Version 1.13.2

Note the STS headers are sent even if we comment it out in nginx because it apparently
comes from rails 6.1 - https://github.com/mastodon/mastodon/issues/17083

CHANGELOG

@@ -7,3 +7,475 @@
 [1.1.0]
 * Update Mastodon to 3.1.2
 
+[1.1.1]
+* Run db migration script on updates
+
+[1.1.2]
+* Update Mastodon to 3.1.3
+* Add ability to filter audit log in admin UI (Gargron)
+* Add titles to warning presets in admin UI (Gargron)
+* Add option to include resolved DNS records when blacklisting e-mail domains in admin UI (Gargron)
+* Add ability to delete files uploaded for settings in admin UI (ThibG)
+* Add sorting by username, creation and last activity in admin UI (ThibG)
+* Add explanation as to why unlocked accounts may have follow requests in web UI (ThibG)
+* Add link to bookmarks to dropdown in web UI (mayaeh)
+* Add support for links to statuses in announcements to be opened in web UI (ThibG, ThibG)
+* Add tooltips to audio/video player buttons in web UI (ariasuni)
+* Add submit button to the top of preferences pages (guigeekz)
+
+[1.2.0]
+* Use latest base image 2.0.0
+* Update the memory limit to 1.5.GB
+
+[1.3.0]
+* Add forumUrl
+
+[1.3.1]
+* Update Mastodon to 3.1.5
+* [Full changelog](https://github.com/tootsuite/mastodon/releases/tag/v3.1.5)
+* Security: Fix media attachment enumeration (ThibG)
+* Security: Change rate limits for various paths (Gargron)
+* Security: Fix other sessions not being logged out on password change (Gargron)
+
+[1.4.0]
+* Update Mastodon to 3.2.0
+* [Full changelog](https://github.com/tootsuite/mastodon/releases/tag/v3.2.0)
+* Add hotkey for toggling content warning input in web UI (ThibG)
+* Add support for summary field for media description in ActivityPub (ThibG)
+* Add hints about incomplete remote content to web UI (Gargron, noellabo)
+* Add personal notes for accounts (ThibG, Gargron, Sasha-Sorokin)
+* Add customizable thumbnails for audio and video attachments (Gargron, Gargron, Gargron, Gargron, ThibG, ThibG, noellabo, noellabo)
+* Add a visibility indicator to toots in web UI (noellabo, highemerly)
+* Add tootctl email_domain_blocks (tateisu, Gargron)
+* Add "Add new domain block" to header of federation page in admin UI (ariasuni)
+* Add ability to keep emoji picker open with ctrl+click in web UI (bclindner, noellabo)
+* Add custom icon for private boosts in web UI (ThibG)
+* Add support for Create and Update activities that don't inline objects in ActivityPub (ThibG)
+* Add support for Undo activities that don't inline activities in ActivityPub (ThibG)
+
+[1.4.1]
+* Add cron job to cleanup cached files
+
+[1.4.2]
+* Update Mastodon to 3.2.1
+* [Full changelog](https://github.com/tootsuite/mastodon/releases/tag/v3.2.1)
+* Add support for latest HTTP Signatures spec draft (ThibG)
+* Add support for inlined objects in ActivityPub to/cc (ThibG)
+* Fix crash when failing to load emoji picker in web UI (ThibG)
+* Fix contrast requirements in thumbnail color extraction (ThibG)
+* Fix audio/video player not using CDN_HOST on public pages (ThibG)
+* Fix private boost icon not being used on public pages (OmmyZhang)
+* Fix audio player on Safari in web UI (ThibG, ThibG)
+
+[1.4.3]
+* Install ffmpeg. This was causing sidekiq jobs to fail
+
+[1.4.4]
+* Update Mastodon to 3.2.2
+* Remove dependency on unused and unmaintained http_parser.rb gem (ThibG)
+* Fix Move handler not being triggered when failing to fetch target account (ThibG)
+* Fix downloading remote media files when server returns empty filename (ThibG)
+* Fix possible casing inconsistencies in hashtag search (ThibG)
+* Fix updating account counters when association is not yet created (Gargron)
+* Fix account processing failing because of large collections (ThibG)
+* Fix resolving an account through its non-canonical form (i.e. alternate domain) (ThibG)
+* Fix slow distinct queries where grouped queries are faster (Gargron)
+* Fix 2FA/sign-in token sessions being valid after password change (Gargron)
+* Fix resolving accounts sometimes creating duplicate records for a given ActivityPub identifier (ThibG)
+
+[1.5.0]
+* Update Mastodon to 3.3.0
+* [Full changelog](https://github.com/tootsuite/mastodon/releases/tag/v3.3.0)
+* Add hotkeys for audio/video control in web UI (Gargron, Gargron)
+* Add expand/compress button on media modal in web UI (mashirozx, mashirozx, mashirozx)
+* Add border around man_dancing emoji in web UI (ThibG)
+* Add border around beetle emoji in web UI (ThibG)
+* Add home link to the getting started column when home isn't mounted (ThibG)
+* Add option to disable swiping motions across the web UI (ThibG)
+* Add pop-out player for audio/video in web UI (Gargron, Gargron, Gargron, noellabo) 
+
+[1.6.0]
+* Update base image to v3
+
+[1.6.1]
+* Update Mastodon to 3.4.0
+* Add follow recommendations for onboarding
+* Update dependencies
+
+[1.6.2]
+* Update Mastodon to 3.4.1
+* Add new emoji assets from Twemoji 13.1.0
+* Fix some ActivityPub identifiers in server actor outbox (ClearlyClaire)
+* Fix custom CSS path setting cookies and being uncacheable due to it (tribela)
+* Fix unread notification count when polling in web UI (ClearlyClaire)
+* Fix health check not being accessible through localhost (ClearlyClaire)
+* Fix some redis locks auto-releasing too fast (ClearlyClaire, ClearlyClaire)
+* Fix e-mail confirmations API not working correctly (Gargron)
+* Fix migration script not being able to run if it fails midway (ClearlyClaire)
+* Fix account deletion sometimes failing because of optimistic locks (ClearlyClaire)
+* Fix deprecated slash as division in SASS files (ClearlyClaire)
+* Fix tootctl search deploy compatibility error on Ruby 3 (ClearlyClaire)
+* Fix mailer jobs for deleted notifications erroring out (ClearlyClaire)
+
+[1.7.0]
+* Add `/app/data/config.sh` to customize puma, sidekiq and streaming configs
+
+[1.7.1]
+* Update Mastodon to 3.4.3
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.4.2)
+* Fix handling of back button with modal windows in web UI (ClearlyClaire)
+* Fix pop-in player when author has long username in web UI (ClearlyClaire)
+* Fix crash when a status with a playing video gets deleted in web UI (ClearlyClaire)
+* Fix crash with Microsoft Translate in web UI (ClearlyClaire)
+* Fix PWA not being usable from alternate domains (HolgerHuo)
+* Fix locale-specific number rounding errors (ClearlyClaire)
+* Fix scheduling a status decreasing status count (ClearlyClaire)
+* Fix user's canonical email address being blocked when user deletes own account (ClearlyClaire)
+
+[1.7.2]
+* Update Mastodon to 3.4.4
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.4.4)
+* Fix error when suspending user with an already blocked canonical email (ClearlyClaire)
+* Fix overflow of long profile fields in admin UI (ClearlyClaire)
+* Fix confusing error when WebFinger request returns empty document (ClearlyClaire)
+* Fix upload of remote media with OpenStack Swift sometimes failing (ClearlyClaire)
+* Fix logout link not working in Safari (noellabo)
+* Fix “open” link of media modal not closing modal in web UI (ClearlyClaire)
+* Fix replying from modal in web UI (ClearlyClaire)
+
+[1.7.3]
+* Update base image to 3.2.0
+
+[1.7.4]
+* Update Mastodon to 3.4.5
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.4.5)
+
+[1.7.5]
+* Update Mastodon to 3.4.6
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.4.6)
+* Fix mastodon:webpush:generate_vapid_key task requiring a functional environment (ClearlyClaire)
+* Fix spurious errors when receiving an Add activity for a private post (ClearlyClaire)
+* Fix error-prone SQL queries (ClearlyClaire)
+* Fix not compacting incoming signed JSON-LD activities (puckipedia, ClearlyClaire) (CVE-2022-24307)
+* Fix insufficient sanitization of report comments (ClearlyClaire)
+* Fix stop condition of a Common Table Expression (ClearlyClaire)
+* Disable legacy XSS filtering (Wonderfall)
+
+[1.8.0]
+* Update Mastodon to 3.5.0
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.0)
+* Add support for incoming edited posts
+* Add appeals for moderator decisions
+* Add notifications for posts deleted by moderators
+* Add explore page with trending posts and links
+* Add graphs and retention metrics to admin dashboard
+* Add notifications for moderators about new sign-ups
+* Add ability to suspend accounts in batches in admin UI 
+
+[1.8.1]
+* Update Mastodon to 3.5.1
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.1)
+* Add pagination for trending statuses in web UI (Gargron)
+* Change e-mail notifications to only be sent when recipient is offline (Gargron)
+* Send e-mails for mentions and follows by default again
+* But only when recipient does not have push notifications through an app
+* Change website attribute to be nullable on Application entity in REST API (rinsuki)
+
+[1.8.2]
+* Update Mastodon to 3.5.2
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.2)
+* Add warning on direct messages screen in web UI (Gargron)
+  * We already had a warning when composing a direct message, it has now been reworded to be more clear
+  * Same warning is now displayed when viewing sent and received direct messages
+* Add ability to set approval-based registration through tootctl (ClearlyClaire)
+* Add pre-filling of domain from search filter in domain allow/block admin UI (ClearlyClaire)
+
+[1.8.3]
+* Update Mastodon to 3.5.3
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.3)
+* Add language dropdown to compose form in web UI (Gargron, ykzts)
+* Add warning for limited accounts in web UI (Gargron)
+* Add limited attribute to accounts in REST API (Gargron)
+
+[1.8.4]
+* Update Mastodon to 3.5.4
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.4)
+* Install ruby 3.0.4
+* Fix emoFix emoji substitution not applying only to text nodes in backend code (ClearlyClaire)
+* Fix emoji substitution not applying only to text nodes in Web UI (ClearlyClaire)
+* Fix rate limiting for paths with formats (Gargron)
+* Fix out-of-bound reads in blurhash transcoder (delroth)
+
+[1.8.5]
+* Update Mastodon to 3.5.5
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v3.5.5)
+* Fix nodes order being sometimes mangled when rewriting emoji (ClearlyClaire)
+
+[1.9.0]
+* Update Mastodon to 4.0.2
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.0.0)
+* Add ability to filter followed accounts' posts by language (Gargron, ClearlyClaire)
+* Add ability to follow hashtags (Gargron, Gargron, Gargron, noellabo)
+* Add ability to filter individual posts (ClearlyClaire)
+* Add ability to translate posts (Gargron, ClearlyClaire, Gargron, ClearlyClaire, Gargron, ykzts, Gargron)
+* Add featured tags to web UI (noellabo, noellabo, noellabo, noellabo, Gargron, ykzts, noellabo, noellabo, Gargron, Gargron, ClearlyClaire)
+* Add support for language preferences for trending statuses and links (Gargron, Gargron, ykzts)
+* Add server rules to sign-up flow (Gargron)
+* Add privacy icons to report modal in web UI (ClearlyClaire)
+* Add noopener to links to remote profiles in web UI (shleeable)
+* Add option to open original page in dropdowns of remote content in web UI (Gargron)
+* Add warning for sensitive audio posts in web UI (rgroothuijsen)
+* Add language attribute to posts in web UI (tribela)
+* Add support for uploading WebP files (Saiv46)
+* Add support for uploading audio/vnd.wave files (tribela)
+* Add support for uploading AVIF files (txt-file)
+* Add support for uploading HEIC files (Gargron)
+
+[1.9.0-1]
+* Cleanup preview-cards cache and orphaned media
+
+[1.9.1]
+* Only chown if needed
+
+[1.10.0]
+* Update base image to 4.0.0
+
+[1.11.0]
+* Update Mastodon to 4.1.0
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.0)
+* Add support for importing/exporting server-wide domain blocks (enbylenore, ClearlyClaire, dariusk, ClearlyClaire)
+* Add listing of followed hashtags (connorshea)
+* Add support for editing media description and focus point of already-sent posts (ClearlyClaire)
+* Add follow request banner on account header (ClearlyClaire)
+* Add confirmation screen when handling reports (ClearlyClaire, Gargron, tribela)
+* Add option to make the landing page be /about even when trends are enabled (ClearlyClaire)
+
+[1.11.1]
+* Update Mastodon to 4.1.1
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.1)
+* Add redirection from paths with url-encoded @ to their decoded form (thijskh)
+* Add lang attribute to native language names in language picker in Web UI (ClearlyClaire)
+* Add headers to outgoing mails to avoid auto-replies (ClearlyClaire)
+* Add support for refreshing many accounts at once with tootctl accounts refresh (9p4)
+* Add confirmation modal when clicking to edit a post with a non-empty compose form (PauloVilarinho)
+* Add support for the HAproxy PROXY protocol through the PROXY_PROTO_V1 environment variable (CSDUMMI)
+* Add SENDFILE_HEADER environment variable (Gargron)
+* Add cache headers to static files served through Rails (Gargron)
+* Increase contrast of upload progress bar background (toolmantim)
+* Change post auto-deletion throttling constants to better scale with server size (ClearlyClaire)
+* Change order of bookmark and favourite sidebar entries in single-column UI for consistency (TerryGarcia)
+* Change ActivityPub::DeliveryWorker retries to be spread out more (ClearlyClaire)
+* Fix “Remove all followers from the selected domains” also removing follows and notifications (ClearlyClaire)
+* Fix streaming metrics format (emilweth, emilweth)
+* Fix case-sensitive check for previously used hashtags in hashtag autocompletion (deanveloper)
+* Fix focus point of already-attached media not saving after edit (ClearlyClaire)
+* Fix sidebar behavior in settings/admin UI on mobile (wxt2005)
+* Fix inefficiency when searching accounts per username in admin interface (ClearlyClaire)
+* Fix duplicate “Publish” button on mobile (ClearlyClaire)
+* Fix server error when failing to follow back followers from /relationships (ClearlyClaire)
+* Fix server error when attempting to display the edit history of a trendable post in the admin interface (ClearlyClaire)
+* Fix tootctl accounts migrate crashing because of a typo (ClearlyClaire)
+* Fix original account being unfollowed on migration before the follow request to the new account could be sent (ClearlyClaire)
+* Fix the “Back” button in column headers sometimes leaving Mastodon (c960657)
+* Fix pgBouncer resetting application name on every transaction (Gargron)
+* Fix unconfirmed accounts being counted as active users (ClearlyClaire)
+* Fix /api/v1/streaming sub-paths not being redirected (ClearlyClaire)
+* Fix drag'n'drop upload area text that spans multiple lines not being centered (vintprox)
+* Fix sidekiq jobs not triggering Elasticsearch index updates (ClearlyClaire)
+* Fix tags being unnecessarily stripped from plain-text short site description (c960657)
+* Fix HTML entities not being un-escaped in extracted plain-text from remote posts (c960657)
+* Fix dashboard crash on ElasticSearch server error (ClearlyClaire)
+* Fix incorrect post links in strikes when the account is remote (ClearlyClaire)
+* Fix misleading error code when receiving invalid WebAuthn credentials (ClearlyClaire)
+* Fix duplicate mails being sent when the SMTP server is too slow to close the connection (ClearlyClaire)
+* Change user backups to use expiring URLs for download when possible (Gargron)
+* Add warning for object storage misconfiguration (ClearlyClaire)
+
+[1.11.2]
+* Update nginx config
+
+[1.11.3]
+* Update Mastodon to 4.1.2
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.2)
+* Fix crash in tootctl commands making use of parallelization when Elasticsearch is enabled (ClearlyClaire, ClearlyClaire)
+* Fix crash in db:setup when Elasticsearch is enabled (rrgeorge)
+* Fix user archive takeout when using OpenStack Swift or S3 providers with no ACL support (ClearlyClaire)
+* Fix invalid/expired invites being processed on sign-up (ClearlyClaire)
+* Update Ruby to 3.0.6 due to ReDoS vulnerabilities (saizai)
+* Fix unescaped user input in LDAP query (ClearlyClaire)
+
+[1.11.4]
+* Allow to customize cache retention days
+* Cleanup accounts cache
+
+[1.11.5]
+* Update Mastodon to 4.1.3
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.3)
+* fixing multiple critical security issues (CVE-2023-36460, CVE-2023-36459)
+* Change OpenGraph-based embeds to allow fullscreen (ClearlyClaire)
+* Change AccessTokensVacuum to also delete expired tokens (ClearlyClaire)
+* Change profile updates to be sent to recently-mentioned servers (ClearlyClaire)
+* Change automatic post deletion thresholds and load detection (ClearlyClaire)
+
+[1.11.6]
+* Update Mastodon to 4.1.4
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.4)
+* Fix branding:generate_app_icons failing because of disallowed ICO coder (ClearlyClaire)
+* Fix crash in admin interface when viewing a remote user with verified links (ClearlyClaire)
+* Fix processing of media files with unusual names (ClearlyClaire)
+
+[1.11.7]
+* Update Mastodon to 4.1.5
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.5)
+* Add check preventing Sidekiq workers from running with Makara configured (ClearlyClaire)
+* Change request timeout handling to use a longer deadline (ClearlyClaire)
+* Fix moderation interface for remote instances with a .zip TLD (ClearlyClaire)
+* Fix remote accounts being possibly persisted to database with incomplete protocol values (ClearlyClaire)
+* Fix trending publishers table not rendering correctly on narrow screens (vmstan)
+* Fix CSP headers being unintentionally wide (ClearlyClaire)
+
+[1.11.8]
+* Update Mastodon to 4.1.6
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.6)
+* Fix memory leak in streaming server (ThisIsMissEm)
+* Fix wrong filters sometimes applying in streaming (ClearlyClaire, ThisIsMissEm, renchap)
+* Fix incorrect connect timeout in outgoing requests (ClearlyClaire)
+
+[1.11.9]
+* Update Mastodon to 4.1.7
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.7)
+* Change remote report processing to accept reports with long comments, but truncate them (ThisIsMissEm)
+* Fix blocking subdomains of an already-blocked domain (ClearlyClaire)
+* Fix /api/v1/timelines/tag/:hashtag allowing for unauthenticated access when public preview is disabled (danielmbrasil)
+* Fix inefficiencies in PlainTextFormatter (ClearlyClaire)
+
+[1.11.10]
+* Update Mastodon to 4.1.8
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.8)
+* This release is an important security release fixing major security issues (CVE-2023-42451, CVE-2023-42452).
+* Fix post edits not being forwarded as expected (ClearlyClaire)
+* Fix moderator rights inconsistencies (ClearlyClaire)
+* Fix crash when encountering invalid URL (ClearlyClaire)
+* Fix cached posts including stale stats (ClearlyClaire)
+
+[1.11.11]
+* Update Mastodon to 4.1.9
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.1.9)
+* Fix post translation erroring out (ClearlyClaire)
+* Fix post edits not being forwarded as expected (ClearlyClaire)
+* Fix moderator rights inconsistencies (ClearlyClaire)
+* Fix crash when encountering invalid URL (ClearlyClaire)
+* Fix cached posts including stale stats (ClearlyClaire)
+* Fix uploading of video files for which ffprobe reports 0/0 average framerate (NicolaiSoeborg)
+* Fix unexpected audio stream transcoding when uploaded video is eligible to passthrough (yufushiro)
+* Fix missing HTML sanitization in translation API (CVE-2023-42452, GHSA-2693-xr3m-jhqr)
+* Fix incorrect domain name normalization (CVE-2023-42451, GHSA-v3xf-c9qf-j667)
+
+[1.12.0]
+* Update Mastodon to 4.2.0
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.0)
+* Add “Privacy and reach” tab in profile settings (Gargron, ClearlyClaire)
+* This reorganized scattered privacy and reach settings to a single place, as well as improve their wording.
+* Add display of out-of-band hashtags in the web interface (Gargron, arbolitoloco1, ClearlyClaire, ClearlyClaire, ClearlyClaire, Gargron, ClearlyClaire)
+* Add role badges to the web interface (ClearlyClaire, Gargron)
+* Add ability to pick domains to forward reports to using the forward_to_domains parameter in POST /api/v1/reports (ClearlyClaire, ClearlyClaire)
+* The forward_to_domains REST API parameter is a list of strings. If it is empty or omitted, the previous behavior is maintained.
+* The forward parameter still needs to be set for forward_to_domains to be taken into account.
+* The forwarded-to domains can only include that of the original author and people being replied to.
+* Add forwarding of reported replies to servers being replied to (Gargron, ClearlyClaire)
+* Add ONE_CLICK_SSO_LOGIN environment variable to directly link to the Single-Sign On provider if there is only one sign up method available (CSDUMMI, ClearlyClaire, CSDUMMI, ClearlyClaire)
+* Add webhook templating (Gargron)
+* Add webhooks for local status.created, status.updated, account.updated and report.updated (VyrCossont, VyrCossont, VyrCossont)
+
+[1.12.1]
+* Update Mastodon to 4.2.1
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.1)
+* Add redirection on /deck URLs for logged-out users (ClearlyClaire)
+* Add support for v4.2.0 migrations to tootctl maintenance fix-duplicates (ClearlyClaire)
+* Change some worker lock TTLs to be shorter-lived (ClearlyClaire)
+* Change user archive export allowed period from 7 days to 6 days (suddjian)
+
+[1.12.2]
+* Update Mastodon to 4.2.2
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.2)
+* Change dismissed banners to be stored server-side (ClearlyClaire)
+* Change GIF max matrix size error to explicitly mention GIF files (ClearlyClaire)
+* Change Follow activities delivery to bypass availability check (ShadowJonathan)
+* Change single-column navigation notice to be displayed outside of the logo container (renchap, renchap)
+* Change Content-Security-Policy to be tighter on media paths (ClearlyClaire)
+* Change post language code to include country code when relevant (gunchleoc, ClearlyClaire)
+* Fix upper border radius of onboarding columns (ClearlyClaire)
+* Fix incoming status creation date not being restricted to standard ISO8601 (ClearlyClaire, ClearlyClaire)
+* Fix some posts from threads received out-of-order sometimes not being inserted into timelines (ClearlyClaire)
+* Fix posts from force-sensitized accounts being able to trend (ClearlyClaire)
+* Fix error when trying to delete already-deleted file with OpenStack Swift (ClearlyClaire)
+* Fix batch attachment deletion when using OpenStack Swift (ClearlyClaire)
+* Fix processing LDSigned activities from actors with unknown public keys (ClearlyClaire)
+* Fix error and incorrect URLs in /api/v1/accounts/:id/featured_tags for remote accounts (ClearlyClaire)
+* Fix report processing notice not mentioning the report number when performing a custom action (ClearlyClaire)
+* Fix handling of inLanguage attribute in preview card processing (ClearlyClaire)
+* Fix own posts being removed from home timeline when unfollowing a used hashtag (kmycode)
+* Fix some link anchors being recognized as hashtags (ClearlyClaire, ClearlyClaire)
+* Fix format-dependent redirects being cached regardless of requested format (ClearlyClaire)
+
+[1.12.3]
+* Update Mastodon to 4.2.3
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.3)
+* Fix dependency on json-canonicalization version that has been made unavailable since last release
+
+[1.12.4]
+* Update Mastodon to 4.2.4
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.4)
+* Add rate-limit of TOTP authentication attempts at controller level (ClearlyClaire)
+* Fix error when processing remote files with unusually long names (ClearlyClaire)
+* Fix processing of compacted single-item JSON-LD collections (ClearlyClaire)
+* Retry 401 errors on replies fetching (ShadowJonathan)
+* Fix RecordNotUnique errors in LinkCrawlWorker (tribela)
+* Fix Mastodon not correctly processing HTTP Signatures with query strings (ClearlyClaire, ClearlyClaire)
+
+[1.12.5]
+* Update Mastodon to 4.2.5
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.5)
+* Fix insufficient origin validation (CVE-2024-23832, GHSA-3fjr-858r-92rw)
+
+[1.12.6]
+* Update Mastodon to 4.2.6
+* This release is an important security release fixing several security issue.
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.6)
+* Change external authentication behavior to never reattach a new identity to an existing user by default (GHSA-vm39-j3vx-pch3)
+* Update the nokogiri dependency (see GHSA-xc9x-jj77-9p9j)
+* Disable administrative Doorkeeper routes (ThisIsMissEm)
+* Fix ongoing streaming sessions not being invalidated when applications get deleted in some cases (GHSA-7w3c-p9j8-mq3x)
+* Update the sidekiq-unique-jobs dependency (see GHSA-cmh9-rx85-xj38)
+
+[1.13.0]
+* Update Mastodon to 4.2.7
+* This release is an important security release fixing several security issue.
+* With this package release, the app moves from LDAP authentication to OpenID Connect
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.7)
+* Fix OmniAuth tests and edge cases in error handling (ClearlyClaire, ClearlyClaire)
+* Fix new installs by upgrading to the latest release of the nsa gem, instead of a no longer existing commit (mjankowski)
+* Fix insufficient checking of remote posts (GHSA-jhrq-qvrm-qr36)
+
+[1.13.1]
+* Update Mastodon to 4.2.8
+* This update changes registrations to be closed by default.
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.8)
+* Add hourly task to automatically require approval for new registrations in the absence of moderators (ClearlyClaire, ClearlyClaire)
+* In order to prevent future abandoned Mastodon servers from being used for spam, harassment and other malicious activity, Mastodon will now automatically switch new user registrations to require moderator approval whenever they are left open and no activity (including non-moderation actions from apps) from any logged-in user with permission to access moderation reports has been detected in a full week.
+* When this happens, users with the permission to change server settings will receive an email notification.
+* This feature is disabled when EMAIL_DOMAIN_ALLOWLIST is used, and can also be disabled with DISABLE_AUTOMATIC_SWITCHING_TO_APPROVED_REGISTRATIONS=true.
+* Change registrations to be closed by default on new installations (ClearlyClaire)
+* If you are running a server and never changed your registrations mode from the default, updating will automatically close your registrations.
+* Simply re-enable them through the administration interface or using tootctl settings registrations open if you want to enable them again.
+* Fix processing of remote ActivityPub actors making use of Link objects as Image url (ClearlyClaire)
+* Fix link verifications when page size exceeds 1MB (ClearlyClaire)
+
+[1.13.2]
+* Update Mastodon to 4.2.9
+* [Full changelog](https://github.com/mastodon/mastodon/releases/tag/v4.2.9)
+* Update dependencies
+* Fix private mention filtering (GHSA-5fq7-3p3j-9vrf)
+* Fix password change endpoint not being rate-limited (GHSA-q3rg-xx5v-4mxh)
+* Add hardening around rate-limit bypass (GHSA-c2r5-cfqr-c553)
+

CloudronManifest.json

@@ -1,20 +1,28 @@
 {
   "id": "org.joinmastodon.cloudronapp",
   "title": "Mastodon",
-  "author": "Matodon Authors",
+  "author": "Mastodon Authors",
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG",
   "tagline": "Federated social network",
-  "version": "1.1.0",
+  "version": "1.13.2",
+  "upstreamVersion": "4.2.9",
   "healthCheckPath": "/about",
   "httpPort": 8000,
-  "memoryLimit": 1073741824,
+  "memoryLimit": 1610612736,
+  "configurePath": "/admin/dashboard",
   "addons": {
     "localstorage": {},
     "postgresql": {},
     "redis": {},
     "sendmail": {},
-    "ldap": {}
+    "oidc": { "loginRedirectUri": "/auth/auth/openid_connect/callback" },
+    "scheduler": {
+      "cleanup": {
+        "schedule": "11 01 * * *",
+        "command": "/app/pkg/cleanup.sh"
+      }
+    }
   },
   "minBoxVersion": "4.1.4",
   "manifestVersion": 2,
@@ -22,16 +30,14 @@
   "contactEmail": "support@cloudron.io",
   "icon": "logo.png",
   "tags": [
-    "social",
-    "forum",
-    "chat",
-    "twitter"
-  ],
+    "social", "forum", "chat", "twitter", "federated"  ],
   "mediaLinks": [
-    "https://cloudron-app-screenshots.s3.amazonaws.com/org.joinmastodon.cloudronapp/5093bc19e9f74b38c1012c7fe0bc88153f5d054a/1.jpg",
-    "https://cloudron-app-screenshots.s3.amazonaws.com/org.joinmastodon.cloudronapp/5093bc19e9f74b38c1012c7fe0bc88153f5d054a/2.png"
+    "https://screenshots.cloudron.io/org.joinmastodon.cloudronapp/1.jpg",
+    "https://screenshots.cloudron.io/org.joinmastodon.cloudronapp/2.png"
   ],
-  "documentationUrl": "https://cloudron.io/documentation/apps/mastodon/",
+  "documentationUrl": "https://docs.cloudron.io/apps/mastodon/",
   "postInstallMessage": "file://POSTINSTALL.md",
-  "optionalSso": true
+  "optionalSso": true,
+  "minBoxVersion": "7.1.2",
+  "forumUrl": "https://forum.cloudron.io/category/41/mastodon"
 }

DESCRIPTION.md

@@ -1,6 +1,4 @@
-This app packages Mastodon <upstream>3.1.2</upstream>.
-
-Your self-hosted, globally interconnected microblogging community.
+## About
 
 Mastodon is a free, open-source social network server based on ActivityPub where users can follow friends and discover new ones. On Mastodon, users can publish anything they want: links, pictures, text, video. All Mastodon servers are interoperable as a federated network (users on one server can seamlessly communicate with users from another one, including non-Mastodon software that implements ActivityPub)!
 

Dockerfile

@@ -1,28 +1,47 @@
-FROM cloudron/base:1.0.0@sha256:147a648a068a2e746644746bbfb42eb7a50d682437cead3c67c933c546357617
+FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768ba473078319a47f4
 
 RUN mkdir -p /app/code /app/pkg
 WORKDIR /app/code
 
-ARG VERSION=3.1.2
+ARG NODE_VERSION=16.18.1
+RUN mkdir -p /usr/local/node-${NODE_VERSION} && \
+    curl -L https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.gz | tar zxf - --strip-components 1 -C /usr/local/node-${NODE_VERSION}
+ENV PATH /usr/local/node-${NODE_VERSION}/bin:$PATH
 
-RUN apt-key adv --fetch-keys http://dl.yarnpkg.com/debian/pubkey.gpg && \
-    echo "deb http://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list && \
-    apt-get update && \
-    apt-get install -y yarn libprotobuf-dev protobuf-compiler libidn11-dev libicu-dev zlib1g-dev libncurses5-dev libffi-dev libgdbm5 libgdbm-dev libicu-dev libssl-dev libyaml-dev libreadline6-dev libxml2-dev libxslt1-dev && \
+RUN apt-get update && \
+    apt install -y imagemagick ffmpeg libpq-dev libxml2-dev libxslt1-dev file git-core \
+        g++ libprotobuf-dev protobuf-compiler pkg-config nodejs gcc autoconf \
+        bison build-essential libssl-dev libyaml-dev libreadline6-dev \
+        zlib1g-dev libncurses5-dev libffi-dev libgdbm-dev \
+        nginx redis-server redis-tools postgresql postgresql-contrib \
+        libidn11-dev libicu-dev libjemalloc-dev && \
     rm -rf /var/cache/apt /var/lib/apt/lists
 
-RUN mkdir -p /usr/local/node-10.15.3 && \
-    curl -L https://nodejs.org/dist/v10.15.3/node-v10.15.3-linux-x64.tar.gz | tar zxf - --strip-components 1 -C /usr/local/node-10.15.3
+# install rbenv since we need ruby 3.2.3
+RUN mkdir -p /usr/local/rbenv && curl -LSs "https://github.com/rbenv/rbenv/archive/refs/tags/v1.2.0.tar.gz" | tar -xz -C /usr/local/rbenv --strip-components 1 -f -
+ENV PATH /usr/local/rbenv/bin:$PATH
+ENV RBENV_ROOT /home/cloudron/rbenv
+RUN mkdir -p "$(rbenv root)"/plugins/ruby-build && curl -LSs "https://github.com/rbenv/ruby-build/archive/refs/tags/v20240530.1.tar.gz" | tar -xz -C "$(rbenv root)"/plugins/ruby-build --strip-components 1 -f -
 
-ENV PATH /usr/local/node-10.15.3/bin:$PATH
+# install specific ruby version (https://github.com/mastodon/mastodon/blob/main/Dockerfile)
+ARG RUBY_VERSION=3.2.3
+RUN rbenv install ${RUBY_VERSION}
+ENV PATH ${RBENV_ROOT}/versions/${RUBY_VERSION}/bin:$PATH
 
 RUN gem install --no-document bundler
 
 ENV RAILS_ENV production
 ENV NODE_ENV production
+
+ARG VERSION=4.2.9
+
 RUN curl -L https://github.com/tootsuite/mastodon/archive/v${VERSION}.tar.gz | tar -xz --strip-components 1 -f - && \
-    bundle config set deployment 'true' && \
-    bundle install --without test development && \
+    bundle config --local set deployment 'true' && \
+    bundle config --local set without 'development test' && \
+    bundle config --local set silence_root_warning true && \
+    bundle install && \
+    bundle clean --force && \
+    rm -rf ~/.bundle /usr/local/bundle/cache && \
     yarn install --pure-lockfile
 
 # secret keys are not built into assets, so precompiling is safe to do here
@@ -30,25 +49,27 @@ RUN curl -L https://github.com/tootsuite/mastodon/archive/v${VERSION}.tar.gz | t
 RUN SECRET_KEY_BASE=insecure.secret_key_base OTP_SECRET=insecure.otp_secret \
     bundle exec rake assets:precompile
 
+# https://github.com/rubygems/bundler/issues/5245 means that bundle exec writes to Gemfile.lock
+RUN ln -fs /run/mastodon/bullet.log /app/code/log/bullet.log && \
+    rm -rf /app/code/tmp && ln -fs /tmp/mastodon /app/code/tmp && \
+    mv /app/code/Gemfile.lock /app/code/Gemfile.lock.original && ln -s /run/mastodon/Gemfile.lock /app/code/Gemfile.lock
+
 # add nginx config
-USER root
-RUN rm /etc/nginx/sites-enabled/*
-RUN ln -sf /dev/stdout /var/log/nginx/access.log
-RUN ln -sf /dev/stderr /var/log/nginx/error.log
-ADD nginx_readonlyrootfs.conf /etc/nginx/conf.d/readonlyrootfs.conf
+RUN rm /etc/nginx/sites-enabled/* && \
+    ln -sf /dev/stdout /var/log/nginx/access.log && \
+    ln -sf /dev/stderr /var/log/nginx/error.log
+COPY nginx_readonlyrootfs.conf /etc/nginx/conf.d/readonlyrootfs.conf
 COPY nginx/mastodon.conf /etc/nginx/sites-available/mastodon
 RUN ln -s /etc/nginx/sites-available/mastodon /etc/nginx/sites-enabled/mastodon
 
 # add supervisor configs
-ADD supervisor/* /etc/supervisor/conf.d/
+COPY supervisor/* /etc/supervisor/conf.d/
 RUN ln -sf /run/mastodon/supervisord.log /var/log/supervisor/supervisord.log
 
 RUN ln -fs /app/data/env.production /app/code/.env.production
-RUN ln -fs /run/mastodon/bullet.log /app/code/log/bullet.log
 RUN ln -fs /app/data/system /app/code/public/system
-RUN rm -rf /app/code/tmp && ln -fs /tmp/mastodon /app/code/tmp
 
-COPY start.sh env.template /app/pkg/
+COPY start.sh cleanup.sh config.sh env.template cache-env.sh.template /app/pkg/
 
 CMD [ "/app/pkg/start.sh" ]
 

POSTINSTALL.md

@@ -1,9 +1,17 @@
+Accounts are created with the username and the subdomain under which this app is installed  e.g. `@$CLOUDRON-USERNAME@$CLOUDRON-APP-FQDN`.
+Mastodon does not allow changing the domain part of the account later.
+See [the docs](https://docs.cloudron.io/apps/mastodon/#federation) for more information, f you want to change this domain.
+
 <sso>
-This app integrates with Cloudron user management. Cloudron users can login and access
-Mastodon.
+**NOTE:**
+* Mastodon has [restrictions](https://docs.cloudron.io/apps/mastodon/#username-restriction) on usernames that might prevent some users from logging in.
+
+* External registration [does not work well](https://github.com/mastodon/mastodon/issues/20655) when Cloudron user management is enabled.
 </sso>
 
-**Important:** Accounts are created under with the username and the location under which
-this app was installed. e.g. `@username@mastodon.domain.com`. This cannot be changed later
-as it breaks federation.
+<nosso>
+**NOTE:**
+* Open registration is disabled by default. To enable this, see the [docs](https://docs.cloudron.io/apps/mastodon/#registration)
 
+* To add an initial account follow those [instructions](https://docs.cloudron.io/apps/mastodon/#adding-users)
+</nosso>

cache-env.sh.template

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# number of days to keep cache
+export CACHE_RETENTION_DAYS=2

cleanup.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+set -eu
+
+echo "=> Cleanup"
+cd /app/code
+
+if [[ ! -f /app/data/cache-env.sh ]]; then
+    echo "==> Creating initial cache-env.sh"
+    cp /app/pkg/cache-env.sh.template /app/data/cache-env.sh
+fi
+
+source /app/data/cache-env.sh
+
+echo "=> Retention days set to ${CACHE_RETENTION_DAYS}"
+
+echo "==> media cache ..."
+./bin/tootctl media remove --days=${CACHE_RETENTION_DAYS}
+
+echo "==> orphaned media ..."
+./bin/tootctl media remove-orphans
+
+echo "==> preview cards ..."
+./bin/tootctl preview-cards remove --days=${CACHE_RETENTION_DAYS}
+
+echo "==> prune profiles ..."
+./bin/tootctl media remove --prune-profiles --days=${CACHE_RETENTION_DAYS}
+
+echo "==> remove headers ..."
+./bin/tootctl media remove --remove-headers --days=${CACHE_RETENTION_DAYS}
+
+echo "==> clear cache ..."
+/app/code/bin/tootctl cache clear
+
+echo "==> remove unreferenced statuses ..."
+/app/code/bin/tootctl statuses remove --days=${CACHE_RETENTION_DAYS}
+
+echo "==> prune accounts ..."
+/app/code/bin/tootctl accounts prune

config.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Setup scaling related environment variables here - https://docs.joinmastodon.org/admin/scaling/
+
+# Puma
+export WEB_CONCURRENCY=2    # number of worker processes
+export MAX_THREADS=5        # the number of threads per process
+
+# Streaming API
+export STREAMING_CLUSTER_NUM=1  # number of worker processes
+
+# Sidekiq
+export SIDEKIQ_THREADS=2
+export DB_POOL=25               # must be at least the same as the number of threads
+

env.template

@@ -1,14 +1,13 @@
 # https://github.com/tootsuite/mastodon/blob/master/.env.production.sample
 
-SINGLE_USER_MODE=false
-
-# Note: Changing LOCAL_DOMAIN at a later time will cause unwanted side effects, including breaking all existing federation.
-# LOCAL_DOMAIN should *NOT* contain the protocol part of the domain e.g https://example.com.
-# Cloudron: this is fixed at installation time. it is not changed when you change this app's location
-LOCAL_DOMAIN=
+# Federation
+# ----------
+# This identifies your server and cannot be changed safely later
+# ----------
+LOCAL_DOMAIN=example.com
 
 # Use this only if you need to run mastodon on a different domain than the one used for federation.
-# Cloudron: this will change automatically when you change the app's location
+# Cloudron: this will change automatically when you change the app's location in Cloudron dashboard
 WEB_DOMAIN=
 
 # Database configuration
@@ -33,20 +32,22 @@ SMTP_AUTH_METHOD=plain
 SMTP_OPENSSL_VERIFY_MODE=none
 
 # SSO configuration
-LDAP_ENABLED=
-LDAP_HOST=
-LDAP_PORT=
-LDAP_BASE=
-LDAP_BIND_DN=
-LDAP_PASSWORD=
-LDAP_UID=username
-LDAP_SEARCH_FILTER=(|(%{uid}=%{email})(mail=%{email}))
-LDAP_METHOD=plain
+OIDC_ENABLED=
+OIDC_DISPLAY_NAME=
+OIDC_ISSUER=
+OIDC_CLIENT_ID=
+OIDC_CLIENT_SECRET=
+OIDC_REDIRECT_URI=
+OIDC_DISCOVERY=
+OIDC_SCOPE=
+OIDC_UID_FIELD=
 
 # Application secrets
 SECRET_KEY_BASE=
 OTP_SECRET=
 
+UPDATE_CHECK_URL=
+
 # Optionally change default language
 # DEFAULT_LOCALE=de
 

logo.svg

@@ -1,68 +1,142 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   width="66mm"
-   height="66mm"
-   viewBox="0 0 233.85826 233.85827"
+   width="130"
+   height="130"
+   viewBox="0 0 121 130"
+   fill="none"
    version="1.1"
-   id="svg6"
+   id="svg44"
    sodipodi:docname="logo.svg"
-   inkscape:version="0.92.4 5da689c313, 2019-01-14"
-   inkscape:export-filename="/home/nebulon/projects/yellowtent/apps/mastodon-app/logo.png"
-   inkscape:export-xdpi="197.03999"
-   inkscape:export-ydpi="197.03999">
-  <metadata
-     id="metadata12">
-    <rdf:RDF>
-      <cc:Work
-         rdf:about="">
-        <dc:format>image/svg+xml</dc:format>
-        <dc:type
-           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
-        <dc:title></dc:title>
-      </cc:Work>
-    </rdf:RDF>
-  </metadata>
-  <defs
-     id="defs10" />
+   inkscape:export-filename="logo.png"
+   inkscape:export-xdpi="378.09232"
+   inkscape:export-ydpi="378.09232"
+   inkscape:version="1.2.1 (9c6d41e410, 2022-07-14, custom)"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
   <sodipodi:namedview
+     id="namedview46"
      pagecolor="#ffffff"
      bordercolor="#666666"
-     borderopacity="1"
-     objecttolerance="10"
-     gridtolerance="10"
-     guidetolerance="10"
-     inkscape:pageopacity="0"
-     inkscape:pageshadow="2"
-     inkscape:window-width="2880"
-     inkscape:window-height="1564"
-     id="namedview8"
+     borderopacity="1.0"
+     inkscape:showpageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     inkscape:deskcolor="#d1d1d1"
      showgrid="false"
-     inkscape:zoom="0.95362368"
-     inkscape:cx="115.42102"
-     inkscape:cy="121.64127"
+     inkscape:zoom="3.95"
+     inkscape:cx="35.822785"
+     inkscape:cy="73.417721"
+     inkscape:window-width="1920"
+     inkscape:window-height="1048"
      inkscape:window-x="0"
-     inkscape:window-y="56"
+     inkscape:window-y="0"
      inkscape:window-maximized="1"
-     inkscape:current-layer="svg6" />
+     inkscape:current-layer="svg44" />
+  <rect
+     width="130"
+     height="130"
+     fill="url(#paint0_linear_2_2)"
+     x="-4.5"
+     id="rect2" />
   <g
-     id="g4524"
-     transform="translate(8.721935,-0.92425997)">
+     filter="url(#filter0_di_2_2)"
+     id="g6">
     <path
-       style="fill:#2b90d9"
-       inkscape:connector-curvature="0"
-       id="path2"
-       d="m 211.80734,140.93601 c -3.18125,16.36625 -28.4925,34.2775 -57.5625,37.74875 -15.15875,1.80875 -30.08375,3.47125 -45.99875,2.74125 -26.0275,-1.1925 -46.565,-6.2125 -46.565,-6.2125 0,2.53375 0.15625,4.94625 0.46875,7.2025 3.38375,25.68625 25.47,27.225 46.39125,27.9425 21.11625,0.7225 39.91875,-5.20625 39.91875,-5.20625 l 0.8675,19.09 c 0,0 -14.77,7.93125 -41.08125,9.39 -14.50875,0.7975 -32.52375,-0.365 -53.50625,-5.91875 -45.5075,-12.045 -53.33375,-60.55375 -54.53125,-109.77375 -0.365,-14.61375 -0.14,-28.393751 -0.14,-39.918751 0,-50.33 32.97625,-65.0825 32.97625,-65.0825 16.6275,-7.6362498 45.15875,-10.8474998 74.82,-11.0899998 h 0.72875 c 29.66125,0.2425 58.21125,3.45375 74.8375,11.0899998 0,0 32.975,14.7525 32.975,65.0825 0,0 0.41375,37.133751 -4.59875,62.915001" />
-    <path
-       style="fill:#ffffff"
-       inkscape:connector-curvature="0"
-       id="path4"
-       d="M 177.50984,81.925509 V 142.86676 H 153.36609 V 83.716759 c 0,-12.46875 -5.24625,-18.7975 -15.74,-18.7975 -11.6025,0 -17.4175,7.5075 -17.4175,22.3525 V 119.64801 H 96.20734 V 87.271759 c 0,-14.845 -5.81625,-22.3525 -17.41875,-22.3525 -10.49375,0 -15.74,6.32875 -15.74,18.7975 V 142.86676 H 38.90484 V 81.925509 c 0,-12.455 3.17125,-22.3525 9.54125,-29.675 6.56875,-7.3225 15.17125,-11.07625 25.85,-11.07625 12.355,0 21.71125,4.74875 27.8975,14.2475 l 6.01375,10.08125 6.015,-10.08125 c 6.185,-9.49875 15.54125,-14.2475 27.8975,-14.2475 10.6775,0 19.28,3.75375 25.85,11.07625 6.36875,7.3225 9.54,17.22 9.54,29.675" />
+       d="M95.7135 43.6043C94.6199 35.5459 87.5351 29.1953 79.1366 27.9647C77.7196 27.7568 72.351 27 59.9148 27H59.822C47.3824 27 44.7135 27.7568 43.2966 27.9647C35.1319 29.1612 27.6757 34.8675 25.8667 43.0214C24.9966 47.0369 24.9037 51.4888 25.0654 55.5726C25.2958 61.4289 25.3405 67.275 25.877 73.1075C26.2479 76.9817 26.895 80.8251 27.8133 84.6088C29.5329 91.5968 36.4938 97.4122 43.3138 99.7848C50.6155 102.259 58.468 102.67 65.9919 100.971C66.8196 100.78 67.6381 100.559 68.4475 100.306C70.2737 99.7302 72.4164 99.086 73.9915 97.9542C74.0131 97.9384 74.0308 97.9178 74.0433 97.8942C74.0558 97.8706 74.0628 97.8445 74.0637 97.8179V92.1661C74.0634 92.1412 74.0574 92.1167 74.0462 92.0944C74.035 92.0721 74.0189 92.0525 73.9992 92.0371C73.9794 92.0218 73.9564 92.011 73.9318 92.0056C73.9073 92.0002 73.8819 92.0003 73.8574 92.0059C69.0369 93.1472 64.0971 93.7193 59.141 93.7103C50.6118 93.7103 48.3178 89.6981 47.6609 88.0278C47.1329 86.5842 46.7976 85.0784 46.6636 83.5486C46.6622 83.5229 46.667 83.4973 46.6775 83.4738C46.688 83.4502 46.7039 83.4295 46.724 83.4132C46.7441 83.397 46.7678 83.3856 46.7931 83.3801C46.8185 83.3746 46.8448 83.3751 46.8699 83.3816C51.6101 84.5151 56.4693 85.0873 61.3455 85.086C62.5183 85.086 63.6876 85.086 64.8604 85.0553C69.7647 84.919 74.9339 84.6701 79.7591 83.7361C79.8794 83.7123 79.9998 83.6918 80.103 83.6611C87.7139 82.2124 94.9569 77.665 95.6929 66.1501C95.7204 65.6967 95.7892 61.4016 95.7892 60.9312C95.7926 59.3325 96.3085 49.5901 95.7135 43.6043ZM83.9996 72.3371H75.9966V52.9069C75.9966 48.8163 74.277 46.7302 70.7793 46.7302C66.9343 46.7302 65.0083 49.1981 65.0083 54.0727V64.7082H57.0534V54.0727C57.0534 49.1981 55.124 46.7302 51.279 46.7302C47.8019 46.7302 46.0651 48.8163 46.0617 52.9069V72.3371H38.0656V52.3172C38.0656 48.2266 39.1191 44.9769 41.2262 42.568C43.3998 40.1648 46.2509 38.9308 49.7898 38.9308C53.8859 38.9308 56.9812 40.492 59.0447 43.6111L61.036 46.9245L63.0308 43.6111C65.0943 40.492 68.1896 38.9308 72.2788 38.9308C75.8143 38.9308 78.6654 40.1648 80.8459 42.568C82.9529 44.9746 84.0065 48.2243 84.0065 52.3172L83.9996 72.3371Z"
+       fill="#FBFBFB"
+       fill-opacity="0.97"
+       id="path4" />
   </g>
+  <defs
+     id="defs42">
+    <filter
+       id="filter0_di_2_2"
+       x="21"
+       y="27"
+       width="79"
+       height="83"
+       filterUnits="userSpaceOnUse"
+       color-interpolation-filters="sRGB">
+      <feFlood
+         flood-opacity="0"
+         result="BackgroundImageFix"
+         id="feFlood8" />
+      <feColorMatrix
+         in="SourceAlpha"
+         type="matrix"
+         values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"
+         result="hardAlpha"
+         id="feColorMatrix10" />
+      <feOffset
+         dy="4"
+         id="feOffset12" />
+      <feGaussianBlur
+         stdDeviation="2"
+         id="feGaussianBlur14" />
+      <feComposite
+         in2="hardAlpha"
+         operator="out"
+         id="feComposite16" />
+      <feColorMatrix
+         type="matrix"
+         values="0 0 0 0 0.261224 0 0 0 0 0.16597 0 0 0 0 0.662652 0 0 0 0.4 0"
+         id="feColorMatrix18" />
+      <feBlend
+         mode="normal"
+         in2="BackgroundImageFix"
+         result="effect1_dropShadow_2_2"
+         id="feBlend20" />
+      <feBlend
+         mode="normal"
+         in="SourceGraphic"
+         in2="effect1_dropShadow_2_2"
+         result="shape"
+         id="feBlend22" />
+      <feColorMatrix
+         in="SourceAlpha"
+         type="matrix"
+         values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0"
+         result="hardAlpha"
+         id="feColorMatrix24" />
+      <feOffset
+         dy="4"
+         id="feOffset26" />
+      <feGaussianBlur
+         stdDeviation="2"
+         id="feGaussianBlur28" />
+      <feComposite
+         in2="hardAlpha"
+         operator="arithmetic"
+         k2="-1"
+         k3="1"
+         id="feComposite30" />
+      <feColorMatrix
+         type="matrix"
+         values="0 0 0 0 0.337255 0 0 0 0 0.227451 0 0 0 0 0.8 0 0 0 0.05 0"
+         id="feColorMatrix32" />
+      <feBlend
+         mode="normal"
+         in2="shape"
+         result="effect2_innerShadow_2_2"
+         id="feBlend34" />
+    </filter>
+    <linearGradient
+       id="paint0_linear_2_2"
+       x1="61"
+       y1="130"
+       x2="61"
+       y2="-91.5"
+       gradientUnits="userSpaceOnUse">
+      <stop
+         offset="0.0755157"
+         stop-color="#563ACC"
+         id="stop37" />
+      <stop
+         offset="0.520094"
+         stop-color="#6364FF"
+         id="stop39" />
+    </linearGradient>
+  </defs>
 </svg>

nginx/mastodon.conf

@@ -1,8 +1,18 @@
+# derived from https://github.com/mastodon/mastodon/blob/main/dist/nginx.conf
+
 map $http_upgrade $connection_upgrade {
   default upgrade;
   ''      close;
 }
 
+upstream backend {
+    server 127.0.0.1:3000 fail_timeout=0;
+}
+
+upstream streaming {
+    server 127.0.0.1:4000 fail_timeout=0;
+}
+
 proxy_cache_path /run/nginx/cache levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;
 
 server {
@@ -11,7 +21,7 @@ server {
 
   keepalive_timeout    70;
   sendfile             on;
-  client_max_body_size 80m;
+  client_max_body_size 99m;
 
   root /app/code/public;
 
@@ -22,40 +32,96 @@ server {
   gzip_comp_level 6;
   gzip_buffers 16 8k;
   gzip_http_version 1.1;
-  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
-
-  add_header Strict-Transport-Security "max-age=31536000";
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;
 
   location / {
     try_files $uri @proxy;
   }
 
-  location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-    add_header Cache-Control "public, max-age=31536000, immutable";
-    add_header Strict-Transport-Security "max-age=31536000";
-    try_files $uri @proxy;
+  location = /sw.js {
+    add_header Cache-Control "public, max-age=604800, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
   }
 
-  location /sw.js {
-    add_header Cache-Control "public, max-age=0";
-    add_header Strict-Transport-Security "max-age=31536000";
-    try_files $uri @proxy;
+  location ~ ^/assets/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/avatars/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/emoji/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/headers/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/packs/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/shortcuts/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/sounds/ {
+    add_header Cache-Control "public, max-age=2419200, must-revalidate";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    try_files $uri =404;
+  }
+
+  location ~ ^/system/ {
+    add_header Cache-Control "public, max-age=2419200, immutable";
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+    add_header X-Content-Type-Options nosniff;
+    add_header Content-Security-Policy "default-src 'none'; form-action 'none'";
+    try_files $uri =404;
+  }
+
+  location ^~ /api/v1/streaming {
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $http_x_real_ip;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto https;
+    proxy_set_header Proxy "";
+
+    proxy_pass http://streaming;
+    proxy_buffering off;
+    proxy_redirect off;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection $connection_upgrade;
+
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+    tcp_nodelay on;
   }
 
   location @proxy {
-    # forwarding cloudron's nginx proxy-proto headers
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $http_x_real_ip;
     proxy_set_header X-Forwarded-For $http_x_forwarded_for,$remote_addr;
     proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-    proxy_set_header X-Forwarded-Host $http_x_forwarded_host;
-    proxy_set_header X-Forwarded-Port $http_x_forwarded_port;
-    proxy_set_header X-Forwarded-Server $http_x_forwarded_server;
-
     proxy_set_header Proxy "";
     proxy_pass_header Server;
 
-    proxy_pass http://127.0.0.1:3000;
+    proxy_pass http://backend;
     proxy_buffering on;
     proxy_redirect off;
     proxy_http_version 1.1;
@@ -64,29 +130,12 @@ server {
 
     proxy_cache CACHE;
     proxy_cache_valid 200 7d;
+    proxy_cache_valid 410 24h;
     proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
     add_header X-Cached $upstream_cache_status;
-    add_header Strict-Transport-Security "max-age=31536000";
 
     tcp_nodelay on;
   }
 
-  location /api/v1/streaming {
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_set_header Proxy "";
-
-    proxy_pass http://127.0.0.1:4000;
-    proxy_buffering off;
-    proxy_redirect off;
-    proxy_http_version 1.1;
-    proxy_set_header Upgrade $http_upgrade;
-    proxy_set_header Connection $connection_upgrade;
-
-    tcp_nodelay on;
-  }
-
-  error_page 500 501 502 503 504 /500.html;
+  error_page 404 500 501 502 503 504 /500.html;
 }

start.sh

@@ -30,18 +30,23 @@ sed -e "s/DB_HOST=.*/DB_HOST=${CLOUDRON_POSTGRESQL_HOST}/g" \
     -e "s/WEB_DOMAIN=.*/WEB_DOMAIN=${CLOUDRON_APP_DOMAIN}/g" \
     -i /app/data/env.production
 
-if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
-    sed -e "s/LDAP_ENABLED=.*/LDAP_ENABLED=true/g" \
-        -e "s/LDAP_HOST=.*/LDAP_HOST=${CLOUDRON_LDAP_SERVER}/g" \
-        -e "s/LDAP_PORT=.*/LDAP_PORT=${CLOUDRON_LDAP_PORT}/g" \
-        -e "s/LDAP_BASE=.*/LDAP_BASE=${CLOUDRON_LDAP_USERS_BASE_DN}/g" \
-        -e "s/LDAP_BIND_DN=.*/LDAP_BIND_DN=${CLOUDRON_LDAP_BIND_DN}/g" \
-        -e "s/LDAP_BIND_PASSWORD=.*/LDAP_BIND_PASSWORD=${CLOUDRON_LDAP_BIND_PASSWORD}/g" \
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    echo "==> Setting up OIDC"
+    sed -e "s/OIDC_ENABLED=.*/OIDC_ENABLED=true/g" \
+        -e "s/OIDC_DISPLAY_NAME=.*/OIDC_DISPLAY_NAME=Cloudron/g" \
+        -e "s/OIDC_ISSUER=.*/OIDC_ISSUER=${CLOUDRON_OIDC_ISSUER//\//\\\/}/g" \
+        -e "s/OIDC_CLIENT_ID=.*/OIDC_CLIENT_ID=${CLOUDRON_OIDC_CLIENT_ID}/g" \
+        -e "s/OIDC_CLIENT_SECRET=.*/OIDC_CLIENT_SECRET=${CLOUDRON_OIDC_CLIENT_SECRET}/g" \
+        -e "s/OIDC_REDIRECT_URI=.*/OIDC_REDIRECT_URI=${CLOUDRON_APP_ORIGIN//\//\\\/}\/auth\/auth\/openid_connect\/callback/g" \
+        -e "s/OIDC_DISCOVERY=.*/OIDC_DISCOVERY=true/g" \
+        -e "s/OIDC_SCOPE=.*/OIDC_SCOPE=openid,profile,email/g" \
+        -e "s/OIDC_UID_FIELD=.*/OIDC_UID_FIELD=sub/g" \
+        -e "s/OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=.*/OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true/g" \
         -i /app/data/env.production
-else
-    sed -e "s/LDAP_ENABLED=.*/LDAP_ENABLED=false/g" -i /app/data/env.production
 fi
 
+rm -f /run/mastodon/Gemfile.lock && cp /app/code/Gemfile.lock.original /run/mastodon/Gemfile.lock
+
 if grep -q "^SECRET_KEY_BASE=$" /app/data/env.production; then
     echo "==> Generating secrets"
     export RANDFILE=/tmp/.rnd
@@ -55,14 +60,29 @@ if grep -q "^SECRET_KEY_BASE=$" /app/data/env.production; then
     echo "==> Init database"
     HOME=/app/data SAFETY_ASSURED=1 bundle exec rails db:schema:load db:seed
 
-    if [[ -n "${CLOUDRON_LDAP_SERVER:-}" ]]; then
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
         echo "Disabling registration by default"
         PGPASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} psql -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} \
             -c "INSERT INTO settings (var, value) VALUES ('registrations_mode', 'none')"
     fi
+else
+    echo "==> Migrating database"
+    HOME=/app/data SAFETY_ASSURED=1 bundle exec rails db:migrate
 fi
 
-chown -R cloudron:cloudron /app/data /tmp/mastodon /run/mastodon
+if ! grep -q UPDATE_CHECK_URL /app/data/env.production; then
+    echo -e "\nUPDATE_CHECK_URL=" >> /app/data/env.production
+fi
+
+chown -R cloudron:cloudron /tmp/mastodon /run/mastodon
+
+if [[ "$(stat -c '%U' /app/data)" != "cloudron" ]]; then
+    chown -R cloudron:cloudron /app/data/* || true # if there are no files
+    chown cloudron:cloudron /app/data
+fi
+
+[[ ! -f /app/data/config.sh ]] && cp /app/pkg/config.sh /app/data/config.sh
+source /app/data/config.sh
 
 echo "==> Starting mastodon"
 exec /usr/bin/supervisord --configuration /etc/supervisor/supervisord.conf --nodaemon -i Mastodon

supervisor/sidekiq.conf

@@ -1,8 +1,8 @@
 [program:sidekiq]
 priority=10
 directory=/app/code
-environment=HOME=/app/code,DB_POOL=25,RAILS_ENV=production,MALLOC_ARENA_MAX=2
-command=bundle exec sidekiq -c 2 -e production
+environment=HOME=/app/code,RAILS_ENV=production,MALLOC_ARENA_MAX=2
+command=bundle exec sidekiq -c %(ENV_SIDEKIQ_THREADS)s -e production
 user=cloudron
 autostart=true
 autorestart=true

supervisor/streaming.conf

@@ -1,7 +1,7 @@
 [program:streaming]
 priority=10
 directory=/app/code
-environment=HOME=/app/code,NODE_ENV=production,PORT=4000,STREAMING_CLUSTER_NUM=1
+environment=HOME=/app/code,NODE_ENV=production,PORT=4000
 command=node /app/code/streaming
 user=cloudron
 autostart=true

test/package.json

@@ -9,16 +9,11 @@
   "author": "",
   "license": "ISC",
   "devDependencies": {
-    "ejs": "^3.0.1",
     "expect.js": "^0.3.1",
-    "mkdirp": "^0.5.1",
-    "mocha": "^7.0.0",
-    "rimraf": "^3.0.0",
-    "selenium-server-standalone-jar": "^3.141.59",
-    "selenium-webdriver": "^3.6.0",
-    "superagent": "^5.2.1"
+    "mocha": "^10.4.0",
+    "selenium-webdriver": "^4.21.0"
   },
   "dependencies": {
-    "chromedriver": "^79.0.0"
+    "chromedriver": "^125.0.2"
   }
 }

test/test.js

@@ -1,185 +1,140 @@
 #!/usr/bin/env node
 
-/* jslint node:true */
-/* global it:false */
-/* global xit:false */
-/* global describe:false */
-/* global before:false */
-/* global after:false */
+/* jshint esversion: 8 */
+/* global describe */
+/* global before */
+/* global after */
+/* global it */
+/* global xit */
 
 'use strict';
 
 require('chromedriver');
 
-var execSync = require('child_process').execSync,
+const execSync = require('child_process').execSync,
     expect = require('expect.js'),
-    fs = require('fs'),
     path = require('path'),
-    superagent = require('superagent'),
-    webdriver = require('selenium-webdriver');
+    { Builder, By, until } = require('selenium-webdriver'),
+    { Options } = require('selenium-webdriver/chrome');
 
-var by = require('selenium-webdriver').By,
-    until = require('selenium-webdriver').until,
-    Builder = require('selenium-webdriver').Builder;
-
-process.env.NODE_TLS_REJECT_UNAUTHORIZED = '0';
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
 
 describe('Application life cycle test', function () {
     this.timeout(0);
 
-    var server, browser = new Builder().forBrowser('chrome').build();
-    var uploadedImageUrl;
-    var username = process.env.USERNAME, password = process.env.PASSWORD;
+    const LOCATION = 'test';
+    const TEST_TIMEOUT = parseInt(process.env.TIMEOUT) || 10000;
+    const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
-    before(function (done) {
-        var seleniumJar= require('selenium-server-standalone-jar');
-        var SeleniumServer = require('selenium-webdriver/remote').SeleniumServer;
-        server = new SeleniumServer(seleniumJar.path, { port: 4444 });
-        server.start();
+    let browser, app;
+    var athenticated_by_oidc = false;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;
+    let manifest = require('../CloudronManifest.json');
 
-        done();
+    before(function () {
+        browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
     });
 
-    after(function (done) {
+    after(function () {
         browser.quit();
-        server.stop();
-        done();
     });
 
-    var LOCATION = 'test';
-    var TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 30000;
-    var app;
-    var email, token;
-
-    function waitForUrl(url) {
-        return browser.wait(function () {
-            return browser.getCurrentUrl().then(function (currentUrl) {
-                return currentUrl === url;
-            });
-        }, TIMEOUT);
+    function sleep(millis) {
+        return new Promise(resolve => setTimeout(resolve, millis));
     }
 
-    function checkRegistration(mode, done) {
-        browser.get('https://' + app.fqdn).then(function () {
-            return browser.sleep(2000);
-        }).then(function () {
-            if (mode === 'none') {
-                return browser.wait(until.elementLocated(by.xpath('//button[contains(text(), "is not accepting new members")]')), TIMEOUT);
-            } else if (mode === 'open') {
-                return browser.wait(until.elementLocated(by.xpath('//button[contains(text(), "Sign up")]')), TIMEOUT);
-            }
-        }).then(function () {
-            done();
-        });
+    async function waitForElement(elem) {
+        await browser.wait(until.elementLocated(elem), TEST_TIMEOUT);
+        await browser.wait(until.elementIsVisible(browser.findElement(elem)), TEST_TIMEOUT);
     }
 
-    function login(username, password, done) {
-        browser.get('https://' + app.fqdn + '/about').then(function () { // there is also separate login page at /users/sign_in
-            return browser.wait(until.elementLocated(by.xpath('//button[contains(text(), "Log in")]')), TIMEOUT);
-        }).then(function (done) {
-            return browser.findElement(by.id('login_user_email')).sendKeys(username);
-        }).then(function () {
-            return browser.findElement(by.id('login_user_password')).sendKeys(password);
-        }).then(function () {
-            return browser.findElement(by.xpath('//button[contains(text(), "Log in")]')).click();
-        }).then(function () {
-            return browser.sleep(3000); // can be wizard or timeline at this point
-        }).then(function () {
-            return done();
-        });
+    async function exists(selector) {
+        await browser.wait(until.elementLocated(selector), TEST_TIMEOUT);
     }
 
-    function skipTutorial(done) {
-        browser.findElement(by.xpath('//span[contains(text(), "Let\'s go")]')).click().then(function () {
-            return browser.sleep(2000);
-        }).then(function () {
-            return browser.findElement(by.xpath('//span[contains(text(), "Next")]')).click();
-        }).then(function () {
-            return browser.sleep(2000);
-        }).then(function () {
-            return browser.findElement(by.xpath('//span[contains(text(), "Finish tutorial!")]')).click();
-        }).then(function () {
-            return browser.sleep(3000);
-        }).then(function () {
-            return browser.findElement(by.xpath('//a/span[contains(text(), "the public timeline")]')).click();
-        }).then(function () {
-            return browser.sleep(3000);
-        }).then(function () {
-            done();
-        });
+    async function visible(selector) {
+        await exists(selector);
+        await browser.wait(until.elementIsVisible(browser.findElement(selector)), TEST_TIMEOUT);
     }
 
-    function checkTimeline(done) {
-        browser.get('https://' + app.fqdn + '/web/timelines/home').then(function () {
-            return browser.wait(until.elementLocated(by.xpath('//span[contains(text(), "Your home timeline is empty")]')), TIMEOUT);
-        }).then(function () {
-            done();
-        });
+    async function checkRegistration(mode) {
+        if (mode === 'none') {
+            await browser.get('https://' + app.fqdn);
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//div[@class="sign-in-banner"]/descendant::button/span[contains(text(), "Create account")] | //div[@class="sign-in-banner"]/descendant::a/span[contains(text(), "Create account")]')).click();
+            await visible(By.xpath('//span[contains(text()[2], "is currently not possible")]'));
+        } else if (mode === 'open') {
+            await browser.get('https://' + app.fqdn + '/auth/sign_up');
+            await visible(By.xpath('//button[contains(text(), "Sign up")]'));
+        }
     }
 
-    xit('build app', function () {
-        execSync('cloudron build', { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    async function login(username, password) {
+        await browser.get('https://' + app.fqdn + '/auth/sign_in'); // there is also separate login page at /users/sign_in
+        await visible(By.xpath('//button[contains(text(), "Log in")]'));
+        await browser.findElement(By.id('user_email')).sendKeys(username);
+        await browser.findElement(By.id('user_password')).sendKeys(password);
+        await browser.findElement(By.xpath('//button[contains(text(), "Log in")]')).click();
+        await browser.sleep(3000); // can be wizard or timeline at this point
+    }
 
-    it('install app', function () {
-        execSync('cloudron install --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/auth/sign_in`);
+        await browser.sleep(4000);
 
-    it('can get app information', function () {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
+        await browser.findElement(By.xpath('//a[contains(@class, "button") and text()="Cloudron"]')).click();
+        await browser.sleep(4000);
 
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username); 
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+            await browser.sleep(2000);
 
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.xpath('//a[contains(., "Edit profile")] | //strong[text()="Successfully authenticated from Cloudron account."]'));
+    }
+
+    async function logout() {
+        await browser.get('https://' + app.fqdn + '/settings/preferences/appearance'); // there is also separate login page at /users/sign_in
+        await browser.wait(until.elementLocated(By.id('logout')), TEST_TIMEOUT);
+        await browser.findElement(By.id('logout')).click();
+        await visible(By.id('user_email'));
+    }
+
+    async function dismissHelp() {
+        await browser.get('https://' + app.fqdn + '/home');
+        await visible(By.xpath('//button[@title = "Dismiss"]'));
+        await browser.findElement(By.xpath('//button[@title ="Dismiss"]')).click();
+    }
+
+    async function checkTimeline() {
+        await browser.get('https://' + app.fqdn + '/home');
+        await visible(By.xpath('//span[contains(text(), "Your home timeline is empty")]'));
+    }
+
+    function getAppInfo() {
+        const inspect = JSON.parse(execSync('cloudron inspect'));
+        app = inspect.apps.filter(function (a) { return a.location === LOCATION || a.location === LOCATION + '2'; })[0];
         expect(app).to.be.an('object');
-    });
-    it('registration is disabled', checkRegistration.bind(null, 'none'));
-    it('can LDAP login', login.bind(null, username, password));
-    it('can skip tutorial', skipTutorial);
-    it('can see timeline', checkTimeline);
+    }
 
-    it('backup app', function () {
-        execSync('cloudron backup create --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
-    it('can see timeline', checkTimeline);
-
-    it('restore app', function () {
-        execSync('cloudron restore --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
-    it('can see timeline', checkTimeline);
-
-    it('can restart app', function (done) {
-        execSync('cloudron restart --app ' + app.id);
-        done();
-    });
-    it('can see timeline', checkTimeline);
-
-    it('move to different location', function () {
-        execSync('cloudron configure --location ' + LOCATION + '2 --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION + '2'; })[0];
-        expect(app).to.be.an('object');
-    });
-    it('can LDAP login', login.bind(null, username, password));
-    it('can see timeline', checkTimeline);
-
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
 
     // No SSO
-    it('install app (no sso)', function () {
-        execSync('cloudron install --no-sso --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
+    it('install app (no sso)', function () { execSync('cloudron install --no-sso --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app information', getAppInfo);
 
-    it('can get app information', function () {
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
-
-        expect(app).to.be.an('object');
-    });
-
-    it('has registration open', checkRegistration.bind(null, 'open'));
+    it('has registration open', checkRegistration.bind(null, 'none'));
     let testPassword;
     it('create a user with CLI', function () {
         let output = execSync('cloudron exec --app ' + LOCATION + ' -- bin/tootctl accounts create test --email=test@cloudron.io', { cwd: path.resolve(__dirname, '..'), encoding: 'utf8' });
@@ -188,29 +143,71 @@ describe('Application life cycle test', function () {
         console.log(testPassword);
     });
 
-    it('can login (no sso)', (done) => login('test@cloudron.io', testPassword, done));
-    it('shows confirmation page', function () {
-        return browser.wait(until.elementLocated(by.xpath('//span[contains(text(), "Waiting for e-mail confirmation to be completed")]')), TIMEOUT);
+    it('can login (no sso)', async function () {
+        await login('test@cloudron.io', testPassword);
     });
 
-    it('uninstall app (no sso)', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    it('shows confirmation page', function () {
+        return browser.wait(until.elementLocated(By.xpath('//div[contains(text(), "Waiting for e-mail confirmation to be completed")]')), TEST_TIMEOUT);
+    });
+
+    it('uninstall app (no sso)', async function () {
+        await browser.get('about:blank');
+        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
+    });
+
+    // SSO
+    it('install app (sso)', function () { execSync('cloudron install --location ' + LOCATION, EXEC_ARGS); });
+
+    it('can get app information', getAppInfo);
+    it('registration is disabled', checkRegistration.bind(null, 'none'));
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can dismiss help', dismissHelp);
+    it('can see timeline', checkTimeline);
+    it('can logout', logout);
+
+    it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
+    it('restore app', function () {
+        const backups = JSON.parse(execSync('cloudron backup list --raw'));
+        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
+        execSync('cloudron install --location ' + LOCATION, EXEC_ARGS);
+        getAppInfo();
+        execSync(`cloudron restore --backup ${backups[0].id} --app ${app.id}`, EXEC_ARGS);
+    });
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can see timeline', checkTimeline);
+
+    it('can restart app', function () { execSync('cloudron restart --app ' + app.id, EXEC_ARGS); });
+    it('can see timeline', checkTimeline);
+
+    it('move to different location', async function () {
+        await browser.get('about:blank');
+        execSync('cloudron configure --location ' + LOCATION + '2 --app ' + app.id, EXEC_ARGS);
+    });
+    it('can get app information', getAppInfo);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can see timeline', checkTimeline);
+
+    it('uninstall app', async function () {
+        await browser.get('about:blank');
+        execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS);
     });
 
     // test update
-    it('can install app', function () {
-        execSync('cloudron install --appstore-id ' + app.manifest.id + ' --location ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-        var inspect = JSON.parse(execSync('cloudron inspect'));
-        app = inspect.apps.filter(function (a) { return a.location === LOCATION; })[0];
-        expect(app).to.be.an('object');
-    });
-    it('can LDAP login', login.bind(null, username, password));
-    it('can update', function () {
-        execSync('cloudron update --app ' + LOCATION, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
-    });
-    it('can LDAP login', login.bind(null, username, password));
+    it('can install app', function () { execSync('cloudron install --appstore-id ' + manifest.id + ' --location ' + LOCATION, EXEC_ARGS); });
+    it('can get app information', getAppInfo);
+    // needs to be changed to loginOIDC on the next release
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('can logout', logout);
 
-    it('uninstall app', function () {
-        execSync('cloudron uninstall --app ' + app.id, { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' });
+    it('can update', async function () {
+        await browser.get('about:blank');
+        execSync('cloudron update --app ' + LOCATION, EXEC_ARGS);
     });
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 });