Bump version to v0.7.2

Obviously won't help if the encryption hardening options are enabled,
because the point of those is to prevent the bridge from decrypting old
messages.

Fixes #131

.github/ISSUE_TEMPLATE/bug.md

@@ -5,3 +5,10 @@ about: If something is definitely wrong in the bridge (rather than just a setup
 labels: bug
 
 ---
+
+<!--
+Remember to include relevant logs, the bridge version and any other details.
+
+If you aren't sure what's needed, ask in the Matrix room rather than opening an
+incomplete issue. Issues with insufficient detail will likely just be ignored.
+-->

.github/workflows/go.yml

@@ -5,13 +5,20 @@ on: [push, pull_request]
 jobs:
   lint:
     runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version: ["1.22", "1.23"]
+    name: Lint ${{ matrix.go-version == '1.23' && '(latest)' || '(old)' }}
+
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
         with:
-          go-version: "1.20"
+          go-version: ${{ matrix.go-version }}
+          cache: true
 
       - name: Install libolm
         run: sudo apt-get install libolm-dev libolm3

.github/workflows/stale.yml

@@ -0,0 +1,29 @@
+name: 'Lock old issues'
+
+on:
+  schedule:
+    - cron: '0 21 * * *'
+  workflow_dispatch:
+
+permissions:
+  issues: write
+#  pull-requests: write
+#  discussions: write
+
+concurrency:
+  group: lock-threads
+
+jobs:
+  lock-stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: dessant/lock-threads@v5
+        id: lock
+        with:
+          issue-inactive-days: 90
+          process-only: issues
+      - name: Log processed threads
+        run: |
+          if [ '${{ steps.lock.outputs.issues }}' ]; then
+            echo "Issues:" && echo '${{ steps.lock.outputs.issues }}' | jq -r '.[] | "https://github.com/\(.owner)/\(.repo)/issues/\(.issue_number)"'
+          fi

.gitignore

@@ -4,3 +4,6 @@
 
 *.db*
 *.log*
+
+/mautrix-discord
+/start

.pre-commit-config.yaml

@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
     hooks:
       - id: trailing-whitespace
         exclude_types: [markdown]
@@ -13,3 +13,8 @@ repos:
     hooks:
       - id: go-imports-repo
       - id: go-vet-repo-mod
+
+  - repo: https://github.com/beeper/pre-commit-go
+    rev: v0.3.1
+    hooks:
+      - id: zerolog-ban-msgf

CHANGELOG.md

@@ -1,3 +1,43 @@
+# v0.7.2 (2024-12-16)
+
+* Fixed some headers being set incorrectly.
+
+# v0.7.1 (2024-11-16)
+
+* Bumped minimum Go version to 1.22.
+* Updated Discord version numbers.
+
+# v0.7.0 (2024-07-16)
+
+* Bumped minimum Go version to 1.21.
+* Added support for Matrix v1.11 authenticated media.
+  * This also changes how avatars are sent to Discord when using relay webhooks.
+    To keep avatars working, you must configure `public_address` in the *bridge*
+    section of the config and proxy `/mautrix-discord/avatar/*` from that
+    address to the bridge.
+* Added `create-portal` command to create individual portals bypassing the
+  bridging mode. When used in combination with the `if-portal-exists` bridging
+  mode, this can be used to bridge individual channels from a guild.
+* Changed how direct media access works to make it compatible with Discord's
+  signed URL requirement. The new system must be enabled manually, see
+  [docs](https://docs.mau.fi/bridges/go/discord/direct-media.html) for info.
+
+# v0.6.5 (2024-01-16)
+
+* Fixed adding reply embed to webhook sends if the Matrix room is encrypted.
+
+# v0.6.4 (2023-11-16)
+
+* Changed error messages to be sent in a thread if the errored message was in
+  a thread.
+
+# v0.6.3 (2023-10-16)
+
+* Fixed op7 reconnects during connection causing the bridge to get stuck
+  disconnected.
+* Fixed double puppet of recipient joining DM portals when both ends of a DM
+  are using the same bridge.
+
 # v0.6.2 (2023-09-16)
 
 * Added support for double puppeting with arbitrary `as_token`s.

ROADMAP.md

@@ -1,11 +1,12 @@
 # Features & roadmap
 * Matrix → Discord
-  * [x] Message content
+  * [ ] Message content
     * [x] Plain text
     * [x] Formatted messages
     * [x] Media/files
     * [x] Replies
     * [x] Threads
+    * [ ] Custom emojis
   * [x] Message redactions
   * [x] Reactions
     * [x] Unicode emojis
@@ -45,7 +46,7 @@
   * [x] Message deletions
   * [x] Reactions
     * [x] Unicode emojis
-    * [x] Custom emojis (not yet supported on Matrix)
+    * [x] Custom emojis ([MSC4027](https://github.com/matrix-org/matrix-spec-proposals/pull/4027))
   * [x] Avatars
   * [ ] Presence
   * [ ] Typing notifications (currently partial support: DMs work after you type in them)

attachments.go

@@ -29,7 +29,7 @@ import (
 	"go.mau.fi/mautrix-discord/database"
 )
 
-func downloadDiscordAttachment(url string, maxSize int64) ([]byte, error) {
+func downloadDiscordAttachment(cli *http.Client, url string, maxSize int64) ([]byte, error) {
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
@@ -38,7 +38,7 @@ func downloadDiscordAttachment(url string, maxSize int64) ([]byte, error) {
 		req.Header.Set(key, value)
 	}
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := cli.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -65,16 +65,21 @@ func downloadDiscordAttachment(url string, maxSize int64) ([]byte, error) {
 	}
 }
 
-func uploadDiscordAttachment(url string, data []byte) error {
+func uploadDiscordAttachment(cli *http.Client, url string, data []byte) error {
 	req, err := http.NewRequest(http.MethodPut, url, bytes.NewReader(data))
 	if err != nil {
 		return err
 	}
-	for key, value := range discordgo.DroidFetchHeaders {
+	for key, value := range discordgo.DroidBaseHeaders {
 		req.Header.Set(key, value)
 	}
+	req.Header.Set("Content-Type", "application/octet-stream")
+	req.Header.Set("Referer", "https://discord.com/")
+	req.Header.Set("Sec-Fetch-Dest", "empty")
+	req.Header.Set("Sec-Fetch-Mode", "cors")
+	req.Header.Set("Sec-Fetch-Site", "cross-site")
 
-	resp, err := http.DefaultClient.Do(req)
+	resp, err := cli.Do(req)
 	if err != nil {
 		return err
 	}
@@ -295,7 +300,7 @@ func (br *DiscordBridge) copyAttachmentToMatrix(intent *appservice.IntentAPI, ur
 			}()
 
 			var data []byte
-			data, onceErr = downloadDiscordAttachment(url, br.MediaConfig.UploadSize)
+			data, onceErr = downloadDiscordAttachment(http.DefaultClient, url, br.MediaConfig.UploadSize)
 			if onceErr != nil {
 				return
 			}
@@ -323,19 +328,17 @@ func (br *DiscordBridge) copyAttachmentToMatrix(intent *appservice.IntentAPI, ur
 }
 
 func (portal *Portal) getEmojiMXCByDiscordID(emojiID, name string, animated bool) id.ContentURI {
-	var url, mimeType, ext string
+	mxc := portal.bridge.DMA.EmojiMXC(emojiID, name, animated)
+	if !mxc.IsEmpty() {
+		return mxc
+	}
+	var url, mimeType string
 	if animated {
 		url = discordgo.EndpointEmojiAnimated(emojiID)
 		mimeType = "image/gif"
-		ext = "gif"
 	} else {
 		url = discordgo.EndpointEmoji(emojiID)
 		mimeType = "image/png"
-		ext = "png"
-	}
-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Emoji(emojiID, ext)
-	if !mxc.IsEmpty() {
-		return mxc
 	}
 	dbFile, err := portal.bridge.copyAttachmentToMatrix(portal.MainIntent(), url, false, AttachmentMeta{
 		AttachmentID: emojiID,

backfill.go

@@ -117,7 +117,7 @@ func (portal *Portal) collectBackfillMessages(log zerolog.Logger, source *User,
 	}
 	for {
 		log.Debug().Str("before_id", before).Msg("Fetching messages for backfill")
-		newMessages, err := source.Session.ChannelMessages(protoChannelID, messageFetchChunkSize, before, "", "")
+		newMessages, err := source.Session.ChannelMessages(protoChannelID, messageFetchChunkSize, before, "", "", portal.RefererOptIfUser(source.Session, protoChannelID)...)
 		if err != nil {
 			return nil, false, err
 		}
@@ -151,6 +151,9 @@ func (portal *Portal) collectBackfillMessages(log zerolog.Logger, source *User,
 func (portal *Portal) backfillLimited(log zerolog.Logger, source *User, limit int, after string, thread *Thread) {
 	messages, foundAll, err := portal.collectBackfillMessages(log, source, limit, after, thread)
 	if err != nil {
+		if source.handlePossible40002(err) {
+			panic(err)
+		}
 		log.Err(err).Msg("Error collecting messages to forward backfill")
 		return
 	}
@@ -180,7 +183,7 @@ func (portal *Portal) backfillUnlimitedMissed(log zerolog.Logger, source *User,
 	}
 	for {
 		log.Debug().Str("after_id", after).Msg("Fetching chunk of messages to backfill")
-		messages, err := source.Session.ChannelMessages(protoChannelID, messageFetchChunkSize, "", after, "")
+		messages, err := source.Session.ChannelMessages(protoChannelID, messageFetchChunkSize, "", after, "", portal.RefererOptIfUser(source.Session, protoChannelID)...)
 		if err != nil {
 			log.Err(err).Msg("Error fetching chunk of messages to forward backfill")
 			return

commands.go

@@ -62,6 +62,7 @@ func (br *DiscordBridge) RegisterCommands() {
 		cmdBridge,
 		cmdUnbridge,
 		cmdDeletePortal,
+		cmdCreatePortal,
 		cmdSetRelay,
 		cmdUnsetRelay,
 		cmdGuilds,
@@ -467,7 +468,7 @@ func fnSetRelay(ce *WrappedCommandEvent) {
 			return
 		}
 	case "create":
-		perms, err := ce.User.Session.UserChannelPermissions(ce.User.DiscordID, portal.Key.ChannelID)
+		perms, err := ce.User.Session.UserChannelPermissions(ce.User.DiscordID, portal.Key.ChannelID, portal.RefererOptIfUser(ce.User.Session, "")...)
 		if err != nil {
 			log.Warn().Err(err).Msg("Failed to check user permissions")
 			ce.Reply("Failed to check if you have permission to create webhooks")
@@ -482,7 +483,7 @@ func fnSetRelay(ce *WrappedCommandEvent) {
 			name = strings.Join(ce.Args[1:], " ")
 		}
 		log.Debug().Str("webhook_name", name).Msg("Creating webhook")
-		webhookMeta, err = ce.User.Session.WebhookCreate(portal.Key.ChannelID, name, "")
+		webhookMeta, err = ce.User.Session.WebhookCreate(portal.Key.ChannelID, name, "", portal.RefererOptIfUser(ce.User.Session, "")...)
 		if err != nil {
 			log.Warn().Err(err).Msg("Failed to create webhook")
 			ce.Reply("Failed to create webhook: %v", err)
@@ -757,7 +758,7 @@ func fnBridge(ce *WrappedCommandEvent) {
 	portal.updateRoomName()
 	portal.updateRoomAvatar()
 	portal.updateRoomTopic()
-	portal.updateSpace()
+	portal.updateSpace(ce.User)
 	portal.UpdateBridgeInfo()
 	state, err := portal.MainIntent().State(portal.MXID)
 	if err != nil {
@@ -785,6 +786,45 @@ var cmdUnbridge = &commands.FullHandler{
 	RequiresEventLevel: roomModerator,
 }
 
+var cmdCreatePortal = &commands.FullHandler{
+	Func: wrapCommand(fnCreatePortal),
+	Name: "create-portal",
+	Help: commands.HelpMeta{
+		Section:     HelpSectionPortalManagement,
+		Description: "Create a portal for a specific channel",
+		Args:        "<_channel ID_>",
+	},
+	RequiresLogin: true,
+}
+
+func fnCreatePortal(ce *WrappedCommandEvent) {
+	meta, err := ce.User.Session.Channel(ce.Args[0])
+	if err != nil {
+		ce.Reply("Failed to get channel info: %v", err)
+		return
+	} else if meta == nil {
+		ce.Reply("Channel not found")
+		return
+	} else if !ce.User.channelIsBridgeable(meta) {
+		ce.Reply("That channel can't be bridged")
+		return
+	}
+	portal := ce.User.GetPortalByMeta(meta)
+	if portal.Guild != nil && portal.Guild.BridgingMode == database.GuildBridgeNothing {
+		ce.Reply("That guild is set to not bridge any messages. Bridge the guild with `$cmdprefix guilds bridge %s` first", portal.Guild.ID)
+		return
+	} else if portal.MXID != "" {
+		ce.Reply("That channel is already bridged: [%s](%s)", portal.Name, portal.MXID.URI(portal.bridge.Config.Homeserver.Domain).MatrixToURL())
+		return
+	}
+	err = portal.CreateMatrixRoom(ce.User, meta)
+	if err != nil {
+		ce.Reply("Failed to create portal: %v", err)
+	} else {
+		ce.Reply("Portal created: [%s](%s)", portal.Name, portal.MXID.URI(portal.bridge.Config.Homeserver.Domain).MatrixToURL())
+	}
+}
+
 var cmdDeletePortal = &commands.FullHandler{
 	Func: wrapCommand(fnUnbridge),
 	Name: "delete-portal",

commands_botinteraction.go

@@ -61,7 +61,7 @@ func (portal *Portal) getCommand(user *User, command string) (*discordgo.Applica
 	defer portal.commandsLock.Unlock()
 	cmd, ok := portal.commands[command]
 	if !ok {
-		results, err := user.Session.ApplicationCommandsSearch(portal.Key.ChannelID, command)
+		results, err := user.Session.ApplicationCommandsSearch(portal.Key.ChannelID, command, portal.RefererOpt(""))
 		if err != nil {
 			return nil, err
 		}
@@ -247,7 +247,7 @@ func fnCommands(ce *WrappedCommandEvent) {
 	}
 	subcmd := strings.ToLower(ce.Args[0])
 	if subcmd == "search" {
-		results, err := ce.User.Session.ApplicationCommandsSearch(ce.Portal.Key.ChannelID, ce.Args[1])
+		results, err := ce.User.Session.ApplicationCommandsSearch(ce.Portal.Key.ChannelID, ce.Args[1], ce.Portal.RefererOpt(""))
 		if err != nil {
 			ce.Reply("Error searching for commands: %v", err)
 			return
@@ -297,7 +297,7 @@ func fnExec(ce *WrappedCommandEvent) {
 		ce.User.pendingInteractionsLock.Lock()
 		ce.User.pendingInteractions[nonce] = ce
 		ce.User.pendingInteractionsLock.Unlock()
-		err = ce.User.Session.SendInteractions(ce.Portal.GuildID, ce.Portal.Key.ChannelID, cmd, options, nonce)
+		err = ce.User.Session.SendInteractions(ce.Portal.GuildID, ce.Portal.Key.ChannelID, cmd, options, nonce, ce.Portal.RefererOpt(""))
 		if err != nil {
 			ce.Reply("Error sending interaction: %v", err)
 			ce.User.pendingInteractionsLock.Lock()

config/bridge.go

@@ -25,7 +25,6 @@ import (
 	"github.com/bwmarrin/discordgo"
 
 	"maunium.net/go/mautrix/bridge/bridgeconfig"
-	"maunium.net/go/mautrix/id"
 )
 
 type BridgeConfig struct {
@@ -38,6 +37,9 @@ type BridgeConfig struct {
 
 	PortalMessageBuffer int `yaml:"portal_message_buffer"`
 
+	PublicAddress  string `yaml:"public_address"`
+	AvatarProxyKey string `yaml:"avatar_proxy_key"`
+
 	DeliveryReceipts            bool `yaml:"delivery_receipts"`
 	MessageStatusEvents         bool `yaml:"message_status_events"`
 	MessageErrorNotices         bool `yaml:"message_error_notices"`
@@ -55,8 +57,10 @@ type BridgeConfig struct {
 	EnableWebhookAvatars        bool `yaml:"enable_webhook_avatars"`
 	UseDiscordCDNUpload         bool `yaml:"use_discord_cdn_upload"`
 
-	CacheMedia    string        `yaml:"cache_media"`
+	Proxy string `yaml:"proxy"`
-	MediaPatterns MediaPatterns `yaml:"media_patterns"`
+
+	CacheMedia  string      `yaml:"cache_media"`
+	DirectMedia DirectMedia `yaml:"direct_media"`
 
 	AnimatedSticker struct {
 		Target string `yaml:"target"`
@@ -83,8 +87,9 @@ type BridgeConfig struct {
 	Encryption bridgeconfig.EncryptionConfig `yaml:"encryption"`
 
 	Provisioning struct {
-		Prefix       string `yaml:"prefix"`
+		Prefix         string `yaml:"prefix"`
-		SharedSecret string `yaml:"shared_secret"`
+		SharedSecret   string `yaml:"shared_secret"`
+		DebugEndpoints bool   `yaml:"debug_endpoints"`
 	} `yaml:"provisioning"`
 
 	Permissions bridgeconfig.PermissionConfig `yaml:"permissions"`
@@ -95,111 +100,12 @@ type BridgeConfig struct {
 	guildNameTemplate   *template.Template `yaml:"-"`
 }
 
-type MediaPatterns struct {
+type DirectMedia struct {
-	Enabled        bool   `yaml:"enabled"`
+	Enabled           bool   `yaml:"enabled"`
-	TplAttachments string `yaml:"attachments"`
+	ServerName        string `yaml:"server_name"`
-	TplEmojis      string `yaml:"emojis"`
+	WellKnownResponse string `yaml:"well_known_response"`
-	TplStickers    string `yaml:"stickers"`
+	AllowProxy        bool   `yaml:"allow_proxy"`
-	TplAvatars     string `yaml:"avatars"`
+	ServerKey         string `yaml:"server_key"`
-
-	attachments *template.Template `yaml:"-"`
-	emojis      *template.Template `yaml:"-"`
-	stickers    *template.Template `yaml:"-"`
-	avatars     *template.Template `yaml:"-"`
-}
-
-type umMediaPatterns MediaPatterns
-
-func (mp *MediaPatterns) UnmarshalYAML(unmarshal func(interface{}) error) error {
-	err := unmarshal((*umMediaPatterns)(mp))
-	if err != nil {
-		return err
-	}
-	tpl := template.New("media_patterns")
-
-	pairs := []struct {
-		ptr      **template.Template
-		name     string
-		template string
-	}{
-		{&mp.attachments, "attachments", mp.TplAttachments},
-		{&mp.emojis, "emojis", mp.TplEmojis},
-		{&mp.stickers, "stickers", mp.TplStickers},
-		{&mp.avatars, "avatars", mp.TplAvatars},
-	}
-	for _, pair := range pairs {
-		if pair.template == "" {
-			continue
-		}
-		*pair.ptr, err = tpl.New(pair.name).Parse(pair.template)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-type attachmentParams struct {
-	ChannelID    string
-	AttachmentID string
-	FileName     string
-}
-
-type emojiStickerParams struct {
-	ID  string
-	Ext string
-}
-
-type avatarParams struct {
-	UserID   string
-	AvatarID string
-	Ext      string
-}
-
-func (mp *MediaPatterns) execute(tpl *template.Template, params any) id.ContentURI {
-	if tpl == nil || !mp.Enabled {
-		return id.ContentURI{}
-	}
-	var out strings.Builder
-	err := tpl.Execute(&out, params)
-	if err != nil {
-		panic(err)
-	}
-	uri, err := id.ParseContentURI(out.String())
-	if err != nil {
-		panic(err)
-	}
-	return uri
-}
-
-func (mp *MediaPatterns) Attachment(channelID, attachmentID, filename string) id.ContentURI {
-	return mp.execute(mp.attachments, attachmentParams{
-		ChannelID:    channelID,
-		AttachmentID: attachmentID,
-		FileName:     filename,
-	})
-}
-
-func (mp *MediaPatterns) Emoji(emojiID, ext string) id.ContentURI {
-	return mp.execute(mp.emojis, emojiStickerParams{
-		ID:  emojiID,
-		Ext: ext,
-	})
-}
-
-func (mp *MediaPatterns) Sticker(stickerID, ext string) id.ContentURI {
-	return mp.execute(mp.stickers, emojiStickerParams{
-		ID:  stickerID,
-		Ext: ext,
-	})
-}
-
-func (mp *MediaPatterns) Avatar(userID, avatarID, ext string) id.ContentURI {
-	return mp.execute(mp.avatars, avatarParams{
-		UserID:   userID,
-		AvatarID: avatarID,
-		Ext:      ext,
-	})
 }
 
 type BackfillLimitPart struct {

config/upgrade.go

@@ -20,13 +20,12 @@ import (
 	up "go.mau.fi/util/configupgrade"
 	"go.mau.fi/util/random"
 	"maunium.net/go/mautrix/bridge/bridgeconfig"
+	"maunium.net/go/mautrix/federation"
 )
 
 func DoUpgrade(helper *up.Helper) {
 	bridgeconfig.Upgrader.DoUpgrade(helper)
 
-	helper.Copy(up.Str|up.Null, "homeserver", "public_address")
-
 	helper.Copy(up.Str, "bridge", "username_template")
 	helper.Copy(up.Str, "bridge", "displayname_template")
 	helper.Copy(up.Str, "bridge", "channel_name_template")
@@ -41,6 +40,12 @@ func DoUpgrade(helper *up.Helper) {
 		helper.Copy(up.Str, "bridge", "private_chat_portal_meta")
 	}
 	helper.Copy(up.Int, "bridge", "startup_private_channel_create_limit")
+	helper.Copy(up.Str|up.Null, "bridge", "public_address")
+	if apkey, ok := helper.Get(up.Str, "bridge", "avatar_proxy_key"); !ok || apkey == "generate" {
+		helper.Set(up.Str, random.String(32), "bridge", "avatar_proxy_key")
+	} else {
+		helper.Copy(up.Str, "bridge", "avatar_proxy_key")
+	}
 	helper.Copy(up.Int, "bridge", "portal_message_buffer")
 	helper.Copy(up.Bool, "bridge", "delivery_receipts")
 	helper.Copy(up.Bool, "bridge", "message_status_events")
@@ -58,12 +63,18 @@ func DoUpgrade(helper *up.Helper) {
 	helper.Copy(up.Bool, "bridge", "prefix_webhook_messages")
 	helper.Copy(up.Bool, "bridge", "enable_webhook_avatars")
 	helper.Copy(up.Bool, "bridge", "use_discord_cdn_upload")
-	helper.Copy(up.Bool, "bridge", "media_patterns", "enabled")
+	helper.Copy(up.Str|up.Null, "bridge", "proxy")
 	helper.Copy(up.Str, "bridge", "cache_media")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "attachments")
+	helper.Copy(up.Bool, "bridge", "direct_media", "enabled")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "emojis")
+	helper.Copy(up.Str, "bridge", "direct_media", "server_name")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "stickers")
+	helper.Copy(up.Str|up.Null, "bridge", "direct_media", "well_known_response")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "avatars")
+	helper.Copy(up.Bool, "bridge", "direct_media", "allow_proxy")
+	if serverKey, ok := helper.Get(up.Str, "bridge", "direct_media", "server_key"); !ok || serverKey == "generate" {
+		serverKey = federation.GenerateSigningKey().SynapseString()
+		helper.Set(up.Str, serverKey, "bridge", "direct_media", "server_key")
+	} else {
+		helper.Copy(up.Str, "bridge", "direct_media", "server_key")
+	}
 	helper.Copy(up.Str, "bridge", "animated_sticker", "target")
 	helper.Copy(up.Int, "bridge", "animated_sticker", "args", "width")
 	helper.Copy(up.Int, "bridge", "animated_sticker", "args", "height")
@@ -113,6 +124,7 @@ func DoUpgrade(helper *up.Helper) {
 	} else {
 		helper.Copy(up.Str, "bridge", "provisioning", "shared_secret")
 	}
+	helper.Copy(up.Bool, "bridge", "provisioning", "debug_endpoints")
 
 	helper.Copy(up.Map, "bridge", "permissions")
 	//helper.Copy(up.Bool, "bridge", "relay", "enabled")

database/message.go

@@ -107,7 +107,7 @@ func (mq *MessageQuery) MassInsert(key PortalKey, msgs []Message) {
 	params[0] = key.ChannelID
 	params[1] = key.Receiver
 	for i, msg := range msgs {
-		baseIndex := 2 + i*7
+		baseIndex := 2 + i*8
 		params[baseIndex] = msg.DiscordID
 		params[baseIndex+1] = msg.AttachmentID
 		params[baseIndex+2] = msg.SenderID

database/userportal.go

@@ -7,6 +7,7 @@ import (
 
 	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
+	"maunium.net/go/mautrix/id"
 )
 
 const (
@@ -44,6 +45,24 @@ func (u *User) scanUserPortals(rows dbutil.Rows) []UserPortal {
 	return ups
 }
 
+func (db *Database) GetUsersInPortal(channelID string) []id.UserID {
+	rows, err := db.Query("SELECT user_mxid FROM user_portal WHERE discord_id=$1", channelID)
+	if err != nil {
+		db.Portal.log.Errorln("Failed to get users in portal:", err)
+	}
+	var users []id.UserID
+	for rows.Next() {
+		var mxid id.UserID
+		err = rows.Scan(&mxid)
+		if err != nil {
+			db.Portal.log.Errorln("Failed to scan user in portal:", err)
+		} else {
+			users = append(users, mxid)
+		}
+	}
+	return users
+}
+
 func (u *User) GetPortals() []UserPortal {
 	rows, err := u.db.Query("SELECT discord_id, type, timestamp, in_space FROM user_portal WHERE user_mxid=$1", u.MXID)
 	if err != nil {

directmedia.go

@@ -0,0 +1,662 @@
+// mautrix-discord - A Matrix-Discord puppeting bridge.
+// Copyright (C) 2024 Tulir Asokan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"mime"
+	"mime/multipart"
+	"net"
+	"net/http"
+	"net/textproto"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/bwmarrin/discordgo"
+	"github.com/gorilla/mux"
+	"github.com/rs/zerolog"
+	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/federation"
+	"maunium.net/go/mautrix/id"
+
+	"go.mau.fi/mautrix-discord/config"
+	"go.mau.fi/mautrix-discord/database"
+)
+
+type DirectMediaAPI struct {
+	bridge *DiscordBridge
+	ks     *federation.KeyServer
+	cfg    config.DirectMedia
+	log    zerolog.Logger
+	proxy  http.Client
+
+	signatureKey [32]byte
+
+	attachmentCache     map[AttachmentCacheKey]AttachmentCacheValue
+	attachmentCacheLock sync.Mutex
+}
+
+type AttachmentCacheKey struct {
+	ChannelID    uint64
+	AttachmentID uint64
+}
+
+type AttachmentCacheValue struct {
+	URL    string
+	Expiry time.Time
+}
+
+func newDirectMediaAPI(br *DiscordBridge) *DirectMediaAPI {
+	if !br.Config.Bridge.DirectMedia.Enabled {
+		return nil
+	}
+	dma := &DirectMediaAPI{
+		bridge: br,
+		cfg:    br.Config.Bridge.DirectMedia,
+		log:    br.ZLog.With().Str("component", "direct media").Logger(),
+		proxy: http.Client{
+			Transport: &http.Transport{
+				DialContext:         (&net.Dialer{Timeout: 10 * time.Second}).DialContext,
+				TLSHandshakeTimeout: 10 * time.Second,
+				ForceAttemptHTTP2:   false,
+			},
+			Timeout: 60 * time.Second,
+		},
+		attachmentCache: make(map[AttachmentCacheKey]AttachmentCacheValue),
+	}
+	r := br.AS.Router
+
+	parsed, err := federation.ParseSynapseKey(dma.cfg.ServerKey)
+	if err != nil {
+		dma.log.WithLevel(zerolog.FatalLevel).Err(err).Msg("Failed to parse server key")
+		os.Exit(11)
+		return nil
+	}
+	dma.signatureKey = sha256.Sum256(parsed.Priv.Seed())
+	dma.ks = &federation.KeyServer{
+		KeyProvider: &federation.StaticServerKey{
+			ServerName: dma.cfg.ServerName,
+			Key:        parsed,
+		},
+		WellKnownTarget: dma.cfg.WellKnownResponse,
+		Version: federation.ServerVersion{
+			Name:    br.Name,
+			Version: br.Version,
+		},
+	}
+	if dma.ks.WellKnownTarget == "" {
+		dma.ks.WellKnownTarget = fmt.Sprintf("%s:443", dma.cfg.ServerName)
+	}
+	federationRouter := r.PathPrefix("/_matrix/federation").Subrouter()
+	mediaRouter := r.PathPrefix("/_matrix/media").Subrouter()
+	clientMediaRouter := r.PathPrefix("/_matrix/client/v1/media").Subrouter()
+	var reqIDCounter atomic.Uint64
+	middleware := func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization")
+			log := dma.log.With().
+				Str("remote_addr", r.RemoteAddr).
+				Str("request_path", r.URL.Path).
+				Uint64("req_id", reqIDCounter.Add(1)).
+				Logger()
+			next.ServeHTTP(w, r.WithContext(log.WithContext(r.Context())))
+		})
+	}
+	mediaRouter.Use(middleware)
+	federationRouter.Use(middleware)
+	clientMediaRouter.Use(middleware)
+	addRoutes := func(version string) {
+		mediaRouter.HandleFunc("/"+version+"/download/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/download/{serverName}/{mediaID}/{fileName}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/thumbnail/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/upload/{serverName}/{mediaID}", dma.UploadNotSupported).Methods(http.MethodPut)
+		mediaRouter.HandleFunc("/"+version+"/upload", dma.UploadNotSupported).Methods(http.MethodPost)
+		mediaRouter.HandleFunc("/"+version+"/create", dma.UploadNotSupported).Methods(http.MethodPost)
+		mediaRouter.HandleFunc("/"+version+"/config", dma.UploadNotSupported).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/preview_url", dma.PreviewURLNotSupported).Methods(http.MethodGet)
+	}
+	clientMediaRouter.HandleFunc("/download/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/download/{serverName}/{mediaID}/{fileName}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/thumbnail/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/upload/{serverName}/{mediaID}", dma.UploadNotSupported).Methods(http.MethodPut)
+	clientMediaRouter.HandleFunc("/upload", dma.UploadNotSupported).Methods(http.MethodPost)
+	clientMediaRouter.HandleFunc("/create", dma.UploadNotSupported).Methods(http.MethodPost)
+	clientMediaRouter.HandleFunc("/config", dma.UploadNotSupported).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/preview_url", dma.PreviewURLNotSupported).Methods(http.MethodGet)
+	addRoutes("v3")
+	addRoutes("r0")
+	addRoutes("v1")
+	federationRouter.HandleFunc("/v1/media/download/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	federationRouter.HandleFunc("/v1/version", dma.ks.GetServerVersion).Methods(http.MethodGet)
+	mediaRouter.NotFoundHandler = http.HandlerFunc(dma.UnknownEndpoint)
+	mediaRouter.MethodNotAllowedHandler = http.HandlerFunc(dma.UnsupportedMethod)
+	federationRouter.NotFoundHandler = http.HandlerFunc(dma.UnknownEndpoint)
+	federationRouter.MethodNotAllowedHandler = http.HandlerFunc(dma.UnsupportedMethod)
+	dma.ks.Register(r)
+
+	return dma
+}
+
+func (dma *DirectMediaAPI) makeMXC(data MediaIDData) id.ContentURI {
+	return id.ContentURI{
+		Homeserver: dma.cfg.ServerName,
+		FileID:     data.Wrap().SignedString(dma.signatureKey),
+	}
+}
+
+func parseExpiryTS(addr string) time.Time {
+	parsedURL, err := url.Parse(addr)
+	if err != nil {
+		return time.Time{}
+	}
+	tsBytes, err := hex.DecodeString(parsedURL.Query().Get("ex"))
+	if err != nil || len(tsBytes) != 4 {
+		return time.Time{}
+	}
+	parsedTS := int64(binary.BigEndian.Uint32(tsBytes))
+	if parsedTS > time.Now().Unix() && parsedTS < time.Now().Add(365*24*time.Hour).Unix() {
+		return time.Unix(parsedTS, 0)
+	}
+	return time.Time{}
+}
+
+func (dma *DirectMediaAPI) addAttachmentToCache(channelID uint64, att *discordgo.MessageAttachment) time.Time {
+	attachmentID, err := strconv.ParseUint(att.ID, 10, 64)
+	if err != nil {
+		return time.Time{}
+	}
+	expiry := parseExpiryTS(att.URL)
+	if expiry.IsZero() {
+		expiry = time.Now().Add(24 * time.Hour)
+	}
+	dma.attachmentCache[AttachmentCacheKey{
+		ChannelID:    channelID,
+		AttachmentID: attachmentID,
+	}] = AttachmentCacheValue{
+		URL:    att.URL,
+		Expiry: expiry,
+	}
+	return expiry
+}
+
+func (dma *DirectMediaAPI) AttachmentMXC(channelID, messageID string, att *discordgo.MessageAttachment) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	channelIDInt, err := strconv.ParseUint(channelID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("channel_id", channelID).Msg("Got non-integer channel ID")
+		return
+	}
+	messageIDInt, err := strconv.ParseUint(messageID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("message_id", messageID).Msg("Got non-integer message ID")
+		return
+	}
+	attachmentIDInt, err := strconv.ParseUint(att.ID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("attachment_id", att.ID).Msg("Got non-integer attachment ID")
+		return
+	}
+	dma.attachmentCacheLock.Lock()
+	dma.addAttachmentToCache(channelIDInt, att)
+	dma.attachmentCacheLock.Unlock()
+	return dma.makeMXC(&AttachmentMediaData{
+		ChannelID:    channelIDInt,
+		MessageID:    messageIDInt,
+		AttachmentID: attachmentIDInt,
+	})
+}
+
+func (dma *DirectMediaAPI) EmojiMXC(emojiID, name string, animated bool) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	emojiIDInt, err := strconv.ParseUint(emojiID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("emoji_id", emojiID).Msg("Got non-integer emoji ID")
+		return
+	}
+	return dma.makeMXC(&EmojiMediaData{
+		EmojiMediaDataInner: EmojiMediaDataInner{
+			EmojiID:  emojiIDInt,
+			Animated: animated,
+		},
+		Name: name,
+	})
+}
+
+func (dma *DirectMediaAPI) StickerMXC(stickerID string, format discordgo.StickerFormat) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	stickerIDInt, err := strconv.ParseUint(stickerID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("sticker_id", stickerID).Msg("Got non-integer sticker ID")
+		return
+	} else if format > 255 || format < 0 {
+		dma.log.Warn().Int("format", int(format)).Msg("Got invalid sticker format")
+		return
+	}
+	return dma.makeMXC(&StickerMediaData{
+		StickerID: stickerIDInt,
+		Format:    byte(format),
+	})
+}
+
+func (dma *DirectMediaAPI) AvatarMXC(guildID, userID, avatarID string) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	animated := strings.HasPrefix(avatarID, "a_")
+	avatarIDBytes, err := hex.DecodeString(strings.TrimPrefix(avatarID, "a_"))
+	if err != nil {
+		dma.log.Warn().Str("avatar_id", avatarID).Msg("Got non-hex avatar ID")
+		return
+	} else if len(avatarIDBytes) != 16 {
+		dma.log.Warn().Str("avatar_id", avatarID).Msg("Got invalid avatar ID length")
+		return
+	}
+	avatarIDArray := [16]byte(avatarIDBytes)
+	userIDInt, err := strconv.ParseUint(userID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("user_id", userID).Msg("Got non-integer user ID")
+		return
+	}
+	if guildID != "" {
+		guildIDInt, err := strconv.ParseUint(guildID, 10, 64)
+		if err != nil {
+			dma.log.Warn().Str("guild_id", guildID).Msg("Got non-integer guild ID")
+			return
+		}
+		return dma.makeMXC(&GuildMemberAvatarMediaData{
+			GuildID:  guildIDInt,
+			UserID:   userIDInt,
+			AvatarID: avatarIDArray,
+			Animated: animated,
+		})
+	} else {
+		return dma.makeMXC(&UserAvatarMediaData{
+			UserID:   userIDInt,
+			AvatarID: avatarIDArray,
+			Animated: animated,
+		})
+	}
+}
+
+type RespError struct {
+	Code    string
+	Message string
+	Status  int
+}
+
+func (re *RespError) Error() string {
+	return re.Message
+}
+
+var ErrNoUsersWithAccessFound = errors.New("no users found to fetch message")
+var ErrAttachmentNotFound = errors.New("attachment not found")
+
+func (dma *DirectMediaAPI) fetchNewAttachmentURL(ctx context.Context, meta *AttachmentMediaData) (string, time.Time, error) {
+	var client *discordgo.Session
+	channelIDStr := strconv.FormatUint(meta.ChannelID, 10)
+	portal := dma.bridge.GetExistingPortalByID(database.PortalKey{ChannelID: channelIDStr})
+	var users []id.UserID
+	if portal != nil && portal.GuildID != "" {
+		users = dma.bridge.DB.GetUsersInPortal(portal.GuildID)
+	} else {
+		users = dma.bridge.DB.GetUsersInPortal(channelIDStr)
+	}
+	for _, userID := range users {
+		user := dma.bridge.GetCachedUserByMXID(userID)
+		if user == nil || user.Session == nil {
+			continue
+		}
+		perms, err := user.Session.State.UserChannelPermissions(user.DiscordID, channelIDStr)
+		if err == nil && perms&discordgo.PermissionViewChannel == 0 {
+			continue
+		}
+		if client == nil || err == nil {
+			client = user.Session
+			if !client.IsUser {
+				break
+			}
+		}
+	}
+	if client == nil {
+		return "", time.Time{}, ErrNoUsersWithAccessFound
+	}
+	var msgs []*discordgo.Message
+	var err error
+	messageIDStr := strconv.FormatUint(meta.MessageID, 10)
+	if client.IsUser {
+		var refs []discordgo.RequestOption
+		if portal != nil {
+			refs = append(refs, discordgo.WithChannelReferer(portal.GuildID, channelIDStr))
+		}
+		msgs, err = client.ChannelMessages(channelIDStr, 5, "", "", messageIDStr, refs...)
+	} else {
+		var msg *discordgo.Message
+		msg, err = client.ChannelMessage(channelIDStr, messageIDStr)
+		msgs = []*discordgo.Message{msg}
+	}
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("failed to fetch message: %w", err)
+	}
+	attachmentIDStr := strconv.FormatUint(meta.AttachmentID, 10)
+	var url string
+	var expiry time.Time
+	for _, item := range msgs {
+		for _, att := range item.Attachments {
+			thisExpiry := dma.addAttachmentToCache(meta.ChannelID, att)
+			if att.ID == attachmentIDStr {
+				url = att.URL
+				expiry = thisExpiry
+			}
+		}
+	}
+	if url == "" {
+		return "", time.Time{}, ErrAttachmentNotFound
+	}
+	return url, expiry, nil
+}
+
+func (dma *DirectMediaAPI) GetEmojiInfo(contentURI id.ContentURI) *EmojiMediaData {
+	if dma == nil || contentURI.IsEmpty() || contentURI.Homeserver != dma.cfg.ServerName {
+		return nil
+	}
+	mediaID, err := ParseMediaID(contentURI.FileID, dma.signatureKey)
+	if err != nil {
+		return nil
+	}
+	emojiData, ok := mediaID.Data.(*EmojiMediaData)
+	if !ok {
+		return nil
+	}
+	return emojiData
+
+}
+
+func (dma *DirectMediaAPI) getMediaURL(ctx context.Context, encodedMediaID string) (url string, expiry time.Time, err error) {
+	var mediaID *MediaID
+	mediaID, err = ParseMediaID(encodedMediaID, dma.signatureKey)
+	if err != nil {
+		err = &RespError{
+			Code:    mautrix.MNotFound.ErrCode,
+			Message: err.Error(),
+			Status:  http.StatusNotFound,
+		}
+		return
+	}
+	switch mediaData := mediaID.Data.(type) {
+	case *AttachmentMediaData:
+		dma.attachmentCacheLock.Lock()
+		defer dma.attachmentCacheLock.Unlock()
+		cached, ok := dma.attachmentCache[mediaData.CacheKey()]
+		if ok && time.Until(cached.Expiry) > 5*time.Minute {
+			return cached.URL, cached.Expiry, nil
+		}
+		zerolog.Ctx(ctx).Debug().
+			Uint64("channel_id", mediaData.ChannelID).
+			Uint64("message_id", mediaData.MessageID).
+			Uint64("attachment_id", mediaData.AttachmentID).
+			Msg("Refreshing attachment URL")
+		url, expiry, err = dma.fetchNewAttachmentURL(ctx, mediaData)
+		if err != nil {
+			zerolog.Ctx(ctx).Err(err).Msg("Failed to refresh attachment URL")
+			msg := "Failed to refresh attachment URL"
+			if errors.Is(err, ErrNoUsersWithAccessFound) {
+				msg = "No users found with access to the channel"
+			} else if errors.Is(err, ErrAttachmentNotFound) {
+				msg = "Attachment not found in message. Perhaps it was deleted?"
+			}
+			err = &RespError{
+				Code:    mautrix.MNotFound.ErrCode,
+				Message: msg,
+				Status:  http.StatusNotFound,
+			}
+		} else {
+			zerolog.Ctx(ctx).Debug().Time("expiry", expiry).Msg("Successfully refreshed attachment URL")
+		}
+	case *EmojiMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointEmojiAnimated(strconv.FormatUint(mediaData.EmojiID, 10))
+		} else {
+			url = discordgo.EndpointEmoji(strconv.FormatUint(mediaData.EmojiID, 10))
+		}
+	case *StickerMediaData:
+		url = discordgo.EndpointStickerImage(
+			strconv.FormatUint(mediaData.StickerID, 10),
+			discordgo.StickerFormat(mediaData.Format),
+		)
+	case *UserAvatarMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointUserAvatarAnimated(
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("a_%x", mediaData.AvatarID),
+			)
+		} else {
+			url = discordgo.EndpointUserAvatar(
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("%x", mediaData.AvatarID),
+			)
+		}
+	case *GuildMemberAvatarMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointGuildMemberAvatarAnimated(
+				strconv.FormatUint(mediaData.GuildID, 10),
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("a_%x", mediaData.AvatarID),
+			)
+		} else {
+			url = discordgo.EndpointGuildMemberAvatar(
+				strconv.FormatUint(mediaData.GuildID, 10),
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("%x", mediaData.AvatarID),
+			)
+		}
+	default:
+		zerolog.Ctx(ctx).Error().Type("media_data_type", mediaData).Msg("Unrecognized media data struct")
+		err = &RespError{
+			Code:    "M_UNKNOWN",
+			Message: "Unrecognized media data struct",
+			Status:  http.StatusInternalServerError,
+		}
+	}
+	return
+}
+
+func (dma *DirectMediaAPI) proxyDownload(ctx context.Context, w http.ResponseWriter, url, fileName string) {
+	log := zerolog.Ctx(ctx)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		log.Err(err).Str("url", url).Msg("Failed to create proxy request")
+		jsonResponse(w, http.StatusInternalServerError, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Failed to create proxy request",
+		})
+		return
+	}
+	for key, val := range discordgo.DroidDownloadHeaders {
+		req.Header.Set(key, val)
+	}
+	resp, err := dma.proxy.Do(req)
+	defer func() {
+		if resp != nil && resp.Body != nil {
+			_ = resp.Body.Close()
+		}
+	}()
+	if err != nil {
+		log.Err(err).Str("url", url).Msg("Failed to proxy download")
+		jsonResponse(w, http.StatusServiceUnavailable, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Failed to proxy download",
+		})
+		return
+	} else if resp.StatusCode != http.StatusOK {
+		log.Warn().Str("url", url).Int("status", resp.StatusCode).Msg("Unexpected status code proxying download")
+		jsonResponse(w, resp.StatusCode, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Unexpected status code proxying download",
+		})
+		return
+	}
+	w.Header()["Content-Type"] = resp.Header["Content-Type"]
+	w.Header()["Content-Length"] = resp.Header["Content-Length"]
+	w.Header()["Last-Modified"] = resp.Header["Last-Modified"]
+	w.Header()["Cache-Control"] = resp.Header["Cache-Control"]
+	contentDisposition := "attachment"
+	switch resp.Header.Get("Content-Type") {
+	case "text/css", "text/plain", "text/csv", "application/json", "application/ld+json", "image/jpeg", "image/gif",
+		"image/png", "image/apng", "image/webp", "image/avif", "video/mp4", "video/webm", "video/ogg", "video/quicktime",
+		"audio/mp4", "audio/webm", "audio/aac", "audio/mpeg", "audio/ogg", "audio/wave", "audio/wav", "audio/x-wav",
+		"audio/x-pn-wav", "audio/flac", "audio/x-flac", "application/pdf":
+		contentDisposition = "inline"
+	}
+	if fileName != "" {
+		contentDisposition = mime.FormatMediaType(contentDisposition, map[string]string{
+			"filename": fileName,
+		})
+	}
+	w.Header().Set("Content-Disposition", contentDisposition)
+	w.WriteHeader(http.StatusOK)
+	_, err = io.Copy(w, resp.Body)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to write proxy response")
+	}
+}
+
+func (dma *DirectMediaAPI) DownloadMedia(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := zerolog.Ctx(ctx)
+	isNewFederation := strings.HasPrefix(r.URL.Path, "/_matrix/federation/v1/media/download/")
+	vars := mux.Vars(r)
+	if !isNewFederation && vars["serverName"] != dma.cfg.ServerName {
+		jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+			ErrCode: mautrix.MNotFound.ErrCode,
+			Err:     fmt.Sprintf("This is a Discord media proxy for %q, other media downloads are not available here", dma.cfg.ServerName),
+		})
+		return
+	}
+	// TODO check destination header in X-Matrix auth when isNewFederation
+
+	url, expiresAt, err := dma.getMediaURL(ctx, vars["mediaID"])
+	if err != nil {
+		var respError *RespError
+		if errors.As(err, &respError) {
+			jsonResponse(w, respError.Status, &mautrix.RespError{
+				ErrCode: respError.Code,
+				Err:     respError.Message,
+			})
+		} else {
+			log.Err(err).Str("media_id", vars["mediaID"]).Msg("Failed to get media URL")
+			jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+				ErrCode: mautrix.MNotFound.ErrCode,
+				Err:     "Media not found",
+			})
+		}
+		return
+	}
+	if isNewFederation {
+		mp := multipart.NewWriter(w)
+		w.Header().Set("Content-Type", strings.Replace(mp.FormDataContentType(), "form-data", "mixed", 1))
+		var metaPart io.Writer
+		metaPart, err = mp.CreatePart(textproto.MIMEHeader{
+			"Content-Type": {"application/json"},
+		})
+		if err != nil {
+			log.Err(err).Msg("Failed to create multipart metadata field")
+			return
+		}
+		_, err = metaPart.Write([]byte(`{}`))
+		if err != nil {
+			log.Err(err).Msg("Failed to write multipart metadata field")
+			return
+		}
+		_, err = mp.CreatePart(textproto.MIMEHeader{
+			"Location": {url},
+		})
+		if err != nil {
+			log.Err(err).Msg("Failed to create multipart redirect field")
+			return
+		}
+		err = mp.Close()
+		if err != nil {
+			log.Err(err).Msg("Failed to close multipart writer")
+			return
+		}
+		return
+	}
+	// Proxy if the config allows proxying and the request doesn't allow redirects.
+	// In any other case, redirect to the Discord CDN.
+	if dma.cfg.AllowProxy && r.URL.Query().Get("allow_redirect") != "true" {
+		dma.proxyDownload(ctx, w, url, vars["fileName"])
+		return
+	}
+	w.Header().Set("Location", url)
+	expirySeconds := (time.Until(expiresAt) - 5*time.Minute).Seconds()
+	if expiresAt.IsZero() {
+		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+	} else if expirySeconds > 0 {
+		cacheControl := fmt.Sprintf("public, max-age=%d, immutable", int(expirySeconds))
+		w.Header().Set("Cache-Control", cacheControl)
+	} else {
+		w.Header().Set("Cache-Control", "no-store")
+	}
+	w.WriteHeader(http.StatusTemporaryRedirect)
+}
+
+func (dma *DirectMediaAPI) UploadNotSupported(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotImplemented, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "This bridge only supports proxying Discord media downloads and does not support media uploads.",
+	})
+}
+
+func (dma *DirectMediaAPI) PreviewURLNotSupported(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotImplemented, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "This bridge only supports proxying Discord media downloads and does not support URL previews.",
+	})
+}
+
+func (dma *DirectMediaAPI) UnknownEndpoint(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "Unrecognized endpoint",
+	})
+}
+
+func (dma *DirectMediaAPI) UnsupportedMethod(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusMethodNotAllowed, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "Invalid method for endpoint",
+	})
+}

directmedia_id.go

@@ -0,0 +1,287 @@
+// mautrix-discord - A Matrix-Discord puppeting bridge.
+// Copyright (C) 2024 Tulir Asokan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+)
+
+const MediaIDPrefix = "\U0001F408DISCORD"
+const MediaIDVersion = 1
+
+type MediaIDClass uint8
+
+const (
+	MediaIDClassAttachment        MediaIDClass = 1
+	MediaIDClassEmoji             MediaIDClass = 2
+	MediaIDClassSticker           MediaIDClass = 3
+	MediaIDClassUserAvatar        MediaIDClass = 4
+	MediaIDClassGuildMemberAvatar MediaIDClass = 5
+)
+
+type MediaIDData interface {
+	Write(to io.Writer)
+	Read(from io.Reader) error
+	Size() int
+	Wrap() *MediaID
+}
+
+type MediaID struct {
+	Version   uint8
+	TypeClass MediaIDClass
+	Data      MediaIDData
+}
+
+func ParseMediaID(id string, key [32]byte) (*MediaID, error) {
+	data, err := base64.RawURLEncoding.DecodeString(id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64: %w", err)
+	}
+	hasher := hmac.New(sha256.New, key[:])
+	checksum := data[len(data)-TruncatedHashLength:]
+	data = data[:len(data)-TruncatedHashLength]
+	hasher.Write(data)
+	if !hmac.Equal(checksum, hasher.Sum(nil)[:TruncatedHashLength]) {
+		return nil, ErrMediaIDChecksumMismatch
+	}
+	mid := &MediaID{}
+	err = mid.Read(bytes.NewReader(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse media ID: %w", err)
+	}
+	return mid, nil
+}
+
+const TruncatedHashLength = 16
+
+func (mid *MediaID) SignedString(key [32]byte) string {
+	buf := bytes.NewBuffer(make([]byte, 0, mid.Size()))
+	mid.Write(buf)
+	hasher := hmac.New(sha256.New, key[:])
+	hasher.Write(buf.Bytes())
+	buf.Write(hasher.Sum(nil)[:TruncatedHashLength])
+	return base64.RawURLEncoding.EncodeToString(buf.Bytes())
+}
+
+func (mid *MediaID) Write(to io.Writer) {
+	_, _ = to.Write([]byte(MediaIDPrefix))
+	_ = binary.Write(to, binary.BigEndian, mid.Version)
+	_ = binary.Write(to, binary.BigEndian, mid.TypeClass)
+	mid.Data.Write(to)
+}
+
+func (mid *MediaID) Size() int {
+	return len(MediaIDPrefix) + 2 + mid.Data.Size() + TruncatedHashLength
+}
+
+var (
+	ErrInvalidMediaID          = errors.New("invalid media ID")
+	ErrMediaIDChecksumMismatch = errors.New("invalid checksum in media ID")
+	ErrUnsupportedMediaID      = errors.New("unsupported media ID")
+)
+
+func (mid *MediaID) Read(from io.Reader) error {
+	prefix := make([]byte, len(MediaIDPrefix))
+	_, err := io.ReadFull(from, prefix)
+	if err != nil || !bytes.Equal(prefix, []byte(MediaIDPrefix)) {
+		return fmt.Errorf("%w: prefix not found", ErrInvalidMediaID)
+	}
+	versionAndClass := make([]byte, 2)
+	_, err = io.ReadFull(from, versionAndClass)
+	if err != nil {
+		return fmt.Errorf("%w: version and class not found", ErrInvalidMediaID)
+	} else if versionAndClass[0] != MediaIDVersion {
+		return fmt.Errorf("%w: unknown version %d", ErrUnsupportedMediaID, versionAndClass[0])
+	}
+	switch MediaIDClass(versionAndClass[1]) {
+	case MediaIDClassAttachment:
+		mid.Data = &AttachmentMediaData{}
+	case MediaIDClassEmoji:
+		mid.Data = &EmojiMediaData{}
+	case MediaIDClassSticker:
+		mid.Data = &StickerMediaData{}
+	case MediaIDClassUserAvatar:
+		mid.Data = &UserAvatarMediaData{}
+	case MediaIDClassGuildMemberAvatar:
+		mid.Data = &GuildMemberAvatarMediaData{}
+	default:
+		return fmt.Errorf("%w: unrecognized type class %d", ErrUnsupportedMediaID, versionAndClass[1])
+	}
+	err = mid.Data.Read(from)
+	if err != nil {
+		return fmt.Errorf("failed to parse media ID data: %w", err)
+	}
+	return nil
+}
+
+type AttachmentMediaData struct {
+	ChannelID    uint64
+	MessageID    uint64
+	AttachmentID uint64
+}
+
+func (amd *AttachmentMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, amd)
+}
+
+func (amd *AttachmentMediaData) Read(from io.Reader) (err error) {
+	return binary.Read(from, binary.BigEndian, amd)
+}
+
+func (amd *AttachmentMediaData) Size() int {
+	return binary.Size(amd)
+}
+
+func (amd *AttachmentMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassAttachment,
+		Data:      amd,
+	}
+}
+
+func (amd *AttachmentMediaData) CacheKey() AttachmentCacheKey {
+	return AttachmentCacheKey{
+		ChannelID:    amd.ChannelID,
+		AttachmentID: amd.AttachmentID,
+	}
+}
+
+type StickerMediaData struct {
+	StickerID uint64
+	Format    uint8
+}
+
+func (smd *StickerMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, smd)
+}
+
+func (smd *StickerMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, smd)
+}
+
+func (smd *StickerMediaData) Size() int {
+	return binary.Size(smd)
+}
+
+func (smd *StickerMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassSticker,
+		Data:      smd,
+	}
+}
+
+type EmojiMediaDataInner struct {
+	EmojiID  uint64
+	Animated bool
+}
+
+type EmojiMediaData struct {
+	EmojiMediaDataInner
+	Name string
+}
+
+func (emd *EmojiMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, &emd.EmojiMediaDataInner)
+	_, _ = to.Write([]byte(emd.Name))
+}
+
+func (emd *EmojiMediaData) Read(from io.Reader) (err error) {
+	err = binary.Read(from, binary.BigEndian, &emd.EmojiMediaDataInner)
+	if err != nil {
+		return
+	}
+	name, err := io.ReadAll(from)
+	if err != nil {
+		return
+	}
+	emd.Name = string(name)
+	return
+}
+
+func (emd *EmojiMediaData) Size() int {
+	return binary.Size(&emd.EmojiMediaDataInner) + len(emd.Name)
+}
+
+func (emd *EmojiMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassEmoji,
+		Data:      emd,
+	}
+}
+
+type UserAvatarMediaData struct {
+	UserID   uint64
+	Animated bool
+	AvatarID [16]byte
+}
+
+func (uamd *UserAvatarMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, uamd)
+}
+
+func (uamd *UserAvatarMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, uamd)
+}
+
+func (uamd *UserAvatarMediaData) Size() int {
+	return binary.Size(uamd)
+}
+
+func (uamd *UserAvatarMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassUserAvatar,
+		Data:      uamd,
+	}
+}
+
+type GuildMemberAvatarMediaData struct {
+	GuildID  uint64
+	UserID   uint64
+	Animated bool
+	AvatarID [16]byte
+}
+
+func (guamd *GuildMemberAvatarMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Size() int {
+	return binary.Size(guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassGuildMemberAvatar,
+		Data:      guamd,
+	}
+}

example-config.yaml

@@ -2,9 +2,6 @@
 homeserver:
     # The address that this appservice can use to connect to the homeserver.
     address: https://matrix.example.com
-    # Publicly accessible base URL for media, used for avatars in relay mode.
-    # If not set, the connection address above will be used.
-    public_address: null
     # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
     domain: example.com
 
@@ -113,6 +110,13 @@ bridge:
     # If set to `never`, DM rooms will never have names and avatars set.
     private_chat_portal_meta: default
 
+    # Publicly accessible base URL that Discord can use to reach the bridge, used for avatars in relay mode.
+    # If not set, avatars will not be bridged. Only the /mautrix-discord/avatar/{server}/{id}/{hash} endpoint is used on this address.
+    # This should not have a trailing slash, the endpoint above will be appended to the provided address.
+    public_address: null
+    # A random key used to sign the avatar URLs. The bridge will only accept requests with a valid signature.
+    avatar_proxy_key: generate
+
     portal_message_buffer: 128
 
     # Number of private channel portals to create on bridge startup.
@@ -164,24 +168,29 @@ bridge:
     # like the official client does? The other option is sending the media in the message send request as a form part
     # (which is always used by bots and webhooks).
     use_discord_cdn_upload: true
+    # Proxy for Discord connections
+    proxy:
     # Should mxc uris copied from Discord be cached?
     # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
     # If you have a media repo that generates non-unique mxc uris, you should set this to never.
     cache_media: unencrypted
-    # Patterns for converting Discord media to custom mxc:// URIs instead of reuploading.
+    # Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
-    # Each of the patterns can be set to null to disable custom URIs for that type of media.
     # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
-    media_patterns:
+    direct_media:
         # Should custom mxc:// URIs be used instead of reuploading media?
         enabled: false
-        # Pattern for normal message attachments.
+        # The server name to use for the custom mxc:// URIs.
-        attachments: mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}}
+        # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
-        # Pattern for custom emojis.
+        # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
-        emojis: mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}}
+        server_name: discord-media.example.com
-        # Pattern for stickers. Note that animated lottie stickers will not be converted if this is enabled.
+        # Optionally a custom .well-known response. This defaults to `server_name:443`
-        stickers: mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}}
+        well_known_response:
-        # Pattern for static user avatars.
+        # The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
-        avatars: mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}}
+        # Optionally, you can force redirects and not allow proxying at all by setting this to false.
+        allow_proxy: true
+        # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+        # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+        server_key: generate
     # Settings for converting animated stickers.
     animated_sticker:
         # Format to which animated stickers should be converted.
@@ -332,6 +341,8 @@ bridge:
         # Shared secret for authentication. If set to "generate", a random secret will be generated,
         # or if set to "disable", the provisioning API will be disabled.
         shared_secret: generate
+        # Enable debug API at /debug with provisioning authentication.
+        debug_endpoints: false
 
     # Permissions for using the bridge.
     # Permitted values:

formatter_tag.go

@@ -30,6 +30,7 @@ import (
 	"github.com/yuin/goldmark/renderer"
 	"github.com/yuin/goldmark/text"
 	"github.com/yuin/goldmark/util"
+	"maunium.net/go/mautrix/id"
 
 	"go.mau.fi/mautrix-discord/database"
 )
@@ -262,11 +263,19 @@ func (r *discordTagHTMLRenderer) renderDiscordMention(w util.BufWriter, source [
 	}
 	switch node := n.(type) {
 	case *astDiscordUserMention:
-		if user := node.portal.bridge.GetUserByID(strconv.FormatInt(node.id, 10)); user != nil {
+		var mxid id.UserID
-			_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, user.MXID.URI().MatrixToURL(), user.MXID)
+		var name string
-		} else if puppet := node.portal.bridge.GetPuppetByID(strconv.FormatInt(node.id, 10)); puppet != nil {
+		if puppet := node.portal.bridge.GetPuppetByID(strconv.FormatInt(node.id, 10)); puppet != nil {
-			_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, puppet.MXID.URI().MatrixToURL(), puppet.Name)
+			mxid = puppet.MXID
+			name = puppet.Name
 		}
+		if user := node.portal.bridge.GetUserByID(strconv.FormatInt(node.id, 10)); user != nil {
+			mxid = user.MXID
+			if name == "" {
+				name = user.MXID.Localpart()
+			}
+		}
+		_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, mxid.URI().MatrixToURL(), name)
 		return
 	case *astDiscordRoleMention:
 		role := node.portal.bridge.DB.Role.GetByID(node.portal.GuildID, strconv.FormatInt(node.id, 10))

go.mod

@@ -1,43 +1,45 @@
 module go.mau.fi/mautrix-discord
 
-go 1.20
+go 1.22.0
+
+toolchain go1.23.4
 
 require (
 	github.com/bwmarrin/discordgo v0.27.0
-	github.com/gabriel-vasile/mimetype v1.4.2
+	github.com/gabriel-vasile/mimetype v1.4.7
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.17
+	github.com/mattn/go-sqlite3 v1.14.24
-	github.com/rs/zerolog v1.30.0
+	github.com/rs/zerolog v1.31.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
-	github.com/stretchr/testify v1.8.4
+	github.com/stretchr/testify v1.10.0
-	github.com/yuin/goldmark v1.5.6
+	github.com/yuin/goldmark v1.6.0
-	go.mau.fi/util v0.1.0
+	go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9
+	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e
-	golang.org/x/sync v0.3.0
+	golang.org/x/sync v0.10.0
 	maunium.net/go/maulogger/v2 v2.4.1
-	maunium.net/go/mautrix v0.16.1
+	maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c
 )
 
 require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/tidwall/gjson v1.16.0 // indirect
+	github.com/tidwall/gjson v1.18.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
-	github.com/tidwall/pretty v1.2.0 // indirect
+	github.com/tidwall/pretty v1.2.1 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	go.mau.fi/zeroconfig v0.1.2 // indirect
-	golang.org/x/crypto v0.13.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
-	golang.org/x/net v0.15.0 // indirect
+	golang.org/x/net v0.32.0 // indirect
-	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	maunium.net/go/mauflag v1.0.0 // indirect
 )
 
-replace github.com/bwmarrin/discordgo => github.com/beeper/discordgo v0.0.0-20230804154054-72abb5417718
+replace github.com/bwmarrin/discordgo => github.com/beeper/discordgo v0.0.0-20241129182205-d6dffc9bf133

go.sum

@@ -1,12 +1,13 @@
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
-github.com/beeper/discordgo v0.0.0-20230804154054-72abb5417718 h1:gzOFOenpzAWnsiskTmOOorrrejm2wGjSpxzQ5zgpSso=
+github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
-github.com/beeper/discordgo v0.0.0-20230804154054-72abb5417718/go.mod h1:59+AOzzjmL6onAh62nuLXmn7dJCaC/owDLWbGtjTcFA=
+github.com/beeper/discordgo v0.0.0-20241129182205-d6dffc9bf133 h1:vTaMCjc0g0Cexadep0CaDxoJb0S37ZcUl5zTlDJ2adQ=
+github.com/beeper/discordgo v0.0.0-20241129182205-d6dffc9bf133/go.mod h1:59+AOzzjmL6onAh62nuLXmn7dJCaC/owDLWbGtjTcFA=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
+github.com/gabriel-vasile/mimetype v1.4.7 h1:SKFKl7kD0RiPdbht0s7hFtjl489WcQ1VyPW8ZzUMYCA=
-github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
+github.com/gabriel-vasile/mimetype v1.4.7/go.mod h1:GDlAgAyIRT27BhFl53XNAFtfjzOkLaF35JdEG0P7LtU=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -16,49 +17,52 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
-github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.30.0 h1:SymVODrcRsaRaSInD9yQtKbtWqwsfoPcRff/oRXLj4c=
+github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A=
-github.com/rs/zerolog v1.30.0/go.mod h1:/tk+P47gFdPXq4QYjvCmT5/Gsug2nagsFWBWhAiSi1w=
+github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.16.0 h1:SyXa+dsSPpUlcwEDuKuEBJEz5vzTvOea+9rjyYodQFg=
+github.com/tidwall/gjson v1.18.0 h1:FIDeeyB800efLX89e5a8Y0BNH+LOngJyGrIWxG2FKQY=
-github.com/tidwall/gjson v1.16.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.18.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
-github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
+github.com/tidwall/pretty v1.2.1 h1:qjsOFOWWQl+N3RsoF5/ssm1pHmJJwhjlSbZ51I6wMl4=
+github.com/tidwall/pretty v1.2.1/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/yuin/goldmark v1.5.6 h1:COmQAWTCcGetChm3Ig7G/t8AFAN00t+o8Mt4cf7JpwA=
+github.com/yuin/goldmark v1.6.0 h1:boZcn2GTjpsynOsC0iJHnBWa4Bi0qzfJjthwauItG68=
-github.com/yuin/goldmark v1.5.6/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yuin/goldmark v1.6.0/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-go.mau.fi/util v0.1.0 h1:BwIFWIOEeO7lsiI2eWKFkWTfc5yQmoe+0FYyOFVyaoE=
+go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb h1:Is+6vDKgINRy9KHodvi7NElxoDaWA8sc2S3cF3+QWjs=
-go.mau.fi/util v0.1.0/go.mod h1:AxuJUMCxpzgJ5eV9JbPWKRH8aAJJidxetNdUj7qcb84=
+go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb/go.mod h1:tiBX6nxVSOjU89jVQ7wBh3P8KjM26Lv1k7/I5QdSvBw=
 go.mau.fi/zeroconfig v0.1.2 h1:DKOydWnhPMn65GbXZOafgkPm11BvFashZWLct0dGFto=
 go.mau.fi/zeroconfig v0.1.2/go.mod h1:NcSJkf180JT+1IId76PcMuLTNa1CzsFFZ0nBygIQM70=
-golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
+golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e h1:4qufH0hlUYs6AO6XmZC3GqfDPGSXHVXUFR6OND+iJX4=
-golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
-golang.org/x/net v0.15.0 h1:ugBLEUaxABaB5AJqW9enI0ACdci2RUd4eP51NTBvuJ8=
+golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
@@ -69,5 +73,5 @@ maunium.net/go/mauflag v1.0.0 h1:YiaRc0tEI3toYtJMRIfjP+jklH45uDHtT80nUamyD4M=
 maunium.net/go/mauflag v1.0.0/go.mod h1:nLivPOpTpHnpzEh8jEdSL9UqO9+/KBJFmNRlwKfkPeA=
 maunium.net/go/maulogger/v2 v2.4.1 h1:N7zSdd0mZkB2m2JtFUsiGTQQAdP0YeFWT7YMc80yAL8=
 maunium.net/go/maulogger/v2 v2.4.1/go.mod h1:omPuYwYBILeVQobz8uO3XC8DIRuEb5rXYlQSuqrbCho=
-maunium.net/go/mautrix v0.16.1 h1:Wb3CvOCe8A/NLsFeZYxKrgXKiqeZUQEBD1zqm7n/kWk=
+maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c h1:LHjqti3fFzrC8LXkkxxKYlLbuI/CJcwa2JN4Ppg2GK0=
-maunium.net/go/mautrix v0.16.1/go.mod h1:2Jf15tulVtr6LxoiRL4smRXwpkGWUNfBFhwh/aXDBuk=
+maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c/go.mod h1:gCgLw/4c1a8QsiOWTdUdXlt5cYdE0rJ9wLeZQKPD58Q=

main.go

@@ -18,6 +18,7 @@ package main
 
 import (
 	_ "embed"
+	"net/http"
 	"sync"
 
 	"go.mau.fi/util/configupgrade"
@@ -48,6 +49,7 @@ type DiscordBridge struct {
 	Config *config.Config
 	DB     *database.Database
 
+	DMA          *DirectMediaAPI
 	provisioning *ProvisioningAPI
 
 	usersByMXID map[id.UserID]*User
@@ -104,6 +106,10 @@ func (br *DiscordBridge) Start() {
 	if br.Config.Bridge.Provisioning.SharedSecret != "disable" {
 		br.provisioning = newProvisioningAPI(br)
 	}
+	if br.Config.Bridge.PublicAddress != "" {
+		br.AS.Router.HandleFunc("/mautrix-discord/avatar/{server}/{mediaID}/{checksum}", br.serveMediaProxy).Methods(http.MethodGet)
+	}
+	br.DMA = newDirectMediaAPI(br)
 	br.WaitWebsocketConnected()
 	go br.startUsers()
 }
@@ -179,7 +185,7 @@ func main() {
 		Name:              "mautrix-discord",
 		URL:               "https://github.com/mautrix/discord",
 		Description:       "A Matrix-Discord puppeting bridge.",
-		Version:           "0.6.2",
+		Version:           "0.7.2",
 		ProtocolName:      "Discord",
 		BeeperServiceName: "discordgo",
 		BeeperNetworkName: "discord",

portal.go

@@ -3,9 +3,13 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"reflect"
 	"regexp"
@@ -17,6 +21,7 @@ import (
 
 	"github.com/bwmarrin/discordgo"
 	"github.com/gabriel-vasile/mimetype"
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog"
 	"go.mau.fi/util/exsync"
 	"go.mau.fi/util/variationselector"
@@ -459,7 +464,7 @@ func (portal *Portal) CreateMatrixRoom(user *User, channel *discordgo.Channel) e
 			Content: event.Content{Parsed: &event.JoinRulesEventContent{
 				JoinRule: event.JoinRuleRestricted,
 				Allow: []event.JoinRuleAllow{{
-					RoomID: spaceID,
+					RoomID: portal.Guild.MXID,
 					Type:   event.JoinRuleAllowRoomMembership,
 				}},
 			}},
@@ -519,7 +524,7 @@ func (portal *Portal) CreateMatrixRoom(user *User, channel *discordgo.Channel) e
 	if portal.GuildID == "" {
 		user.addPrivateChannelToSpace(portal)
 	} else {
-		portal.updateSpace()
+		portal.updateSpace(user)
 	}
 	portal.ensureUserInvited(user, true)
 	user.syncChatDoublePuppetDetails(portal, true)
@@ -1033,9 +1038,12 @@ func (portal *Portal) syncParticipants(source *User, participants []*discordgo.U
 		puppet := portal.bridge.GetPuppetByID(participant.ID)
 		puppet.UpdateInfo(source, participant, nil)
 
-		user := portal.bridge.GetUserByID(participant.ID)
+		var user *User
-		if user != nil {
+		if participant.ID != portal.OtherUserID {
-			portal.ensureUserInvited(user, false)
+			user = portal.bridge.GetUserByID(participant.ID)
+			if user != nil {
+				portal.ensureUserInvited(user, false)
+			}
 		}
 
 		if user == nil || !puppet.IntentFor(portal).IsCustomPuppet {
@@ -1111,7 +1119,7 @@ func (portal *Portal) getEvent(mxid id.EventID) (*event.Event, error) {
 	if evt.Type == event.EventEncrypted {
 		decryptedEvt, err := portal.bridge.Crypto.Decrypt(evt)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to decrypt event: %w", err)
 		} else {
 			evt = decryptedEvt
 		}
@@ -1159,7 +1167,7 @@ func (portal *Portal) startThreadFromMatrix(sender *User, threadRoot id.EventID)
 			AutoArchiveDuration: 24 * 60,
 			Type:                discordgo.ChannelTypeGuildPublicThread,
 			Location:            "Message",
-		})
+		}, portal.RefererOptIfUser(sender.Session, "")...)
 		if err != nil {
 			return "", fmt.Errorf("error starting thread: %v", err)
 		}
@@ -1172,7 +1180,7 @@ func (portal *Portal) startThreadFromMatrix(sender *User, threadRoot id.EventID)
 	}
 }
 
-func (portal *Portal) sendErrorMessage(msgType, message string, confirmed bool) id.EventID {
+func (portal *Portal) sendErrorMessage(evt *event.Event, msgType, message string, confirmed bool) id.EventID {
 	if !portal.bridge.Config.Bridge.MessageErrorNotices {
 		return ""
 	}
@@ -1183,10 +1191,15 @@ func (portal *Portal) sendErrorMessage(msgType, message string, confirmed bool)
 	if portal.RelayWebhookSecret != "" {
 		message = strings.ReplaceAll(message, portal.RelayWebhookSecret, "<redacted>")
 	}
-	resp, err := portal.sendMatrixMessage(portal.MainIntent(), event.EventMessage, &event.MessageEventContent{
+	content := &event.MessageEventContent{
 		MsgType: event.MsgNotice,
 		Body:    fmt.Sprintf("\u26a0 Your %s %s bridged: %v", msgType, certainty, message),
-	}, nil, 0)
+	}
+	relatable, ok := evt.Content.Parsed.(event.Relatable)
+	if ok && relatable.OptionalGetRelatesTo().GetThreadParent() != "" {
+		content.GetRelatesTo().SetThread(relatable.OptionalGetRelatesTo().GetThreadParent(), evt.ID)
+	}
+	resp, err := portal.sendMatrixMessage(portal.MainIntent(), event.EventMessage, content, nil, 0)
 	if err != nil {
 		portal.log.Warn().Err(err).Msg("Failed to send bridging error message")
 		return ""
@@ -1351,7 +1364,7 @@ func (portal *Portal) sendMessageMetrics(evt *event.Event, err error, part strin
 			if humanMessage == "" {
 				humanMessage = err.Error()
 			}
-			portal.sendErrorMessage(msgType, humanMessage, isCertain)
+			portal.sendErrorMessage(evt, msgType, humanMessage, isCertain)
 		}
 		portal.sendStatusEvent(evt.ID, err)
 	} else {
@@ -1362,6 +1375,64 @@ func (portal *Portal) sendMessageMetrics(evt *event.Event, err error, part strin
 	}
 }
 
+func (br *DiscordBridge) serveMediaProxy(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	mxc := id.ContentURI{
+		Homeserver: vars["server"],
+		FileID:     vars["mediaID"],
+	}
+	checksum, err := base64.RawURLEncoding.DecodeString(vars["checksum"])
+	if err != nil || len(checksum) != 32 {
+		w.WriteHeader(http.StatusNotFound)
+		return
+	}
+	_, expectedChecksum := br.hashMediaProxyURL(mxc)
+	if !hmac.Equal(checksum, expectedChecksum) {
+		w.WriteHeader(http.StatusNotFound)
+		return
+	}
+	reader, err := br.Bot.Download(mxc)
+	if err != nil {
+		br.ZLog.Warn().Err(err).Msg("Failed to download media to proxy")
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	buf := make([]byte, 32*1024)
+	n, err := io.ReadFull(reader, buf)
+	if err != nil && (!errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF)) {
+		br.ZLog.Warn().Err(err).Msg("Failed to read first part of media to proxy")
+		w.WriteHeader(http.StatusBadGateway)
+		return
+	}
+	w.Header().Add("Content-Type", http.DetectContentType(buf[:n]))
+	if n < len(buf) {
+		w.Header().Add("Content-Length", strconv.Itoa(n))
+	}
+	w.WriteHeader(http.StatusOK)
+	_, err = w.Write(buf[:n])
+	if err != nil {
+		return
+	}
+	if n >= len(buf) {
+		_, _ = io.CopyBuffer(w, reader, buf)
+	}
+}
+
+func (br *DiscordBridge) hashMediaProxyURL(mxc id.ContentURI) (string, []byte) {
+	path := fmt.Sprintf("/mautrix-discord/avatar/%s/%s/", mxc.Homeserver, mxc.FileID)
+	checksum := hmac.New(sha256.New, []byte(br.Config.Bridge.AvatarProxyKey))
+	checksum.Write([]byte(path))
+	return path, checksum.Sum(nil)
+}
+
+func (br *DiscordBridge) makeMediaProxyURL(mxc id.ContentURI) string {
+	if br.Config.Bridge.PublicAddress == "" {
+		return ""
+	}
+	path, checksum := br.hashMediaProxyURL(mxc)
+	return br.Config.Bridge.PublicAddress + path + base64.RawURLEncoding.EncodeToString(checksum)
+}
+
 func (portal *Portal) getRelayUserMeta(sender *User) (name, avatarURL string) {
 	member := portal.bridge.StateStore.GetMember(portal.MXID, sender.MXID)
 	name = member.Displayname
@@ -1369,11 +1440,8 @@ func (portal *Portal) getRelayUserMeta(sender *User) (name, avatarURL string) {
 		name = sender.MXID.String()
 	}
 	mxc := member.AvatarURL.ParseOrIgnore()
-	if !mxc.IsEmpty() {
+	if !mxc.IsEmpty() && portal.bridge.Config.Bridge.PublicAddress != "" {
-		avatarURL = mautrix.BuildURL(
+		avatarURL = portal.bridge.makeMediaProxyURL(mxc)
-			portal.bridge.PublicHSAddress,
-			"_matrix", "media", "v3", "download", mxc.Homeserver, mxc.FileID,
-		).String()
 	}
 	return
 }
@@ -1402,13 +1470,9 @@ func cutBody(body string) string {
 }
 
 func (portal *Portal) convertReplyMessageToEmbed(eventID id.EventID, url string) (*discordgo.MessageEmbed, error) {
-	evt, err := portal.MainIntent().GetEvent(portal.MXID, eventID)
+	evt, err := portal.getEvent(eventID)
 	if err != nil {
-		return nil, fmt.Errorf("failed to fetch event: %w", err)
+		return nil, fmt.Errorf("failed to get reply target event: %w", err)
-	}
-	err = evt.Content.ParseRaw(evt.Type)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse event content: %w", err)
 	}
 	content, ok := evt.Content.Parsed.(*event.MessageEventContent)
 	if !ok {
@@ -1433,6 +1497,20 @@ func (portal *Portal) convertReplyMessageToEmbed(eventID id.EventID, url string)
 	return embed, nil
 }
 
+func (portal *Portal) RefererOpt(threadID string) discordgo.RequestOption {
+	if threadID != "" && threadID != portal.Key.ChannelID {
+		return discordgo.WithThreadReferer(portal.GuildID, portal.Key.ChannelID, threadID)
+	}
+	return discordgo.WithChannelReferer(portal.GuildID, portal.Key.ChannelID)
+}
+
+func (portal *Portal) RefererOptIfUser(sess *discordgo.Session, threadID string) []discordgo.RequestOption {
+	if sess == nil || !sess.IsUser {
+		return nil
+	}
+	return []discordgo.RequestOption{portal.RefererOpt(threadID)}
+}
+
 func (portal *Portal) handleMatrixMessage(sender *User, evt *event.Event) {
 	if portal.IsPrivateChat() && sender.DiscordID != portal.Key.Receiver {
 		go portal.sendMessageMetrics(evt, errUserNotReceiver, "Ignoring")
@@ -1562,14 +1640,14 @@ func (portal *Portal) handleMatrixMessage(sender *User, evt *event.Event) {
 					Name: att.Filename,
 					ID:   sender.NextDiscordUploadID(),
 				}},
-			})
+			}, portal.RefererOpt(threadID))
 			if err != nil {
 				go portal.sendMessageMetrics(evt, err, "Error preparing to reupload media in")
 				return
 			}
 			prepared := prep.Attachments[0]
 			att.UploadedFilename = prepared.UploadFilename
-			err = uploadDiscordAttachment(prepared.UploadURL, data)
+			err = uploadDiscordAttachment(sender.Session.Client, prepared.UploadURL, data)
 			if err != nil {
 				go portal.sendMessageMetrics(evt, err, "Error reuploading media in")
 				return
@@ -1603,20 +1681,20 @@ func (portal *Portal) handleMatrixMessage(sender *User, evt *event.Event) {
 	var msg *discordgo.Message
 	var err error
 	if !isWebhookSend {
-		msg, err = sess.ChannelMessageSendComplex(channelID, &sendReq)
+		msg, err = sess.ChannelMessageSendComplex(channelID, &sendReq, portal.RefererOptIfUser(sess, threadID)...)
 	} else {
 		username, avatarURL := portal.getRelayUserMeta(sender)
 		msg, err = relayClient.WebhookThreadExecute(portal.RelayWebhookID, portal.RelayWebhookSecret, true, threadID, &discordgo.WebhookParams{
 			Content:         sendReq.Content,
 			Username:        username,
 			AvatarURL:       avatarURL,
-			TTS:             sendReq.TTS,
 			Files:           sendReq.Files,
 			Components:      sendReq.Components,
 			Embeds:          sendReq.Embeds,
 			AllowedMentions: sendReq.AllowedMentions,
 		})
 	}
+	sender.handlePossible40002(err)
 	go portal.sendMessageMetrics(evt, err, "Error sending")
 	if msg != nil {
 		dbMsg := portal.bridge.DB.Message.New()
@@ -1828,13 +1906,15 @@ func (portal *Portal) handleMatrixReaction(sender *User, evt *event.Event) {
 	emojiID := reaction.RelatesTo.Key
 	if strings.HasPrefix(emojiID, "mxc://") {
 		uri, _ := id.ParseContentURI(emojiID)
-		emojiFile := portal.bridge.DB.File.GetEmojiByMXC(uri)
+		emojiInfo := portal.bridge.DMA.GetEmojiInfo(uri)
-		if emojiFile == nil || emojiFile.ID == "" || emojiFile.EmojiName == "" {
+		if emojiInfo != nil {
+			emojiID = fmt.Sprintf("%s:%d", emojiInfo.Name, emojiInfo.EmojiID)
+		} else if emojiFile := portal.bridge.DB.File.GetEmojiByMXC(uri); emojiFile != nil && emojiFile.ID != "" && emojiFile.EmojiName != "" {
+			emojiID = fmt.Sprintf("%s:%s", emojiFile.EmojiName, emojiFile.ID)
+		} else {
 			go portal.sendMessageMetrics(evt, fmt.Errorf("%w %s", errUnknownEmoji, emojiID), "Ignoring")
 			return
 		}
-
-		emojiID = fmt.Sprintf("%s:%s", emojiFile.EmojiName, emojiFile.ID)
 	} else {
 		emojiID = variationselector.FullyQualify(emojiID)
 	}
@@ -1849,7 +1929,7 @@ func (portal *Portal) handleMatrixReaction(sender *User, evt *event.Event) {
 		return
 	}
 
-	err := sender.Session.MessageReactionAdd(msg.DiscordProtoChannelID(), msg.DiscordID, emojiID)
+	err := sender.Session.MessageReactionAddUser(portal.GuildID, msg.DiscordProtoChannelID(), msg.DiscordID, emojiID)
 	go portal.sendMessageMetrics(evt, err, "Error sending")
 	if err == nil {
 		dbReaction := portal.bridge.DB.Reaction.New()
@@ -1985,7 +2065,7 @@ func (portal *Portal) handleMatrixRedaction(sender *User, evt *event.Event) {
 		var err error
 		// TODO add support for deleting individual attachments from messages
 		if sess != nil {
-			err = sess.ChannelMessageDelete(message.DiscordProtoChannelID(), message.DiscordID)
+			err = sess.ChannelMessageDelete(message.DiscordProtoChannelID(), message.DiscordID, portal.RefererOptIfUser(sess, message.ThreadID)...)
 		} else {
 			// TODO pre-validate that the message was sent by the webhook?
 			err = relayClient.WebhookMessageDelete(portal.RelayWebhookID, portal.RelayWebhookSecret, message.DiscordID)
@@ -2000,7 +2080,7 @@ func (portal *Portal) handleMatrixRedaction(sender *User, evt *event.Event) {
 	if sess != nil {
 		reaction := portal.bridge.DB.Reaction.GetByMXID(evt.Redacts)
 		if reaction != nil && reaction.Channel == portal.Key {
-			err := sess.MessageReactionRemove(reaction.DiscordProtoChannelID(), reaction.MessageID, reaction.EmojiName, reaction.Sender)
+			err := sess.MessageReactionRemoveUser(portal.GuildID, reaction.DiscordProtoChannelID(), reaction.MessageID, reaction.EmojiName, reaction.Sender)
 			go portal.sendMessageMetrics(evt, err, "Error sending")
 			if err == nil {
 				reaction.Delete()
@@ -2069,7 +2149,7 @@ func (portal *Portal) HandleMatrixReadReceipt(brUser bridge.User, eventID id.Eve
 			Msg("Dropping read receipt: thread ID mismatch")
 		return
 	}
-	resp, err := sender.Session.ChannelMessageAckNoToken(msg.DiscordProtoChannelID(), msg.DiscordID)
+	resp, err := sender.Session.ChannelMessageAckNoToken(msg.DiscordProtoChannelID(), msg.DiscordID, portal.RefererOpt(msg.DiscordProtoChannelID()))
 	if err != nil {
 		log.Err(err).Msg("Failed to send read receipt to Discord")
 	} else if resp.Token != nil {
@@ -2103,7 +2183,7 @@ func (portal *Portal) HandleMatrixTyping(newTyping []id.UserID) {
 		user := portal.bridge.GetUserByMXID(userID)
 		if user != nil && user.Session != nil {
 			user.ViewingChannel(portal)
-			err := user.Session.ChannelTyping(portal.Key.ChannelID)
+			err := user.Session.ChannelTyping(portal.Key.ChannelID, portal.RefererOptIfUser(user.Session, "")...)
 			if err != nil {
 				portal.log.Warn().Err(err).
 					Str("user_id", user.MXID.String()).
@@ -2315,11 +2395,19 @@ func (portal *Portal) ExpectedSpaceID() id.RoomID {
 	return ""
 }
 
-func (portal *Portal) updateSpace() bool {
+func (portal *Portal) updateSpace(source *User) bool {
 	if portal.MXID == "" {
 		return false
 	}
 	if portal.Parent != nil {
+		if portal.Parent.MXID != "" {
+			portal.log.Warn().Str("parent_id", portal.ParentID).Msg("Parent portal has no Matrix room, creating...")
+			err := portal.Parent.CreateMatrixRoom(source, nil)
+			if err != nil {
+				portal.log.Err(err).Str("parent_id", portal.ParentID).Msg("Failed to create Matrix room for parent")
+				return false
+			}
+		}
 		return portal.addToSpace(portal.Parent.MXID)
 	} else if portal.Guild != nil {
 		return portal.addToSpace(portal.Guild.MXID)
@@ -2410,7 +2498,7 @@ func (portal *Portal) UpdateInfo(source *User, meta *discordgo.Channel) *discord
 	changed = portal.UpdateParent(meta.ParentID) || changed
 	// Private channels are added to the space in User.handlePrivateChannel
 	if portal.GuildID != "" && portal.MXID != "" && portal.ExpectedSpaceID() != portal.InSpace {
-		changed = portal.updateSpace() || changed
+		changed = portal.updateSpace(source) || changed
 	}
 	if changed {
 		portal.UpdateBridgeInfo()

portal_convert.go

@@ -27,12 +27,11 @@ import (
 	"github.com/bwmarrin/discordgo"
 	"github.com/rs/zerolog"
 	"golang.org/x/exp/slices"
-	"maunium.net/go/mautrix/id"
-
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/format"
+	"maunium.net/go/mautrix/id"
 )
 
 type ConvertedMessage struct {
@@ -102,21 +101,17 @@ func (portal *Portal) cleanupConvertedStickerInfo(content *event.MessageEventCon
 	}
 }
 
-func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appservice.IntentAPI, sticker *discordgo.Sticker) *ConvertedMessage {
+func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appservice.IntentAPI, sticker *discordgo.StickerItem) *ConvertedMessage {
-	var mime, ext string
+	var mime string
 	switch sticker.FormatType {
 	case discordgo.StickerFormatTypePNG:
 		mime = "image/png"
-		ext = "png"
 	case discordgo.StickerFormatTypeAPNG:
 		mime = "image/apng"
-		ext = "png"
 	case discordgo.StickerFormatTypeLottie:
 		mime = "application/json"
-		ext = "json"
 	case discordgo.StickerFormatTypeGIF:
 		mime = "image/gif"
-		ext = "gif"
 	default:
 		zerolog.Ctx(ctx).Warn().
 			Int("sticker_format", int(sticker.FormatType)).
@@ -130,8 +125,9 @@ func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appserv
 		},
 	}
 
-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Sticker(sticker.ID, ext)
+	mxc := portal.bridge.DMA.StickerMXC(sticker.ID, sticker.FormatType)
-	if mxc.IsEmpty() {
+	// TODO add config option to use direct media even for lottie stickers
+	if mxc.IsEmpty() && mime != "application/json" {
 		content = portal.convertDiscordFile(ctx, "sticker", intent, sticker.ID, sticker.URL(), content)
 	} else {
 		content.URL = mxc.CUString()
@@ -144,7 +140,7 @@ func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appserv
 	}
 }
 
-func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *appservice.IntentAPI, att *discordgo.MessageAttachment) *ConvertedMessage {
+func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *appservice.IntentAPI, messageID string, att *discordgo.MessageAttachment) *ConvertedMessage {
 	content := &event.MessageEventContent{
 		Body: att.Filename,
 		Info: &event.FileInfo{
@@ -182,7 +178,7 @@ func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *apps
 	default:
 		content.MsgType = event.MsgFile
 	}
-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Attachment(portal.Key.ChannelID, att.ID, att.Filename)
+	mxc := portal.bridge.DMA.AttachmentMXC(portal.Key.ChannelID, messageID, att)
 	if mxc.IsEmpty() {
 		content = portal.convertDiscordFile(ctx, "attachment", intent, att.ID, att.URL, content)
 	} else {
@@ -256,6 +252,7 @@ func (portal *Portal) convertDiscordVideoEmbed(ctx context.Context, intent *apps
 	if content.MsgType == event.MsgVideo && embed.Type == discordgo.EmbedTypeGifv {
 		extra["info"] = map[string]any{
 			"fi.mau.discord.gifv":  true,
+			"fi.mau.gif":           true,
 			"fi.mau.loop":          true,
 			"fi.mau.autoplay":      true,
 			"fi.mau.hide_controls": true,
@@ -287,7 +284,7 @@ func (portal *Portal) convertDiscordMessage(ctx context.Context, puppet *Puppet,
 		}
 		handledIDs[att.ID] = struct{}{}
 		log := log.With().Str("attachment_id", att.ID).Logger()
-		if part := portal.convertDiscordAttachment(log.WithContext(ctx), intent, att); part != nil {
+		if part := portal.convertDiscordAttachment(log.WithContext(ctx), intent, msg.ID, att); part != nil {
 			parts = append(parts, part)
 		}
 	}

provisioning.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"net"
 	"net/http"
+	_ "net/http/pprof"
 	"strings"
 	"time"
 
@@ -71,6 +72,13 @@ func newProvisioningAPI(br *DiscordBridge) *ProvisioningAPI {
 	r.HandleFunc("/v1/guilds/{guildID}", p.guildsBridge).Methods(http.MethodPost)
 	r.HandleFunc("/v1/guilds/{guildID}", p.guildsUnbridge).Methods(http.MethodDelete)
 
+	if p.bridge.Config.Bridge.Provisioning.DebugEndpoints {
+		p.log.Debugln("Enabling debug API at /debug")
+		r := p.bridge.AS.Router.PathPrefix("/debug").Subrouter()
+		r.Use(p.authMiddleware)
+		r.PathPrefix("/pprof").Handler(http.DefaultServeMux)
+	}
+
 	return p
 }
 

puppet.go

@@ -217,27 +217,23 @@ func (puppet *Puppet) UpdateName(info *discordgo.User) bool {
 }
 
 func (br *DiscordBridge) reuploadUserAvatar(intent *appservice.IntentAPI, guildID, userID, avatarID string) (id.ContentURI, string, error) {
-	var downloadURL, ext string
+	var downloadURL string
 	if guildID == "" {
-		downloadURL = discordgo.EndpointUserAvatar(userID, avatarID)
-		ext = "png"
 		if strings.HasPrefix(avatarID, "a_") {
 			downloadURL = discordgo.EndpointUserAvatarAnimated(userID, avatarID)
-			ext = "gif"
+		} else {
+			downloadURL = discordgo.EndpointUserAvatar(userID, avatarID)
 		}
 	} else {
-		downloadURL = discordgo.EndpointGuildMemberAvatar(guildID, userID, avatarID)
-		ext = "png"
 		if strings.HasPrefix(avatarID, "a_") {
 			downloadURL = discordgo.EndpointGuildMemberAvatarAnimated(guildID, userID, avatarID)
-			ext = "gif"
+		} else {
+			downloadURL = discordgo.EndpointGuildMemberAvatar(guildID, userID, avatarID)
 		}
 	}
-	if guildID == "" {
+	url := br.DMA.AvatarMXC(guildID, userID, avatarID)
-		url := br.Config.Bridge.MediaPatterns.Avatar(userID, avatarID, ext)
+	if !url.IsEmpty() {
-		if !url.IsEmpty() {
+		return url, downloadURL, nil
-			return url, downloadURL, nil
-		}
 	}
 	copied, err := br.copyAttachmentToMatrix(intent, downloadURL, false, AttachmentMeta{
 		AttachmentID: fmt.Sprintf("avatar/%s/%s/%s", guildID, userID, avatarID),

thread.go

@@ -112,6 +112,10 @@ func (thread *Thread) maybeInitialBackfill(source *User) {
 	thread.Parent.forwardBackfillInitial(source, thread)
 }
 
+func (thread *Thread) RefererOpt() discordgo.RequestOption {
+	return discordgo.WithThreadReferer(thread.Parent.GuildID, thread.ParentID, thread.ID)
+}
+
 func (thread *Thread) Join(user *User) {
 	if user.IsInPortal(thread.ID) {
 		return
@@ -137,7 +141,7 @@ func (thread *Thread) Join(user *User) {
 
 	var err error
 	if user.Session.IsUser {
-		err = user.Session.ThreadJoinWithLocation(thread.ID, discordgo.ThreadJoinLocationContextMenu)
+		err = user.Session.ThreadJoin(thread.ID, discordgo.WithLocationParam(discordgo.ThreadJoinLocationContextMenu), thread.RefererOpt())
 	} else {
 		err = user.Session.ThreadJoin(thread.ID)
 	}

user.go

@@ -2,11 +2,14 @@ package main
 
 import (
 	"context"
+	"crypto/tls"
 	"errors"
 	"fmt"
 	"math/rand"
 	"net/http"
+	"net/url"
 	"os"
+	"runtime/debug"
 	"sort"
 	"strconv"
 	"strings"
@@ -100,7 +103,7 @@ func discordToZeroLevel(level int) zerolog.Level {
 
 func init() {
 	discordgo.Logger = func(msgL, caller int, format string, a ...interface{}) {
-		discordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...)
+		discordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...) // zerolog-allow-msgf
 	}
 }
 
@@ -195,6 +198,12 @@ func (br *DiscordBridge) GetCachedUserByID(id string) *User {
 	return br.usersByID[id]
 }
 
+func (br *DiscordBridge) GetCachedUserByMXID(userID id.UserID) *User {
+	br.usersLock.Lock()
+	defer br.usersLock.Unlock()
+	return br.usersByMXID[userID]
+}
+
 func (br *DiscordBridge) NewUser(dbUser *database.User) *User {
 	user := &User{
 		User:   dbUser,
@@ -540,6 +549,19 @@ func (user *User) Connect() error {
 	if err != nil {
 		return err
 	}
+	if user.bridge.Config.Bridge.Proxy != "" {
+		u, _ := url.Parse(user.bridge.Config.Bridge.Proxy)
+		tlsConf := &tls.Config{
+			InsecureSkipVerify: os.Getenv("DISCORD_SKIP_TLS_VERIFICATION") == "true",
+		}
+		session.Client.Transport = &http.Transport{
+			Proxy:             http.ProxyURL(u),
+			TLSClientConfig:   tlsConf,
+			ForceAttemptHTTP2: true,
+		}
+		session.Dialer.Proxy = http.ProxyURL(u)
+		session.Dialer.TLSClientConfig = tlsConf
+	}
 	// TODO move to config
 	if os.Getenv("DISCORD_DEBUG") == "1" {
 		session.LogLevel = discordgo.LogDebug
@@ -548,16 +570,29 @@ func (user *User) Connect() error {
 	}
 	userDiscordLog := user.log.With().Str("component", "discordgo").Logger()
 	session.Logger = func(msgL, caller int, format string, a ...interface{}) {
-		userDiscordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...)
+		userDiscordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...) // zerolog-allow-msgf
 	}
 	if !session.IsUser {
 		session.Identify.Intents = BotIntents
 	}
 	session.EventHandler = user.eventHandlerSync
 
+	err = session.LoadMainPage(context.TODO())
+	if err != nil {
+		user.log.Warn().Err(err).Msg("Failed to load main page")
+	}
+
 	user.Session = session
 
-	return user.Session.Open()
+	for {
+		err = user.Session.Open()
+		if errors.Is(err, discordgo.ErrImmediateDisconnect) {
+			user.log.Warn().Err(err).Msg("Retrying initial connection in 5 seconds")
+			time.Sleep(5 * time.Second)
+			continue
+		}
+		return err
+	}
 }
 
 func (user *User) eventHandlerSync(rawEvt any) {
@@ -565,6 +600,15 @@ func (user *User) eventHandlerSync(rawEvt any) {
 }
 
 func (user *User) eventHandler(rawEvt any) {
+	defer func() {
+		err := recover()
+		if err != nil {
+			user.log.Error().
+				Bytes(zerolog.ErrorStackFieldName, debug.Stack()).
+				Any(zerolog.ErrorFieldName, err).
+				Msg("Panic in Discord event handler")
+		}
+	}()
 	switch evt := rawEvt.(type) {
 	case *discordgo.Ready:
 		user.readyHandler(evt)
@@ -985,6 +1029,15 @@ func (user *User) invalidAuthHandler(_ *discordgo.InvalidAuth) {
 	go user.Logout(false)
 }
 
+func (user *User) handlePossible40002(err error) bool {
+	var restErr *discordgo.RESTError
+	if !errors.As(err, &restErr) || restErr.Message == nil || restErr.Message.Code != discordgo.ErrCodeActionRequiredVerifiedAccount {
+		return false
+	}
+	user.BridgeState.Send(status.BridgeState{StateEvent: status.StateBadCredentials, Error: "dc-http-40002", Message: restErr.Message.Message})
+	return true
+}
+
 func (user *User) guildCreateHandler(g *discordgo.GuildCreate) {
 	user.log.Info().
 		Str("guild_id", g.ID).