Unlock()
+	if br.SpecCaps != nil {
+		return br.SpecCaps
+	}
+	caps, err := br.Bot.Capabilities(ctx)
+	if err != nil {
+		br.Log.Err(err).Msg("Failed to fetch capabilities from homeserver")
+		return nil
+	}
+	br.SpecCaps = caps
+	return caps
+}
+
 func (br *Connector) fetchMediaConfig(ctx context.Context) {
 	cfg, err := br.Bot.GetMediaConfig(ctx)
 	if err != nil {
@@ -511,7 +538,8 @@ func (br *Connector) internalSendMessageStatus(ctx context.Context, ms *bridgev2
 				Msg("Failed to send MSS event")
 		}
 	}
-	if ms.SendNotice && br.Config.Matrix.MessageErrorNotices && (ms.Status == event.MessageStatusFail || ms.Status == event.MessageStatusRetriable || ms.Step == status.MsgStepDecrypted) {
+	if ms.SendNotice && br.Config.Matrix.MessageErrorNotices && evt.MessageType != event.MsgNotice &&
+		(ms.Status == event.MessageStatusFail || ms.Status == event.MessageStatusRetriable || ms.Step == status.MsgStepDecrypted) {
 		content := ms.ToNoticeEvent(evt)
 		if editEvent != "" {
 			content.SetEdit(editEvent)
@@ -595,13 +623,28 @@ func (br *Connector) GetPowerLevels(ctx context.Context, roomID id.RoomID) (*eve
 }
 
 func (br *Connector) GetStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string) (*event.Event, error) {
-	if eventType == event.StateCreate && stateKey == "" {
-		createEvt, err := br.Bot.StateStore.GetCreate(ctx, roomID)
-		if err != nil || createEvt != nil {
-			return createEvt, err
+	if stateKey == "" {
+		switch eventType {
+		case event.StateCreate:
+			createEvt, err := br.Bot.StateStore.GetCreate(ctx, roomID)
+			if err != nil || createEvt != nil {
+				return createEvt, err
+			}
+		case event.StateJoinRules:
+			joinRulesContent, err := br.Bot.StateStore.GetJoinRules(ctx, roomID)
+			if err != nil {
+				return nil, err
+			} else if joinRulesContent != nil {
+				return &event.Event{
+					Type:     event.StateJoinRules,
+					RoomID:   roomID,
+					StateKey: ptr.Ptr(""),
+					Content:  event.Content{Parsed: joinRulesContent},
+				}, nil
+			}
 		}
 	}
-	return br.Bot.FullStateEvent(ctx, roomID, eventType, "")
+	return br.Bot.FullStateEvent(ctx, roomID, eventType, stateKey)
 }
 
 func (br *Connector) GetMembers(ctx context.Context, roomID id.RoomID) (map[id.UserID]*event.MemberEventContent, error) {

bridgev2/matrix/crypto.go

@@ -38,9 +38,9 @@ func init() {
 
 var _ crypto.StateStore = (*sqlstatestore.SQLStateStore)(nil)
 
-var NoSessionFound = crypto.NoSessionFound
-var DuplicateMessageIndex = crypto.DuplicateMessageIndex
-var UnknownMessageIndex = olm.UnknownMessageIndex
+var NoSessionFound = crypto.ErrNoSessionFound
+var DuplicateMessageIndex = crypto.ErrDuplicateMessageIndex
+var UnknownMessageIndex = olm.ErrUnknownMessageIndex
 
 type CryptoHelper struct {
 	bridge *Connector
@@ -439,7 +439,7 @@ func (helper *CryptoHelper) Encrypt(ctx context.Context, roomID id.RoomID, evtTy
 	var encrypted *event.EncryptedEventContent
 	encrypted, err = helper.mach.EncryptMegolmEvent(ctx, roomID, evtType, content)
 	if err != nil {
-		if !errors.Is(err, crypto.SessionExpired) && !errors.Is(err, crypto.SessionNotShared) && !errors.Is(err, crypto.NoGroupSession) {
+		if !errors.Is(err, crypto.ErrSessionExpired) && !errors.Is(err, crypto.ErrSessionNotShared) && !errors.Is(err, crypto.ErrNoGroupSession) {
 			return
 		}
 		helper.log.Debug().Err(err).

bridgev2/matrix/intent.go

@@ -9,6 +9,7 @@ package matrix
 import (
 	"bytes"
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -27,6 +28,7 @@ import (
 	"maunium.net/go/mautrix/bridgev2"
 	"maunium.net/go/mautrix/bridgev2/bridgeconfig"
 	"maunium.net/go/mautrix/crypto/attachment"
+	"maunium.net/go/mautrix/crypto/canonicaljson"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
 	"maunium.net/go/mautrix/pushrules"
@@ -43,13 +45,13 @@ type ASIntent struct {
 
 var _ bridgev2.MatrixAPI = (*ASIntent)(nil)
 var _ bridgev2.MarkAsDMMatrixAPI = (*ASIntent)(nil)
+var _ bridgev2.EphemeralSendingMatrixAPI = (*ASIntent)(nil)
 
 func (as *ASIntent) SendMessage(ctx context.Context, roomID id.RoomID, eventType event.Type, content *event.Content, extra *bridgev2.MatrixSendExtra) (*mautrix.RespSendEvent, error) {
 	if extra == nil {
 		extra = &bridgev2.MatrixSendExtra{}
 	}
-	// TODO remove this once hungryserv and synapse support sending m.room.redactions directly in all room versions
-	if eventType == event.EventRedaction {
+	if eventType == event.EventRedaction && !as.Connector.SpecVersions.Supports(mautrix.FeatureRedactSendAsEvent) {
 		parsedContent := content.Parsed.(*event.RedactionEventContent)
 		as.Matrix.AddDoublePuppetValue(content)
 		return as.Matrix.RedactEvent(ctx, roomID, parsedContent.Redacts, mautrix.ReqRedact{
@@ -57,7 +59,7 @@ func (as *ASIntent) SendMessage(ctx context.Context, roomID id.RoomID, eventType
 			Extra:  content.Raw,
 		})
 	}
-	if eventType != event.EventReaction && eventType != event.EventRedaction {
+	if (eventType != event.EventReaction || as.Connector.Config.Encryption.MSC4392) && eventType != event.EventRedaction {
 		msgContent, ok := content.Parsed.(*event.MessageEventContent)
 		if ok {
 			msgContent.AddPerMessageProfileFallback()
@@ -82,16 +84,27 @@ func (as *ASIntent) SendMessage(ctx context.Context, roomID id.RoomID, eventType
 			eventType = event.EventEncrypted
 		}
 	}
-	if extra.Timestamp.IsZero() {
-		return as.Matrix.SendMessageEvent(ctx, roomID, eventType, content)
-	} else {
-		return as.Matrix.SendMassagedMessageEvent(ctx, roomID, eventType, content, extra.Timestamp.UnixMilli())
+	return as.Matrix.SendMessageEvent(ctx, roomID, eventType, content, mautrix.ReqSendEvent{Timestamp: extra.Timestamp.UnixMilli()})
+}
+
+func (as *ASIntent) BeeperSendEphemeralEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, content *event.Content, txnID string) (*mautrix.RespSendEvent, error) {
+	if !as.Connector.SpecVersions.Supports(mautrix.BeeperFeatureEphemeralEvents) {
+		return nil, mautrix.MUnrecognized.WithMessage("Homeserver does not advertise com.beeper.ephemeral support")
 	}
+	if encrypted, err := as.Matrix.StateStore.IsEncrypted(ctx, roomID); err != nil {
+		return nil, fmt.Errorf("failed to check if room is encrypted: %w", err)
+	} else if encrypted && as.Connector.Crypto != nil {
+		if err = as.Connector.Crypto.Encrypt(ctx, roomID, eventType, content); err != nil {
+			return nil, err
+		}
+		eventType = event.EventEncrypted
+	}
+	return as.Matrix.BeeperSendEphemeralEvent(ctx, roomID, eventType, content, mautrix.ReqSendEvent{TransactionID: txnID})
 }
 
 func (as *ASIntent) fillMemberEvent(ctx context.Context, roomID id.RoomID, userID id.UserID, content *event.Content) {
-	targetContent := content.Parsed.(*event.MemberEventContent)
-	if targetContent.Displayname != "" || targetContent.AvatarURL != "" {
+	targetContent, ok := content.Parsed.(*event.MemberEventContent)
+	if !ok || targetContent.Displayname != "" || targetContent.AvatarURL != "" {
 		return
 	}
 	memberContent, err := as.Matrix.StateStore.TryGetMember(ctx, roomID, userID)
@@ -126,11 +139,7 @@ func (as *ASIntent) SendState(ctx context.Context, roomID id.RoomID, eventType e
 	if eventType == event.StateMember {
 		as.fillMemberEvent(ctx, roomID, id.UserID(stateKey), content)
 	}
-	if ts.IsZero() {
-		resp, err = as.Matrix.SendStateEvent(ctx, roomID, eventType, stateKey, content)
-	} else {
-		resp, err = as.Matrix.SendMassagedStateEvent(ctx, roomID, eventType, stateKey, content, ts.UnixMilli())
-	}
+	resp, err = as.Matrix.SendStateEvent(ctx, roomID, eventType, stateKey, content, mautrix.ReqSendEvent{Timestamp: ts.UnixMilli()})
 	if err != nil && eventType == event.StateMember {
 		var httpErr mautrix.HTTPError
 		if errors.As(err, &httpErr) && httpErr.RespError != nil &&
@@ -412,6 +421,7 @@ func (as *ASIntent) UploadMediaStream(
 			removeAndClose(replFile)
 			removeAndClose(tempFile)
 		}
+		req.AsyncContext = zerolog.Ctx(ctx).WithContext(as.Connector.Bridge.BackgroundCtx)
 		startedAsyncUpload = true
 		var resp *mautrix.RespCreateMXC
 		resp, err = as.Matrix.UploadAsync(ctx, req)
@@ -444,6 +454,7 @@ func (as *ASIntent) doUploadReq(ctx context.Context, file *event.EncryptedFileIn
 				as.Connector.uploadSema.Release(int64(len(req.ContentBytes)))
 			}
 		}
+		req.AsyncContext = zerolog.Ctx(ctx).WithContext(as.Connector.Bridge.BackgroundCtx)
 		var resp *mautrix.RespCreateMXC
 		resp, err = as.Matrix.UploadAsync(ctx, req)
 		if resp != nil {
@@ -475,11 +486,62 @@ func (as *ASIntent) SetAvatarURL(ctx context.Context, avatarURL id.ContentURIStr
 	return as.Matrix.SetAvatarURL(ctx, parsedAvatarURL)
 }
 
-func (as *ASIntent) SetExtraProfileMeta(ctx context.Context, data any) error {
-	if !as.Connector.SpecVersions.Supports(mautrix.BeeperFeatureArbitraryProfileMeta) {
-		return nil
+func dataToFields(data any) (map[string]json.RawMessage, error) {
+	fields, ok := data.(map[string]json.RawMessage)
+	if ok {
+		return fields, nil
 	}
-	return as.Matrix.BeeperUpdateProfile(ctx, data)
+	d, err := json.Marshal(data)
+	if err != nil {
+		return nil, err
+	}
+	d = canonicaljson.CanonicalJSONAssumeValid(d)
+	err = json.Unmarshal(d, &fields)
+	return fields, err
+}
+
+func marshalField(val any) json.RawMessage {
+	data, _ := json.Marshal(val)
+	if len(data) > 0 && (data[0] == '{' || data[0] == '[') {
+		return canonicaljson.CanonicalJSONAssumeValid(data)
+	}
+	return data
+}
+
+var nullJSON = json.RawMessage("null")
+
+func (as *ASIntent) SetExtraProfileMeta(ctx context.Context, data any) error {
+	if as.Connector.SpecVersions.Supports(mautrix.BeeperFeatureArbitraryProfileMeta) {
+		return as.Matrix.BeeperUpdateProfile(ctx, data)
+	} else if as.Connector.SpecVersions.Supports(mautrix.FeatureArbitraryProfileFields) && as.Connector.Config.Matrix.GhostExtraProfileInfo {
+		fields, err := dataToFields(data)
+		if err != nil {
+			return fmt.Errorf("failed to marshal fields: %w", err)
+		}
+		currentProfile, err := as.Matrix.GetProfile(ctx, as.Matrix.UserID)
+		if err != nil {
+			return fmt.Errorf("failed to get current profile: %w", err)
+		}
+		for key, val := range fields {
+			existing, ok := currentProfile.Extra[key]
+			if !ok {
+				if bytes.Equal(val, nullJSON) {
+					continue
+				}
+				err = as.Matrix.SetProfileField(ctx, key, val)
+			} else if !bytes.Equal(marshalField(existing), val) {
+				if bytes.Equal(val, nullJSON) {
+					err = as.Matrix.DeleteProfileField(ctx, key)
+				} else {
+					err = as.Matrix.SetProfileField(ctx, key, val)
+				}
+			}
+			if err != nil {
+				return fmt.Errorf("failed to set profile field %q: %w", key, err)
+			}
+		}
+	}
+	return nil
 }
 
 func (as *ASIntent) GetMXID() id.UserID {
@@ -521,6 +583,39 @@ func (br *Connector) getDefaultEncryptionEvent() *event.EncryptionEventContent {
 	return content
 }
 
+func (as *ASIntent) filterCreateRequestForV12(ctx context.Context, req *mautrix.ReqCreateRoom) {
+	if as.Connector.Config.Homeserver.Software == bridgeconfig.SoftwareHungry {
+		// Hungryserv doesn't override the capabilities endpoint nor do room versions
+		return
+	}
+	caps := as.Connector.fetchCapabilities(ctx)
+	roomVer := req.RoomVersion
+	if roomVer == "" && caps != nil && caps.RoomVersions != nil {
+		roomVer = id.RoomVersion(caps.RoomVersions.Default)
+	}
+	if roomVer != "" && !roomVer.PrivilegedRoomCreators() {
+		return
+	}
+	creators, _ := req.CreationContent["additional_creators"].([]id.UserID)
+	creators = append(slices.Clone(creators), as.GetMXID())
+	if req.PowerLevelOverride != nil {
+		for _, creator := range creators {
+			delete(req.PowerLevelOverride.Users, creator)
+		}
+	}
+	for _, evt := range req.InitialState {
+		if evt.Type != event.StatePowerLevels {
+			continue
+		}
+		content, ok := evt.Content.Parsed.(*event.PowerLevelsEventContent)
+		if ok {
+			for _, creator := range creators {
+				delete(content.Users, creator)
+			}
+		}
+	}
+}
+
 func (as *ASIntent) CreateRoom(ctx context.Context, req *mautrix.ReqCreateRoom) (id.RoomID, error) {
 	if as.Connector.Config.Encryption.Default {
 		req.InitialState = append(req.InitialState, &event.Event{
@@ -536,6 +631,7 @@ func (as *ASIntent) CreateRoom(ctx context.Context, req *mautrix.ReqCreateRoom)
 		}
 		req.CreationContent["m.federate"] = false
 	}
+	as.filterCreateRequestForV12(ctx, req)
 	resp, err := as.Matrix.CreateRoom(ctx, req)
 	if err != nil {
 		return "", err
@@ -689,10 +785,10 @@ func (as *ASIntent) GetEvent(ctx context.Context, roomID id.RoomID, eventID id.E
 	}
 
 	if evt.Type == event.EventEncrypted {
-		if as.Connector.Config.Encryption.DeleteKeys.RatchetOnDecrypt {
+		if as.Connector.Crypto == nil || as.Connector.Config.Encryption.DeleteKeys.RatchetOnDecrypt {
 			return nil, errors.New("can't decrypt the event")
 		}
-		return as.Matrix.Crypto.Decrypt(ctx, evt)
+		return as.Connector.Crypto.Decrypt(ctx, evt)
 	}
 
 	return evt, nil

bridgev2/matrix/matrix.go

@@ -27,6 +27,11 @@ func (br *Connector) handleRoomEvent(ctx context.Context, evt *event.Event) {
 	if br.shouldIgnoreEvent(evt) {
 		return
 	}
+	if !br.Config.Bridge.Permissions.Get(evt.Sender).SendEvents && evt.Type != event.StateMember {
+		zerolog.Ctx(ctx).Debug().Msg("Dropping event from user with no permission to send events")
+		br.SendMessageStatus(ctx, &bridgev2.ErrNoPermissionToInteract, bridgev2.StatusEventInfoFromEvent(evt))
+		return
+	}
 	if (evt.Type == event.EventMessage || evt.Type == event.EventSticker) && !evt.Mautrix.WasEncrypted && br.Config.Encryption.Require {
 		zerolog.Ctx(ctx).Warn().Msg("Dropping unencrypted event as encryption is configured to be required")
 		br.sendCryptoStatusError(ctx, evt, errMessageNotEncrypted, nil, 0, true)
@@ -63,6 +68,10 @@ func (br *Connector) handleEphemeralEvent(ctx context.Context, evt *event.Event)
 	case event.EphemeralEventTyping:
 		typingContent := evt.Content.AsTyping()
 		typingContent.UserIDs = slices.DeleteFunc(typingContent.UserIDs, br.shouldIgnoreEventFromUser)
+	case event.BeeperEphemeralEventAIStream:
+		if br.shouldIgnoreEvent(evt) {
+			return
+		}
 	}
 	br.Bridge.QueueMatrixEvent(ctx, evt)
 }
@@ -76,6 +85,11 @@ func (br *Connector) handleEncryptedEvent(ctx context.Context, evt *event.Event)
 		Str("event_id", evt.ID.String()).
 		Str("session_id", content.SessionID.String()).
 		Logger()
+	if !br.Config.Bridge.Permissions.Get(evt.Sender).SendEvents {
+		log.Debug().Msg("Dropping event from user with no permission to send events")
+		br.SendMessageStatus(ctx, &bridgev2.ErrNoPermissionToInteract, bridgev2.StatusEventInfoFromEvent(evt))
+		return
+	}
 	ctx = log.WithContext(ctx)
 	if br.Crypto == nil {
 		br.sendCryptoStatusError(ctx, evt, errNoCrypto, nil, 0, true)
@@ -117,6 +131,7 @@ func (br *Connector) waitLongerForSession(ctx context.Context, evt *event.Event,
 		Int("wait_seconds", int(extendedSessionWaitTimeout.Seconds())).
 		Msg("Couldn't find session, requesting keys and waiting longer...")
 
+	//lint:ignore SA1019 RequestSession will gracefully request from all devices if DeviceID is blank
 	go br.Crypto.RequestSession(ctx, evt.RoomID, content.SenderKey, content.SessionID, evt.Sender, content.DeviceID)
 	go br.sendCryptoStatusError(ctx, evt, fmt.Errorf("%w. The bridge will retry for %d seconds", errNoDecryptionKeys, int(extendedSessionWaitTimeout.Seconds())), errorEventID, 1, false)
 
@@ -220,7 +235,6 @@ func (br *Connector) postDecrypt(ctx context.Context, original, decrypted *event
 	go br.sendSuccessCheckpoint(ctx, decrypted, status.MsgStepDecrypted, retryCount)
 	decrypted.Mautrix.CheckpointSent = true
 	decrypted.Mautrix.DecryptionDuration = duration
-	decrypted.Mautrix.EventSource |= event.SourceDecrypted
 	br.EventProcessor.Dispatch(ctx, decrypted)
 	if errorEventID != nil && *errorEventID != "" {
 		_, _ = br.Bot.RedactEvent(ctx, decrypted.RoomID, *errorEventID)

bridgev2/matrix/mxmain/dberror.go

@@ -66,7 +66,12 @@ func (br *BridgeMain) LogDBUpgradeErrorAndExit(name string, err error, message s
 	} else if errors.Is(err, dbutil.ErrForeignTables) {
 		br.Log.Info().Msg("See https://docs.mau.fi/faq/foreign-tables for more info")
 	} else if errors.Is(err, dbutil.ErrNotOwned) {
-		br.Log.Info().Msg("Sharing the same database with different programs is not supported")
+		var noe dbutil.NotOwnedError
+		if errors.As(err, &noe) && noe.Owner == br.Name {
+			br.Log.Info().Msg("The database appears to be on a very old pre-megabridge schema. Perhaps you need to run an older version of the bridge with migration support first?")
+		} else {
+			br.Log.Info().Msg("Sharing the same database with different programs is not supported")
+		}
 	} else if errors.Is(err, dbutil.ErrUnsupportedDatabaseVersion) {
 		br.Log.Info().Msg("Downgrading the bridge is not supported")
 	}

bridgev2/matrix/mxmain/envconfig.go

@@ -0,0 +1,161 @@
+// Copyright (c) 2025 Tulir Asokan
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mxmain
+
+import (
+	"fmt"
+	"iter"
+	"os"
+	"reflect"
+	"strconv"
+	"strings"
+
+	"go.mau.fi/util/random"
+)
+
+var randomParseFilePrefix = random.String(16) + "READFILE:"
+
+func parseEnv(prefix string) iter.Seq2[[]string, string] {
+	return func(yield func([]string, string) bool) {
+		for _, s := range os.Environ() {
+			if !strings.HasPrefix(s, prefix) {
+				continue
+			}
+			kv := strings.SplitN(s, "=", 2)
+			key := strings.TrimPrefix(kv[0], prefix)
+			value := kv[1]
+			if strings.HasSuffix(key, "_FILE") {
+				key = strings.TrimSuffix(key, "_FILE")
+				value = randomParseFilePrefix + value
+			}
+			key = strings.ToLower(key)
+			if !strings.ContainsRune(key, '.') {
+				key = strings.ReplaceAll(key, "__", ".")
+			}
+			if !yield(strings.Split(key, "."), value) {
+				return
+			}
+		}
+	}
+}
+
+func reflectYAMLFieldName(f *reflect.StructField) string {
+	parts := strings.SplitN(f.Tag.Get("yaml"), ",", 2)
+	fieldName := parts[0]
+	if fieldName == "-" && len(parts) == 1 {
+		return ""
+	}
+	if fieldName == "" {
+		return strings.ToLower(f.Name)
+	}
+	return fieldName
+}
+
+type reflectGetResult struct {
+	val           reflect.Value
+	valKind       reflect.Kind
+	remainingPath []string
+}
+
+func reflectGetYAML(rv reflect.Value, path []string) (*reflectGetResult, bool) {
+	if len(path) == 0 {
+		return &reflectGetResult{val: rv, valKind: rv.Kind()}, true
+	}
+	if rv.Kind() == reflect.Ptr {
+		rv = rv.Elem()
+	}
+	switch rv.Kind() {
+	case reflect.Map:
+		return &reflectGetResult{val: rv, remainingPath: path, valKind: rv.Type().Elem().Kind()}, true
+	case reflect.Struct:
+		fields := reflect.VisibleFields(rv.Type())
+		for _, field := range fields {
+			fieldName := reflectYAMLFieldName(&field)
+			if fieldName != "" && fieldName == path[0] {
+				return reflectGetYAML(rv.FieldByIndex(field.Index), path[1:])
+			}
+		}
+	default:
+	}
+	return nil, false
+}
+
+func reflectGetFromMainOrNetwork(main, network reflect.Value, path []string) (*reflectGetResult, bool) {
+	if len(path) > 0 && path[0] == "network" {
+		return reflectGetYAML(network, path[1:])
+	}
+	return reflectGetYAML(main, path)
+}
+
+func formatKeyString(key []string) string {
+	return strings.Join(key, "->")
+}
+
+func UpdateConfigFromEnv(cfg, networkData any, prefix string) error {
+	cfgVal := reflect.ValueOf(cfg)
+	networkVal := reflect.ValueOf(networkData)
+	for key, value := range parseEnv(prefix) {
+		field, ok := reflectGetFromMainOrNetwork(cfgVal, networkVal, key)
+		if !ok {
+			return fmt.Errorf("%s not found", formatKeyString(key))
+		}
+		if strings.HasPrefix(value, randomParseFilePrefix) {
+			filepath := strings.TrimPrefix(value, randomParseFilePrefix)
+			fileData, err := os.ReadFile(filepath)
+			if err != nil {
+				return fmt.Errorf("failed to read file %s for %s: %w", filepath, formatKeyString(key), err)
+			}
+			value = strings.TrimSpace(string(fileData))
+		}
+		var parsedVal any
+		var err error
+		switch field.valKind {
+		case reflect.String:
+			parsedVal = value
+		case reflect.Bool:
+			parsedVal, err = strconv.ParseBool(value)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %w", formatKeyString(key), err)
+			}
+		case reflect.Int, reflect.Int8, reflect.Int16, reflect.Int32, reflect.Int64:
+			parsedVal, err = strconv.ParseInt(value, 10, 64)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %w", formatKeyString(key), err)
+			}
+		case reflect.Uint, reflect.Uint8, reflect.Uint16, reflect.Uint32, reflect.Uint64:
+			parsedVal, err = strconv.ParseUint(value, 10, 64)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %w", formatKeyString(key), err)
+			}
+		case reflect.Float32, reflect.Float64:
+			parsedVal, err = strconv.ParseFloat(value, 64)
+			if err != nil {
+				return fmt.Errorf("invalid value for %s: %w", formatKeyString(key), err)
+			}
+		default:
+			return fmt.Errorf("unsupported type %s in %s", field.valKind, formatKeyString(key))
+		}
+		if field.val.Kind() == reflect.Ptr {
+			if field.val.IsNil() {
+				field.val.Set(reflect.New(field.val.Type().Elem()))
+			}
+			field.val = field.val.Elem()
+		}
+		if field.val.Kind() == reflect.Map {
+			key = key[:len(key)-len(field.remainingPath)]
+			mapKeyStr := strings.Join(field.remainingPath, ".")
+			key = append(key, mapKeyStr)
+			if field.val.Type().Key().Kind() != reflect.String {
+				return fmt.Errorf("unsupported map key type %s in %s", field.val.Type().Key().Kind(), formatKeyString(key))
+			}
+			field.val.SetMapIndex(reflect.ValueOf(mapKeyStr), reflect.ValueOf(parsedVal))
+		} else {
+			field.val.Set(reflect.ValueOf(parsedVal))
+		}
+	}
+	return nil
+}

bridgev2/matrix/mxmain/example-config.yaml

@@ -29,6 +29,9 @@ bridge:
     # How long after an unknown error should the bridge attempt a full reconnect?
     # Must be at least 1 minute. The bridge will add an extra ±20% jitter to this value.
     unknown_error_auto_reconnect: null
+    # Maximum number of times to do the auto-reconnect above.
+    # The counter is per login, but is never reset except on logout and restart.
+    unknown_error_max_auto_reconnects: 10
 
     # Should leaving Matrix rooms be bridged as leaving groups on the remote network?
     bridge_matrix_leave: false
@@ -47,6 +50,11 @@ bridge:
     # Should cross-room reply metadata be bridged?
     # Most Matrix clients don't support this and servers may reject such messages too.
     cross_room_replies: false
+    # If a state event fails to bridge, should the bridge revert any state changes made by that event?
+    revert_failed_state_changes: false
+    # In portals with no relay set, should Matrix users be kicked if they're
+    # not logged into an account that's in the remote chat?
+    kick_matrix_users: true
 
     # What should be done to portal rooms when a user logs out or is logged out?
     # Permitted values:
@@ -236,6 +244,9 @@ matrix:
     # The threshold as bytes after which the bridge should roundtrip uploads via the disk
     # rather than keeping the whole file in memory.
     upload_file_threshold: 5242880
+    # Should the bridge set additional custom profile info for ghosts?
+    # This can make a lot of requests, as there's no batch profile update endpoint.
+    ghost_extra_profile_info: false
 
 # Segment-compatible analytics endpoint for tracking some events, like provisioning API login and encryption errors.
 analytics:
@@ -275,6 +286,14 @@ public_media:
     expiry: 0
     # Length of hash to use for public media URLs. Must be between 0 and 32.
     hash_length: 32
+    # The path prefix for generated URLs. Note that this will NOT change the path where media is actually served.
+    # If you change this, you must configure your reverse proxy to rewrite the path accordingly.
+    path_prefix: /_mautrix/publicmedia
+    # Should the bridge store media metadata in the database in order to support encrypted media and generate shorter URLs?
+    # If false, the generated URLs will just have the MXC URI and a HMAC signature.
+    # The hash_length field will be used to decide the length of the generated URL.
+    # This also allows invalidating URLs by deleting the database entry.
+    use_database: false
 
 # Settings for converting remote media to custom mxc:// URIs instead of reuploading.
 # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
@@ -365,6 +384,8 @@ encryption:
     # Only relevant when using end-to-bridge encryption, required when using encryption with next-gen auth (MSC3861).
     # Changing this option requires updating the appservice registration file.
     msc4190: false
+    # Whether to encrypt reactions and reply metadata as per MSC4392.
+    msc4392: false
     # Should the bridge bot generate a recovery key and cross-signing keys and verify itself?
     # Note that without the latest version of MSC4190, this will fail if you reset the bridge database.
     # The generated recovery key will be saved in the kv_store table under `recovery_key`.
@@ -431,6 +452,16 @@ encryption:
         # You should not enable this option unless you understand all the implications.
         disable_device_change_key_rotation: false
 
+# Prefix for environment variables. All variables with this prefix must map to valid config fields.
+# Nesting in variable names is represented with a dot (.).
+# If there are no dots in the name, two underscores (__) are replaced with a dot.
+#
+# e.g. if the prefix is set to `BRIDGE_`, then `BRIDGE_APPSERVICE__AS_TOKEN` will set appservice.as_token.
+# `BRIDGE_appservice.as_token` would work as well, but can't be set in a shell as easily.
+#
+# If this is null, reading config fields from environment will be disabled.
+env_config_prefix: null
+
 # Logging config. See https://github.com/tulir/zeroconfig for details.
 logging:
     min_level: debug

bridgev2/matrix/mxmain/legacymigrate.go

@@ -135,7 +135,10 @@ func (br *BridgeMain) CheckLegacyDB(
 	}
 	var dbVersion int
 	err = br.DB.QueryRow(ctx, "SELECT version FROM version").Scan(&dbVersion)
-	if dbVersion < expectedVersion {
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to get database version")
+		return
+	} else if dbVersion < expectedVersion {
 		log.Fatal().
 			Int("expected_version", expectedVersion).
 			Int("version", dbVersion).

bridgev2/matrix/mxmain/main.go

@@ -354,6 +354,13 @@ func (br *BridgeMain) LoadConfig() {
 		}
 	}
 	cfg.Bridge.Backfill = cfg.Backfill
+	if cfg.EnvConfigPrefix != "" {
+		err = UpdateConfigFromEnv(&cfg, networkData, cfg.EnvConfigPrefix)
+		if err != nil {
+			_, _ = fmt.Fprintln(os.Stderr, "Failed to parse environment variables:", err)
+			os.Exit(10)
+		}
+	}
 	br.Config = &cfg
 }
 

bridgev2/matrix/provisioning.go

@@ -85,10 +85,9 @@ const (
 	provisioningUserKey provisioningContextKey = iota
 	provisioningUserLoginKey
 	provisioningLoginProcessKey
+	ProvisioningKeyRequest
 )
 
-const ProvisioningKeyRequest = "fi.mau.provision.request"
-
 func (prov *ProvisioningAPI) GetUser(r *http.Request) *bridgev2.User {
 	return r.Context().Value(provisioningUserKey).(*bridgev2.User)
 }
@@ -97,12 +96,7 @@ func (prov *ProvisioningAPI) GetRouter() *http.ServeMux {
 	return prov.Router
 }
 
-type IProvisioningAPI interface {
-	GetRouter() *http.ServeMux
-	GetUser(r *http.Request) *bridgev2.User
-}
-
-func (br *Connector) GetProvisioning() IProvisioningAPI {
+func (br *Connector) GetProvisioning() bridgev2.IProvisioningAPI {
 	return br.Provisioning
 }
 
@@ -330,7 +324,7 @@ func (prov *ProvisioningAPI) GetWhoami(w http.ResponseWriter, r *http.Request) {
 		prevState.UserID = ""
 		prevState.RemoteID = ""
 		prevState.RemoteName = ""
-		prevState.RemoteProfile = nil
+		prevState.RemoteProfile = status.RemoteProfile{}
 		resp.Logins[i] = RespWhoamiLogin{
 			StateEvent:  prevState.StateEvent,
 			StateTS:     prevState.Timestamp,
@@ -367,17 +361,19 @@ func (prov *ProvisioningAPI) GetCapabilities(w http.ResponseWriter, r *http.Requ
 }
 
 var ErrNilStep = errors.New("bridge returned nil step with no error")
+var ErrTooManyLogins = bridgev2.RespError{ErrCode: "FI.MAU.BRIDGE.TOO_MANY_LOGINS", Err: "Maximum number of logins exceeded"}
 
 func (prov *ProvisioningAPI) PostLoginStart(w http.ResponseWriter, r *http.Request) {
 	overrideLogin, failed := prov.GetExplicitLoginForRequest(w, r)
 	if failed {
 		return
 	}
-	login, err := prov.net.CreateLogin(
-		r.Context(),
-		prov.GetUser(r),
-		r.PathValue("flowID"),
-	)
+	user := prov.GetUser(r)
+	if overrideLogin == nil && user.HasTooManyLogins() {
+		ErrTooManyLogins.AppendMessage(" (%d)", user.Permissions.MaxLogins).Write(w)
+		return
+	}
+	login, err := prov.net.CreateLogin(r.Context(), user, r.PathValue("flowID"))
 	if err != nil {
 		zerolog.Ctx(r.Context()).Err(err).Msg("Failed to create login process")
 		RespondWithError(w, err, "Internal error creating login process")
@@ -407,10 +403,18 @@ func (prov *ProvisioningAPI) PostLoginStart(w http.ResponseWriter, r *http.Reque
 		Override: overrideLogin,
 	}
 	prov.loginsLock.Unlock()
+	zerolog.Ctx(r.Context()).Info().
+		Any("first_step", firstStep).
+		Msg("Created login process")
 	exhttp.WriteJSONResponse(w, http.StatusOK, &RespSubmitLogin{LoginID: loginID, LoginStep: firstStep})
 }
 
 func (prov *ProvisioningAPI) handleCompleteStep(ctx context.Context, login *ProvLogin, step *bridgev2.LoginStep) {
+	zerolog.Ctx(ctx).Info().
+		Str("step_id", step.StepID).
+		Str("user_login_id", string(step.CompleteParams.UserLoginID)).
+		Msg("Login completed successfully")
+	prov.deleteLogin(login, false)
 	if login.Override == nil || login.Override.ID == step.CompleteParams.UserLoginID {
 		return
 	}
@@ -424,6 +428,15 @@ func (prov *ProvisioningAPI) handleCompleteStep(ctx context.Context, login *Prov
 	}, bridgev2.DeleteOpts{LogoutRemote: true})
 }
 
+func (prov *ProvisioningAPI) deleteLogin(login *ProvLogin, cancel bool) {
+	if cancel {
+		login.Process.Cancel()
+	}
+	prov.loginsLock.Lock()
+	delete(prov.logins, login.ID)
+	prov.loginsLock.Unlock()
+}
+
 func (prov *ProvisioningAPI) PostLoginStep(w http.ResponseWriter, r *http.Request) {
 	loginID := r.PathValue("loginProcessID")
 	prov.loginsLock.RLock()
@@ -494,11 +507,14 @@ func (prov *ProvisioningAPI) PostLoginSubmitInput(w http.ResponseWriter, r *http
 	if err != nil {
 		zerolog.Ctx(r.Context()).Err(err).Msg("Failed to submit input")
 		RespondWithError(w, err, "Internal error submitting input")
+		prov.deleteLogin(login, true)
 		return
 	}
 	login.NextStep = nextStep
 	if nextStep.Type == bridgev2.LoginStepTypeComplete {
 		prov.handleCompleteStep(r.Context(), login, nextStep)
+	} else {
+		zerolog.Ctx(r.Context()).Debug().Any("next_step", nextStep).Msg("Returning next login step")
 	}
 	exhttp.WriteJSONResponse(w, http.StatusOK, &RespSubmitLogin{LoginID: login.ID, LoginStep: nextStep})
 }
@@ -512,11 +528,14 @@ func (prov *ProvisioningAPI) PostLoginWait(w http.ResponseWriter, r *http.Reques
 	if err != nil {
 		zerolog.Ctx(r.Context()).Err(err).Msg("Failed to wait")
 		RespondWithError(w, err, "Internal error waiting for login")
+		prov.deleteLogin(login, true)
 		return
 	}
 	login.NextStep = nextStep
 	if nextStep.Type == bridgev2.LoginStepTypeComplete {
 		prov.handleCompleteStep(r.Context(), login, nextStep)
+	} else {
+		zerolog.Ctx(r.Context()).Debug().Any("next_step", nextStep).Msg("Returning next login step")
 	}
 	exhttp.WriteJSONResponse(w, http.StatusOK, &RespSubmitLogin{LoginID: login.ID, LoginStep: nextStep})
 }

bridgev2/matrix/provisioning.yaml

@@ -714,7 +714,7 @@ components:
                     type:
                       type: string
                       description: The type of field.
-                      enum: [ username, phone_number, email, password, 2fa_code, token, url, domain ]
+                      enum: [ username, phone_number, email, password, 2fa_code, token, url, domain, select ]
                     id:
                       type: string
                       description: The internal ID of the field. This must be used as the key in the object when submitting the data back to the bridge.
@@ -728,10 +728,53 @@ components:
                       description: A more detailed description of the field shown to the user.
                       examples:
                       - Include the country code with a +
+                    default_value:
+                      type: string
+                      description: A default value that the client can pre-fill the field with.
                     pattern:
                       type: string
                       format: regex
                       description: A regular expression that the field value must match.
+                    options:
+                      type: array
+                      description: For fields of type select, the valid options.
+                      items:
+                        type: string
+              attachments:
+                type: array
+                description: A list of media attachments to show the user alongside the form fields.
+                items:
+                  type: object
+                  description: A media attachment to show the user.
+                  required: [ type, filename, content ]
+                  properties:
+                    type:
+                      type: string
+                      description: The type of media attachment, using the same media type identifiers as Matrix attachments. Only some are supported.
+                      enum: [ m.image, m.audio ]
+                    filename:
+                      type: string
+                      description: The filename for the media attachment.
+                    content:
+                      type: string
+                      description: The raw file content for the attachment encoded in base64.
+                    info:
+                      type: object
+                      description: Optional but recommended metadata for the attachment. Can generally be derived from the raw content if omitted.
+                      properties:
+                        mimetype:
+                          type: string
+                          description: The MIME type for the media content.
+                          examples: [ image/png, audio/mpeg ]
+                        w:
+                          type: number
+                          description: The width of the media in pixels. Only applicable for images and videos.
+                        h:
+                          type: number
+                          description: The height of the media in pixels. Only applicable for images and videos.
+                        size:
+                          type: number
+                          description: The size of the media content in number of bytes. Strongly recommended to include.
       - description: Cookie login step
         required: [ type, cookies ]
         properties:

bridgev2/matrix/publicmedia.go

@@ -7,16 +7,26 @@
 package matrix
 
 import (
+	"context"
 	"crypto/hmac"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/binary"
 	"fmt"
 	"io"
+	"mime"
 	"net/http"
+	"net/url"
+	"slices"
+	"strings"
 	"time"
 
+	"github.com/rs/zerolog"
+
 	"maunium.net/go/mautrix/bridgev2"
+	"maunium.net/go/mautrix/bridgev2/database"
+	"maunium.net/go/mautrix/crypto/attachment"
+	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -33,7 +43,10 @@ func (br *Connector) initPublicMedia() error {
 		return fmt.Errorf("public media hash length is negative")
 	}
 	br.pubMediaSigKey = []byte(br.Config.PublicMedia.SigningKey)
+	br.AS.Router.HandleFunc("GET /_mautrix/publicmedia/{customID}", br.serveDatabasePublicMedia)
+	br.AS.Router.HandleFunc("GET /_mautrix/publicmedia/{customID}/{filename}", br.serveDatabasePublicMedia)
 	br.AS.Router.HandleFunc("GET /_mautrix/publicmedia/{server}/{mediaID}/{checksum}", br.servePublicMedia)
+	br.AS.Router.HandleFunc("GET /_mautrix/publicmedia/{server}/{mediaID}/{checksum}/{filename}", br.servePublicMedia)
 	return nil
 }
 
@@ -44,6 +57,20 @@ func (br *Connector) hashContentURI(uri id.ContentURI, expiry []byte) []byte {
 	return hasher.Sum(expiry)[:br.Config.PublicMedia.HashLength+len(expiry)]
 }
 
+func (br *Connector) hashDBPublicMedia(pm *database.PublicMedia) []byte {
+	hasher := hmac.New(sha256.New, br.pubMediaSigKey)
+	hasher.Write([]byte(pm.MXC.String()))
+	hasher.Write([]byte(pm.MimeType))
+	if pm.Keys != nil {
+		hasher.Write([]byte(pm.Keys.Version))
+		hasher.Write([]byte(pm.Keys.Key.Algorithm))
+		hasher.Write([]byte(pm.Keys.Key.Key))
+		hasher.Write([]byte(pm.Keys.InitVector))
+		hasher.Write([]byte(pm.Keys.Hashes.SHA256))
+	}
+	return hasher.Sum(nil)[:br.Config.PublicMedia.HashLength]
+}
+
 func (br *Connector) makePublicMediaChecksum(uri id.ContentURI) []byte {
 	var expiresAt []byte
 	if br.Config.PublicMedia.Expiry > 0 {
@@ -93,9 +120,47 @@ func (br *Connector) servePublicMedia(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "checksum expired", http.StatusGone)
 		return
 	}
+	br.doProxyMedia(w, r, contentURI, nil, "")
+}
+
+func (br *Connector) serveDatabasePublicMedia(w http.ResponseWriter, r *http.Request) {
+	if !br.Config.PublicMedia.UseDatabase {
+		http.Error(w, "public media short links are disabled", http.StatusNotFound)
+		return
+	}
+	log := zerolog.Ctx(r.Context())
+	media, err := br.Bridge.DB.PublicMedia.Get(r.Context(), r.PathValue("customID"))
+	if err != nil {
+		log.Err(err).Msg("Failed to get public media from database")
+		http.Error(w, "failed to get media metadata", http.StatusInternalServerError)
+		return
+	} else if media == nil {
+		http.Error(w, "media ID not found", http.StatusNotFound)
+		return
+	} else if !media.Expiry.IsZero() && media.Expiry.Before(time.Now()) {
+		// This is not gone as it can still be refreshed in the DB
+		http.Error(w, "media expired", http.StatusNotFound)
+		return
+	} else if media.Keys != nil && media.Keys.PrepareForDecryption() != nil {
+		http.Error(w, "media keys are malformed", http.StatusInternalServerError)
+		return
+	}
+	br.doProxyMedia(w, r, media.MXC, media.Keys, media.MimeType)
+}
+
+var safeMimes = []string{
+	"text/css", "text/plain", "text/csv",
+	"application/json", "application/ld+json",
+	"image/jpeg", "image/gif", "image/png", "image/apng", "image/webp", "image/avif",
+	"video/mp4", "video/webm", "video/ogg", "video/quicktime",
+	"audio/mp4", "audio/webm", "audio/aac", "audio/mpeg", "audio/ogg", "audio/wave",
+	"audio/wav", "audio/x-wav", "audio/x-pn-wav", "audio/flac", "audio/x-flac",
+}
+
+func (br *Connector) doProxyMedia(w http.ResponseWriter, r *http.Request, contentURI id.ContentURI, encInfo *attachment.EncryptedFile, mimeType string) {
 	resp, err := br.Bot.Download(r.Context(), contentURI)
 	if err != nil {
-		br.Log.Warn().Stringer("uri", contentURI).Err(err).Msg("Failed to download media to proxy")
+		zerolog.Ctx(r.Context()).Warn().Stringer("uri", contentURI).Err(err).Msg("Failed to download media to proxy")
 		http.Error(w, "failed to download media", http.StatusInternalServerError)
 		return
 	}
@@ -103,11 +168,41 @@ func (br *Connector) servePublicMedia(w http.ResponseWriter, r *http.Request) {
 	for _, hdr := range proxyHeadersToCopy {
 		w.Header()[hdr] = resp.Header[hdr]
 	}
+	stream := resp.Body
+	if encInfo != nil {
+		if mimeType == "" {
+			mimeType = "application/octet-stream"
+		}
+		contentDisposition := "attachment"
+		if slices.Contains(safeMimes, mimeType) {
+			contentDisposition = "inline"
+		}
+		dispositionArgs := map[string]string{}
+		if filename := r.PathValue("filename"); filename != "" {
+			dispositionArgs["filename"] = filename
+		}
+		w.Header().Set("Content-Type", mimeType)
+		w.Header().Set("Content-Disposition", mime.FormatMediaType(contentDisposition, dispositionArgs))
+		// Note: this won't check the Close result like it should, but it's probably not a big deal here
+		stream = encInfo.DecryptStream(stream)
+	} else if filename := r.PathValue("filename"); filename != "" {
+		contentDisposition, _, _ := mime.ParseMediaType(resp.Header.Get("Content-Disposition"))
+		if contentDisposition == "" {
+			contentDisposition = "attachment"
+		}
+		w.Header().Set("Content-Disposition", mime.FormatMediaType(contentDisposition, map[string]string{
+			"filename": filename,
+		}))
+	}
 	w.WriteHeader(http.StatusOK)
-	_, _ = io.Copy(w, resp.Body)
+	_, _ = io.Copy(w, stream)
 }
 
 func (br *Connector) GetPublicMediaAddress(contentURI id.ContentURIString) string {
+	return br.getPublicMediaAddressWithFileName(contentURI, "")
+}
+
+func (br *Connector) getPublicMediaAddressWithFileName(contentURI id.ContentURIString, fileName string) string {
 	if br.pubMediaSigKey == nil {
 		return ""
 	}
@@ -115,11 +210,69 @@ func (br *Connector) GetPublicMediaAddress(contentURI id.ContentURIString) strin
 	if err != nil || !parsed.IsValid() {
 		return ""
 	}
-	return fmt.Sprintf(
-		"%s/_mautrix/publicmedia/%s/%s/%s",
+	fileName = url.PathEscape(strings.ReplaceAll(fileName, "/", "_"))
+	if fileName == ".." {
+		fileName = ""
+	}
+	parts := []string{
 		br.GetPublicAddress(),
+		strings.Trim(br.Config.PublicMedia.PathPrefix, "/"),
 		parsed.Homeserver,
 		parsed.FileID,
 		base64.RawURLEncoding.EncodeToString(br.makePublicMediaChecksum(parsed)),
-	)
+		fileName,
+	}
+	if fileName == "" {
+		parts = parts[:len(parts)-1]
+	}
+	return strings.Join(parts, "/")
+}
+
+func (br *Connector) GetPublicMediaAddressForEvent(ctx context.Context, evt *event.MessageEventContent) (string, error) {
+	if br.pubMediaSigKey == nil {
+		return "", bridgev2.ErrPublicMediaDisabled
+	}
+	if !br.Config.PublicMedia.UseDatabase {
+		if evt.File != nil {
+			return "", fmt.Errorf("can't generate address for encrypted file: %w", bridgev2.ErrPublicMediaDatabaseDisabled)
+		}
+		return br.getPublicMediaAddressWithFileName(evt.URL, evt.GetFileName()), nil
+	}
+	mxc := evt.URL
+	var keys *attachment.EncryptedFile
+	if evt.File != nil {
+		mxc = evt.File.URL
+		keys = &evt.File.EncryptedFile
+	}
+	parsedMXC, err := mxc.Parse()
+	if err != nil {
+		return "", fmt.Errorf("%w: failed to parse MXC: %w", bridgev2.ErrPublicMediaGenerateFailed, err)
+	}
+	pm := &database.PublicMedia{
+		MXC:      parsedMXC,
+		Keys:     keys,
+		MimeType: evt.GetInfo().MimeType,
+	}
+	if br.Config.PublicMedia.Expiry > 0 {
+		pm.Expiry = time.Now().Add(time.Duration(br.Config.PublicMedia.Expiry) * time.Second)
+	}
+	pm.PublicID = base64.RawURLEncoding.EncodeToString(br.hashDBPublicMedia(pm))
+	err = br.Bridge.DB.PublicMedia.Put(ctx, pm)
+	if err != nil {
+		return "", fmt.Errorf("%w: failed to store public media in database: %w", bridgev2.ErrPublicMediaGenerateFailed, err)
+	}
+	fileName := url.PathEscape(strings.ReplaceAll(evt.GetFileName(), "/", "_"))
+	if fileName == ".." {
+		fileName = ""
+	}
+	parts := []string{
+		br.GetPublicAddress(),
+		strings.Trim(br.Config.PublicMedia.PathPrefix, "/"),
+		pm.PublicID,
+		fileName,
+	}
+	if fileName == "" {
+		parts = parts[:len(parts)-1]
+	}
+	return strings.Join(parts, "/"), nil
 }

bridgev2/matrixinterface.go

@@ -14,6 +14,8 @@ import (
 	"os"
 	"time"
 
+	"go.mau.fi/util/exhttp"
+
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/bridgev2/database"
 	"maunium.net/go/mautrix/bridgev2/networkid"
@@ -23,8 +25,10 @@ import (
 )
 
 type MatrixCapabilities struct {
-	AutoJoinInvites bool
-	BatchSending    bool
+	AutoJoinInvites       bool
+	BatchSending          bool
+	ArbitraryMemberChange bool
+	ExtraProfileMeta      bool
 }
 
 type MatrixConnector interface {
@@ -58,35 +62,54 @@ type MatrixConnector interface {
 }
 
 type MatrixConnectorWithArbitraryRoomState interface {
+	MatrixConnector
 	GetStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string) (*event.Event, error)
 }
 
 type MatrixConnectorWithServer interface {
+	MatrixConnector
 	GetPublicAddress() string
 	GetRouter() *http.ServeMux
 }
 
+type IProvisioningAPI interface {
+	GetRouter() *http.ServeMux
+	GetUser(r *http.Request) *User
+}
+
+type MatrixConnectorWithProvisioning interface {
+	MatrixConnector
+	GetProvisioning() IProvisioningAPI
+}
+
 type MatrixConnectorWithPublicMedia interface {
+	MatrixConnector
 	GetPublicMediaAddress(contentURI id.ContentURIString) string
+	GetPublicMediaAddressForEvent(ctx context.Context, evt *event.MessageEventContent) (string, error)
 }
 
 type MatrixConnectorWithNameDisambiguation interface {
+	MatrixConnector
 	IsConfusableName(ctx context.Context, roomID id.RoomID, userID id.UserID, name string) ([]id.UserID, error)
 }
 
 type MatrixConnectorWithBridgeIdentifier interface {
+	MatrixConnector
 	GetUniqueBridgeID() string
 }
 
 type MatrixConnectorWithURLPreviews interface {
+	MatrixConnector
 	GetURLPreview(ctx context.Context, url string) (*event.LinkPreview, error)
 }
 
 type MatrixConnectorWithPostRoomBridgeHandling interface {
+	MatrixConnector
 	HandleNewlyBridgedRoom(ctx context.Context, roomID id.RoomID) error
 }
 
 type MatrixConnectorWithAnalytics interface {
+	MatrixConnector
 	TrackAnalytics(userID id.UserID, event string, properties map[string]any)
 }
 
@@ -101,9 +124,15 @@ type DirectNotificationData struct {
 }
 
 type MatrixConnectorWithNotifications interface {
+	MatrixConnector
 	DisplayNotification(ctx context.Context, data *DirectNotificationData)
 }
 
+type MatrixConnectorWithHTTPSettings interface {
+	MatrixConnector
+	GetHTTPClientSettings() exhttp.ClientSettings
+}
+
 type MatrixSendExtra struct {
 	Timestamp    time.Time
 	MessageMeta  *database.Message
@@ -181,9 +210,16 @@ type MatrixAPI interface {
 }
 
 type StreamOrderReadingMatrixAPI interface {
+	MatrixAPI
 	MarkStreamOrderRead(ctx context.Context, roomID id.RoomID, streamOrder int64, ts time.Time) error
 }
 
 type MarkAsDMMatrixAPI interface {
+	MatrixAPI
 	MarkAsDM(ctx context.Context, roomID id.RoomID, otherUser id.UserID) error
 }
+
+type EphemeralSendingMatrixAPI interface {
+	MatrixAPI
+	BeeperSendEphemeralEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, content *event.Content, txnID string) (*mautrix.RespSendEvent, error)
+}

bridgev2/matrixinvite.go

@@ -88,6 +88,36 @@ func sendErrorAndLeave(ctx context.Context, evt *event.Event, intent MatrixAPI,
 	rejectInvite(ctx, evt, intent, "")
 }
 
+func (portal *Portal) CleanupOrphanedDM(ctx context.Context, userMXID id.UserID) {
+	if portal.MXID == "" {
+		return
+	}
+	log := zerolog.Ctx(ctx)
+	existingPortalMembers, err := portal.Bridge.Matrix.GetMembers(ctx, portal.MXID)
+	if err != nil {
+		log.Err(err).
+			Stringer("old_portal_mxid", portal.MXID).
+			Msg("Failed to check existing portal members, deleting room")
+	} else if targetUserMember, ok := existingPortalMembers[userMXID]; !ok {
+		log.Debug().
+			Stringer("old_portal_mxid", portal.MXID).
+			Msg("Inviter has no member event in old portal, deleting room")
+	} else if targetUserMember.Membership.IsInviteOrJoin() {
+		return
+	} else {
+		log.Debug().
+			Stringer("old_portal_mxid", portal.MXID).
+			Str("membership", string(targetUserMember.Membership)).
+			Msg("Inviter is not in old portal, deleting room")
+	}
+
+	if err = portal.RemoveMXID(ctx); err != nil {
+		log.Err(err).Msg("Failed to delete old portal mxid")
+	} else if err = portal.Bridge.Bot.DeleteRoom(ctx, portal.MXID, true); err != nil {
+		log.Err(err).Msg("Failed to clean up old portal room")
+	}
+}
+
 func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sender *User) EventHandlingResult {
 	ghostID, _ := br.Matrix.ParseGhostMXID(id.UserID(evt.GetStateKey()))
 	validator, ok := br.Network.(IdentifierValidatingNetwork)
@@ -165,34 +195,7 @@ func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sen
 			return EventHandlingResultFailed
 		}
 	}
-	if portal.MXID != "" {
-		doCleanup := true
-		existingPortalMembers, err := br.Matrix.GetMembers(ctx, portal.MXID)
-		if err != nil {
-			log.Err(err).
-				Stringer("old_portal_mxid", portal.MXID).
-				Msg("Failed to check existing portal members, deleting room")
-		} else if targetUserMember, ok := existingPortalMembers[sender.MXID]; !ok {
-			log.Debug().
-				Stringer("old_portal_mxid", portal.MXID).
-				Msg("Inviter has no member event in old portal, deleting room")
-		} else if targetUserMember.Membership.IsInviteOrJoin() {
-			doCleanup = false
-		} else {
-			log.Debug().
-				Stringer("old_portal_mxid", portal.MXID).
-				Str("membership", string(targetUserMember.Membership)).
-				Msg("Inviter is not in old portal, deleting room")
-		}
-
-		if doCleanup {
-			if err = portal.RemoveMXID(ctx); err != nil {
-				log.Err(err).Msg("Failed to delete old portal mxid")
-			} else if err = br.Bot.DeleteRoom(ctx, portal.MXID, true); err != nil {
-				log.Err(err).Msg("Failed to clean up old portal room")
-			}
-		}
-	}
+	portal.CleanupOrphanedDM(ctx, sender.MXID)
 	err = invitedGhost.Intent.EnsureInvited(ctx, evt.RoomID, br.Bot.GetMXID())
 	if err != nil {
 		log.Err(err).Msg("Failed to ensure bot is invited to room")
@@ -221,11 +224,12 @@ func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sen
 		rejectInvite(ctx, evt, br.Bot, "")
 		return EventHandlingResultSuccess
 	}
+	overrideIntent := invitedGhost.Intent
 	if resp.DMRedirectedTo != "" && resp.DMRedirectedTo != invitedGhost.ID {
 		log.Debug().
 			Str("dm_redirected_to_id", string(resp.DMRedirectedTo)).
 			Msg("Created DM was redirected to another user ID")
-		_, err = invitedGhost.Intent.SendState(ctx, portal.MXID, event.StateMember, invitedGhost.Intent.GetMXID().String(), &event.Content{
+		_, err = invitedGhost.Intent.SendState(ctx, evt.RoomID, event.StateMember, invitedGhost.Intent.GetMXID().String(), &event.Content{
 			Parsed: &event.MemberEventContent{
 				Membership: event.MembershipLeave,
 				Reason:     "Direct chat redirected to another internal user ID",
@@ -234,11 +238,13 @@ func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sen
 		if err != nil {
 			log.Err(err).Msg("Failed to make incorrect ghost leave new DM room")
 		}
-		otherUserGhost, err := br.GetGhostByID(ctx, resp.DMRedirectedTo)
-		if err != nil {
+		if resp.DMRedirectedTo == SpecialValueDMRedirectedToBot {
+			overrideIntent = br.Bot
+		} else if otherUserGhost, err := br.GetGhostByID(ctx, resp.DMRedirectedTo); err != nil {
 			log.Err(err).Msg("Failed to get ghost of real portal other user ID")
 		} else {
 			invitedGhost = otherUserGhost
+			overrideIntent = otherUserGhost.Intent
 		}
 	}
 	err = portal.UpdateMatrixRoomID(ctx, evt.RoomID, UpdateMatrixRoomIDParams{
@@ -251,7 +257,7 @@ func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sen
 	})
 	if err != nil {
 		log.Err(err).Msg("Failed to update Matrix room ID for new DM portal")
-		sendNotice(ctx, evt, invitedGhost.Intent, "Failed to finish configuring portal. The chat may or may not work")
+		sendNotice(ctx, evt, overrideIntent, "Failed to finish configuring portal. The chat may or may not work")
 		return EventHandlingResultSuccess
 	}
 	message := "Private chat portal created"
@@ -263,7 +269,7 @@ func (br *Bridge) handleGhostDMInvite(ctx context.Context, evt *event.Event, sen
 			message += fmt.Sprintf("\n\nWarning: %s", err.Error())
 		}
 	}
-	sendNotice(ctx, evt, invitedGhost.Intent, message)
+	sendNotice(ctx, evt, overrideIntent, message)
 	return EventHandlingResultSuccess
 }
 

bridgev2/messagestatus.go

@@ -20,6 +20,7 @@ import (
 
 type MessageStatusEventInfo struct {
 	RoomID        id.RoomID
+	TransactionID string
 	SourceEventID id.EventID
 	NewEventID    id.EventID
 	EventType     event.Type
@@ -41,6 +42,7 @@ func StatusEventInfoFromEvent(evt *event.Event) *MessageStatusEventInfo {
 
 	return &MessageStatusEventInfo{
 		RoomID:        evt.RoomID,
+		TransactionID: evt.Unsigned.TransactionID,
 		SourceEventID: evt.ID,
 		EventType:     evt.Type,
 		MessageType:   evt.Content.AsMessage().MsgType,
@@ -182,9 +184,10 @@ func (ms *MessageStatus) ToMSSEvent(evt *MessageStatusEventInfo) *event.BeeperMe
 			Type:    event.RelReference,
 			EventID: evt.SourceEventID,
 		},
-		Status:  ms.Status,
-		Reason:  ms.ErrorReason,
-		Message: ms.Message,
+		TargetTxnID: evt.TransactionID,
+		Status:      ms.Status,
+		Reason:      ms.ErrorReason,
+		Message:     ms.Message,
 	}
 	if ms.InternalError != nil {
 		content.InternalError = ms.InternalError.Error()

bridgev2/networkinterface.go

@@ -16,7 +16,9 @@ import (
 	"github.com/rs/zerolog"
 	"go.mau.fi/util/configupgrade"
 	"go.mau.fi/util/ptr"
+	"go.mau.fi/util/random"
 
+	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/bridgev2/database"
 	"maunium.net/go/mautrix/bridgev2/networkid"
 	"maunium.net/go/mautrix/event"
@@ -259,6 +261,7 @@ type NetworkConnector interface {
 }
 
 type StoppableNetwork interface {
+	NetworkConnector
 	// Stop is called when the bridge is stopping, after all network clients have been disconnected.
 	Stop()
 }
@@ -315,6 +318,16 @@ type MaxFileSizeingNetwork interface {
 	SetMaxFileSize(maxSize int64)
 }
 
+type NetworkResettingNetwork interface {
+	NetworkConnector
+	// ResetHTTPTransport should recreate the HTTP client used by the bridge.
+	// It should refetch settings from the Matrix connector using GetHTTPClientSettings if applicable.
+	ResetHTTPTransport()
+	// ResetNetworkConnections should forcefully disconnect and restart any persistent network connections.
+	// ResetHTTPTransport will usually be called before this, so resetting the transport is not necessary here.
+	ResetNetworkConnections()
+}
+
 type RemoteEchoHandler func(RemoteMessage, *database.Message) (bool, error)
 
 type MatrixMessageResponse struct {
@@ -705,6 +718,19 @@ type DeleteChatHandlingNetworkAPI interface {
 	HandleMatrixDeleteChat(ctx context.Context, msg *MatrixDeleteChat) error
 }
 
+// MessageRequestAcceptingNetworkAPI is an optional interface that network connectors
+// can implement to accept message requests from the remote network.
+type MessageRequestAcceptingNetworkAPI interface {
+	NetworkAPI
+	// HandleMatrixAcceptMessageRequest is called when the user accepts a message request.
+	HandleMatrixAcceptMessageRequest(ctx context.Context, msg *MatrixAcceptMessageRequest) error
+}
+
+type BeeperAIStreamHandlingNetworkAPI interface {
+	NetworkAPI
+	HandleMatrixBeeperAIStream(ctx context.Context, msg *MatrixBeeperAIStream) error
+}
+
 type ResolveIdentifierResponse struct {
 	// Ghost is the ghost of the user that the identifier resolves to.
 	// This field should be set whenever possible. However, it is not required,
@@ -724,6 +750,8 @@ type ResolveIdentifierResponse struct {
 	Chat *CreateChatResponse
 }
 
+var SpecialValueDMRedirectedToBot = networkid.UserID("__fi.mau.bridgev2.dm_redirected_to_bot::" + random.String(10))
+
 type CreateChatResponse struct {
 	PortalKey networkid.PortalKey
 	// Portal and PortalInfo are not required, the caller will fetch them automatically based on PortalKey if necessary.
@@ -732,6 +760,17 @@ type CreateChatResponse struct {
 	// If a start DM request (CreateChatWithGhost or ResolveIdentifier) returns the DM to a different user,
 	// this field should have the user ID of said different user.
 	DMRedirectedTo networkid.UserID
+
+	FailedParticipants map[networkid.UserID]*CreateChatFailedParticipant
+}
+
+type CreateChatFailedParticipant struct {
+	Reason          string         `json:"reason"`
+	InviteEventType string         `json:"invite_event_type,omitempty"`
+	InviteContent   *event.Content `json:"invite_content,omitempty"`
+
+	UserMXID   id.UserID `json:"user_mxid,omitempty"`
+	DMRoomMXID id.RoomID `json:"dm_room_mxid,omitempty"`
 }
 
 // IdentifierResolvingNetworkAPI is an optional interface that network connectors can implement to support starting new direct chats.
@@ -764,6 +803,16 @@ type UserSearchingNetworkAPI interface {
 	SearchUsers(ctx context.Context, query string) ([]*ResolveIdentifierResponse, error)
 }
 
+type GroupCreatingNetworkAPI interface {
+	IdentifierResolvingNetworkAPI
+	CreateGroup(ctx context.Context, params *GroupCreateParams) (*CreateChatResponse, error)
+}
+
+type PersonalFilteringCustomizingNetworkAPI interface {
+	NetworkAPI
+	CustomizePersonalFilteringSpace(req *mautrix.ReqCreateRoom)
+}
+
 type ProvisioningCapabilities struct {
 	ResolveIdentifier ResolveIdentifierCapabilities    `json:"resolve_identifier"`
 	GroupCreation     map[string]GroupTypeCapabilities `json:"group_creation"`
@@ -812,12 +861,17 @@ type GroupFieldCapability struct {
 
 	// Only for the disappear field: allowed disappearing settings
 	DisappearSettings *event.DisappearingTimerCapability `json:"settings,omitempty"`
+
+	// This can be used to tell provisionutil not to call ValidateUserID on each participant.
+	// It only meant to allow hacks where ResolveIdentifier returns a fake ID that isn't actually valid for MXIDs.
+	SkipIdentifierValidation bool `json:"-"`
 }
 
 type GroupCreateParams struct {
 	Type string `json:"type,omitempty"`
 
-	Username     string               `json:"username,omitempty"`
+	Username string `json:"username,omitempty"`
+	// Clients may also provide MXIDs here, but provisionutil will normalize them, so bridges only need to handle network IDs
 	Participants []networkid.UserID   `json:"participants,omitempty"`
 	Parent       *networkid.PortalKey `json:"parent,omitempty"`
 
@@ -830,11 +884,6 @@ type GroupCreateParams struct {
 	RoomID id.RoomID `json:"room_id,omitempty"`
 }
 
-type GroupCreatingNetworkAPI interface {
-	IdentifierResolvingNetworkAPI
-	CreateGroup(ctx context.Context, params *GroupCreateParams) (*CreateChatResponse, error)
-}
-
 type MembershipChangeType struct {
 	From   event.Membership
 	To     event.Membership
@@ -872,16 +921,15 @@ type MatrixMembershipChange struct {
 	MatrixRoomMeta[*event.MemberEventContent]
 	Target GhostOrUserLogin
 	Type   MembershipChangeType
+}
 
-	// Deprecated: Use Target instead
-	TargetGhost *Ghost
-	// Deprecated: Use Target instead
-	TargetUserLogin *UserLogin
+type MatrixMembershipResult struct {
+	RedirectTo networkid.UserID
 }
 
 type MembershipHandlingNetworkAPI interface {
 	NetworkAPI
-	HandleMatrixMembership(ctx context.Context, msg *MatrixMembershipChange) (bool, error)
+	HandleMatrixMembership(ctx context.Context, msg *MatrixMembershipChange) (*MatrixMembershipResult, error)
 }
 
 type SinglePowerLevelChange struct {
@@ -1067,6 +1115,11 @@ type RemoteEvent interface {
 	GetSender() EventSender
 }
 
+type RemoteEventWithContextMutation interface {
+	RemoteEvent
+	MutateContext(ctx context.Context) context.Context
+}
+
 type RemoteEventWithUncertainPortalReceiver interface {
 	RemoteEvent
 	PortalReceiverIsUncertain() bool
@@ -1120,6 +1173,11 @@ type RemoteChatDelete interface {
 	RemoteDeleteOnlyForMe
 }
 
+type RemoteChatDeleteWithChildren interface {
+	RemoteChatDelete
+	DeleteChildren() bool
+}
+
 type RemoteEventThatMayCreatePortal interface {
 	RemoteEvent
 	ShouldCreatePortal() bool
@@ -1352,7 +1410,8 @@ type MatrixMessageRemove struct {
 
 type MatrixRoomMeta[ContentType any] struct {
 	MatrixEventBase[ContentType]
-	PrevContent ContentType
+	PrevContent    ContentType
+	IsStateRequest bool
 }
 
 type MatrixRoomName = MatrixRoomMeta[*event.RoomNameEventContent]
@@ -1389,6 +1448,8 @@ type MatrixViewingChat struct {
 }
 
 type MatrixDeleteChat = MatrixEventBase[*event.BeeperChatDeleteEventContent]
+type MatrixAcceptMessageRequest = MatrixEventBase[*event.BeeperAcceptMessageRequestEventContent]
+type MatrixBeeperAIStream = MatrixEventBase[*event.BeeperAIStreamEventContent]
 type MatrixMarkedUnread = MatrixRoomMeta[*event.MarkedUnreadEventContent]
 type MatrixMute = MatrixRoomMeta[*event.BeeperMuteEventContent]
 type MatrixRoomTag = MatrixRoomMeta[*event.TagEventContent]

bridgev2/portalbackfill.go

@@ -194,6 +194,9 @@ func (portal *Portal) doThreadBackfill(ctx context.Context, source *UserLogin, t
 	if err != nil {
 		log.Err(err).Msg("Failed to get last thread message")
 		return
+	} else if anchorMessage == nil {
+		log.Warn().Msg("No messages found in thread?")
+		return
 	}
 	resp := portal.fetchThreadBackfill(ctx, source, anchorMessage)
 	if resp != nil {
@@ -387,12 +390,16 @@ func (portal *Portal) compileBatchMessage(ctx context.Context, source *UserLogin
 			out.Disappear = append(out.Disappear, &database.DisappearingMessage{
 				RoomID:              portal.MXID,
 				EventID:             evtID,
+				Timestamp:           msg.Timestamp,
 				DisappearingSetting: msg.Disappear,
 			})
 		}
 	}
 	slices.Sort(partIDs)
 	for _, reaction := range msg.Reactions {
+		if reaction == nil {
+			continue
+		}
 		reactionIntent, ok := portal.GetIntentFor(ctx, reaction.Sender, source, RemoteEventReactionRemove)
 		if !ok {
 			continue
@@ -403,6 +410,7 @@ func (portal *Portal) compileBatchMessage(ctx context.Context, source *UserLogin
 		if reaction.Timestamp.IsZero() {
 			reaction.Timestamp = msg.Timestamp.Add(10 * time.Millisecond)
 		}
+		//lint:ignore SA4006 it's a todo
 		targetPart, ok := partMap[*reaction.TargetPart]
 		if !ok {
 			// TODO warning log and/or skip reaction?

bridgev2/portalinternal.go

@@ -49,6 +49,10 @@ func (portal *PortalInternals) HandleSingleEvent(ctx context.Context, rawEvt any
 	(*Portal)(portal).handleSingleEvent(ctx, rawEvt, doneCallback)
 }
 
+func (portal *PortalInternals) UnwrapBeeperSendState(ctx context.Context, evt *event.Event) error {
+	return (*Portal)(portal).unwrapBeeperSendState(ctx, evt)
+}
+
 func (portal *PortalInternals) SendSuccessStatus(ctx context.Context, evt *event.Event, streamOrder int64, newEventID id.EventID) {
 	(*Portal)(portal).sendSuccessStatus(ctx, evt, streamOrder, newEventID)
 }
@@ -61,8 +65,8 @@ func (portal *PortalInternals) CheckConfusableName(ctx context.Context, userID i
 	return (*Portal)(portal).checkConfusableName(ctx, userID, name)
 }
 
-func (portal *PortalInternals) HandleMatrixEvent(ctx context.Context, sender *User, evt *event.Event) EventHandlingResult {
-	return (*Portal)(portal).handleMatrixEvent(ctx, sender, evt)
+func (portal *PortalInternals) HandleMatrixEvent(ctx context.Context, sender *User, evt *event.Event, isStateRequest bool) EventHandlingResult {
+	return (*Portal)(portal).handleMatrixEvent(ctx, sender, evt, isStateRequest)
 }
 
 func (portal *PortalInternals) HandleMatrixReceipts(ctx context.Context, evt *event.Event) EventHandlingResult {
@@ -125,12 +129,12 @@ func (portal *PortalInternals) HandleMatrixDeleteChat(ctx context.Context, sende
 	return (*Portal)(portal).handleMatrixDeleteChat(ctx, sender, origSender, evt)
 }
 
-func (portal *PortalInternals) HandleMatrixMembership(ctx context.Context, sender *UserLogin, origSender *OrigSender, evt *event.Event) EventHandlingResult {
-	return (*Portal)(portal).handleMatrixMembership(ctx, sender, origSender, evt)
+func (portal *PortalInternals) HandleMatrixMembership(ctx context.Context, sender *UserLogin, origSender *OrigSender, evt *event.Event, isStateRequest bool) EventHandlingResult {
+	return (*Portal)(portal).handleMatrixMembership(ctx, sender, origSender, evt, isStateRequest)
 }
 
-func (portal *PortalInternals) HandleMatrixPowerLevels(ctx context.Context, sender *UserLogin, origSender *OrigSender, evt *event.Event) EventHandlingResult {
-	return (*Portal)(portal).handleMatrixPowerLevels(ctx, sender, origSender, evt)
+func (portal *PortalInternals) HandleMatrixPowerLevels(ctx context.Context, sender *UserLogin, origSender *OrigSender, evt *event.Event, isStateRequest bool) EventHandlingResult {
+	return (*Portal)(portal).handleMatrixPowerLevels(ctx, sender, origSender, evt, isStateRequest)
 }
 
 func (portal *PortalInternals) HandleMatrixTombstone(ctx context.Context, evt *event.Event) EventHandlingResult {
@@ -289,8 +293,12 @@ func (portal *PortalInternals) SendStateWithIntentOrBot(ctx context.Context, sen
 	return (*Portal)(portal).sendStateWithIntentOrBot(ctx, sender, eventType, stateKey, content, ts)
 }
 
-func (portal *PortalInternals) SendRoomMeta(ctx context.Context, sender MatrixAPI, ts time.Time, eventType event.Type, stateKey string, content any, excludeFromTimeline bool) bool {
-	return (*Portal)(portal).sendRoomMeta(ctx, sender, ts, eventType, stateKey, content, excludeFromTimeline)
+func (portal *PortalInternals) SendRoomMeta(ctx context.Context, sender MatrixAPI, ts time.Time, eventType event.Type, stateKey string, content any, excludeFromTimeline bool, extra map[string]any) bool {
+	return (*Portal)(portal).sendRoomMeta(ctx, sender, ts, eventType, stateKey, content, excludeFromTimeline, extra)
+}
+
+func (portal *PortalInternals) RevertRoomMeta(ctx context.Context, evt *event.Event) {
+	(*Portal)(portal).revertRoomMeta(ctx, evt)
 }
 
 func (portal *PortalInternals) GetInitialMemberList(ctx context.Context, members *ChatMemberList, source *UserLogin, pl *event.PowerLevelsEventContent) (invite, functional []id.UserID, err error) {
@@ -301,6 +309,10 @@ func (portal *PortalInternals) UpdateOtherUser(ctx context.Context, members *Cha
 	return (*Portal)(portal).updateOtherUser(ctx, members)
 }
 
+func (portal *PortalInternals) RoomIsPublic(ctx context.Context) bool {
+	return (*Portal)(portal).roomIsPublic(ctx)
+}
+
 func (portal *PortalInternals) SyncParticipants(ctx context.Context, members *ChatMemberList, source *UserLogin, sender MatrixAPI, ts time.Time) error {
 	return (*Portal)(portal).syncParticipants(ctx, members, source, sender, ts)
 }

bridgev2/portalreid.go

@@ -32,21 +32,40 @@ func (br *Bridge) ReIDPortal(ctx context.Context, source, target networkid.Porta
 	if source == target {
 		return ReIDResultError, nil, fmt.Errorf("illegal re-ID call: source and target are the same")
 	}
-	log := zerolog.Ctx(ctx)
-	log.Debug().Msg("Re-ID'ing portal")
+	log := zerolog.Ctx(ctx).With().
+		Str("action", "re-id portal").
+		Stringer("source_portal_key", source).
+		Stringer("target_portal_key", target).
+		Logger()
+	ctx = log.WithContext(ctx)
 	defer func() {
 		log.Debug().Msg("Finished handling portal re-ID")
 	}()
-	br.cacheLock.Lock()
-	defer br.cacheLock.Unlock()
-	sourcePortal, err := br.UnlockedGetPortalByKey(ctx, source, true)
+	acquireCacheLock := func() {
+		if !br.cacheLock.TryLock() {
+			log.Debug().Msg("Waiting for global cache lock")
+			br.cacheLock.Lock()
+			log.Debug().Msg("Acquired global cache lock after waiting")
+		} else {
+			log.Trace().Msg("Acquired global cache lock without waiting")
+		}
+	}
+	log.Debug().Msg("Re-ID'ing portal")
+	sourcePortal, err := br.GetExistingPortalByKey(ctx, source)
 	if err != nil {
 		return ReIDResultError, nil, fmt.Errorf("failed to get source portal: %w", err)
 	} else if sourcePortal == nil {
 		log.Debug().Msg("Source portal not found, re-ID is no-op")
 		return ReIDResultNoOp, nil, nil
 	}
-	sourcePortal.roomCreateLock.Lock()
+	if !sourcePortal.roomCreateLock.TryLock() {
+		if cancelCreate := sourcePortal.cancelRoomCreate.Swap(nil); cancelCreate != nil {
+			(*cancelCreate)()
+		}
+		log.Debug().Msg("Waiting for source portal room creation lock")
+		sourcePortal.roomCreateLock.Lock()
+		log.Debug().Msg("Acquired source portal room creation lock after waiting")
+	}
 	defer sourcePortal.roomCreateLock.Unlock()
 	if sourcePortal.MXID == "" {
 		log.Info().Msg("Source portal doesn't have Matrix room, deleting row")
@@ -59,22 +78,37 @@ func (br *Bridge) ReIDPortal(ctx context.Context, source, target networkid.Porta
 	log.UpdateContext(func(c zerolog.Context) zerolog.Context {
 		return c.Stringer("source_portal_mxid", sourcePortal.MXID)
 	})
+
+	acquireCacheLock()
 	targetPortal, err := br.UnlockedGetPortalByKey(ctx, target, true)
 	if err != nil {
+		br.cacheLock.Unlock()
 		return ReIDResultError, nil, fmt.Errorf("failed to get target portal: %w", err)
 	}
 	if targetPortal == nil {
 		log.Info().Msg("Target portal doesn't exist, re-ID'ing source portal")
 		err = sourcePortal.unlockedReID(ctx, target)
+		br.cacheLock.Unlock()
 		if err != nil {
 			return ReIDResultError, nil, fmt.Errorf("failed to re-ID source portal: %w", err)
 		}
 		return ReIDResultSourceReIDd, sourcePortal, nil
 	}
-	targetPortal.roomCreateLock.Lock()
+	br.cacheLock.Unlock()
+
+	if !targetPortal.roomCreateLock.TryLock() {
+		if cancelCreate := targetPortal.cancelRoomCreate.Swap(nil); cancelCreate != nil {
+			(*cancelCreate)()
+		}
+		log.Debug().Msg("Waiting for target portal room creation lock")
+		targetPortal.roomCreateLock.Lock()
+		log.Debug().Msg("Acquired target portal room creation lock after waiting")
+	}
 	defer targetPortal.roomCreateLock.Unlock()
 	if targetPortal.MXID == "" {
 		log.Info().Msg("Target portal row exists, but doesn't have a Matrix room. Deleting target portal row and re-ID'ing source portal")
+		acquireCacheLock()
+		defer br.cacheLock.Unlock()
 		err = targetPortal.unlockedDelete(ctx)
 		if err != nil {
 			return ReIDResultError, nil, fmt.Errorf("failed to delete target portal: %w", err)
@@ -89,6 +123,9 @@ func (br *Bridge) ReIDPortal(ctx context.Context, source, target networkid.Porta
 			return c.Stringer("target_portal_mxid", targetPortal.MXID)
 		})
 		log.Info().Msg("Both target and source portals have Matrix rooms, tombstoning source portal")
+		sourcePortal.removeInPortalCache(ctx)
+		acquireCacheLock()
+		defer br.cacheLock.Unlock()
 		err = sourcePortal.unlockedDelete(ctx)
 		if err != nil {
 			return ReIDResultError, nil, fmt.Errorf("failed to delete source portal row: %w", err)
@@ -96,7 +133,7 @@ func (br *Bridge) ReIDPortal(ctx context.Context, source, target networkid.Porta
 		go func() {
 			_, err := br.Bot.SendState(ctx, sourcePortal.MXID, event.StateTombstone, "", &event.Content{
 				Parsed: &event.TombstoneEventContent{
-					Body:            fmt.Sprintf("This room has been merged"),
+					Body:            "This room has been merged",
 					ReplacementRoom: targetPortal.MXID,
 				},
 			}, time.Now())

bridgev2/provisionutil/creategroup.go

@@ -15,6 +15,7 @@ import (
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/bridgev2"
 	"maunium.net/go/mautrix/bridgev2/networkid"
+	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
 )
 
@@ -22,6 +23,8 @@ type RespCreateGroup struct {
 	ID     networkid.PortalID `json:"id"`
 	MXID   id.RoomID          `json:"mxid"`
 	Portal *bridgev2.Portal   `json:"-"`
+
+	FailedParticipants map[networkid.UserID]*bridgev2.CreateChatFailedParticipant `json:"failed_participants,omitempty"`
 }
 
 func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev2.GroupCreateParams) (*RespCreateGroup, error) {
@@ -29,6 +32,9 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 	if !ok {
 		return nil, bridgev2.RespError(mautrix.MUnrecognized.WithMessage("This bridge does not support creating groups"))
 	}
+	zerolog.Ctx(ctx).Debug().
+		Any("create_params", params).
+		Msg("Creating group chat on remote network")
 	caps := login.Bridge.Network.GetCapabilities()
 	typeSpec, validType := caps.Provisioning.GroupCreation[params.Type]
 	if !validType {
@@ -36,11 +42,20 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 	}
 	if len(params.Participants) < typeSpec.Participants.MinLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Must have at least %d members", typeSpec.Participants.MinLength))
+	} else if typeSpec.Participants.MaxLength > 0 && len(params.Participants) > typeSpec.Participants.MaxLength {
+		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Must have at most %d members", typeSpec.Participants.MaxLength))
 	}
 	userIDValidatingNetwork, uidValOK := login.Bridge.Network.(bridgev2.IdentifierValidatingNetwork)
-	for _, participant := range params.Participants {
-		if uidValOK && !userIDValidatingNetwork.ValidateUserID(participant) {
-			return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("User ID %q is not valid on this network", participant))
+	for i, participant := range params.Participants {
+		parsedParticipant, ok := login.Bridge.Matrix.ParseGhostMXID(id.UserID(participant))
+		if ok {
+			participant = parsedParticipant
+			params.Participants[i] = participant
+		}
+		if !typeSpec.Participants.SkipIdentifierValidation {
+			if uidValOK && !userIDValidatingNetwork.ValidateUserID(participant) {
+				return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("User ID %q is not valid on this network", participant))
+			}
 		}
 		if api.IsThisUser(ctx, participant) {
 			return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("You can't include yourself in the participants list", participant))
@@ -50,7 +65,7 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Name is required"))
 	} else if nameLen := len(ptr.Val(params.Name).Name); nameLen > 0 && nameLen < typeSpec.Name.MinLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Name must be at least %d characters", typeSpec.Name.MinLength))
-	} else if nameLen > typeSpec.Name.MaxLength {
+	} else if typeSpec.Name.MaxLength > 0 && nameLen > typeSpec.Name.MaxLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Name must be at most %d characters", typeSpec.Name.MaxLength))
 	}
 	if (params.Avatar == nil || params.Avatar.URL == "") && typeSpec.Avatar.Required {
@@ -60,7 +75,7 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Topic is required"))
 	} else if topicLen := len(ptr.Val(params.Topic).Topic); topicLen > 0 && topicLen < typeSpec.Topic.MinLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Topic must be at least %d characters", typeSpec.Topic.MinLength))
-	} else if topicLen > typeSpec.Topic.MaxLength {
+	} else if typeSpec.Topic.MaxLength > 0 && topicLen > typeSpec.Topic.MaxLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Topic must be at most %d characters", typeSpec.Topic.MaxLength))
 	}
 	if (params.Disappear == nil || params.Disappear.Timer.Duration == 0) && typeSpec.Disappear.Required {
@@ -72,7 +87,7 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Username is required"))
 	} else if len(params.Username) > 0 && len(params.Username) < typeSpec.Username.MinLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Username must be at least %d characters", typeSpec.Username.MinLength))
-	} else if len(params.Username) > typeSpec.Username.MaxLength {
+	} else if typeSpec.Username.MaxLength > 0 && len(params.Username) > typeSpec.Username.MaxLength {
 		return nil, bridgev2.RespError(mautrix.MInvalidParam.WithMessage("Username must be at most %d characters", typeSpec.Username.MaxLength))
 	}
 	if params.Parent == nil && typeSpec.Parent.Required {
@@ -86,6 +101,9 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 	if resp.PortalKey.IsEmpty() {
 		return nil, ErrNoPortalKey
 	}
+	zerolog.Ctx(ctx).Debug().
+		Object("portal_key", resp.PortalKey).
+		Msg("Successfully created group on remote network")
 	if resp.Portal == nil {
 		resp.Portal, err = login.Bridge.GetPortalByKey(ctx, resp.PortalKey)
 		if err != nil {
@@ -100,9 +118,32 @@ func CreateGroup(ctx context.Context, login *bridgev2.UserLogin, params *bridgev
 			return nil, bridgev2.RespError(mautrix.MUnknown.WithMessage("Failed to create portal room"))
 		}
 	}
+	for key, fp := range resp.FailedParticipants {
+		if fp.InviteEventType == "" {
+			fp.InviteEventType = event.EventMessage.Type
+		}
+		if fp.UserMXID == "" {
+			ghost, err := login.Bridge.GetGhostByID(ctx, key)
+			if err != nil {
+				zerolog.Ctx(ctx).Err(err).Msg("Failed to get ghost for failed participant")
+			} else if ghost != nil {
+				fp.UserMXID = ghost.Intent.GetMXID()
+			}
+		}
+		if fp.DMRoomMXID == "" {
+			portal, err := login.Bridge.GetDMPortal(ctx, login.ID, key)
+			if err != nil {
+				zerolog.Ctx(ctx).Err(err).Msg("Failed to get DM portal for failed participant")
+			} else if portal != nil {
+				fp.DMRoomMXID = portal.MXID
+			}
+		}
+	}
 	return &RespCreateGroup{
 		ID:     resp.Portal.ID,
 		MXID:   resp.Portal.MXID,
 		Portal: resp.Portal,
+
+		FailedParticipants: resp.FailedParticipants,
 	}, nil
 }

bridgev2/provisionutil/resolveidentifier.go

@@ -109,6 +109,7 @@ func ResolveIdentifier(
 				return nil, bridgev2.RespError(mautrix.MUnknown.WithMessage("Failed to get portal"))
 			}
 		}
+		resp.Chat.Portal.CleanupOrphanedDM(ctx, login.UserMXID)
 		if createChat && resp.Chat.Portal.MXID == "" {
 			apiResp.JustCreated = true
 			err := resp.Chat.Portal.CreateMatrixRoom(ctx, login, resp.Chat.PortalInfo)

bridgev2/queue.go

@@ -63,6 +63,13 @@ func (br *Bridge) rejectInviteOnNoPermission(ctx context.Context, evt *event.Eve
 	return true
 }
 
+var (
+	ErrEventSenderUserNotFound = WrapErrorInStatus(errors.New("sender not found for event")).WithIsCertain(true).WithErrorAsMessage()
+	ErrNoPermissionToInteract  = WrapErrorInStatus(errors.New("you don't have permission to send messages")).WithIsCertain(true).WithSendNotice(false).WithErrorAsMessage()
+	ErrNoPermissionForCommands = WrapErrorInStatus(WrapErrorInStatus(errors.New("you don't have permission to use commands")).WithIsCertain(true).WithSendNotice(false).WithErrorAsMessage())
+	ErrCantRelayStateRequest   = WrapErrorInStatus(errors.New("relayed users can't use beeper state requests")).WithIsCertain(true).WithErrorAsMessage()
+)
+
 func (br *Bridge) QueueMatrixEvent(ctx context.Context, evt *event.Event) EventHandlingResult {
 	// TODO maybe HandleMatrixEvent would be more appropriate as this also handles bot invites and commands
 
@@ -78,13 +85,11 @@ func (br *Bridge) QueueMatrixEvent(ctx context.Context, evt *event.Event) EventH
 			return EventHandlingResultFailed
 		} else if sender == nil {
 			log.Error().Msg("Couldn't get sender for incoming non-ephemeral Matrix event")
-			status := WrapErrorInStatus(errors.New("sender not found for event")).WithIsCertain(true).WithErrorAsMessage()
-			br.Matrix.SendMessageStatus(ctx, &status, StatusEventInfoFromEvent(evt))
+			br.Matrix.SendMessageStatus(ctx, &ErrEventSenderUserNotFound, StatusEventInfoFromEvent(evt))
 			return EventHandlingResultFailed
 		} else if !sender.Permissions.SendEvents {
 			if !br.rejectInviteOnNoPermission(ctx, evt, "interact with") {
-				status := WrapErrorInStatus(errors.New("you don't have permission to send messages")).WithIsCertain(true).WithSendNotice(false).WithErrorAsMessage()
-				br.Matrix.SendMessageStatus(ctx, &status, StatusEventInfoFromEvent(evt))
+				br.Matrix.SendMessageStatus(ctx, &ErrNoPermissionToInteract, StatusEventInfoFromEvent(evt))
 			}
 			return EventHandlingResultIgnored
 		} else if !sender.Permissions.Commands && br.rejectInviteOnNoPermission(ctx, evt, "send commands to") {
@@ -92,8 +97,7 @@ func (br *Bridge) QueueMatrixEvent(ctx context.Context, evt *event.Event) EventH
 		}
 	} else if evt.Type.Class != event.EphemeralEventType {
 		log.Error().Msg("Missing sender for incoming non-ephemeral Matrix event")
-		status := WrapErrorInStatus(errors.New("sender not found for event")).WithIsCertain(true).WithErrorAsMessage()
-		br.Matrix.SendMessageStatus(ctx, &status, StatusEventInfoFromEvent(evt))
+		br.Matrix.SendMessageStatus(ctx, &ErrEventSenderUserNotFound, StatusEventInfoFromEvent(evt))
 		return EventHandlingResultIgnored
 	}
 	if evt.Type == event.EventMessage && sender != nil {
@@ -102,8 +106,7 @@ func (br *Bridge) QueueMatrixEvent(ctx context.Context, evt *event.Event) EventH
 		msg.RemovePerMessageProfileFallback()
 		if strings.HasPrefix(msg.Body, br.Config.CommandPrefix) || evt.RoomID == sender.ManagementRoom {
 			if !sender.Permissions.Commands {
-				status := WrapErrorInStatus(errors.New("you don't have permission to use commands")).WithIsCertain(true).WithSendNotice(false).WithErrorAsMessage()
-				br.Matrix.SendMessageStatus(ctx, &status, StatusEventInfoFromEvent(evt))
+				br.Matrix.SendMessageStatus(ctx, &ErrNoPermissionForCommands, StatusEventInfoFromEvent(evt))
 				return EventHandlingResultIgnored
 			}
 			go br.Commands.Handle(
@@ -157,10 +160,27 @@ type EventHandlingResult struct {
 	Ignored bool
 	Queued  bool
 
+	SkipStateEcho bool
+
 	// Error is an optional reason for failure. It is not required, Success may be false even without a specific error.
 	Error error
 	// Whether the Error should be sent as a MSS event.
 	SendMSS bool
+
+	// EventID from the network
+	EventID id.EventID
+	// Stream order from the network
+	StreamOrder int64
+}
+
+func (ehr EventHandlingResult) WithEventID(id id.EventID) EventHandlingResult {
+	ehr.EventID = id
+	return ehr
+}
+
+func (ehr EventHandlingResult) WithStreamOrder(order int64) EventHandlingResult {
+	ehr.StreamOrder = order
+	return ehr
 }
 
 func (ehr EventHandlingResult) WithError(err error) EventHandlingResult {
@@ -177,6 +197,11 @@ func (ehr EventHandlingResult) WithMSS() EventHandlingResult {
 	return ehr
 }
 
+func (ehr EventHandlingResult) WithSkipStateEcho(skip bool) EventHandlingResult {
+	ehr.SkipStateEcho = skip
+	return ehr
+}
+
 func (ehr EventHandlingResult) WithMSSError(err error) EventHandlingResult {
 	if err == nil {
 		return ehr
@@ -195,7 +220,7 @@ func (ul *UserLogin) QueueRemoteEvent(evt RemoteEvent) EventHandlingResult {
 	return ul.Bridge.QueueRemoteEvent(ul, evt)
 }
 
-func (br *Bridge) QueueRemoteEvent(login *UserLogin, evt RemoteEvent) (res EventHandlingResult) {
+func (br *Bridge) QueueRemoteEvent(login *UserLogin, evt RemoteEvent) EventHandlingResult {
 	log := login.Log
 	ctx := log.WithContext(br.BackgroundCtx)
 	maybeUncertain, ok := evt.(RemoteEventWithUncertainPortalReceiver)
@@ -211,14 +236,14 @@ func (br *Bridge) QueueRemoteEvent(login *UserLogin, evt RemoteEvent) (res Event
 	if err != nil {
 		log.Err(err).Object("portal_key", key).Bool("uncertain_receiver", isUncertain).
 			Msg("Failed to get portal to handle remote event")
-		return
+		return EventHandlingResultFailed.WithError(fmt.Errorf("failed to get portal: %w", err))
 	} else if portal == nil {
 		log.Warn().
 			Stringer("event_type", evt.GetType()).
 			Object("portal_key", key).
 			Bool("uncertain_receiver", isUncertain).
 			Msg("Portal not found to handle remote event")
-		return
+		return EventHandlingResultFailed.WithError(ErrPortalNotFoundInEventHandler)
 	}
 	// TODO put this in a better place, and maybe cache to avoid constant db queries
 	login.MarkInPortal(ctx, portal)

bridgev2/simplevent/chat.go

@@ -65,14 +65,19 @@ func (evt *ChatResync) GetChatInfo(ctx context.Context, portal *bridgev2.Portal)
 type ChatDelete struct {
 	EventMeta
 	OnlyForMe bool
+	Children  bool
 }
 
-var _ bridgev2.RemoteChatDelete = (*ChatDelete)(nil)
+var _ bridgev2.RemoteChatDeleteWithChildren = (*ChatDelete)(nil)
 
 func (evt *ChatDelete) DeleteOnlyForMe() bool {
 	return evt.OnlyForMe
 }
 
+func (evt *ChatDelete) DeleteChildren() bool {
+	return evt.Children
+}
+
 // ChatInfoChange is a simple implementation of [bridgev2.RemoteChatInfoChange].
 type ChatInfoChange struct {
 	EventMeta

bridgev2/simplevent/meta.go

@@ -27,8 +27,9 @@ type EventMeta struct {
 	Timestamp         time.Time
 	StreamOrder       int64
 
-	PreHandleFunc  func(context.Context, *bridgev2.Portal)
-	PostHandleFunc func(context.Context, *bridgev2.Portal)
+	PreHandleFunc     func(context.Context, *bridgev2.Portal)
+	PostHandleFunc    func(context.Context, *bridgev2.Portal)
+	MutateContextFunc func(context.Context) context.Context
 }
 
 var (
@@ -39,6 +40,7 @@ var (
 	_ bridgev2.RemoteEventWithStreamOrder             = (*EventMeta)(nil)
 	_ bridgev2.RemotePreHandler                       = (*EventMeta)(nil)
 	_ bridgev2.RemotePostHandler                      = (*EventMeta)(nil)
+	_ bridgev2.RemoteEventWithContextMutation         = (*EventMeta)(nil)
 )
 
 func (evt *EventMeta) AddLogContext(c zerolog.Context) zerolog.Context {
@@ -91,6 +93,13 @@ func (evt *EventMeta) PostHandle(ctx context.Context, portal *bridgev2.Portal) {
 	}
 }
 
+func (evt *EventMeta) MutateContext(ctx context.Context) context.Context {
+	if evt.MutateContextFunc == nil {
+		return ctx
+	}
+	return evt.MutateContextFunc(ctx)
+}
+
 func (evt EventMeta) WithType(t bridgev2.RemoteEventType) EventMeta {
 	evt.Type = t
 	return evt
@@ -101,6 +110,18 @@ func (evt EventMeta) WithLogContext(f func(c zerolog.Context) zerolog.Context) E
 	return evt
 }
 
+func (evt EventMeta) WithMoreLogContext(f func(c zerolog.Context) zerolog.Context) EventMeta {
+	origFunc := evt.LogContext
+	if origFunc == nil {
+		evt.LogContext = f
+		return evt
+	}
+	evt.LogContext = func(c zerolog.Context) zerolog.Context {
+		return f(origFunc(c))
+	}
+	return evt
+}
+
 func (evt EventMeta) WithPortalKey(p networkid.PortalKey) EventMeta {
 	evt.PortalKey = p
 	return evt

bridgev2/space.go

@@ -164,14 +164,17 @@ func (ul *UserLogin) GetSpaceRoom(ctx context.Context) (id.RoomID, error) {
 				ul.UserMXID:             50,
 			},
 		},
-		RoomVersion: id.RoomV11,
-		Invite:      []id.UserID{ul.UserMXID},
+		Invite: []id.UserID{ul.UserMXID},
 	}
 	if autoJoin {
 		req.BeeperInitialMembers = []id.UserID{ul.UserMXID}
 		// TODO remove this after initial_members is supported in hungryserv
 		req.BeeperAutoJoinInvites = true
 	}
+	pfc, ok := ul.Client.(PersonalFilteringCustomizingNetworkAPI)
+	if ok {
+		pfc.CustomizePersonalFilteringSpace(req)
+	}
 	ul.SpaceRoom, err = ul.Bridge.Bot.CreateRoom(ctx, req)
 	if err != nil {
 		return "", fmt.Errorf("failed to create space room: %w", err)

bridgev2/status/bridgestate.go

@@ -19,7 +19,6 @@ import (
 
 	"github.com/tidwall/sjson"
 	"go.mau.fi/util/jsontime"
-	"go.mau.fi/util/ptr"
 
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/bridgev2/networkid"
@@ -112,7 +111,7 @@ func (rp *RemoteProfile) Merge(other RemoteProfile) RemoteProfile {
 	return other
 }
 
-func (rp *RemoteProfile) IsEmpty() bool {
+func (rp *RemoteProfile) IsZero() bool {
 	return rp == nil || (rp.Phone == "" && rp.Email == "" && rp.Username == "" && rp.Name == "" && rp.Avatar == "" && rp.AvatarFile == nil)
 }
 
@@ -130,7 +129,7 @@ type BridgeState struct {
 	UserID        id.UserID             `json:"user_id,omitempty"`
 	RemoteID      networkid.UserLoginID `json:"remote_id,omitempty"`
 	RemoteName    string                `json:"remote_name,omitempty"`
-	RemoteProfile *RemoteProfile        `json:"remote_profile,omitempty"`
+	RemoteProfile RemoteProfile         `json:"remote_profile,omitzero"`
 
 	Reason string                 `json:"reason,omitempty"`
 	Info   map[string]interface{} `json:"info,omitempty"`
@@ -210,7 +209,7 @@ func (pong *BridgeState) ShouldDeduplicate(newPong *BridgeState) bool {
 		pong.StateEvent == newPong.StateEvent &&
 		pong.RemoteName == newPong.RemoteName &&
 		pong.UserAction == newPong.UserAction &&
-		ptr.Val(pong.RemoteProfile) == ptr.Val(newPong.RemoteProfile) &&
+		pong.RemoteProfile == newPong.RemoteProfile &&
 		pong.Error == newPong.Error &&
 		maps.EqualFunc(pong.Info, newPong.Info, reflect.DeepEqual) &&
 		pong.Timestamp.Add(time.Duration(pong.TTL)*time.Second).After(time.Now())

bridgev2/user.go

@@ -176,6 +176,10 @@ func (user *User) GetUserLogins() []*UserLogin {
 	return maps.Values(user.logins)
 }
 
+func (user *User) HasTooManyLogins() bool {
+	return user.Permissions.MaxLogins > 0 && len(user.GetUserLoginIDs()) >= user.Permissions.MaxLogins
+}
+
 func (user *User) GetFormattedUserLogins() string {
 	user.Bridge.cacheLock.Lock()
 	logins := make([]string, len(user.logins))
@@ -225,9 +229,8 @@ func (user *User) GetManagementRoom(ctx context.Context) (id.RoomID, error) {
 				user.MXID:                 50,
 			},
 		},
-		RoomVersion: id.RoomV11,
-		Invite:      []id.UserID{user.MXID},
-		IsDirect:    true,
+		Invite:   []id.UserID{user.MXID},
+		IsDirect: true,
 	}
 	if autoJoin {
 		req.BeeperInitialMembers = []id.UserID{user.MXID}

bridgev2/userlogin.go

@@ -10,6 +10,7 @@ import (
 	"cmp"
 	"context"
 	"fmt"
+	"maps"
 	"slices"
 	"sync"
 	"time"
@@ -50,6 +51,8 @@ func (br *Bridge) loadUserLogin(ctx context.Context, user *User, dbUserLogin *da
 		if err != nil {
 			return nil, fmt.Errorf("failed to get user: %w", err)
 		}
+		// TODO if loading the user caused the provided userlogin to be loaded, cancel here?
+		//      Currently this will double-load it
 	}
 	userLogin := &UserLogin{
 		UserLogin: dbUserLogin,
@@ -140,6 +143,12 @@ func (br *Bridge) GetCachedUserLoginByID(id networkid.UserLoginID) *UserLogin {
 	return br.userLoginsByID[id]
 }
 
+func (br *Bridge) GetAllCachedUserLogins() (logins []*UserLogin) {
+	br.cacheLock.Lock()
+	defer br.cacheLock.Unlock()
+	return slices.Collect(maps.Values(br.userLoginsByID))
+}
+
 func (br *Bridge) GetCurrentBridgeStates() (states []status.BridgeState) {
 	br.cacheLock.Lock()
 	defer br.cacheLock.Unlock()
@@ -503,7 +512,7 @@ func (ul *UserLogin) FillBridgeState(state status.BridgeState) status.BridgeStat
 	state.UserID = ul.UserMXID
 	state.RemoteID = ul.ID
 	state.RemoteName = ul.RemoteName
-	state.RemoteProfile = &ul.RemoteProfile
+	state.RemoteProfile = ul.RemoteProfile
 	filler, ok := ul.Client.(status.BridgeStateFiller)
 	if ok {
 		return filler.FillBridgeState(state)

client.go

@@ -111,6 +111,8 @@ type Client struct {
 	// Set to true to disable automatically sleeping on 429 errors.
 	IgnoreRateLimit bool
 
+	ResponseSizeLimit int64
+
 	txnID int32
 
 	// Should the ?user_id= query parameter be set in requests?
@@ -143,6 +145,8 @@ func DiscoverClientAPI(ctx context.Context, serverName string) (*ClientWellKnown
 	return DiscoverClientAPIWithClient(ctx, &http.Client{Timeout: 30 * time.Second}, serverName)
 }
 
+const WellKnownMaxSize = 64 * 1024
+
 func DiscoverClientAPIWithClient(ctx context.Context, client *http.Client, serverName string) (*ClientWellKnown, error) {
 	wellKnownURL := url.URL{
 		Scheme: "https",
@@ -168,11 +172,15 @@ func DiscoverClientAPIWithClient(ctx context.Context, client *http.Client, serve
 
 	if resp.StatusCode == http.StatusNotFound {
 		return nil, nil
+	} else if resp.ContentLength > WellKnownMaxSize {
+		return nil, errors.New(".well-known response too large")
 	}
 
-	data, err := io.ReadAll(resp.Body)
+	data, err := io.ReadAll(io.LimitReader(resp.Body, WellKnownMaxSize))
 	if err != nil {
 		return nil, err
+	} else if len(data) >= WellKnownMaxSize {
+		return nil, errors.New(".well-known response too large")
 	}
 
 	var wellKnown ClientWellKnown
@@ -378,7 +386,14 @@ func (cli *Client) LogRequestDone(req *http.Request, resp *http.Response, err er
 		}
 	}
 	if body := req.Context().Value(LogBodyContextKey); body != nil {
-		evt.Interface("req_body", body)
+		switch typedLogBody := body.(type) {
+		case json.RawMessage:
+			evt.RawJSON("req_body", typedLogBody)
+		case string:
+			evt.Str("req_body", typedLogBody)
+		default:
+			panic(fmt.Errorf("invalid type for LogBodyContextKey: %T", body))
+		}
 	}
 	if errors.Is(err, context.Canceled) {
 		evt.Msg("Request canceled")
@@ -395,24 +410,25 @@ func (cli *Client) MakeRequest(ctx context.Context, method string, httpURL strin
 	return cli.MakeFullRequest(ctx, FullRequest{Method: method, URL: httpURL, RequestJSON: reqBody, ResponseJSON: resBody})
 }
 
-type ClientResponseHandler = func(req *http.Request, res *http.Response, responseJSON interface{}) ([]byte, error)
+type ClientResponseHandler = func(req *http.Request, res *http.Response, responseJSON any, sizeLimit int64) ([]byte, error)
 
 type FullRequest struct {
-	Method           string
-	URL              string
-	Headers          http.Header
-	RequestJSON      interface{}
-	RequestBytes     []byte
-	RequestBody      io.Reader
-	RequestLength    int64
-	ResponseJSON     interface{}
-	MaxAttempts      int
-	BackoffDuration  time.Duration
-	SensitiveContent bool
-	Handler          ClientResponseHandler
-	DontReadResponse bool
-	Logger           *zerolog.Logger
-	Client           *http.Client
+	Method            string
+	URL               string
+	Headers           http.Header
+	RequestJSON       interface{}
+	RequestBytes      []byte
+	RequestBody       io.Reader
+	RequestLength     int64
+	ResponseJSON      interface{}
+	MaxAttempts       int
+	BackoffDuration   time.Duration
+	SensitiveContent  bool
+	Handler           ClientResponseHandler
+	DontReadResponse  bool
+	ResponseSizeLimit int64
+	Logger            *zerolog.Logger
+	Client            *http.Client
 }
 
 var requestID int32
@@ -441,8 +457,10 @@ func (params *FullRequest) compileRequest(ctx context.Context) (*http.Request, e
 		}
 		if params.SensitiveContent && !logSensitiveContent {
 			logBody = "<sensitive content omitted>"
+		} else if len(jsonStr) > 32768 {
+			logBody = fmt.Sprintf("<large content omitted (%d bytes)>", len(jsonStr))
 		} else {
-			logBody = params.RequestJSON
+			logBody = json.RawMessage(jsonStr)
 		}
 		reqBody = bytes.NewReader(jsonStr)
 		reqLen = int64(len(jsonStr))
@@ -467,7 +485,7 @@ func (params *FullRequest) compileRequest(ctx context.Context) (*http.Request, e
 		}
 	} else if params.Method != http.MethodGet && params.Method != http.MethodHead {
 		params.RequestJSON = struct{}{}
-		logBody = params.RequestJSON
+		logBody = json.RawMessage("{}")
 		reqBody = bytes.NewReader([]byte("{}"))
 		reqLen = 2
 	}
@@ -537,10 +555,25 @@ func (cli *Client) MakeFullRequestWithResp(ctx context.Context, params FullReque
 	if len(cli.AccessToken) > 0 {
 		req.Header.Set("Authorization", "Bearer "+cli.AccessToken)
 	}
+	if params.ResponseSizeLimit == 0 {
+		params.ResponseSizeLimit = cli.ResponseSizeLimit
+	}
+	if params.ResponseSizeLimit == 0 {
+		params.ResponseSizeLimit = DefaultResponseSizeLimit
+	}
 	if params.Client == nil {
 		params.Client = cli.Client
 	}
-	return cli.executeCompiledRequest(req, params.MaxAttempts-1, params.BackoffDuration, params.ResponseJSON, params.Handler, params.DontReadResponse, params.Client)
+	return cli.executeCompiledRequest(
+		req,
+		params.MaxAttempts-1,
+		params.BackoffDuration,
+		params.ResponseJSON,
+		params.Handler,
+		params.DontReadResponse,
+		params.ResponseSizeLimit,
+		params.Client,
+	)
 }
 
 func (cli *Client) cliOrContextLog(ctx context.Context) *zerolog.Logger {
@@ -551,7 +584,17 @@ func (cli *Client) cliOrContextLog(ctx context.Context) *zerolog.Logger {
 	return log
 }
 
-func (cli *Client) doRetry(req *http.Request, cause error, retries int, backoff time.Duration, responseJSON any, handler ClientResponseHandler, dontReadResponse bool, client *http.Client) ([]byte, *http.Response, error) {
+func (cli *Client) doRetry(
+	req *http.Request,
+	cause error,
+	retries int,
+	backoff time.Duration,
+	responseJSON any,
+	handler ClientResponseHandler,
+	dontReadResponse bool,
+	sizeLimit int64,
+	client *http.Client,
+) ([]byte, *http.Response, error) {
 	log := zerolog.Ctx(req.Context())
 	if req.Body != nil {
 		var err error
@@ -580,16 +623,30 @@ func (cli *Client) doRetry(req *http.Request, cause error, retries int, backoff
 	select {
 	case <-time.After(backoff):
 	case <-req.Context().Done():
-		return nil, nil, req.Context().Err()
+		if !errors.Is(context.Cause(req.Context()), ErrContextCancelRetry) {
+			return nil, nil, req.Context().Err()
+		}
 	}
 	if cli.UpdateRequestOnRetry != nil {
 		req = cli.UpdateRequestOnRetry(req, cause)
 	}
-	return cli.executeCompiledRequest(req, retries-1, backoff*2, responseJSON, handler, dontReadResponse, client)
+	return cli.executeCompiledRequest(req, retries-1, backoff*2, responseJSON, handler, dontReadResponse, sizeLimit, client)
 }
 
-func readResponseBody(req *http.Request, res *http.Response) ([]byte, error) {
-	contents, err := io.ReadAll(res.Body)
+func readResponseBody(req *http.Request, res *http.Response, limit int64) ([]byte, error) {
+	if res.ContentLength > limit {
+		return nil, HTTPError{
+			Request:  req,
+			Response: res,
+
+			Message:      "not reading response",
+			WrappedError: fmt.Errorf("%w (%.2f MiB)", ErrResponseTooLong, float64(res.ContentLength)/1024/1024),
+		}
+	}
+	contents, err := io.ReadAll(io.LimitReader(res.Body, limit+1))
+	if err == nil && len(contents) > int(limit) {
+		err = ErrBodyReadReachedLimit
+	}
 	if err != nil {
 		return nil, HTTPError{
 			Request:  req,
@@ -610,17 +667,20 @@ func closeTemp(log *zerolog.Logger, file *os.File) {
 	}
 }
 
-func streamResponse(req *http.Request, res *http.Response, responseJSON interface{}) ([]byte, error) {
+func streamResponse(req *http.Request, res *http.Response, responseJSON any, limit int64) ([]byte, error) {
 	log := zerolog.Ctx(req.Context())
 	file, err := os.CreateTemp("", "mautrix-response-")
 	if err != nil {
 		log.Warn().Err(err).Msg("Failed to create temporary file for streaming response")
-		_, err = handleNormalResponse(req, res, responseJSON)
+		_, err = handleNormalResponse(req, res, responseJSON, limit)
 		return nil, err
 	}
 	defer closeTemp(log, file)
-	if _, err = io.Copy(file, res.Body); err != nil {
+	var n int64
+	if n, err = io.Copy(file, io.LimitReader(res.Body, limit+1)); err != nil {
 		return nil, fmt.Errorf("failed to copy response to file: %w", err)
+	} else if n > limit {
+		return nil, ErrBodyReadReachedLimit
 	} else if _, err = file.Seek(0, 0); err != nil {
 		return nil, fmt.Errorf("failed to seek to beginning of response file: %w", err)
 	} else if err = json.NewDecoder(file).Decode(responseJSON); err != nil {
@@ -630,12 +690,12 @@ func streamResponse(req *http.Request, res *http.Response, responseJSON interfac
 	}
 }
 
-func noopHandleResponse(req *http.Request, res *http.Response, responseJSON interface{}) ([]byte, error) {
+func noopHandleResponse(req *http.Request, res *http.Response, responseJSON any, limit int64) ([]byte, error) {
 	return nil, nil
 }
 
-func handleNormalResponse(req *http.Request, res *http.Response, responseJSON interface{}) ([]byte, error) {
-	if contents, err := readResponseBody(req, res); err != nil {
+func handleNormalResponse(req *http.Request, res *http.Response, responseJSON any, limit int64) ([]byte, error) {
+	if contents, err := readResponseBody(req, res, limit); err != nil {
 		return nil, err
 	} else if responseJSON == nil {
 		return contents, nil
@@ -653,8 +713,13 @@ func handleNormalResponse(req *http.Request, res *http.Response, responseJSON in
 	}
 }
 
+const ErrorResponseSizeLimit = 512 * 1024
+
+var DefaultResponseSizeLimit int64 = 512 * 1024 * 1024
+
 func ParseErrorResponse(req *http.Request, res *http.Response) ([]byte, error) {
-	contents, err := readResponseBody(req, res)
+	defer res.Body.Close()
+	contents, err := readResponseBody(req, res, ErrorResponseSizeLimit)
 	if err != nil {
 		return contents, err
 	}
@@ -673,17 +738,31 @@ func ParseErrorResponse(req *http.Request, res *http.Response) ([]byte, error) {
 	}
 }
 
-func (cli *Client) executeCompiledRequest(req *http.Request, retries int, backoff time.Duration, responseJSON any, handler ClientResponseHandler, dontReadResponse bool, client *http.Client) ([]byte, *http.Response, error) {
+func (cli *Client) executeCompiledRequest(
+	req *http.Request,
+	retries int,
+	backoff time.Duration,
+	responseJSON any,
+	handler ClientResponseHandler,
+	dontReadResponse bool,
+	sizeLimit int64,
+	client *http.Client,
+) ([]byte, *http.Response, error) {
 	cli.RequestStart(req)
 	startTime := time.Now()
 	res, err := client.Do(req)
-	duration := time.Now().Sub(startTime)
+	duration := time.Since(startTime)
 	if res != nil && !dontReadResponse {
 		defer res.Body.Close()
 	}
 	if err != nil {
-		if retries > 0 && !errors.Is(err, context.Canceled) {
-			return cli.doRetry(req, err, retries, backoff, responseJSON, handler, dontReadResponse, client)
+		// Either error is *not* canceled or the underlying cause of cancelation explicitly asks to retry
+		canRetry := !errors.Is(err, context.Canceled) ||
+			errors.Is(context.Cause(req.Context()), ErrContextCancelRetry)
+		if retries > 0 && canRetry {
+			return cli.doRetry(
+				req, err, retries, backoff, responseJSON, handler, dontReadResponse, sizeLimit, client,
+			)
 		}
 		err = HTTPError{
 			Request:  req,
@@ -698,7 +777,9 @@ func (cli *Client) executeCompiledRequest(req *http.Request, retries int, backof
 
 	if retries > 0 && retryafter.Should(res.StatusCode, !cli.IgnoreRateLimit) {
 		backoff = retryafter.Parse(res.Header.Get("Retry-After"), backoff)
-		return cli.doRetry(req, fmt.Errorf("HTTP %d", res.StatusCode), retries, backoff, responseJSON, handler, dontReadResponse, client)
+		return cli.doRetry(
+			req, fmt.Errorf("HTTP %d", res.StatusCode), retries, backoff, responseJSON, handler, dontReadResponse, sizeLimit, client,
+		)
 	}
 
 	var body []byte
@@ -706,7 +787,7 @@ func (cli *Client) executeCompiledRequest(req *http.Request, retries int, backof
 		body, err = ParseErrorResponse(req, res)
 		cli.LogRequestDone(req, res, nil, nil, len(body), duration)
 	} else {
-		body, err = handler(req, res, responseJSON)
+		body, err = handler(req, res, responseJSON, sizeLimit)
 		cli.LogRequestDone(req, res, nil, err, len(body), duration)
 	}
 	return body, res, err
@@ -790,7 +871,7 @@ func (cli *Client) FullSyncRequest(ctx context.Context, req ReqSync) (resp *Resp
 	}
 	start := time.Now()
 	_, err = cli.MakeFullRequest(ctx, fullReq)
-	duration := time.Now().Sub(start)
+	duration := time.Since(start)
 	timeout := time.Duration(req.Timeout) * time.Millisecond
 	buffer := 10 * time.Second
 	if req.Since == "" {
@@ -837,7 +918,7 @@ func (cli *Client) RegisterAvailable(ctx context.Context, username string) (resp
 	return
 }
 
-func (cli *Client) register(ctx context.Context, url string, req *ReqRegister) (resp *RespRegister, uiaResp *RespUserInteractive, err error) {
+func (cli *Client) register(ctx context.Context, url string, req *ReqRegister[any]) (resp *RespRegister, uiaResp *RespUserInteractive, err error) {
 	var bodyBytes []byte
 	bodyBytes, err = cli.MakeFullRequest(ctx, FullRequest{
 		Method:           http.MethodPost,
@@ -861,7 +942,7 @@ func (cli *Client) register(ctx context.Context, url string, req *ReqRegister) (
 // Register makes an HTTP request according to https://spec.matrix.org/v1.2/client-server-api/#post_matrixclientv3register
 //
 // Registers with kind=user. For kind=guest, see RegisterGuest.
-func (cli *Client) Register(ctx context.Context, req *ReqRegister) (*RespRegister, *RespUserInteractive, error) {
+func (cli *Client) Register(ctx context.Context, req *ReqRegister[any]) (*RespRegister, *RespUserInteractive, error) {
 	u := cli.BuildClientURL("v3", "register")
 	return cli.register(ctx, u, req)
 }
@@ -870,7 +951,7 @@ func (cli *Client) Register(ctx context.Context, req *ReqRegister) (*RespRegiste
 // with kind=guest.
 //
 // For kind=user, see Register.
-func (cli *Client) RegisterGuest(ctx context.Context, req *ReqRegister) (*RespRegister, *RespUserInteractive, error) {
+func (cli *Client) RegisterGuest(ctx context.Context, req *ReqRegister[any]) (*RespRegister, *RespUserInteractive, error) {
 	query := map[string]string{
 		"kind": "guest",
 	}
@@ -893,8 +974,8 @@ func (cli *Client) RegisterGuest(ctx context.Context, req *ReqRegister) (*RespRe
 //		panic(err)
 //	}
 //	token := res.AccessToken
-func (cli *Client) RegisterDummy(ctx context.Context, req *ReqRegister) (*RespRegister, error) {
-	res, uia, err := cli.Register(ctx, req)
+func (cli *Client) RegisterDummy(ctx context.Context, req *ReqRegister[any]) (*RespRegister, error) {
+	_, uia, err := cli.Register(ctx, req)
 	if err != nil && uia == nil {
 		return nil, err
 	} else if uia == nil {
@@ -903,7 +984,7 @@ func (cli *Client) RegisterDummy(ctx context.Context, req *ReqRegister) (*RespRe
 		return nil, errors.New("server does not support m.login.dummy")
 	}
 	req.Auth = BaseAuthData{Type: AuthTypeDummy, Session: uia.Session}
-	res, _, err = cli.Register(ctx, req)
+	res, _, err := cli.Register(ctx, req)
 	if err != nil {
 		return nil, err
 	}
@@ -1077,7 +1158,9 @@ func (cli *Client) SearchUserDirectory(ctx context.Context, query string, limit
 }
 
 func (cli *Client) GetMutualRooms(ctx context.Context, otherUserID id.UserID, extras ...ReqMutualRooms) (resp *RespMutualRooms, err error) {
-	if cli.SpecVersions != nil && !cli.SpecVersions.Supports(FeatureMutualRooms) {
+	supportsStable := cli.SpecVersions.Supports(FeatureStableMutualRooms)
+	supportsUnstable := cli.SpecVersions.Supports(FeatureUnstableMutualRooms)
+	if cli.SpecVersions != nil && !supportsUnstable && !supportsStable {
 		err = fmt.Errorf("server does not support fetching mutual rooms")
 		return
 	}
@@ -1087,7 +1170,10 @@ func (cli *Client) GetMutualRooms(ctx context.Context, otherUserID id.UserID, ex
 	if len(extras) > 0 {
 		query["from"] = extras[0].From
 	}
-	urlPath := cli.BuildURLWithQuery(ClientURLPath{"unstable", "uk.half-shot.msc2666", "user", "mutual_rooms"}, query)
+	urlPath := cli.BuildURLWithQuery(ClientURLPath{"v1", "mutual_rooms"}, query)
+	if !supportsStable && supportsUnstable {
+		urlPath = cli.BuildURLWithQuery(ClientURLPath{"unstable", "uk.half-shot.msc2666", "user", "mutual_rooms"}, query)
+	}
 	_, err = cli.MakeRequest(ctx, http.MethodGet, urlPath, nil, &resp)
 	return
 }
@@ -1252,6 +1338,9 @@ func (cli *Client) SendMessageEvent(ctx context.Context, roomID id.RoomID, event
 	if req.UnstableDelay > 0 {
 		queryParams["org.matrix.msc4140.delay"] = strconv.FormatInt(req.UnstableDelay.Milliseconds(), 10)
 	}
+	if req.UnstableStickyDuration > 0 {
+		queryParams["org.matrix.msc4354.sticky_duration_ms"] = strconv.FormatInt(req.UnstableStickyDuration.Milliseconds(), 10)
+	}
 
 	if !req.DontEncrypt && cli != nil && cli.Crypto != nil && eventType != event.EventReaction && eventType != event.EventEncrypted {
 		var isEncrypted bool
@@ -1275,9 +1364,51 @@ func (cli *Client) SendMessageEvent(ctx context.Context, roomID id.RoomID, event
 	return
 }
 
-// SendStateEvent sends a state event into a room. See https://spec.matrix.org/v1.2/client-server-api/#put_matrixclientv3roomsroomidstateeventtypestatekey
+// BeeperSendEphemeralEvent sends an ephemeral event into a room using Beeper's unstable endpoint.
+// contentJSON should be a value that can be encoded as JSON using json.Marshal.
+func (cli *Client) BeeperSendEphemeralEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, contentJSON any, extra ...ReqSendEvent) (resp *RespSendEvent, err error) {
+	var req ReqSendEvent
+	if len(extra) > 0 {
+		req = extra[0]
+	}
+
+	var txnID string
+	if len(req.TransactionID) > 0 {
+		txnID = req.TransactionID
+	} else {
+		txnID = cli.TxnID()
+	}
+
+	queryParams := map[string]string{}
+	if req.Timestamp > 0 {
+		queryParams["ts"] = strconv.FormatInt(req.Timestamp, 10)
+	}
+
+	if !req.DontEncrypt && cli != nil && cli.Crypto != nil && eventType != event.EventEncrypted {
+		var isEncrypted bool
+		isEncrypted, err = cli.StateStore.IsEncrypted(ctx, roomID)
+		if err != nil {
+			err = fmt.Errorf("failed to check if room is encrypted: %w", err)
+			return
+		}
+		if isEncrypted {
+			if contentJSON, err = cli.Crypto.Encrypt(ctx, roomID, eventType, contentJSON); err != nil {
+				err = fmt.Errorf("failed to encrypt event: %w", err)
+				return
+			}
+			eventType = event.EventEncrypted
+		}
+	}
+
+	urlData := ClientURLPath{"unstable", "com.beeper.ephemeral", "rooms", roomID, "ephemeral", eventType.String(), txnID}
+	urlPath := cli.BuildURLWithQuery(urlData, queryParams)
+	_, err = cli.MakeRequest(ctx, http.MethodPut, urlPath, contentJSON, &resp)
+	return
+}
+
+// SendStateEvent sends a state event into a room. See https://spec.matrix.org/v1.16/client-server-api/#put_matrixclientv3roomsroomidstateeventtypestatekey
 // contentJSON should be a pointer to something that can be encoded as JSON using json.Marshal.
-func (cli *Client) SendStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON interface{}, extra ...ReqSendEvent) (resp *RespSendEvent, err error) {
+func (cli *Client) SendStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON any, extra ...ReqSendEvent) (resp *RespSendEvent, err error) {
 	var req ReqSendEvent
 	if len(extra) > 0 {
 		req = extra[0]
@@ -1287,9 +1418,18 @@ func (cli *Client) SendStateEvent(ctx context.Context, roomID id.RoomID, eventTy
 	if req.MeowEventID != "" {
 		queryParams["fi.mau.event_id"] = req.MeowEventID.String()
 	}
+	if req.TransactionID != "" {
+		queryParams["fi.mau.transaction_id"] = req.TransactionID
+	}
 	if req.UnstableDelay > 0 {
 		queryParams["org.matrix.msc4140.delay"] = strconv.FormatInt(req.UnstableDelay.Milliseconds(), 10)
 	}
+	if req.UnstableStickyDuration > 0 {
+		queryParams["org.matrix.msc4354.sticky_duration_ms"] = strconv.FormatInt(req.UnstableStickyDuration.Milliseconds(), 10)
+	}
+	if req.Timestamp > 0 {
+		queryParams["ts"] = strconv.FormatInt(req.Timestamp, 10)
+	}
 
 	urlData := ClientURLPath{"v3", "rooms", roomID, "state", eventType.String(), stateKey}
 	urlPath := cli.BuildURLWithQuery(urlData, queryParams)
@@ -1302,14 +1442,12 @@ func (cli *Client) SendStateEvent(ctx context.Context, roomID id.RoomID, eventTy
 
 // SendMassagedStateEvent sends a state event into a room with a custom timestamp. See https://spec.matrix.org/v1.2/client-server-api/#put_matrixclientv3roomsroomidstateeventtypestatekey
 // contentJSON should be a pointer to something that can be encoded as JSON using json.Marshal.
+//
+// Deprecated: SendStateEvent accepts a timestamp via ReqSendEvent and should be used instead.
 func (cli *Client) SendMassagedStateEvent(ctx context.Context, roomID id.RoomID, eventType event.Type, stateKey string, contentJSON interface{}, ts int64) (resp *RespSendEvent, err error) {
-	urlPath := cli.BuildURLWithQuery(ClientURLPath{"v3", "rooms", roomID, "state", eventType.String(), stateKey}, map[string]string{
-		"ts": strconv.FormatInt(ts, 10),
+	resp, err = cli.SendStateEvent(ctx, roomID, eventType, stateKey, contentJSON, ReqSendEvent{
+		Timestamp: ts,
 	})
-	_, err = cli.MakeRequest(ctx, http.MethodPut, urlPath, contentJSON, &resp)
-	if err == nil && cli.StateStore != nil {
-		cli.updateStoreWithOutgoingEvent(ctx, roomID, eventType, stateKey, contentJSON)
-	}
 	return
 }
 
@@ -1628,11 +1766,20 @@ func (cli *Client) FullStateEvent(ctx context.Context, roomID id.RoomID, eventTy
 }
 
 // parseRoomStateArray parses a JSON array as a stream and stores the events inside it in a room state map.
-func parseRoomStateArray(_ *http.Request, res *http.Response, responseJSON interface{}) ([]byte, error) {
+func parseRoomStateArray(req *http.Request, res *http.Response, responseJSON any, limit int64) ([]byte, error) {
+	if res.ContentLength > limit {
+		return nil, HTTPError{
+			Request:  req,
+			Response: res,
+
+			Message:      "not reading response",
+			WrappedError: fmt.Errorf("%w (%.2f MiB)", ErrResponseTooLong, float64(res.ContentLength)/1024/1024),
+		}
+	}
 	response := make(RoomStateMap)
 	responsePtr := responseJSON.(*map[event.Type]map[string]*event.Event)
 	*responsePtr = response
-	dec := json.NewDecoder(res.Body)
+	dec := json.NewDecoder(io.LimitReader(res.Body, limit))
 
 	arrayStart, err := dec.Token()
 	if err != nil {
@@ -1666,6 +1813,8 @@ func parseRoomStateArray(_ *http.Request, res *http.Response, responseJSON inter
 	return nil, nil
 }
 
+type RoomStateMap = map[event.Type]map[string]*event.Event
+
 // State gets all state in a room.
 // See https://spec.matrix.org/v1.2/client-server-api/#get_matrixclientv3roomsroomidstate
 func (cli *Client) State(ctx context.Context, roomID id.RoomID) (stateMap RoomStateMap, err error) {
@@ -1748,6 +1897,9 @@ func (cli *Client) UploadLink(ctx context.Context, link string) (*RespMediaUploa
 }
 
 func (cli *Client) Download(ctx context.Context, mxcURL id.ContentURI) (*http.Response, error) {
+	if mxcURL.IsEmpty() {
+		return nil, fmt.Errorf("empty mxc uri provided to Download")
+	}
 	_, resp, err := cli.MakeFullRequestWithResp(ctx, FullRequest{
 		Method:           http.MethodGet,
 		URL:              cli.BuildClientURL("v1", "media", "download", mxcURL.Homeserver, mxcURL.FileID),
@@ -1762,6 +1914,9 @@ type DownloadThumbnailExtra struct {
 }
 
 func (cli *Client) DownloadThumbnail(ctx context.Context, mxcURL id.ContentURI, height, width int, extras ...DownloadThumbnailExtra) (*http.Response, error) {
+	if mxcURL.IsEmpty() {
+		return nil, fmt.Errorf("empty mxc uri provided to DownloadThumbnail")
+	}
 	if len(extras) > 1 {
 		panic(fmt.Errorf("invalid number of arguments to DownloadThumbnail: %d", len(extras)))
 	}
@@ -1834,10 +1989,15 @@ func (cli *Client) UploadAsync(ctx context.Context, req ReqUploadMedia) (*RespCr
 	}
 	req.MXC = resp.ContentURI
 	req.UnstableUploadURL = resp.UnstableUploadURL
+	if req.AsyncContext == nil {
+		req.AsyncContext = cli.cliOrContextLog(ctx).WithContext(context.Background())
+	}
 	go func() {
-		_, err = cli.UploadMedia(ctx, req)
+		_, err = cli.UploadMedia(req.AsyncContext, req)
 		if err != nil {
-			cli.Log.Error().Stringer("mxc", req.MXC).Err(err).Msg("Async upload of media failed")
+			zerolog.Ctx(req.AsyncContext).Err(err).
+				Stringer("mxc", req.MXC).
+				Msg("Async upload of media failed")
 		}
 	}()
 	return resp, nil
@@ -1873,6 +2033,7 @@ type ReqUploadMedia struct {
 	ContentType   string
 	FileName      string
 
+	AsyncContext context.Context
 	DoneCallback func()
 
 	// MXC specifies an existing MXC URI which doesn't have content yet to upload into.
@@ -1885,7 +2046,10 @@ type ReqUploadMedia struct {
 }
 
 func (cli *Client) tryUploadMediaToURL(ctx context.Context, url, contentType string, content io.Reader, contentLength int64) (*http.Response, error) {
-	cli.Log.Debug().Str("url", url).Msg("Uploading media to external URL")
+	cli.Log.Debug().
+		Str("url", url).
+		Int64("content_length", contentLength).
+		Msg("Uploading media to external URL")
 	req, err := http.NewRequestWithContext(ctx, http.MethodPut, url, content)
 	if err != nil {
 		return nil, err
@@ -1934,8 +2098,16 @@ func (cli *Client) uploadMediaToURL(ctx context.Context, data ReqUploadMedia) (*
 				Msg("Error uploading media to external URL, not retrying")
 			return nil, err
 		}
-		cli.Log.Warn().Str("url", data.UnstableUploadURL).Err(err).
+		backoff := time.Second * time.Duration(cli.DefaultHTTPRetries-retries)
+		cli.Log.Warn().Err(err).
+			Str("url", data.UnstableUploadURL).
+			Int("retry_in_seconds", int(backoff.Seconds())).
 			Msg("Error uploading media to external URL, retrying")
+		select {
+		case <-time.After(backoff):
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		}
 		retries--
 		_, err = readerSeeker.Seek(0, io.SeekStart)
 		if err != nil {
@@ -2515,13 +2687,13 @@ func (cli *Client) SetDeviceInfo(ctx context.Context, deviceID id.DeviceID, req
 	return err
 }
 
-func (cli *Client) DeleteDevice(ctx context.Context, deviceID id.DeviceID, req *ReqDeleteDevice) error {
+func (cli *Client) DeleteDevice(ctx context.Context, deviceID id.DeviceID, req *ReqDeleteDevice[any]) error {
 	urlPath := cli.BuildClientURL("v3", "devices", deviceID)
 	_, err := cli.MakeRequest(ctx, http.MethodDelete, urlPath, req, nil)
 	return err
 }
 
-func (cli *Client) DeleteDevices(ctx context.Context, req *ReqDeleteDevices) error {
+func (cli *Client) DeleteDevices(ctx context.Context, req *ReqDeleteDevices[any]) error {
 	urlPath := cli.BuildClientURL("v3", "delete_devices")
 	_, err := cli.MakeRequest(ctx, http.MethodPost, urlPath, req, nil)
 	return err
@@ -2532,7 +2704,7 @@ type UIACallback = func(*RespUserInteractive) interface{}
 // UploadCrossSigningKeys uploads the given cross-signing keys to the server.
 // Because the endpoint requires user-interactive authentication a callback must be provided that,
 // given the UI auth parameters, produces the required result (or nil to end the flow).
-func (cli *Client) UploadCrossSigningKeys(ctx context.Context, keys *UploadCrossSigningKeysReq, uiaCallback UIACallback) error {
+func (cli *Client) UploadCrossSigningKeys(ctx context.Context, keys *UploadCrossSigningKeysReq[any], uiaCallback UIACallback) error {
 	content, err := cli.MakeFullRequest(ctx, FullRequest{
 		Method:           http.MethodPost,
 		URL:              cli.BuildClientURL("v3", "keys", "device_signing", "upload"),
@@ -2614,30 +2786,60 @@ func (cli *Client) ReportRoom(ctx context.Context, roomID id.RoomID, reason stri
 	return err
 }
 
-// UnstableGetSuspendedStatus uses MSC4323 to check if a user is suspended.
-func (cli *Client) UnstableGetSuspendedStatus(ctx context.Context, userID id.UserID) (res *RespSuspended, err error) {
-	urlPath := cli.BuildClientURL("unstable", "uk.timedout.msc4323", "admin", "suspend", userID)
+// AdminWhoIs fetches session information belonging to a specific user. Typically requires being a server admin.
+//
+// https://spec.matrix.org/v1.15/client-server-api/#get_matrixclientv3adminwhoisuserid
+func (cli *Client) AdminWhoIs(ctx context.Context, userID id.UserID) (resp RespWhoIs, err error) {
+	urlPath := cli.BuildClientURL("v3", "admin", "whois", userID)
+	_, err = cli.MakeRequest(ctx, http.MethodGet, urlPath, nil, &resp)
+	return
+}
+
+func (cli *Client) makeMSC4323URL(action string, target id.UserID) string {
+	if cli.SpecVersions.Supports(FeatureUnstableAccountModeration) {
+		return cli.BuildClientURL("unstable", "uk.timedout.msc4323", "admin", action, target)
+	} else if cli.SpecVersions.Supports(FeatureStableAccountModeration) {
+		return cli.BuildClientURL("v1", "admin", action, target)
+	}
+	return ""
+}
+
+// GetSuspendedStatus uses MSC4323 to check if a user is suspended.
+func (cli *Client) GetSuspendedStatus(ctx context.Context, userID id.UserID) (res *RespSuspended, err error) {
+	urlPath := cli.makeMSC4323URL("suspend", userID)
+	if urlPath == "" {
+		return nil, MUnrecognized.WithMessage("Homeserver does not advertise MSC4323 support")
+	}
 	_, err = cli.MakeRequest(ctx, http.MethodGet, urlPath, nil, res)
 	return
 }
 
-// UnstableGetLockStatus uses MSC4323 to check if a user is locked.
-func (cli *Client) UnstableGetLockStatus(ctx context.Context, userID id.UserID) (res *RespLocked, err error) {
-	urlPath := cli.BuildClientURL("unstable", "uk.timedout.msc4323", "admin", "lock", userID)
+// GetLockStatus uses MSC4323 to check if a user is locked.
+func (cli *Client) GetLockStatus(ctx context.Context, userID id.UserID) (res *RespLocked, err error) {
+	urlPath := cli.makeMSC4323URL("lock", userID)
+	if urlPath == "" {
+		return nil, MUnrecognized.WithMessage("Homeserver does not advertise MSC4323 support")
+	}
 	_, err = cli.MakeRequest(ctx, http.MethodGet, urlPath, nil, res)
 	return
 }
 
-// UnstableSetSuspendedStatus uses MSC4323 to set whether a user account is suspended.
-func (cli *Client) UnstableSetSuspendedStatus(ctx context.Context, userID id.UserID, suspended bool) (res *RespSuspended, err error) {
-	urlPath := cli.BuildClientURL("unstable", "uk.timedout.msc4323", "admin", "suspend", userID)
+// SetSuspendedStatus uses MSC4323 to set whether a user account is suspended.
+func (cli *Client) SetSuspendedStatus(ctx context.Context, userID id.UserID, suspended bool) (res *RespSuspended, err error) {
+	urlPath := cli.makeMSC4323URL("suspend", userID)
+	if urlPath == "" {
+		return nil, MUnrecognized.WithMessage("Homeserver does not advertise MSC4323 support")
+	}
 	_, err = cli.MakeRequest(ctx, http.MethodPut, urlPath, &ReqSuspend{Suspended: suspended}, res)
 	return
 }
 
-// UnstableSetLockStatus uses MSC4323 to set whether a user account is locked.
-func (cli *Client) UnstableSetLockStatus(ctx context.Context, userID id.UserID, locked bool) (res *RespLocked, err error) {
-	urlPath := cli.BuildClientURL("unstable", "uk.timedout.msc4323", "admin", "lock", userID)
+// SetLockStatus uses MSC4323 to set whether a user account is locked.
+func (cli *Client) SetLockStatus(ctx context.Context, userID id.UserID, locked bool) (res *RespLocked, err error) {
+	urlPath := cli.makeMSC4323URL("lock", userID)
+	if urlPath == "" {
+		return nil, MUnrecognized.WithMessage("Homeserver does not advertise MSC4323 support")
+	}
 	_, err = cli.MakeRequest(ctx, http.MethodPut, urlPath, &ReqLocked{Locked: locked}, res)
 	return
 }

client_ephemeral_test.go

@@ -0,0 +1,158 @@
+// Copyright (c) 2026 Tulir Asokan
+//
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this
+// file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+package mautrix_test
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/event"
+	"maunium.net/go/mautrix/id"
+)
+
+func TestClient_SendEphemeralEvent_UsesUnstablePathTxnAndTS(t *testing.T) {
+	roomID := id.RoomID("!room:example.com")
+	evtType := event.Type{Type: "com.example.ephemeral", Class: event.EphemeralEventType}
+	txnID := "txn-123"
+
+	var gotPath string
+	var gotQueryTS string
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotPath = r.URL.Path
+		gotQueryTS = r.URL.Query().Get("ts")
+		assert.Equal(t, http.MethodPut, r.Method)
+		_, _ = w.Write([]byte(`{"event_id":"$evt"}`))
+	}))
+	defer ts.Close()
+
+	cli, err := mautrix.NewClient(ts.URL, "", "")
+	require.NoError(t, err)
+
+	_, err = cli.BeeperSendEphemeralEvent(
+		context.Background(),
+		roomID,
+		evtType,
+		map[string]any{"foo": "bar"},
+		mautrix.ReqSendEvent{TransactionID: txnID, Timestamp: 1234},
+	)
+	require.NoError(t, err)
+
+	assert.True(t, strings.Contains(gotPath, "/_matrix/client/unstable/com.beeper.ephemeral/rooms/"))
+	assert.True(t, strings.HasSuffix(gotPath, "/ephemeral/com.example.ephemeral/"+txnID))
+	assert.Equal(t, "1234", gotQueryTS)
+}
+
+func TestClient_SendEphemeralEvent_UnsupportedReturnsMUnrecognized(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(http.StatusNotFound)
+		_, _ = w.Write([]byte(`{"errcode":"M_UNRECOGNIZED","error":"Unrecognized endpoint"}`))
+	}))
+	defer ts.Close()
+
+	cli, err := mautrix.NewClient(ts.URL, "", "")
+	require.NoError(t, err)
+
+	_, err = cli.BeeperSendEphemeralEvent(
+		context.Background(),
+		id.RoomID("!room:example.com"),
+		event.Type{Type: "com.example.ephemeral", Class: event.EphemeralEventType},
+		map[string]any{"foo": "bar"},
+	)
+	require.Error(t, err)
+	assert.True(t, errors.Is(err, mautrix.MUnrecognized))
+}
+
+func TestClient_SendEphemeralEvent_EncryptsInEncryptedRooms(t *testing.T) {
+	roomID := id.RoomID("!room:example.com")
+	evtType := event.Type{Type: "com.example.ephemeral", Class: event.EphemeralEventType}
+	txnID := "txn-encrypted"
+
+	stateStore := mautrix.NewMemoryStateStore()
+	err := stateStore.SetEncryptionEvent(context.Background(), roomID, &event.EncryptionEventContent{
+		Algorithm: id.AlgorithmMegolmV1,
+	})
+	require.NoError(t, err)
+
+	fakeCrypto := &fakeCryptoHelper{
+		encryptedContent: &event.EncryptedEventContent{
+			Algorithm:        id.AlgorithmMegolmV1,
+			MegolmCiphertext: []byte("ciphertext"),
+		},
+	}
+
+	var gotPath string
+	var gotBody map[string]any
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		gotPath = r.URL.Path
+		assert.Equal(t, http.MethodPut, r.Method)
+		err := json.NewDecoder(r.Body).Decode(&gotBody)
+		require.NoError(t, err)
+		_, _ = w.Write([]byte(`{"event_id":"$evt"}`))
+	}))
+	defer ts.Close()
+
+	cli, err := mautrix.NewClient(ts.URL, "", "")
+	require.NoError(t, err)
+	cli.StateStore = stateStore
+	cli.Crypto = fakeCrypto
+
+	_, err = cli.BeeperSendEphemeralEvent(
+		context.Background(),
+		roomID,
+		evtType,
+		map[string]any{"foo": "bar"},
+		mautrix.ReqSendEvent{TransactionID: txnID},
+	)
+	require.NoError(t, err)
+
+	assert.True(t, strings.HasSuffix(gotPath, "/ephemeral/m.room.encrypted/"+txnID))
+	assert.Equal(t, string(id.AlgorithmMegolmV1), gotBody["algorithm"])
+	assert.Equal(t, 1, fakeCrypto.encryptCalls)
+	assert.Equal(t, roomID, fakeCrypto.lastRoomID)
+	assert.Equal(t, evtType, fakeCrypto.lastEventType)
+}
+
+type fakeCryptoHelper struct {
+	encryptCalls     int
+	lastRoomID       id.RoomID
+	lastEventType    event.Type
+	lastEncryptInput any
+	encryptedContent *event.EncryptedEventContent
+}
+
+func (f *fakeCryptoHelper) Encrypt(_ context.Context, roomID id.RoomID, eventType event.Type, content any) (*event.EncryptedEventContent, error) {
+	f.encryptCalls++
+	f.lastRoomID = roomID
+	f.lastEventType = eventType
+	f.lastEncryptInput = content
+	return f.encryptedContent, nil
+}
+
+func (f *fakeCryptoHelper) Decrypt(context.Context, *event.Event) (*event.Event, error) {
+	return nil, nil
+}
+
+func (f *fakeCryptoHelper) WaitForSession(context.Context, id.RoomID, id.SenderKey, id.SessionID, time.Duration) bool {
+	return false
+}
+
+func (f *fakeCryptoHelper) RequestSession(context.Context, id.RoomID, id.SenderKey, id.SessionID, id.UserID, id.DeviceID) {
+}
+
+func (f *fakeCryptoHelper) Init(context.Context) error {
+	return nil
+}

commands/container.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2025 Tulir Asokan
+// Copyright (c) 2026 Tulir Asokan
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -8,14 +8,20 @@ package commands
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 	"sync"
+
+	"go.mau.fi/util/exmaps"
+
+	"maunium.net/go/mautrix/event/cmdschema"
 )
 
 type CommandContainer[MetaType any] struct {
 	commands map[string]*Handler[MetaType]
 	aliases  map[string]string
 	lock     sync.RWMutex
+	parent   *Handler[MetaType]
 }
 
 func NewCommandContainer[MetaType any]() *CommandContainer[MetaType] {
@@ -25,6 +31,29 @@ func NewCommandContainer[MetaType any]() *CommandContainer[MetaType] {
 	}
 }
 
+func (cont *CommandContainer[MetaType]) AllSpecs() []*cmdschema.EventContent {
+	data := make(exmaps.Set[*Handler[MetaType]])
+	cont.collectHandlers(data)
+	specs := make([]*cmdschema.EventContent, 0, data.Size())
+	for handler := range data.Iter() {
+		if handler.Parameters != nil {
+			specs = append(specs, handler.Spec())
+		}
+	}
+	return specs
+}
+
+func (cont *CommandContainer[MetaType]) collectHandlers(into exmaps.Set[*Handler[MetaType]]) {
+	cont.lock.RLock()
+	defer cont.lock.RUnlock()
+	for _, handler := range cont.commands {
+		into.Add(handler)
+		if handler.subcommandContainer != nil {
+			handler.subcommandContainer.collectHandlers(into)
+		}
+	}
+}
+
 // Register registers the given command handlers.
 func (cont *CommandContainer[MetaType]) Register(handlers ...*Handler[MetaType]) {
 	if cont == nil {
@@ -32,7 +61,10 @@ func (cont *CommandContainer[MetaType]) Register(handlers ...*Handler[MetaType])
 	}
 	cont.lock.Lock()
 	defer cont.lock.Unlock()
-	for _, handler := range handlers {
+	for i, handler := range handlers {
+		if handler == nil {
+			panic(fmt.Errorf("handler #%d is nil", i+1))
+		}
 		cont.registerOne(handler)
 	}
 }
@@ -45,6 +77,10 @@ func (cont *CommandContainer[MetaType]) registerOne(handler *Handler[MetaType])
 	} else if aliasTarget, alreadyExists := cont.aliases[handler.Name]; alreadyExists {
 		panic(fmt.Errorf("tried to register command %q, but it's already registered as an alias for %q", handler.Name, aliasTarget))
 	}
+	if !slices.Contains(handler.parents, cont.parent) {
+		handler.parents = append(handler.parents, cont.parent)
+		handler.nestedNameCache = nil
+	}
 	cont.commands[handler.Name] = handler
 	for _, alias := range handler.Aliases {
 		if strings.ToLower(alias) != alias {

commands/event.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2025 Tulir Asokan
+// Copyright (c) 2026 Tulir Asokan
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -8,6 +8,7 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"strings"
 
@@ -35,6 +36,8 @@ type Event[MetaType any] struct {
 	// RawArgs is the same as args, but without the splitting by whitespace.
 	RawArgs string
 
+	StructuredArgs json.RawMessage
+
 	Ctx     context.Context
 	Log     *zerolog.Logger
 	Proc    *Processor[MetaType]
@@ -61,7 +64,7 @@ var IDHTMLParser = &format.HTMLParser{
 }
 
 // ParseEvent parses a message into a command event struct.
-func ParseEvent[MetaType any](ctx context.Context, evt *event.Event) *Event[MetaType] {
+func (proc *Processor[MetaType]) ParseEvent(ctx context.Context, evt *event.Event) *Event[MetaType] {
 	content, ok := evt.Content.Parsed.(*event.MessageEventContent)
 	if !ok || content.MsgType == event.MsgNotice || content.RelatesTo.GetReplaceID() != "" {
 		return nil
@@ -70,12 +73,34 @@ func ParseEvent[MetaType any](ctx context.Context, evt *event.Event) *Event[Meta
 	if content.Format == event.FormatHTML {
 		text = IDHTMLParser.Parse(content.FormattedBody, format.NewContext(ctx))
 	}
+	if content.MSC4391BotCommand != nil {
+		if !content.Mentions.Has(proc.Client.UserID) || len(content.Mentions.UserIDs) != 1 {
+			return nil
+		}
+		wrapped := StructuredCommandToEvent[MetaType](ctx, evt, content.MSC4391BotCommand)
+		wrapped.RawInput = text
+		return wrapped
+	}
 	if len(text) == 0 {
 		return nil
 	}
 	return RawTextToEvent[MetaType](ctx, evt, text)
 }
 
+func StructuredCommandToEvent[MetaType any](ctx context.Context, evt *event.Event, content *event.MSC4391BotCommandInput) *Event[MetaType] {
+	commandParts := strings.Split(content.Command, " ")
+	return &Event[MetaType]{
+		Event: evt,
+		// Fake a command and args to let the subcommand finder in Process work.
+		Command: commandParts[0],
+		Args:    commandParts[1:],
+		Ctx:     ctx,
+		Log:     zerolog.Ctx(ctx),
+
+		StructuredArgs: content.Arguments,
+	}
+}
+
 func RawTextToEvent[MetaType any](ctx context.Context, evt *event.Event, text string) *Event[MetaType] {
 	parts := strings.Fields(text)
 	if len(parts) == 0 {
@@ -188,3 +213,25 @@ func (evt *Event[MetaType]) UnshiftArg(arg string) {
 	evt.RawArgs = arg + " " + evt.RawArgs
 	evt.Args = append([]string{arg}, evt.Args...)
 }
+
+func (evt *Event[MetaType]) ParseArgs(into any) error {
+	return json.Unmarshal(evt.StructuredArgs, into)
+}
+
+func ParseArgs[T, MetaType any](evt *Event[MetaType]) (into T, err error) {
+	err = evt.ParseArgs(&into)
+	return
+}
+
+func WithParsedArgs[T, MetaType any](fn func(*Event[MetaType], T)) func(*Event[MetaType]) {
+	return func(evt *Event[MetaType]) {
+		parsed, err := ParseArgs[T, MetaType](evt)
+		if err != nil {
+			evt.Log.Debug().Err(err).Msg("Failed to parse structured args into struct")
+			// TODO better error, usage info? deduplicate with Process
+			evt.Reply("Failed to parse arguments: %v", err)
+			return
+		}
+		fn(evt, parsed)
+	}
+}

commands/handler.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2025 Tulir Asokan
+// Copyright (c) 2026 Tulir Asokan
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -8,6 +8,9 @@ package commands
 
 import (
 	"strings"
+
+	"maunium.net/go/mautrix/event"
+	"maunium.net/go/mautrix/event/cmdschema"
 )
 
 type Handler[MetaType any] struct {
@@ -25,12 +28,63 @@ type Handler[MetaType any] struct {
 	// Event.ShiftArg will likely be useful for implementing such parameters.
 	PreFunc func(ce *Event[MetaType])
 
+	// Description is a short description of the command.
+	Description *event.ExtensibleTextContainer
+	// Parameters is a description of structured command parameters.
+	// If set, the StructuredArgs field of Event will be populated.
+	Parameters []*cmdschema.Parameter
+	TailParam  string
+
+	parents             []*Handler[MetaType]
+	nestedNameCache     []string
 	subcommandContainer *CommandContainer[MetaType]
 }
 
+func (h *Handler[MetaType]) NestedNames() []string {
+	if h.nestedNameCache != nil {
+		return h.nestedNameCache
+	}
+	nestedNames := make([]string, 0, (1+len(h.Aliases))*len(h.parents))
+	for _, parent := range h.parents {
+		if parent == nil {
+			nestedNames = append(nestedNames, h.Name)
+			nestedNames = append(nestedNames, h.Aliases...)
+		} else {
+			for _, parentName := range parent.NestedNames() {
+				nestedNames = append(nestedNames, parentName+" "+h.Name)
+				for _, alias := range h.Aliases {
+					nestedNames = append(nestedNames, parentName+" "+alias)
+				}
+			}
+		}
+	}
+	h.nestedNameCache = nestedNames
+	return nestedNames
+}
+
+func (h *Handler[MetaType]) Spec() *cmdschema.EventContent {
+	names := h.NestedNames()
+	return &cmdschema.EventContent{
+		Command:     names[0],
+		Aliases:     names[1:],
+		Parameters:  h.Parameters,
+		Description: h.Description,
+		TailParam:   h.TailParam,
+	}
+}
+
+func (h *Handler[MetaType]) CopyFrom(other *Handler[MetaType]) {
+	if h.Parameters == nil {
+		h.Parameters = other.Parameters
+		h.TailParam = other.TailParam
+	}
+	h.Func = other.Func
+}
+
 func (h *Handler[MetaType]) initSubcommandContainer() {
 	if len(h.Subcommands) > 0 {
 		h.subcommandContainer = NewCommandContainer[MetaType]()
+		h.subcommandContainer.parent = h
 		h.subcommandContainer.Register(h.Subcommands...)
 	} else {
 		h.subcommandContainer = nil

commands/processor.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2025 Tulir Asokan
+// Copyright (c) 2026 Tulir Asokan
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -72,9 +72,9 @@ func (proc *Processor[MetaType]) Process(ctx context.Context, evt *event.Event)
 	case event.EventReaction:
 		parsed = proc.ParseReaction(ctx, evt)
 	case event.EventMessage:
-		parsed = ParseEvent[MetaType](ctx, evt)
+		parsed = proc.ParseEvent(ctx, evt)
 	}
-	if parsed == nil || !proc.PreValidator.Validate(parsed) {
+	if parsed == nil || (!proc.PreValidator.Validate(parsed) && parsed.StructuredArgs == nil) {
 		return
 	}
 	parsed.Proc = proc
@@ -107,6 +107,12 @@ func (proc *Processor[MetaType]) Process(ctx context.Context, evt *event.Event)
 			break
 		}
 	}
+	if parsed.StructuredArgs != nil && len(parsed.Args) > 0 {
+		// TODO allow unknown command handlers to be called?
+		// The client sent MSC4391 data, but the target command wasn't found
+		log.Debug().Msg("Didn't find handler for MSC4391 command")
+		return
+	}
 
 	logWith := log.With().
 		Str("command", parsed.Command).
@@ -116,11 +122,31 @@ func (proc *Processor[MetaType]) Process(ctx context.Context, evt *event.Event)
 	}
 	if proc.LogArgs {
 		logWith = logWith.Strs("args", parsed.Args)
+		if parsed.StructuredArgs != nil {
+			logWith = logWith.RawJSON("structured_args", parsed.StructuredArgs)
+		}
 	}
 	log = logWith.Logger()
 	parsed.Ctx = log.WithContext(ctx)
 	parsed.Log = &log
 
+	if handler.Parameters != nil && parsed.StructuredArgs == nil {
+		// The handler wants structured parameters, but the client didn't send MSC4391 data
+		var err error
+		parsed.StructuredArgs, err = handler.Spec().ParseArguments(parsed.RawArgs)
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to parse structured arguments")
+			// TODO better error, usage info? deduplicate with WithParsedArgs
+			parsed.Reply("Failed to parse arguments: %v", err)
+			return
+		}
+		if proc.LogArgs {
+			log.UpdateContext(func(c zerolog.Context) zerolog.Context {
+				return c.RawJSON("structured_args", parsed.StructuredArgs)
+			})
+		}
+	}
+
 	log.Debug().Msg("Processing command")
 	handler.Func(parsed)
 }

commands/reactions.go

@@ -1,4 +1,4 @@
-// Copyright (c) 2025 Tulir Asokan
+// Copyright (c) 2026 Tulir Asokan
 //
 // This Source Code Form is subject to the terms of the Mozilla Public
 // License, v. 2.0. If a copy of the MPL was not distributed with this
@@ -8,6 +8,7 @@ package commands
 
 import (
 	"context"
+	"encoding/json"
 	"strings"
 
 	"github.com/rs/zerolog"
@@ -19,6 +20,11 @@ import (
 const ReactionCommandsKey = "fi.mau.reaction_commands"
 const ReactionMultiUseKey = "fi.mau.reaction_multi_use"
 
+type ReactionCommandData struct {
+	Command string `json:"command"`
+	Args    any    `json:"args,omitempty"`
+}
+
 func (proc *Processor[MetaType]) ParseReaction(ctx context.Context, evt *event.Event) *Event[MetaType] {
 	content, ok := evt.Content.Parsed.(*event.ReactionEventContent)
 	if !ok {
@@ -67,21 +73,33 @@ func (proc *Processor[MetaType]) ParseReaction(ctx context.Context, evt *event.E
 			Msg("Reaction command not found in target event")
 		return nil
 	}
-	cmdString, ok := rawCmd.(string)
-	if !ok {
+	var wrappedEvt *Event[MetaType]
+	switch typedCmd := rawCmd.(type) {
+	case string:
+		wrappedEvt = RawTextToEvent[MetaType](ctx, evt, typedCmd)
+	case map[string]any:
+		var input event.MSC4391BotCommandInput
+		if marshaled, err := json.Marshal(typedCmd); err != nil {
+
+		} else if err = json.Unmarshal(marshaled, &input); err != nil {
+
+		} else {
+			wrappedEvt = StructuredCommandToEvent[MetaType](ctx, evt, &input)
+		}
+	}
+	if wrappedEvt == nil {
 		zerolog.Ctx(ctx).Debug().
 			Stringer("target_event_id", evtID).
 			Str("reaction_key", content.RelatesTo.Key).
 			Msg("Reaction command data is invalid")
 		return nil
 	}
-	wrappedEvt := RawTextToEvent[MetaType](ctx, evt, cmdString)
 	wrappedEvt.Proc = proc
 	wrappedEvt.Redact()
 	if !isMultiUse {
 		DeleteAllReactions(ctx, proc.Client, evt)
 	}
-	if cmdString == "" {
+	if wrappedEvt.Command == "" {
 		return nil
 	}
 	return wrappedEvt

crypto/attachment/attachments.go

@@ -21,13 +21,24 @@ import (
 )
 
 var (
-	HashMismatch         = errors.New("mismatching SHA-256 digest")
-	UnsupportedVersion   = errors.New("unsupported Matrix file encryption version")
-	UnsupportedAlgorithm = errors.New("unsupported JWK encryption algorithm")
-	InvalidKey           = errors.New("failed to decode key")
-	InvalidInitVector    = errors.New("failed to decode initialization vector")
-	InvalidHash          = errors.New("failed to decode SHA-256 hash")
-	ReaderClosed         = errors.New("encrypting reader was already closed")
+	ErrHashMismatch         = errors.New("mismatching SHA-256 digest")
+	ErrUnsupportedVersion   = errors.New("unsupported Matrix file encryption version")
+	ErrUnsupportedAlgorithm = errors.New("unsupported JWK encryption algorithm")
+	ErrInvalidKey           = errors.New("failed to decode key")
+	ErrInvalidInitVector    = errors.New("failed to decode initialization vector")
+	ErrInvalidHash          = errors.New("failed to decode SHA-256 hash")
+	ErrReaderClosed         = errors.New("encrypting reader was already closed")
+)
+
+// Deprecated: use variables prefixed with Err
+var (
+	HashMismatch         = ErrHashMismatch
+	UnsupportedVersion   = ErrUnsupportedVersion
+	UnsupportedAlgorithm = ErrUnsupportedAlgorithm
+	InvalidKey           = ErrInvalidKey
+	InvalidInitVector    = ErrInvalidInitVector
+	InvalidHash          = ErrInvalidHash
+	ReaderClosed         = ErrReaderClosed
 )
 
 var (
@@ -85,25 +96,25 @@ func (ef *EncryptedFile) decodeKeys(includeHash bool) error {
 	if ef.decoded != nil {
 		return nil
 	} else if len(ef.Key.Key) != keyBase64Length {
-		return InvalidKey
+		return ErrInvalidKey
 	} else if len(ef.InitVector) != ivBase64Length {
-		return InvalidInitVector
+		return ErrInvalidInitVector
 	} else if includeHash && len(ef.Hashes.SHA256) != hashBase64Length {
-		return InvalidHash
+		return ErrInvalidHash
 	}
 	ef.decoded = &decodedKeys{}
 	_, err := base64.RawURLEncoding.Decode(ef.decoded.key[:], []byte(ef.Key.Key))
 	if err != nil {
-		return InvalidKey
+		return ErrInvalidKey
 	}
 	_, err = base64.RawStdEncoding.Decode(ef.decoded.iv[:], []byte(ef.InitVector))
 	if err != nil {
-		return InvalidInitVector
+		return ErrInvalidInitVector
 	}
 	if includeHash {
 		_, err = base64.RawStdEncoding.Decode(ef.decoded.sha256[:], []byte(ef.Hashes.SHA256))
 		if err != nil {
-			return InvalidHash
+			return ErrInvalidHash
 		}
 	}
 	return nil
@@ -179,7 +190,7 @@ var _ io.ReadSeekCloser = (*encryptingReader)(nil)
 
 func (r *encryptingReader) Seek(offset int64, whence int) (int64, error) {
 	if r.closed {
-		return 0, ReaderClosed
+		return 0, ErrReaderClosed
 	}
 	if offset != 0 || whence != io.SeekStart {
 		return 0, fmt.Errorf("attachments.EncryptStream: only seeking to the beginning is supported")
@@ -200,7 +211,7 @@ func (r *encryptingReader) Seek(offset int64, whence int) (int64, error) {
 
 func (r *encryptingReader) Read(dst []byte) (n int, err error) {
 	if r.closed {
-		return 0, ReaderClosed
+		return 0, ErrReaderClosed
 	} else if r.isDecrypting && r.file.decoded == nil {
 		if err = r.file.PrepareForDecryption(); err != nil {
 			return
@@ -224,7 +235,7 @@ func (r *encryptingReader) Close() (err error) {
 	}
 	if r.isDecrypting {
 		if !hmac.Equal(r.hash.Sum(nil), r.file.decoded.sha256[:]) {
-			return HashMismatch
+			return ErrHashMismatch
 		}
 	} else {
 		r.file.Hashes.SHA256 = base64.RawStdEncoding.EncodeToString(r.hash.Sum(nil))
@@ -265,9 +276,9 @@ func (ef *EncryptedFile) Decrypt(ciphertext []byte) ([]byte, error) {
 // DecryptInPlace will always call this automatically, so calling this manually is not necessary when using that function.
 func (ef *EncryptedFile) PrepareForDecryption() error {
 	if ef.Version != "v2" {
-		return UnsupportedVersion
+		return ErrUnsupportedVersion
 	} else if ef.Key.Algorithm != "A256CTR" {
-		return UnsupportedAlgorithm
+		return ErrUnsupportedAlgorithm
 	} else if err := ef.decodeKeys(true); err != nil {
 		return err
 	}
@@ -281,7 +292,7 @@ func (ef *EncryptedFile) DecryptInPlace(data []byte) error {
 	}
 	dataHash := sha256.Sum256(data)
 	if !hmac.Equal(ef.decoded.sha256[:], dataHash[:]) {
-		return HashMismatch
+		return ErrHashMismatch
 	}
 	utils.XorA256CTR(data, ef.decoded.key, ef.decoded.iv)
 	return nil

crypto/attachment/attachments_test.go

@@ -53,33 +53,33 @@ func TestUnsupportedVersion(t *testing.T) {
 	file := parseHelloWorld()
 	file.Version = "foo"
 	err := file.DecryptInPlace([]byte(helloWorldCiphertext))
-	assert.ErrorIs(t, err, UnsupportedVersion)
+	assert.ErrorIs(t, err, ErrUnsupportedVersion)
 }
 
 func TestUnsupportedAlgorithm(t *testing.T) {
 	file := parseHelloWorld()
 	file.Key.Algorithm = "bar"
 	err := file.DecryptInPlace([]byte(helloWorldCiphertext))
-	assert.ErrorIs(t, err, UnsupportedAlgorithm)
+	assert.ErrorIs(t, err, ErrUnsupportedAlgorithm)
 }
 
 func TestHashMismatch(t *testing.T) {
 	file := parseHelloWorld()
 	file.Hashes.SHA256 = base64.RawStdEncoding.EncodeToString([]byte(random32Bytes))
 	err := file.DecryptInPlace([]byte(helloWorldCiphertext))
-	assert.ErrorIs(t, err, HashMismatch)
+	assert.ErrorIs(t, err, ErrHashMismatch)
 }
 
 func TestTooLongHash(t *testing.T) {
 	file := parseHelloWorld()
 	file.Hashes.SHA256 = "TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVlciBhZGlwaXNjaW5nIGVsaXQuIFNlZCBwb3N1ZXJlIGludGVyZHVtIHNlbS4gUXVpc3F1ZSBsaWd1bGEgZXJvcyB1bGxhbWNvcnBlciBxdWlzLCBsYWNpbmlhIHF1aXMgZmFjaWxpc2lzIHNlZCBzYXBpZW4uCg"
 	err := file.DecryptInPlace([]byte(helloWorldCiphertext))
-	assert.ErrorIs(t, err, InvalidHash)
+	assert.ErrorIs(t, err, ErrInvalidHash)
 }
 
 func TestTooShortHash(t *testing.T) {
 	file := parseHelloWorld()
 	file.Hashes.SHA256 = "5/Gy1JftyyQ"
 	err := file.DecryptInPlace([]byte(helloWorldCiphertext))
-	assert.ErrorIs(t, err, InvalidHash)
+	assert.ErrorIs(t, err, ErrInvalidHash)
 }

crypto/cross_sign_key.go

@@ -135,7 +135,7 @@ func (mach *OlmMachine) PublishCrossSigningKeys(ctx context.Context, keys *Cross
 	}
 	userKey.Signatures = signatures.NewSingleSignature(userID, id.KeyAlgorithmEd25519, keys.MasterKey.PublicKey().String(), userSig)
 
-	err = mach.Client.UploadCrossSigningKeys(ctx, &mautrix.UploadCrossSigningKeysReq{
+	err = mach.Client.UploadCrossSigningKeys(ctx, &mautrix.UploadCrossSigningKeysReq[any]{
 		Master:      masterKey,
 		SelfSigning: selfKey,
 		UserSigning: userKey,

crypto/cross_sign_pubkey.go

@@ -63,8 +63,8 @@ func (mach *OlmMachine) GetCrossSigningPublicKeys(ctx context.Context, userID id
 	if len(dbKeys) > 0 {
 		masterKey, ok := dbKeys[id.XSUsageMaster]
 		if ok {
-			selfSigning, _ := dbKeys[id.XSUsageSelfSigning]
-			userSigning, _ := dbKeys[id.XSUsageUserSigning]
+			selfSigning := dbKeys[id.XSUsageSelfSigning]
+			userSigning := dbKeys[id.XSUsageUserSigning]
 			return &CrossSigningPublicKeysCache{
 				MasterKey:      masterKey.Key,
 				SelfSigningKey: selfSigning.Key,

crypto/cross_sign_ssss.go

@@ -8,6 +8,7 @@ package crypto
 
 import (
 	"context"
+	"errors"
 	"fmt"
 
 	"maunium.net/go/mautrix"
@@ -77,7 +78,11 @@ func (mach *OlmMachine) VerifyWithRecoveryKey(ctx context.Context, recoveryKey s
 		return fmt.Errorf("failed to get default SSSS key data: %w", err)
 	}
 	key, err := keyData.VerifyRecoveryKey(keyID, recoveryKey)
-	if err != nil {
+	if errors.Is(err, ssss.ErrUnverifiableKey) {
+		mach.machOrContextLog(ctx).Warn().
+			Str("key_id", keyID).
+			Msg("SSSS key is unverifiable, trying to use without verifying")
+	} else if err != nil {
 		return err
 	}
 	err = mach.FetchCrossSigningKeysFromSSSS(ctx, key)

crypto/cross_sign_store.go

@@ -26,24 +26,22 @@ func (mach *OlmMachine) storeCrossSigningKeys(ctx context.Context, crossSigningK
 			log.Error().Err(err).
 				Msg("Error fetching current cross-signing keys of user")
 		}
-		if currentKeys != nil {
-			for curKeyUsage, curKey := range currentKeys {
-				log := log.With().Stringer("old_key", curKey.Key).Str("old_key_usage", string(curKeyUsage)).Logger()
-				// got a new key with the same usage as an existing key
-				for _, newKeyUsage := range userKeys.Usage {
-					if newKeyUsage == curKeyUsage {
-						if _, ok := userKeys.Keys[id.NewKeyID(id.KeyAlgorithmEd25519, curKey.Key.String())]; !ok {
-							// old key is not in the new key map, so we drop signatures made by it
-							if count, err := mach.CryptoStore.DropSignaturesByKey(ctx, userID, curKey.Key); err != nil {
-								log.Error().Err(err).Msg("Error deleting old signatures made by user")
-							} else {
-								log.Debug().
-									Int64("signature_count", count).
-									Msg("Dropped signatures made by old key as it has been replaced")
-							}
+		for curKeyUsage, curKey := range currentKeys {
+			log := log.With().Stringer("old_key", curKey.Key).Str("old_key_usage", string(curKeyUsage)).Logger()
+			// got a new key with the same usage as an existing key
+			for _, newKeyUsage := range userKeys.Usage {
+				if newKeyUsage == curKeyUsage {
+					if _, ok := userKeys.Keys[id.NewKeyID(id.KeyAlgorithmEd25519, curKey.Key.String())]; !ok {
+						// old key is not in the new key map, so we drop signatures made by it
+						if count, err := mach.CryptoStore.DropSignaturesByKey(ctx, userID, curKey.Key); err != nil {
+							log.Error().Err(err).Msg("Error deleting old signatures made by user")
+						} else {
+							log.Debug().
+								Int64("signature_count", count).
+								Msg("Dropped signatures made by old key as it has been replaced")
 						}
-						break
 					}
+					break
 				}
 			}
 		}

crypto/cryptohelper/cryptohelper.go

@@ -278,7 +278,7 @@ func (helper *CryptoHelper) verifyDeviceKeysOnServer(ctx context.Context) error
 	}
 }
 
-var NoSessionFound = crypto.NoSessionFound
+var NoSessionFound = crypto.ErrNoSessionFound
 
 const initialSessionWaitTimeout = 3 * time.Second
 const extendedSessionWaitTimeout = 22 * time.Second
@@ -371,6 +371,7 @@ func (helper *CryptoHelper) waitLongerForSession(ctx context.Context, evt *event
 	content := evt.Content.AsEncrypted()
 	log.Debug().Int("wait_seconds", int(extendedSessionWaitTimeout.Seconds())).Msg("Couldn't find session, requesting keys and waiting longer...")
 
+	//lint:ignore SA1019 RequestSession will gracefully request from all devices if DeviceID is blank
 	go helper.RequestSession(context.TODO(), evt.RoomID, content.SenderKey, content.SessionID, evt.Sender, content.DeviceID)
 
 	if !helper.mach.WaitForSession(ctx, evt.RoomID, content.SenderKey, content.SessionID, extendedSessionWaitTimeout) {
@@ -418,7 +419,7 @@ func (helper *CryptoHelper) EncryptWithStateKey(ctx context.Context, roomID id.R
 	defer helper.lock.RUnlock()
 	encrypted, err = helper.mach.EncryptMegolmEventWithStateKey(ctx, roomID, evtType, stateKey, content)
 	if err != nil {
-		if !errors.Is(err, crypto.SessionExpired) && err != crypto.NoGroupSession && !errors.Is(err, crypto.SessionNotShared) {
+		if !errors.Is(err, crypto.ErrSessionExpired) && err != crypto.ErrNoGroupSession && !errors.Is(err, crypto.ErrSessionNotShared) {
 			return
 		}
 		helper.log.Debug().

crypto/decryptmegolm.go

@@ -24,13 +24,23 @@ import (
 )
 
 var (
-	IncorrectEncryptedContentType = errors.New("event content is not instance of *event.EncryptedEventContent")
-	NoSessionFound                = errors.New("failed to decrypt megolm event: no session with given ID found")
-	DuplicateMessageIndex         = errors.New("duplicate megolm message index")
-	WrongRoom                     = errors.New("encrypted megolm event is not intended for this room")
-	DeviceKeyMismatch             = errors.New("device keys in event and verified device info do not match")
-	SenderKeyMismatch             = errors.New("sender keys in content and megolm session do not match")
-	RatchetError                  = errors.New("failed to ratchet session after use")
+	ErrIncorrectEncryptedContentType = errors.New("event content is not instance of *event.EncryptedEventContent")
+	ErrNoSessionFound                = errors.New("failed to decrypt megolm event: no session with given ID found")
+	ErrDuplicateMessageIndex         = errors.New("duplicate megolm message index")
+	ErrWrongRoom                     = errors.New("encrypted megolm event is not intended for this room")
+	ErrDeviceKeyMismatch             = errors.New("device keys in event and verified device info do not match")
+	ErrRatchetError                  = errors.New("failed to ratchet session after use")
+	ErrCorruptedMegolmPayload        = errors.New("corrupted megolm payload")
+)
+
+// Deprecated: use variables prefixed with Err
+var (
+	IncorrectEncryptedContentType = ErrIncorrectEncryptedContentType
+	NoSessionFound                = ErrNoSessionFound
+	DuplicateMessageIndex         = ErrDuplicateMessageIndex
+	WrongRoom                     = ErrWrongRoom
+	DeviceKeyMismatch             = ErrDeviceKeyMismatch
+	RatchetError                  = ErrRatchetError
 )
 
 type megolmEvent struct {
@@ -45,13 +55,30 @@ var (
 	relatesToTopLevelPath = exgjson.Path("content", "m.relates_to")
 )
 
+const sessionIDLength = 43
+
+func validateCiphertextCharacters(ciphertext []byte) bool {
+	for _, b := range ciphertext {
+		if (b < 'a' || b > 'z') && (b < 'A' || b > 'Z') && (b < '0' || b > '9') && b != '+' && b != '/' {
+			return false
+		}
+	}
+	return true
+}
+
 // DecryptMegolmEvent decrypts an m.room.encrypted event where the algorithm is m.megolm.v1.aes-sha2
 func (mach *OlmMachine) DecryptMegolmEvent(ctx context.Context, evt *event.Event) (*event.Event, error) {
 	content, ok := evt.Content.Parsed.(*event.EncryptedEventContent)
 	if !ok {
-		return nil, IncorrectEncryptedContentType
+		return nil, ErrIncorrectEncryptedContentType
 	} else if content.Algorithm != id.AlgorithmMegolmV1 {
-		return nil, UnsupportedAlgorithm
+		return nil, ErrUnsupportedAlgorithm
+	} else if len(content.MegolmCiphertext) < 74 {
+		return nil, fmt.Errorf("%w: ciphertext too short (%d bytes)", ErrCorruptedMegolmPayload, len(content.MegolmCiphertext))
+	} else if len(content.SessionID) != sessionIDLength {
+		return nil, fmt.Errorf("%w: invalid session ID length %d", ErrCorruptedMegolmPayload, len(content.SessionID))
+	} else if !validateCiphertextCharacters(content.MegolmCiphertext) {
+		return nil, fmt.Errorf("%w: invalid characters in ciphertext", ErrCorruptedMegolmPayload)
 	}
 	log := mach.machOrContextLog(ctx).With().
 		Str("action", "decrypt megolm event").
@@ -97,7 +124,13 @@ func (mach *OlmMachine) DecryptMegolmEvent(ctx context.Context, evt *event.Event
 					Msg("Couldn't resolve trust level of session: sent by unknown device")
 				trustLevel = id.TrustStateUnknownDevice
 			} else if device.SigningKey != sess.SigningKey || device.IdentityKey != sess.SenderKey {
-				return nil, DeviceKeyMismatch
+				log.Debug().
+					Stringer("session_sender_key", sess.SenderKey).
+					Stringer("device_sender_key", device.IdentityKey).
+					Stringer("session_signing_key", sess.SigningKey).
+					Stringer("device_signing_key", device.SigningKey).
+					Msg("Device keys don't match keys in session, marking as untrusted")
+				trustLevel = id.TrustStateDeviceKeyMismatch
 			} else {
 				trustLevel, err = mach.ResolveTrustContext(ctx, device)
 				if err != nil {
@@ -147,7 +180,7 @@ func (mach *OlmMachine) DecryptMegolmEvent(ctx context.Context, evt *event.Event
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse megolm payload: %w", err)
 	} else if megolmEvt.RoomID != encryptionRoomID {
-		return nil, WrongRoom
+		return nil, ErrWrongRoom
 	}
 	if evt.StateKey != nil && megolmEvt.StateKey != nil && mach.AllowEncryptedState {
 		megolmEvt.Type.Class = event.StateEventType
@@ -180,6 +213,7 @@ func (mach *OlmMachine) DecryptMegolmEvent(ctx context.Context, evt *event.Event
 			TrustSource:   device,
 			ForwardedKeys: forwardedKeys,
 			WasEncrypted:  true,
+			EventSource:   evt.Mautrix.EventSource | event.SourceDecrypted,
 			ReceivedAt:    evt.Mautrix.ReceivedAt,
 		},
 	}, nil
@@ -201,19 +235,19 @@ func (mach *OlmMachine) checkUndecryptableMessageIndexDuplication(ctx context.Co
 	messageIndex, decodeErr := ParseMegolmMessageIndex(content.MegolmCiphertext)
 	if decodeErr != nil {
 		log.Warn().Err(decodeErr).Msg("Failed to parse message index to check if it's a duplicate for message that failed to decrypt")
-		return 0, fmt.Errorf("%w (also failed to parse message index)", olm.UnknownMessageIndex)
+		return 0, fmt.Errorf("%w (also failed to parse message index)", olm.ErrUnknownMessageIndex)
 	}
 	firstKnown := sess.Internal.FirstKnownIndex()
 	log = log.With().Uint("message_index", messageIndex).Uint32("first_known_index", firstKnown).Logger()
 	if ok, err := mach.CryptoStore.ValidateMessageIndex(ctx, sess.SenderKey, content.SessionID, evt.ID, messageIndex, evt.Timestamp); err != nil {
 		log.Debug().Err(err).Msg("Failed to check if message index is duplicate")
-		return messageIndex, fmt.Errorf("%w (failed to check if index is duplicate; received: %d, earliest known: %d)", olm.UnknownMessageIndex, messageIndex, firstKnown)
+		return messageIndex, fmt.Errorf("%w (failed to check if index is duplicate; received: %d, earliest known: %d)", olm.ErrUnknownMessageIndex, messageIndex, firstKnown)
 	} else if !ok {
 		log.Debug().Msg("Failed to decrypt message due to unknown index and found duplicate")
-		return messageIndex, fmt.Errorf("%w %d (also failed to decrypt because earliest known index is %d)", DuplicateMessageIndex, messageIndex, firstKnown)
+		return messageIndex, fmt.Errorf("%w %d (also failed to decrypt because earliest known index is %d)", ErrDuplicateMessageIndex, messageIndex, firstKnown)
 	}
 	log.Debug().Msg("Failed to decrypt message due to unknown index, but index is not duplicate")
-	return messageIndex, fmt.Errorf("%w (not duplicate index; received: %d, earliest known: %d)", olm.UnknownMessageIndex, messageIndex, firstKnown)
+	return messageIndex, fmt.Errorf("%w (not duplicate index; received: %d, earliest known: %d)", olm.ErrUnknownMessageIndex, messageIndex, firstKnown)
 }
 
 func (mach *OlmMachine) actuallyDecryptMegolmEvent(ctx context.Context, evt *event.Event, encryptionRoomID id.RoomID, content *event.EncryptedEventContent) (*InboundGroupSession, []byte, uint, error) {
@@ -224,13 +258,11 @@ func (mach *OlmMachine) actuallyDecryptMegolmEvent(ctx context.Context, evt *eve
 	if err != nil {
 		return nil, nil, 0, fmt.Errorf("failed to get group session: %w", err)
 	} else if sess == nil {
-		return nil, nil, 0, fmt.Errorf("%w (ID %s)", NoSessionFound, content.SessionID)
-	} else if content.SenderKey != "" && content.SenderKey != sess.SenderKey {
-		return sess, nil, 0, SenderKeyMismatch
+		return nil, nil, 0, fmt.Errorf("%w (ID %s)", ErrNoSessionFound, content.SessionID)
 	}
 	plaintext, messageIndex, err := sess.Internal.Decrypt(content.MegolmCiphertext)
 	if err != nil {
-		if errors.Is(err, olm.UnknownMessageIndex) && mach.RatchetKeysOnDecrypt {
+		if errors.Is(err, olm.ErrUnknownMessageIndex) && mach.RatchetKeysOnDecrypt {
 			messageIndex, err = mach.checkUndecryptableMessageIndexDuplication(ctx, sess, evt, content)
 			return sess, nil, messageIndex, fmt.Errorf("failed to decrypt megolm event: %w", err)
 		}
@@ -238,7 +270,7 @@ func (mach *OlmMachine) actuallyDecryptMegolmEvent(ctx context.Context, evt *eve
 	} else if ok, err := mach.CryptoStore.ValidateMessageIndex(ctx, sess.SenderKey, content.SessionID, evt.ID, messageIndex, evt.Timestamp); err != nil {
 		return sess, nil, messageIndex, fmt.Errorf("failed to check if message index is duplicate: %w", err)
 	} else if !ok {
-		return sess, nil, messageIndex, fmt.Errorf("%w %d", DuplicateMessageIndex, messageIndex)
+		return sess, nil, messageIndex, fmt.Errorf("%w %d", ErrDuplicateMessageIndex, messageIndex)
 	}
 
 	// Normal clients don't care about tracking the ratchet state, so let them bypass the rest of the function
@@ -290,24 +322,24 @@ func (mach *OlmMachine) actuallyDecryptMegolmEvent(ctx context.Context, evt *eve
 		err = mach.CryptoStore.RedactGroupSession(ctx, sess.RoomID, sess.ID(), "maximum messages reached")
 		if err != nil {
 			log.Err(err).Msg("Failed to delete fully used session")
-			return sess, plaintext, messageIndex, RatchetError
+			return sess, plaintext, messageIndex, ErrRatchetError
 		} else {
 			log.Info().Msg("Deleted fully used session")
 		}
 	} else if ratchetCurrentIndex < ratchetTargetIndex && mach.RatchetKeysOnDecrypt {
 		if err = sess.RatchetTo(ratchetTargetIndex); err != nil {
 			log.Err(err).Msg("Failed to ratchet session")
-			return sess, plaintext, messageIndex, RatchetError
+			return sess, plaintext, messageIndex, ErrRatchetError
 		} else if err = mach.CryptoStore.PutGroupSession(ctx, sess); err != nil {
 			log.Err(err).Msg("Failed to store ratcheted session")
-			return sess, plaintext, messageIndex, RatchetError
+			return sess, plaintext, messageIndex, ErrRatchetError
 		} else {
 			log.Info().Msg("Ratcheted session forward")
 		}
 	} else if didModify {
 		if err = mach.CryptoStore.PutGroupSession(ctx, sess); err != nil {
 			log.Err(err).Msg("Failed to store updated ratchet safety data")
-			return sess, plaintext, messageIndex, RatchetError
+			return sess, plaintext, messageIndex, ErrRatchetError
 		} else {
 			log.Debug().Msg("Ratchet safety data changed (ratchet state didn't change)")
 		}

crypto/decryptolm.go

@@ -26,15 +26,27 @@ import (
 )
 
 var (
-	UnsupportedAlgorithm                = errors.New("unsupported event encryption algorithm")
-	NotEncryptedForMe                   = errors.New("olm event doesn't contain ciphertext for this device")
-	UnsupportedOlmMessageType           = errors.New("unsupported olm message type")
-	DecryptionFailedWithMatchingSession = errors.New("decryption failed with matching session")
-	DecryptionFailedForNormalMessage    = errors.New("decryption failed for normal message")
-	SenderMismatch                      = errors.New("mismatched sender in olm payload")
-	RecipientMismatch                   = errors.New("mismatched recipient in olm payload")
-	RecipientKeyMismatch                = errors.New("mismatched recipient key in olm payload")
-	ErrDuplicateMessage                 = errors.New("duplicate olm message")
+	ErrUnsupportedAlgorithm                = errors.New("unsupported event encryption algorithm")
+	ErrNotEncryptedForMe                   = errors.New("olm event doesn't contain ciphertext for this device")
+	ErrUnsupportedOlmMessageType           = errors.New("unsupported olm message type")
+	ErrDecryptionFailedWithMatchingSession = errors.New("decryption failed with matching session")
+	ErrDecryptionFailedForNormalMessage    = errors.New("decryption failed for normal message")
+	ErrSenderMismatch                      = errors.New("mismatched sender in olm payload")
+	ErrRecipientMismatch                   = errors.New("mismatched recipient in olm payload")
+	ErrRecipientKeyMismatch                = errors.New("mismatched recipient key in olm payload")
+	ErrDuplicateMessage                    = errors.New("duplicate olm message")
+)
+
+// Deprecated: use variables prefixed with Err
+var (
+	UnsupportedAlgorithm                = ErrUnsupportedAlgorithm
+	NotEncryptedForMe                   = ErrNotEncryptedForMe
+	UnsupportedOlmMessageType           = ErrUnsupportedOlmMessageType
+	DecryptionFailedWithMatchingSession = ErrDecryptionFailedWithMatchingSession
+	DecryptionFailedForNormalMessage    = ErrDecryptionFailedForNormalMessage
+	SenderMismatch                      = ErrSenderMismatch
+	RecipientMismatch                   = ErrRecipientMismatch
+	RecipientKeyMismatch                = ErrRecipientKeyMismatch
 )
 
 // DecryptedOlmEvent represents an event that was decrypted from an event encrypted with the m.olm.v1.curve25519-aes-sha2 algorithm.
@@ -56,13 +68,13 @@ type DecryptedOlmEvent struct {
 func (mach *OlmMachine) decryptOlmEvent(ctx context.Context, evt *event.Event) (*DecryptedOlmEvent, error) {
 	content, ok := evt.Content.Parsed.(*event.EncryptedEventContent)
 	if !ok {
-		return nil, IncorrectEncryptedContentType
+		return nil, ErrIncorrectEncryptedContentType
 	} else if content.Algorithm != id.AlgorithmOlmV1 {
-		return nil, UnsupportedAlgorithm
+		return nil, ErrUnsupportedAlgorithm
 	}
 	ownContent, ok := content.OlmCiphertext[mach.account.IdentityKey()]
 	if !ok {
-		return nil, NotEncryptedForMe
+		return nil, ErrNotEncryptedForMe
 	}
 	decrypted, err := mach.decryptAndParseOlmCiphertext(ctx, evt, content.SenderKey, ownContent.Type, ownContent.Body)
 	if err != nil {
@@ -78,7 +90,7 @@ type OlmEventKeys struct {
 
 func (mach *OlmMachine) decryptAndParseOlmCiphertext(ctx context.Context, evt *event.Event, senderKey id.SenderKey, olmType id.OlmMsgType, ciphertext string) (*DecryptedOlmEvent, error) {
 	if olmType != id.OlmMsgTypePreKey && olmType != id.OlmMsgTypeMsg {
-		return nil, UnsupportedOlmMessageType
+		return nil, ErrUnsupportedOlmMessageType
 	}
 
 	log := mach.machOrContextLog(ctx).With().
@@ -102,11 +114,11 @@ func (mach *OlmMachine) decryptAndParseOlmCiphertext(ctx context.Context, evt *e
 	}
 	olmEvt.Type.Class = evt.Type.Class
 	if evt.Sender != olmEvt.Sender {
-		return nil, SenderMismatch
+		return nil, ErrSenderMismatch
 	} else if mach.Client.UserID != olmEvt.Recipient {
-		return nil, RecipientMismatch
+		return nil, ErrRecipientMismatch
 	} else if mach.account.SigningKey() != olmEvt.RecipientKeys.Ed25519 {
-		return nil, RecipientKeyMismatch
+		return nil, ErrRecipientKeyMismatch
 	}
 
 	if len(olmEvt.Content.VeryRaw) > 0 {
@@ -122,6 +134,9 @@ func (mach *OlmMachine) decryptAndParseOlmCiphertext(ctx context.Context, evt *e
 }
 
 func olmMessageHash(ciphertext string) ([32]byte, error) {
+	if ciphertext == "" {
+		return [32]byte{}, fmt.Errorf("empty ciphertext")
+	}
 	ciphertextBytes, err := base64.RawStdEncoding.DecodeString(ciphertext)
 	return sha256.Sum256(ciphertextBytes), err
 }
@@ -151,7 +166,7 @@ func (mach *OlmMachine) tryDecryptOlmCiphertext(ctx context.Context, sender id.U
 
 	plaintext, err := mach.tryDecryptOlmCiphertextWithExistingSession(ctx, senderKey, olmType, ciphertext, ciphertextHash)
 	if err != nil {
-		if err == DecryptionFailedWithMatchingSession {
+		if err == ErrDecryptionFailedWithMatchingSession {
 			log.Warn().Msg("Found matching session, but decryption failed")
 			go mach.unwedgeDevice(log, sender, senderKey)
 		}
@@ -169,10 +184,10 @@ func (mach *OlmMachine) tryDecryptOlmCiphertext(ctx context.Context, sender id.U
 	// if it isn't one at this point in time anymore, so return early.
 	if olmType != id.OlmMsgTypePreKey {
 		go mach.unwedgeDevice(log, sender, senderKey)
-		return nil, DecryptionFailedForNormalMessage
+		return nil, ErrDecryptionFailedForNormalMessage
 	}
 
-	accountBackup, err := mach.account.Internal.Pickle([]byte("tmp"))
+	accountBackup, _ := mach.account.Internal.Pickle([]byte("tmp"))
 	log.Trace().Msg("Trying to create inbound session")
 	endTimeTrace = mach.timeTrace(ctx, "creating inbound olm session", time.Second)
 	session, err := mach.createInboundSession(ctx, senderKey, ciphertext)
@@ -302,7 +317,7 @@ func (mach *OlmMachine) tryDecryptOlmCiphertextWithExistingSession(
 				Str("session_description", session.Describe()).
 				Msg("Failed to decrypt olm message")
 			if olmType == id.OlmMsgTypePreKey {
-				return nil, DecryptionFailedWithMatchingSession
+				return nil, ErrDecryptionFailedWithMatchingSession
 			}
 		} else {
 			endTimeTrace = mach.timeTrace(ctx, "updating session in database", time.Second)
@@ -345,7 +360,7 @@ func (mach *OlmMachine) unwedgeDevice(log zerolog.Logger, sender id.UserID, send
 	ctx := log.WithContext(mach.backgroundCtx)
 	mach.recentlyUnwedgedLock.Lock()
 	prevUnwedge, ok := mach.recentlyUnwedged[senderKey]
-	delta := time.Now().Sub(prevUnwedge)
+	delta := time.Since(prevUnwedge)
 	if ok && delta < MinUnwedgeInterval {
 		log.Debug().
 			Str("previous_recreation", delta.String()).

crypto/devicelist.go

@@ -22,14 +22,23 @@ import (
 )
 
 var (
-	MismatchingDeviceID   = errors.New("mismatching device ID in parameter and keys object")
-	MismatchingUserID     = errors.New("mismatching user ID in parameter and keys object")
-	MismatchingSigningKey = errors.New("received update for device with different signing key")
-	NoSigningKeyFound     = errors.New("didn't find ed25519 signing key")
-	NoIdentityKeyFound    = errors.New("didn't find curve25519 identity key")
-	InvalidKeySignature   = errors.New("invalid signature on device keys")
+	ErrMismatchingDeviceID   = errors.New("mismatching device ID in parameter and keys object")
+	ErrMismatchingUserID     = errors.New("mismatching user ID in parameter and keys object")
+	ErrMismatchingSigningKey = errors.New("received update for device with different signing key")
+	ErrNoSigningKeyFound     = errors.New("didn't find ed25519 signing key")
+	ErrNoIdentityKeyFound    = errors.New("didn't find curve25519 identity key")
+	ErrInvalidKeySignature   = errors.New("invalid signature on device keys")
+	ErrUserNotTracked        = errors.New("user is not tracked")
+)
 
-	ErrUserNotTracked = errors.New("user is not tracked")
+// Deprecated: use variables prefixed with Err
+var (
+	MismatchingDeviceID   = ErrMismatchingDeviceID
+	MismatchingUserID     = ErrMismatchingUserID
+	MismatchingSigningKey = ErrMismatchingSigningKey
+	NoSigningKeyFound     = ErrNoSigningKeyFound
+	NoIdentityKeyFound    = ErrNoIdentityKeyFound
+	InvalidKeySignature   = ErrInvalidKeySignature
 )
 
 func (mach *OlmMachine) LoadDevices(ctx context.Context, user id.UserID) (keys map[id.DeviceID]*id.Device) {
@@ -312,28 +321,28 @@ func (mach *OlmMachine) OnDevicesChanged(ctx context.Context, userID id.UserID)
 
 func (mach *OlmMachine) validateDevice(userID id.UserID, deviceID id.DeviceID, deviceKeys mautrix.DeviceKeys, existing *id.Device) (*id.Device, error) {
 	if deviceID != deviceKeys.DeviceID {
-		return nil, fmt.Errorf("%w (expected %s, got %s)", MismatchingDeviceID, deviceID, deviceKeys.DeviceID)
+		return nil, fmt.Errorf("%w (expected %s, got %s)", ErrMismatchingDeviceID, deviceID, deviceKeys.DeviceID)
 	} else if userID != deviceKeys.UserID {
-		return nil, fmt.Errorf("%w (expected %s, got %s)", MismatchingUserID, userID, deviceKeys.UserID)
+		return nil, fmt.Errorf("%w (expected %s, got %s)", ErrMismatchingUserID, userID, deviceKeys.UserID)
 	}
 
 	signingKey := deviceKeys.Keys.GetEd25519(deviceID)
 	identityKey := deviceKeys.Keys.GetCurve25519(deviceID)
 	if signingKey == "" {
-		return nil, NoSigningKeyFound
+		return nil, ErrNoSigningKeyFound
 	} else if identityKey == "" {
-		return nil, NoIdentityKeyFound
+		return nil, ErrNoIdentityKeyFound
 	}
 
 	if existing != nil && existing.SigningKey != signingKey {
-		return existing, fmt.Errorf("%w (expected %s, got %s)", MismatchingSigningKey, existing.SigningKey, signingKey)
+		return existing, fmt.Errorf("%w (expected %s, got %s)", ErrMismatchingSigningKey, existing.SigningKey, signingKey)
 	}
 
 	ok, err := signatures.VerifySignatureJSON(deviceKeys, userID, deviceID.String(), signingKey)
 	if err != nil {
 		return existing, fmt.Errorf("failed to verify signature: %w", err)
 	} else if !ok {
-		return existing, InvalidKeySignature
+		return existing, ErrInvalidKeySignature
 	}
 
 	name, ok := deviceKeys.Unsigned["device_display_name"].(string)

crypto/encryptmegolm.go

@@ -25,7 +25,12 @@ import (
 )
 
 var (
-	NoGroupSession = errors.New("no group session created")
+	ErrNoGroupSession = errors.New("no group session created")
+)
+
+// Deprecated: use variables prefixed with Err
+var (
+	NoGroupSession = ErrNoGroupSession
 )
 
 func getRawJSON[T any](content json.RawMessage, path ...string) *T {
@@ -82,15 +87,20 @@ type rawMegolmEvent struct {
 
 // IsShareError returns true if the error is caused by the lack of an outgoing megolm session and can be solved with OlmMachine.ShareGroupSession
 func IsShareError(err error) bool {
-	return err == SessionExpired || err == SessionNotShared || err == NoGroupSession
+	return err == ErrSessionExpired || err == ErrSessionNotShared || err == ErrNoGroupSession
 }
 
 func ParseMegolmMessageIndex(ciphertext []byte) (uint, error) {
+	if len(ciphertext) == 0 {
+		return 0, fmt.Errorf("empty ciphertext")
+	}
 	decoded := make([]byte, base64.RawStdEncoding.DecodedLen(len(ciphertext)))
 	var err error
 	_, err = base64.RawStdEncoding.Decode(decoded, ciphertext)
 	if err != nil {
 		return 0, err
+	} else if len(decoded) < 2+binary.MaxVarintLen64 {
+		return 0, fmt.Errorf("decoded ciphertext too short: %d bytes", len(decoded))
 	} else if decoded[0] != 3 || decoded[1] != 8 {
 		return 0, fmt.Errorf("unexpected initial bytes %d and %d", decoded[0], decoded[1])
 	}
@@ -120,7 +130,7 @@ func (mach *OlmMachine) EncryptMegolmEventWithStateKey(ctx context.Context, room
 	if err != nil {
 		return nil, fmt.Errorf("failed to get outbound group session: %w", err)
 	} else if session == nil {
-		return nil, NoGroupSession
+		return nil, ErrNoGroupSession
 	}
 	plaintext, err := json.Marshal(&rawMegolmEvent{
 		RoomID:   roomID,
@@ -164,6 +174,15 @@ func (mach *OlmMachine) EncryptMegolmEventWithStateKey(ctx context.Context, room
 		SenderKey: mach.account.IdentityKey(),
 		DeviceID:  mach.Client.DeviceID,
 	}
+	if mach.MSC4392Relations && encrypted.RelatesTo != nil {
+		// When MSC4392 mode is enabled, reply and reaction metadata is stripped from the unencrypted content.
+		// Other relations like threads are still left unencrypted.
+		encrypted.RelatesTo.InReplyTo = nil
+		encrypted.RelatesTo.IsFallingBack = false
+		if evtType == event.EventReaction || encrypted.RelatesTo.Type == "" {
+			encrypted.RelatesTo = nil
+		}
+	}
 	if mach.PlaintextMentions {
 		encrypted.Mentions = getMentions(content)
 	}
@@ -351,26 +370,19 @@ func (mach *OlmMachine) encryptAndSendGroupSession(ctx context.Context, session
 	log.Trace().Msg("Encrypting group session for all found devices")
 	deviceCount := 0
 	toDevice := &mautrix.ReqSendToDevice{Messages: make(map[id.UserID]map[id.DeviceID]*event.Content)}
+	logUsers := zerolog.Dict()
 	for userID, sessions := range olmSessions {
 		if len(sessions) == 0 {
 			continue
 		}
+		logDevices := zerolog.Dict()
 		output := make(map[id.DeviceID]*event.Content)
 		toDevice.Messages[userID] = output
 		for deviceID, device := range sessions {
-			log.Trace().
-				Stringer("target_user_id", userID).
-				Stringer("target_device_id", deviceID).
-				Stringer("target_identity_key", device.identity.IdentityKey).
-				Msg("Encrypting group session for device")
 			content := mach.encryptOlmEvent(ctx, device.session, device.identity, event.ToDeviceRoomKey, session.ShareContent())
 			output[deviceID] = &event.Content{Parsed: content}
+			logDevices.Str(string(deviceID), string(device.identity.IdentityKey))
 			deviceCount++
-			log.Debug().
-				Stringer("target_user_id", userID).
-				Stringer("target_device_id", deviceID).
-				Stringer("target_identity_key", device.identity.IdentityKey).
-				Msg("Encrypted group session for device")
 			if !mach.DisableSharedGroupSessionTracking {
 				err := mach.CryptoStore.MarkOutboundGroupSessionShared(ctx, userID, device.identity.IdentityKey, session.id)
 				if err != nil {
@@ -384,11 +396,13 @@ func (mach *OlmMachine) encryptAndSendGroupSession(ctx context.Context, session
 				}
 			}
 		}
+		logUsers.Dict(string(userID), logDevices)
 	}
 
 	log.Debug().
 		Int("device_count", deviceCount).
 		Int("user_count", len(toDevice.Messages)).
+		Dict("destination_map", logUsers).
 		Msg("Sending to-device messages to share group session")
 	_, err := mach.Client.SendToDevice(ctx, event.ToDeviceEncrypted, toDevice)
 	return err

crypto/encryptolm.go

@@ -96,15 +96,19 @@ func (mach *OlmMachine) encryptOlmEvent(ctx context.Context, session *OlmSession
 		panic(err)
 	}
 	log := mach.machOrContextLog(ctx)
-	log.Debug().
-		Str("recipient_identity_key", recipient.IdentityKey.String()).
-		Str("olm_session_id", session.ID().String()).
-		Str("olm_session_description", session.Describe()).
-		Msg("Encrypting olm message")
 	msgType, ciphertext, err := session.Encrypt(plaintext)
 	if err != nil {
 		panic(err)
 	}
+	ciphertextStr := string(ciphertext)
+	ciphertextHash, _ := olmMessageHash(ciphertextStr)
+	log.Debug().
+		Stringer("event_type", evtType).
+		Str("recipient_identity_key", recipient.IdentityKey.String()).
+		Str("olm_session_id", session.ID().String()).
+		Str("olm_session_description", session.Describe()).
+		Hex("ciphertext_hash", ciphertextHash[:]).
+		Msg("Encrypted olm message")
 	err = mach.CryptoStore.UpdateSession(ctx, recipient.IdentityKey, session)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to update olm session in crypto store after encrypting")
@@ -115,7 +119,7 @@ func (mach *OlmMachine) encryptOlmEvent(ctx context.Context, session *OlmSession
 		OlmCiphertext: event.OlmCiphertexts{
 			recipient.IdentityKey: {
 				Type: msgType,
-				Body: string(ciphertext),
+				Body: ciphertextStr,
 			},
 		},
 	}

crypto/goolm/account/account.go

@@ -334,7 +334,7 @@ func (a *Account) UnpickleLibOlm(buf []byte) error {
 	if err != nil {
 		return err
 	} else if pickledVersion != accountPickleVersionLibOLM && pickledVersion != 3 && pickledVersion != 2 {
-		return fmt.Errorf("unpickle account: %w (found version %d)", olm.ErrBadVersion, pickledVersion)
+		return fmt.Errorf("unpickle account: %w (found version %d)", olm.ErrUnknownOlmPickleVersion, pickledVersion)
 	} else if err = a.IdKeys.Ed25519.UnpickleLibOlm(decoder); err != nil { // read the ed25519 key pair
 		return err
 	} else if err = a.IdKeys.Curve25519.UnpickleLibOlm(decoder); err != nil { // read curve25519 key pair

crypto/goolm/account/account_test.go

@@ -124,7 +124,7 @@ func TestOldAccountPickle(t *testing.T) {
 	account, err := account.NewAccount()
 	assert.NoError(t, err)
 	err = account.Unpickle(pickled, pickleKey)
-	assert.ErrorIs(t, err, olm.ErrBadVersion)
+	assert.ErrorIs(t, err, olm.ErrUnknownOlmPickleVersion)
 }
 
 func TestLoopback(t *testing.T) {

crypto/goolm/crypto/curve25519.go

@@ -53,6 +53,7 @@ func (c Curve25519KeyPair) B64Encoded() id.Curve25519 {
 
 // SharedSecret returns the shared secret between the key pair and the given public key.
 func (c Curve25519KeyPair) SharedSecret(pubKey Curve25519PublicKey) ([]byte, error) {
+	// Note: the standard library checks that the output is non-zero
 	return c.PrivateKey.SharedSecret(pubKey)
 }
 

crypto/goolm/crypto/curve25519_test.go

@@ -25,6 +25,8 @@ func TestCurve25519(t *testing.T) {
 	fromPrivate, err := crypto.Curve25519GenerateFromPrivate(firstKeypair.PrivateKey)
 	assert.NoError(t, err)
 	assert.Equal(t, fromPrivate, firstKeypair)
+	_, err = secondKeypair.SharedSecret(make([]byte, crypto.Curve25519PublicKeyLength))
+	assert.Error(t, err)
 }
 
 func TestCurve25519Case1(t *testing.T) {

crypto/goolm/goolmbase64/base64.go

@@ -4,7 +4,8 @@ import (
 	"encoding/base64"
 )
 
-// Deprecated: base64.RawStdEncoding should be used directly
+// These methods should only be used for raw byte operations, never with string conversion
+
 func Decode(input []byte) ([]byte, error) {
 	decoded := make([]byte, base64.RawStdEncoding.DecodedLen(len(input)))
 	writtenBytes, err := base64.RawStdEncoding.Decode(decoded, input)
@@ -14,7 +15,6 @@ func Decode(input []byte) ([]byte, error) {
 	return decoded[:writtenBytes], nil
 }
 
-// Deprecated: base64.RawStdEncoding should be used directly
 func Encode(input []byte) []byte {
 	encoded := make([]byte, base64.RawStdEncoding.EncodedLen(len(input)))
 	base64.RawStdEncoding.Encode(encoded, input)

crypto/goolm/libolmpickle/picklejson.go

@@ -50,7 +50,7 @@ func UnpickleAsJSON(object any, pickled, key []byte, pickleVersion byte) error {
 		}
 	}
 	if decrypted[0] != pickleVersion {
-		return fmt.Errorf("unpickle: %w", olm.ErrWrongPickleVersion)
+		return fmt.Errorf("unpickle: %w", olm.ErrUnknownJSONPickleVersion)
 	}
 	err = json.Unmarshal(decrypted[1:], object)
 	if err != nil {

crypto/goolm/message/decoder.go

@@ -3,6 +3,9 @@ package message
 import (
 	"bytes"
 	"encoding/binary"
+	"fmt"
+
+	"maunium.net/go/mautrix/crypto/olm"
 )
 
 type Decoder struct {
@@ -20,6 +23,8 @@ func (d *Decoder) ReadVarInt() (uint64, error) {
 func (d *Decoder) ReadVarBytes() ([]byte, error) {
 	if n, err := d.ReadVarInt(); err != nil {
 		return nil, err
+	} else if n > uint64(d.Len()) {
+		return nil, fmt.Errorf("%w: var bytes length says %d, but only %d bytes left", olm.ErrInputToSmall, n, d.Available())
 	} else {
 		out := make([]byte, n)
 		_, err = d.Read(out)

crypto/goolm/message/group_message.go

@@ -2,10 +2,12 @@ package message
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 
 	"maunium.net/go/mautrix/crypto/goolm/aessha2"
 	"maunium.net/go/mautrix/crypto/goolm/crypto"
+	"maunium.net/go/mautrix/crypto/olm"
 )
 
 const (
@@ -36,6 +38,9 @@ func (r *GroupMessage) Decode(input []byte) (err error) {
 	if err != nil {
 		return
 	}
+	if r.Version != protocolVersion {
+		return fmt.Errorf("GroupMessage.Decode: %w (got %d, expected %d)", olm.ErrWrongProtocolVersion, r.Version, protocolVersion)
+	}
 
 	for {
 		// Read Key

crypto/goolm/message/message.go

@@ -2,10 +2,12 @@ package message
 
 import (
 	"bytes"
+	"fmt"
 	"io"
 
 	"maunium.net/go/mautrix/crypto/goolm/aessha2"
 	"maunium.net/go/mautrix/crypto/goolm/crypto"
+	"maunium.net/go/mautrix/crypto/olm"
 )
 
 const (
@@ -40,6 +42,9 @@ func (r *Message) Decode(input []byte) (err error) {
 	if err != nil {
 		return
 	}
+	if r.Version != protocolVersion {
+		return fmt.Errorf("Message.Decode: %w (got %d, expected %d)", olm.ErrWrongProtocolVersion, r.Version, protocolVersion)
+	}
 
 	for {
 		// Read Key

crypto/goolm/message/prekey_message.go

@@ -1,6 +1,7 @@
 package message
 
 import (
+	"fmt"
 	"io"
 
 	"maunium.net/go/mautrix/crypto/goolm/crypto"
@@ -22,6 +23,11 @@ type PreKeyMessage struct {
 	Message     []byte                     `json:"message"`
 }
 
+// TODO deduplicate constant with one in session/olm_session.go
+const (
+	protocolVersion = 0x3
+)
+
 // Decodes decodes the input and populates the corresponding fileds.
 func (r *PreKeyMessage) Decode(input []byte) (err error) {
 	r.Version = 0
@@ -41,6 +47,9 @@ func (r *PreKeyMessage) Decode(input []byte) (err error) {
 		}
 		return
 	}
+	if r.Version != protocolVersion {
+		return fmt.Errorf("PreKeyMessage.Decode: %w (got %d, expected %d)", olm.ErrWrongProtocolVersion, r.Version, protocolVersion)
+	}
 
 	for {
 		// Read Key

crypto/goolm/message/session_export.go

@@ -35,7 +35,7 @@ func (s *MegolmSessionExport) Decode(input []byte) error {
 		return fmt.Errorf("decrypt: %w", olm.ErrBadInput)
 	}
 	if input[0] != sessionExportVersion {
-		return fmt.Errorf("decrypt: %w", olm.ErrBadVersion)
+		return fmt.Errorf("decrypt: %w", olm.ErrUnknownOlmPickleVersion)
 	}
 	s.Counter = binary.BigEndian.Uint32(input[1:5])
 	copy(s.RatchetData[:], input[5:133])

crypto/goolm/message/session_sharing.go

@@ -42,7 +42,7 @@ func (s *MegolmSessionSharing) VerifyAndDecode(input []byte) error {
 	}
 	s.PublicKey = publicKey
 	if input[0] != sessionSharingVersion {
-		return fmt.Errorf("verify: %w", olm.ErrBadVersion)
+		return fmt.Errorf("verify: %w", olm.ErrUnknownOlmPickleVersion)
 	}
 	s.Counter = binary.BigEndian.Uint32(input[1:5])
 	copy(s.RatchetData[:], input[5:133])

crypto/goolm/pk/decryption.go

@@ -103,7 +103,7 @@ func (a *Decryption) UnpickleLibOlm(unpickled []byte) error {
 	if pickledVersion == decryptionPickleVersionLibOlm {
 		return a.KeyPair.UnpickleLibOlm(decoder)
 	} else {
-		return fmt.Errorf("unpickle olmSession: %w (found %d, expected %d)", olm.ErrBadVersion, pickledVersion, decryptionPickleVersionLibOlm)
+		return fmt.Errorf("unpickle olmSession: %w (found %d, expected %d)", olm.ErrUnknownOlmPickleVersion, pickledVersion, decryptionPickleVersionLibOlm)
 	}
 }
 

crypto/goolm/pk/encryption.go

@@ -37,6 +37,9 @@ func (e Encryption) Encrypt(plaintext []byte, privateKey crypto.Curve25519Privat
 		return nil, nil, err
 	}
 	cipher, err := aessha2.NewAESSHA2(sharedSecret, nil)
+	if err != nil {
+		return nil, nil, err
+	}
 	ciphertext, err = cipher.Encrypt(plaintext)
 	if err != nil {
 		return nil, nil, err

crypto/goolm/ratchet/olm.go

@@ -142,7 +142,7 @@ func (r *Ratchet) Decrypt(input []byte) ([]byte, error) {
 		return nil, err
 	}
 	if message.Version != protocolVersion {
-		return nil, fmt.Errorf("decrypt: %w", olm.ErrWrongProtocolVersion)
+		return nil, fmt.Errorf("decrypt: %w (got %d, expected %d)", olm.ErrWrongProtocolVersion, message.Version, protocolVersion)
 	}
 	if !message.HasCounter || len(message.RatchetKey) == 0 || len(message.Ciphertext) == 0 {
 		return nil, fmt.Errorf("decrypt: %w", olm.ErrBadMessageFormat)

crypto/goolm/session/megolm_inbound_session.go

@@ -99,7 +99,7 @@ func (o *MegolmInboundSession) getRatchet(messageIndex uint32) (*megolm.Ratchet,
 	}
 	if (messageIndex - o.InitialRatchet.Counter) >= uint32(1<<31) {
 		// the counter is before our initial ratchet - we can't decode this
-		return nil, fmt.Errorf("decrypt: %w", olm.ErrRatchetNotAvailable)
+		return nil, fmt.Errorf("decrypt: %w", olm.ErrUnknownMessageIndex)
 	}
 	// otherwise, start from the initial ratchet. Take a copy so that we don't overwrite the initial ratchet
 	copiedRatchet := o.InitialRatchet
@@ -126,7 +126,7 @@ func (o *MegolmInboundSession) Decrypt(ciphertext []byte) ([]byte, uint, error)
 		return nil, 0, err
 	}
 	if msg.Version != protocolVersion {
-		return nil, 0, fmt.Errorf("decrypt: %w", olm.ErrWrongProtocolVersion)
+		return nil, 0, fmt.Errorf("decrypt: %w (got %d, expected %d)", olm.ErrWrongProtocolVersion, msg.Version, protocolVersion)
 	}
 	if msg.Ciphertext == nil || !msg.HasMessageIndex {
 		return nil, 0, fmt.Errorf("decrypt: %w", olm.ErrBadMessageFormat)
@@ -206,7 +206,7 @@ func (o *MegolmInboundSession) UnpickleLibOlm(value []byte) error {
 		return err
 	}
 	if pickledVersion != megolmInboundSessionPickleVersionLibOlm && pickledVersion != 1 {
-		return fmt.Errorf("unpickle MegolmInboundSession: %w (found version %d)", olm.ErrBadVersion, pickledVersion)
+		return fmt.Errorf("unpickle MegolmInboundSession: %w (found version %d)", olm.ErrUnknownOlmPickleVersion, pickledVersion)
 	}
 
 	if err = o.InitialRatchet.UnpickleLibOlm(decoder); err != nil {