From 1074d625ed1d651702aca1016cad165e256bab29 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Thu, 3 Oct 2024 12:11:09 +0900
Subject: enhance: require captcha for signin (#14655)

* wip

* Update MkSignin.vue

* Update MkSignin.vue

* wip

* Update CHANGELOG.md
---
 .../backend/src/server/api/SigninApiService.ts     | 37 ++++++++++++++++++++++
 1 file changed, 37 insertions(+)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index edac9b3beb..2ccc75da00 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -9,6 +9,7 @@ import * as OTPAuth from 'otpauth';
 import { IsNull } from 'typeorm';
 import { DI } from '@/di-symbols.js';
 import type {
+	MiMeta,
 	SigninsRepository,
 	UserProfilesRepository,
 	UsersRepository,
@@ -20,6 +21,8 @@ import { IdService } from '@/core/IdService.js';
 import { bindThis } from '@/decorators.js';
 import { WebAuthnService } from '@/core/WebAuthnService.js';
 import { UserAuthService } from '@/core/UserAuthService.js';
+import { CaptchaService } from '@/core/CaptchaService.js';
+import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
@@ -31,6 +34,9 @@ export class SigninApiService {
 		@Inject(DI.config)
 		private config: Config,
 
+		@Inject(DI.meta)
+		private meta: MiMeta,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
@@ -45,6 +51,7 @@ export class SigninApiService {
 		private signinService: SigninService,
 		private userAuthService: UserAuthService,
 		private webAuthnService: WebAuthnService,
+		private captchaService: CaptchaService,
 	) {
 	}
 
@@ -56,6 +63,10 @@ export class SigninApiService {
 				password: string;
 				token?: string;
 				credential?: AuthenticationResponseJSON;
+				'hcaptcha-response'?: string;
+				'g-recaptcha-response'?: string;
+				'turnstile-response'?: string;
+				'm-captcha-response'?: string;
 			};
 		}>,
 		reply: FastifyReply,
@@ -139,6 +150,32 @@ export class SigninApiService {
 		};
 
 		if (!profile.twoFactorEnabled) {
+			if (process.env.NODE_ENV !== 'test') {
+				if (this.meta.enableHcaptcha && this.meta.hcaptchaSecretKey) {
+					await this.captchaService.verifyHcaptcha(this.meta.hcaptchaSecretKey, body['hcaptcha-response']).catch(err => {
+						throw new FastifyReplyError(400, err);
+					});
+				}
+
+				if (this.meta.enableMcaptcha && this.meta.mcaptchaSecretKey && this.meta.mcaptchaSitekey && this.meta.mcaptchaInstanceUrl) {
+					await this.captchaService.verifyMcaptcha(this.meta.mcaptchaSecretKey, this.meta.mcaptchaSitekey, this.meta.mcaptchaInstanceUrl, body['m-captcha-response']).catch(err => {
+						throw new FastifyReplyError(400, err);
+					});
+				}
+
+				if (this.meta.enableRecaptcha && this.meta.recaptchaSecretKey) {
+					await this.captchaService.verifyRecaptcha(this.meta.recaptchaSecretKey, body['g-recaptcha-response']).catch(err => {
+						throw new FastifyReplyError(400, err);
+					});
+				}
+
+				if (this.meta.enableTurnstile && this.meta.turnstileSecretKey) {
+					await this.captchaService.verifyTurnstile(this.meta.turnstileSecretKey, body['turnstile-response']).catch(err => {
+						throw new FastifyReplyError(400, err);
+					});
+				}
+			}
+
 			if (same) {
 				return this.signinService.signin(request, reply, user);
 			} else {
-- 
cgit v1.2.3-freya


From 83db116c46e64ad6a9a479cbd00e96030821c1e9 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Thu, 3 Oct 2024 15:06:04 +0900
Subject: enhance(backend): notify new login (#14673)

* wip

* Update CHANGELOG.md

* wip

* fix

* Update index.d.ts

* Update SigninService.ts

* Update MkNotification.vue
---
 CHANGELOG.md                                        |   2 +-
 locales/index.d.ts                                  |   8 ++++++++
 locales/ja-JP.yml                                   |   2 ++
 packages/backend/assets/tabler-badges/login-2.png   | Bin 0 -> 3770 bytes
 packages/backend/src/models/Notification.ts         |   6 +++++-
 .../backend/src/models/json-schema/notification.ts  |  10 ++++++++++
 packages/backend/src/server/api/SigninService.ts    |  20 +++++++++++++++++---
 packages/backend/src/types.ts                       |   2 ++
 packages/frontend-shared/js/const.ts                |   1 +
 packages/frontend/src/components/MkNotification.vue |  13 +++++++++++--
 packages/misskey-js/src/autogen/types.ts            |  17 ++++++++++++-----
 packages/sw/src/scripts/create-notification.ts      |   6 ++++++
 packages/sw/src/types.ts                            |   3 ++-
 13 files changed, 77 insertions(+), 13 deletions(-)
 create mode 100644 packages/backend/assets/tabler-badges/login-2.png

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f0fd24c44..72c3b22d69 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@
 - Enhance: フォロワーへのメッセージ欄のデザイン改良
 
 ### Server
--
+- Enhance: セキュリティ向上のため、ログイン時にメール通知を行うように
 
 
 ## 2024.9.0
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 29c93453ff..0a9123f03d 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -9285,6 +9285,10 @@ export interface Locale extends ILocale {
          * {x}のエクスポートが完了しました
          */
         "exportOfXCompleted": ParameterizedString<"x">;
+        /**
+         * ログインがありました
+         */
+        "login": string;
         "_types": {
             /**
              * すべて
@@ -9342,6 +9346,10 @@ export interface Locale extends ILocale {
              * エクスポートが完了した
              */
             "exportCompleted": string;
+            /**
+             * ログイン
+             */
+            "login": string;
             /**
              * 通知のテスト
              */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 678af6987c..cfbe0dcc75 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -2451,6 +2451,7 @@ _notification:
   followedBySomeUsers: "{n}人にフォローされました"
   flushNotification: "通知の履歴をリセットする"
   exportOfXCompleted: "{x}のエクスポートが完了しました"
+  login: "ログインがありました"
 
   _types:
     all: "すべて"
@@ -2467,6 +2468,7 @@ _notification:
     roleAssigned: "ロールが付与された"
     achievementEarned: "実績の獲得"
     exportCompleted: "エクスポートが完了した"
+    login: "ログイン"
     test: "通知のテスト"
     app: "連携アプリからの通知"
 
diff --git a/packages/backend/assets/tabler-badges/login-2.png b/packages/backend/assets/tabler-badges/login-2.png
new file mode 100644
index 0000000000..f3ca8de3dd
Binary files /dev/null and b/packages/backend/assets/tabler-badges/login-2.png differ
diff --git a/packages/backend/src/models/Notification.ts b/packages/backend/src/models/Notification.ts
index c1d3d42134..b7f8e94d69 100644
--- a/packages/backend/src/models/Notification.ts
+++ b/packages/backend/src/models/Notification.ts
@@ -3,12 +3,12 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
+import { userExportableEntities } from '@/types.js';
 import { MiUser } from './User.js';
 import { MiNote } from './Note.js';
 import { MiAccessToken } from './AccessToken.js';
 import { MiRole } from './Role.js';
 import { MiDriveFile } from './DriveFile.js';
-import { userExportableEntities } from '@/types.js';
 
 export type MiNotification = {
 	type: 'note';
@@ -86,6 +86,10 @@ export type MiNotification = {
 	createdAt: string;
 	exportedEntity: typeof userExportableEntities[number];
 	fileId: MiDriveFile['id'];
+} | {
+	type: 'login';
+	id: string;
+	createdAt: string;
 } | {
 	type: 'app';
 	id: string;
diff --git a/packages/backend/src/models/json-schema/notification.ts b/packages/backend/src/models/json-schema/notification.ts
index 2645010491..cddaf4bc83 100644
--- a/packages/backend/src/models/json-schema/notification.ts
+++ b/packages/backend/src/models/json-schema/notification.ts
@@ -322,6 +322,16 @@ export const packedNotificationSchema = {
 				format: 'id',
 			},
 		},
+	}, {
+		type: 'object',
+		properties: {
+			...baseSchema.properties,
+			type: {
+				type: 'string',
+				optional: false, nullable: false,
+				enum: ['login'],
+			},
+		},
 	}, {
 		type: 'object',
 		properties: {
diff --git a/packages/backend/src/server/api/SigninService.ts b/packages/backend/src/server/api/SigninService.ts
index 70306c3113..4b041f373f 100644
--- a/packages/backend/src/server/api/SigninService.ts
+++ b/packages/backend/src/server/api/SigninService.ts
@@ -5,12 +5,14 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import { DI } from '@/di-symbols.js';
-import type { SigninsRepository } from '@/models/_.js';
+import type { SigninsRepository, UserProfilesRepository } from '@/models/_.js';
 import { IdService } from '@/core/IdService.js';
 import type { MiLocalUser } from '@/models/User.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
 import { SigninEntityService } from '@/core/entities/SigninEntityService.js';
 import { bindThis } from '@/decorators.js';
+import { EmailService } from '@/core/EmailService.js';
+import { NotificationService } from '@/core/NotificationService.js';
 import type { FastifyRequest, FastifyReply } from 'fastify';
 
 @Injectable()
@@ -19,7 +21,12 @@ export class SigninService {
 		@Inject(DI.signinsRepository)
 		private signinsRepository: SigninsRepository,
 
+		@Inject(DI.userProfilesRepository)
+		private userProfilesRepository: UserProfilesRepository,
+
 		private signinEntityService: SigninEntityService,
+		private emailService: EmailService,
+		private notificationService: NotificationService,
 		private idService: IdService,
 		private globalEventService: GlobalEventService,
 	) {
@@ -28,7 +35,8 @@ export class SigninService {
 	@bindThis
 	public signin(request: FastifyRequest, reply: FastifyReply, user: MiLocalUser) {
 		setImmediate(async () => {
-			// Append signin history
+			this.notificationService.createNotification(user.id, 'login', {});
+
 			const record = await this.signinsRepository.insertOne({
 				id: this.idService.gen(),
 				userId: user.id,
@@ -37,8 +45,14 @@ export class SigninService {
 				success: true,
 			});
 
-			// Publish signin event
 			this.globalEventService.publishMainStream(user.id, 'signin', await this.signinEntityService.pack(record));
+
+			const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
+			if (profile.email && profile.emailVerified) {
+				this.emailService.sendEmail(profile.email, 'New login / ログインがありました',
+					'There is a new login. If you do not recognize this login, update the security status of your account, including changing your password. / 新しいログインがありました。このログインに心当たりがない場合は、パスワードを変更するなど、アカウントのセキュリティ状態を更新してください。',
+					'There is a new login. If you do not recognize this login, update the security status of your account, including changing your password. / 新しいログインがありました。このログインに心当たりがない場合は、パスワードを変更するなど、アカウントのセキュリティ状態を更新してください。');
+			}
 		});
 
 		reply.code(200);
diff --git a/packages/backend/src/types.ts b/packages/backend/src/types.ts
index 5854c6b392..0389143daf 100644
--- a/packages/backend/src/types.ts
+++ b/packages/backend/src/types.ts
@@ -17,6 +17,7 @@
  * roleAssigned - ロールが付与された
  * achievementEarned - 実績を獲得
  * exportCompleted - エクスポートが完了
+ * login - ログイン
  * app - アプリ通知
  * test - テスト通知（サーバー側）
  */
@@ -34,6 +35,7 @@ export const notificationTypes = [
 	'roleAssigned',
 	'achievementEarned',
 	'exportCompleted',
+	'login',
 	'app',
 	'test',
 ] as const;
diff --git a/packages/frontend-shared/js/const.ts b/packages/frontend-shared/js/const.ts
index aec4a4a58b..4fe5cbb205 100644
--- a/packages/frontend-shared/js/const.ts
+++ b/packages/frontend-shared/js/const.ts
@@ -68,6 +68,7 @@ export const notificationTypes = [
 	'roleAssigned',
 	'achievementEarned',
 	'exportCompleted',
+	'login',
 	'test',
 	'app',
 ] as const;
diff --git a/packages/frontend/src/components/MkNotification.vue b/packages/frontend/src/components/MkNotification.vue
index 12c2974de4..b27d883b85 100644
--- a/packages/frontend/src/components/MkNotification.vue
+++ b/packages/frontend/src/components/MkNotification.vue
@@ -7,13 +7,12 @@ SPDX-License-Identifier: AGPL-3.0-only
 <div :class="$style.root">
 	<div :class="$style.head">
 		<MkAvatar v-if="['pollEnded', 'note'].includes(notification.type) && 'note' in notification" :class="$style.icon" :user="notification.note.user" link preview/>
-		<MkAvatar v-else-if="['roleAssigned', 'achievementEarned'].includes(notification.type)" :class="$style.icon" :user="$i" link preview/>
+		<MkAvatar v-else-if="['roleAssigned', 'achievementEarned', 'exportCompleted', 'login'].includes(notification.type)" :class="$style.icon" :user="$i" link preview/>
 		<div v-else-if="notification.type === 'reaction:grouped' && notification.note.reactionAcceptance === 'likeOnly'" :class="[$style.icon, $style.icon_reactionGroupHeart]"><i class="ti ti-heart" style="line-height: 1;"></i></div>
 		<div v-else-if="notification.type === 'reaction:grouped'" :class="[$style.icon, $style.icon_reactionGroup]"><i class="ti ti-plus" style="line-height: 1;"></i></div>
 		<div v-else-if="notification.type === 'renote:grouped'" :class="[$style.icon, $style.icon_renoteGroup]"><i class="ti ti-repeat" style="line-height: 1;"></i></div>
 		<img v-else-if="notification.type === 'test'" :class="$style.icon" :src="infoImageUrl"/>
 		<MkAvatar v-else-if="'user' in notification" :class="$style.icon" :user="notification.user" link preview/>
-		<MkAvatar v-else-if="notification.type === 'exportCompleted'" :class="$style.icon" :user="$i" link preview/>
 		<img v-else-if="'icon' in notification && notification.icon != null" :class="[$style.icon, $style.icon_app]" :src="notification.icon" alt=""/>
 		<div
 			:class="[$style.subIcon, {
@@ -27,6 +26,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 				[$style.t_pollEnded]: notification.type === 'pollEnded',
 				[$style.t_achievementEarned]: notification.type === 'achievementEarned',
 				[$style.t_exportCompleted]: notification.type === 'exportCompleted',
+				[$style.t_login]: notification.type === 'login',
 				[$style.t_roleAssigned]: notification.type === 'roleAssigned' && notification.role.iconUrl == null,
 			}]"
 		>
@@ -40,6 +40,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<i v-else-if="notification.type === 'pollEnded'" class="ti ti-chart-arrows"></i>
 			<i v-else-if="notification.type === 'achievementEarned'" class="ti ti-medal"></i>
 			<i v-else-if="notification.type === 'exportCompleted'" class="ti ti-archive"></i>
+			<i v-else-if="notification.type === 'login'" class="ti ti-login-2"></i>
 			<template v-else-if="notification.type === 'roleAssigned'">
 				<img v-if="notification.role.iconUrl" style="height: 1.3em; vertical-align: -22%;" :src="notification.role.iconUrl" alt=""/>
 				<i v-else class="ti ti-badges"></i>
@@ -59,6 +60,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<span v-else-if="notification.type === 'note'">{{ i18n.ts._notification.newNote }}: <MkUserName :user="notification.note.user"/></span>
 			<span v-else-if="notification.type === 'roleAssigned'">{{ i18n.ts._notification.roleAssigned }}</span>
 			<span v-else-if="notification.type === 'achievementEarned'">{{ i18n.ts._notification.achievementEarned }}</span>
+			<span v-else-if="notification.type === 'login'">{{ i18n.ts._notification.login }}</span>
 			<span v-else-if="notification.type === 'test'">{{ i18n.ts._notification.testNotification }}</span>
 			<span v-else-if="notification.type === 'exportCompleted'">{{ i18n.tsx._notification.exportOfXCompleted({ x: exportEntityName[notification.exportedEntity] }) }}</span>
 			<MkA v-else-if="notification.type === 'follow' || notification.type === 'mention' || notification.type === 'reply' || notification.type === 'renote' || notification.type === 'quote' || notification.type === 'reaction' || notification.type === 'receiveFollowRequest' || notification.type === 'followRequestAccepted'" v-user-preview="notification.user.id" :class="$style.headerName" :to="userPage(notification.user)"><MkUserName :user="notification.user"/></MkA>
@@ -225,6 +227,7 @@ function getActualReactedUsersCount(notification: Misskey.entities.Notification)
 	--eventReactionHeart: var(--love);
 	--eventReaction: #e99a0b;
 	--eventAchievement: #cb9a11;
+	--eventLogin: #007aff;
 	--eventOther: #88a6b7;
 }
 
@@ -346,6 +349,12 @@ function getActualReactedUsersCount(notification: Misskey.entities.Notification)
 	pointer-events: none;
 }
 
+.t_login {
+	padding: 3px;
+	background: var(--eventLogin);
+	pointer-events: none;
+}
+
 .tail {
 	flex: 1;
 	min-width: 0;
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 6aaeabec7b..46fc2496da 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -4288,7 +4288,14 @@ export type components = {
       exportedEntity: 'antenna' | 'blocking' | 'clip' | 'customEmoji' | 'favorite' | 'following' | 'muting' | 'note' | 'userList';
       /** Format: id */
       fileId: string;
-    }) | ({
+    }) | {
+      /** Format: id */
+      id: string;
+      /** Format: date-time */
+      createdAt: string;
+      /** @enum {string} */
+      type: 'login';
+    } | ({
       /** Format: id */
       id: string;
       /** Format: date-time */
@@ -18550,8 +18557,8 @@ export type operations = {
           untilId?: string;
           /** @default true */
           markAsRead?: boolean;
-          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
-          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
+          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'login' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
+          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'login' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
         };
       };
     };
@@ -18618,8 +18625,8 @@ export type operations = {
           untilId?: string;
           /** @default true */
           markAsRead?: boolean;
-          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
-          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
+          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'login' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
+          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'login' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
         };
       };
     };
diff --git a/packages/sw/src/scripts/create-notification.ts b/packages/sw/src/scripts/create-notification.ts
index 2b7dfd4f2d..364328d4b0 100644
--- a/packages/sw/src/scripts/create-notification.ts
+++ b/packages/sw/src/scripts/create-notification.ts
@@ -210,6 +210,12 @@ async function composeNotification(data: PushNotificationDataMap[keyof PushNotif
 						tag: `achievement:${data.body.achievement}`,
 					}];
 
+				case 'login':
+					return [i18n.ts._notification.login, {
+						badge: iconUrl('login-2'),
+						data,
+					}];
+
 				case 'exportCompleted': {
 					const entityName = {
 						antenna: i18n.ts.antennas,
diff --git a/packages/sw/src/types.ts b/packages/sw/src/types.ts
index fac3e707d8..4f82779808 100644
--- a/packages/sw/src/types.ts
+++ b/packages/sw/src/types.ts
@@ -50,4 +50,5 @@ export type BadgeNames =
 	| 'quote'
 	| 'repeat'
 	| 'user-plus'
-	| 'users';
+	| 'users'
+	| 'login-2';
-- 
cgit v1.2.3-freya


From a722ea8ccd98c66784442d71a1e1cd14b7835d48 Mon Sep 17 00:00:00 2001
From: Kisaragi <48310258+KisaragiEffective@users.noreply.github.com>
Date: Thu, 3 Oct 2024 17:05:14 +0900
Subject: fix(backend):
 連合限定先が間違って連合しない先に代入されているのを修正 (#14662)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(backend): 連合限定先が間違って連合しない先に代入されているのを修正

* build: fix property typo
---
 packages/backend/src/server/api/endpoints/admin/update-meta.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/admin/update-meta.ts b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
index daef236397..9ffae840b6 100644
--- a/packages/backend/src/server/api/endpoints/admin/update-meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
@@ -652,7 +652,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			}
 
 			if (Array.isArray(ps.federationHosts)) {
-				set.blockedHosts = ps.federationHosts.filter(Boolean).map(x => x.toLowerCase());
+				set.federationHosts = ps.federationHosts.filter(Boolean).map(x => x.toLowerCase());
 			}
 
 			const before = await this.metaService.fetch(true);
-- 
cgit v1.2.3-freya


From 2c1a7470d35cb840950e63008fb4014e5e341dd6 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Thu, 3 Oct 2024 18:18:00 +0900
Subject: feat: サーバー初期設定時に初期パスワードを要求できるように (#14626)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: サーバー初期設定時専用の初期パスワードを設定できるように

* 無いのに入力された場合もエラーにする

* :art:

* :art:

* cypress-devcontainerにもpassを設定（テストが失敗するため）

* [ci skip] :art:

* :v:

* test: please revert this commit before merge

* Revert "test: please revert this commit before merge"

This reverts commit 66b2b48f66830d2450d8cda03955c143feba76c7.

* Update locales/ja-JP.yml

Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>

* build assets

* Update Changelog

* fix condition

* fix condition

* add comment

* change error code

* 他のエラーコードと合わせる

* Update CHANGELOG.md

---------

Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
---
 .config/cypress-devcontainer.yml                   | 13 ++++++++
 .config/example.yml                                | 13 ++++++++
 CHANGELOG.md                                       |  5 +++
 cypress/e2e/basic.cy.ts                            |  1 +
 locales/index.d.ts                                 | 14 ++++++++
 locales/ja-JP.yml                                  |  3 ++
 packages/backend/src/config.ts                     |  4 +++
 .../server/api/endpoints/admin/accounts/create.ts  | 38 +++++++++++++++++++++-
 packages/frontend/src/pages/welcome.setup.vue      | 26 ++++++++++++---
 packages/misskey-js/src/autogen/types.ts           |  1 +
 10 files changed, 113 insertions(+), 5 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/.config/cypress-devcontainer.yml b/.config/cypress-devcontainer.yml
index 91dce35155..64988aff66 100644
--- a/.config/cypress-devcontainer.yml
+++ b/.config/cypress-devcontainer.yml
@@ -2,6 +2,19 @@
 # Misskey configuration
 #━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
+#   ┌────────────────────────┐
+#───┘ Initial Setup Password └─────────────────────────────────────────────────────
+
+# Password to initiate setting up admin account.
+# It will not be used after the initial setup is complete.
+#
+# Be sure to change this when you set up Misskey via the Internet.
+#
+# The provider of the service who sets up Misskey on behalf of the customer should
+# set this value to something unique when generating the Misskey config file,
+# and provide it to the customer.
+initialPassword: example_password_please_change_this_or_you_will_get_hacked
+
 #   ┌─────┐
 #───┘ URL └─────────────────────────────────────────────────────
 
diff --git a/.config/example.yml b/.config/example.yml
index 7080159117..fbc4cdff4b 100644
--- a/.config/example.yml
+++ b/.config/example.yml
@@ -59,6 +59,19 @@
 #
 # publishTarballInsteadOfProvideRepositoryUrl: true
 
+#   ┌────────────────────────┐
+#───┘ Initial Setup Password └─────────────────────────────────────────────────────
+
+# Password to initiate setting up admin account.
+# It will not be used after the initial setup is complete.
+#
+# Be sure to change this when you set up Misskey via the Internet.
+#
+# The provider of the service who sets up Misskey on behalf of the customer should
+# set this value to something unique when generating the Misskey config file,
+# and provide it to the customer.
+initialPassword: example_password_please_change_this_or_you_will_get_hacked
+
 #   ┌─────┐
 #───┘ URL └─────────────────────────────────────────────────────
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 188e3b7d82..2e48931267 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,11 @@
 ## 2024.10.0
 
+### Note
+- サーバー初期設定時に使用する初期パスワードを設定できるようになりました。今後Misskeyサーバーを新たに設置する際には、初回の起動前にコンフィグファイルの`initialPassword`を必ず変更してください。（すでに初期設定を完了しているサーバーについては、この変更に伴い対応する必要はありません）  
+  ホスティングサービスを運営している場合は、コンフィグファイルを構築する際に`initialPassword`をランダムな値に設定し、ユーザーに通知するようにしてください。
+
 ### General
+- Feat: サーバー初期設定時に初期パスワードを設定できるように
 - Enhance: セキュリティ向上のため、サインイン時もCAPTCHAを求めるようになりました
 - Enhance: 依存関係の更新
 - Enhance: l10nの更新
diff --git a/cypress/e2e/basic.cy.ts b/cypress/e2e/basic.cy.ts
index d2525e0a7d..e4baeacbf3 100644
--- a/cypress/e2e/basic.cy.ts
+++ b/cypress/e2e/basic.cy.ts
@@ -23,6 +23,7 @@ describe('Before setup instance', () => {
 
 		cy.intercept('POST', '/api/admin/accounts/create').as('signup');
 
+		cy.get('[data-cy-admin-initial-password] input').type('example_password_please_change_this_or_you_will_get_hacked');
 		cy.get('[data-cy-admin-username] input').type('admin');
 		cy.get('[data-cy-admin-password] input').type('admin1234');
 		cy.get('[data-cy-admin-ok]').click();
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 0a9123f03d..86a6df3100 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -48,6 +48,20 @@ export interface Locale extends ILocale {
      * パスワード
      */
     "password": string;
+    /**
+     * 初期設定開始用パスワード
+     */
+    "initialPasswordForSetup": string;
+    /**
+     * 初期設定開始用のパスワードが違います。
+     */
+    "initialPasswordIsIncorrect": string;
+    /**
+     * Misskeyを自分でインストールした場合は、設定ファイルに入力したパスワードを使用してください。
+     * Misskeyのホスティングサービスなどを使用している場合は、提供されたパスワードを使用してください。
+     * パスワードを設定していない場合は、空欄にしたまま続行してください。
+     */
+    "initialPasswordForSetupDescription": string;
     /**
      * パスワードを忘れた
      */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index cfbe0dcc75..62317cd5e6 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -8,6 +8,9 @@ search: "検索"
 notifications: "通知"
 username: "ユーザー名"
 password: "パスワード"
+initialPasswordForSetup: "初期設定開始用パスワード"
+initialPasswordIsIncorrect: "初期設定開始用のパスワードが違います。"
+initialPasswordForSetupDescription: "Misskeyを自分でインストールした場合は、設定ファイルに入力したパスワードを使用してください。\nMisskeyのホスティングサービスなどを使用している場合は、提供されたパスワードを使用してください。\nパスワードを設定していない場合は、空欄にしたまま続行してください。"
 forgotPassword: "パスワードを忘れた"
 fetchingAsApObject: "連合に照会中"
 ok: "OK"
diff --git a/packages/backend/src/config.ts b/packages/backend/src/config.ts
index 97ba79c574..b320ce5403 100644
--- a/packages/backend/src/config.ts
+++ b/packages/backend/src/config.ts
@@ -63,6 +63,8 @@ type Source = {
 
 	publishTarballInsteadOfProvideRepositoryUrl?: boolean;
 
+	initialPassword?: string;
+
 	proxy?: string;
 	proxySmtp?: string;
 	proxyBypassHosts?: string[];
@@ -152,6 +154,7 @@ export type Config = {
 
 	version: string;
 	publishTarballInsteadOfProvideRepositoryUrl: boolean;
+	initialPassword: string | undefined;
 	host: string;
 	hostname: string;
 	scheme: string;
@@ -232,6 +235,7 @@ export function loadConfig(): Config {
 	return {
 		version,
 		publishTarballInsteadOfProvideRepositoryUrl: !!config.publishTarballInsteadOfProvideRepositoryUrl,
+		initialPassword: config.initialPassword,
 		url: url.origin,
 		port: config.port ?? parseInt(process.env.PORT ?? '', 10),
 		socket: config.socket,
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index a7e8a3b018..bddf7f45d3 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -12,11 +12,27 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { InstanceActorService } from '@/core/InstanceActorService.js';
 import { localUsernameSchema, passwordSchema } from '@/models/User.js';
 import { DI } from '@/di-symbols.js';
+import type { Config } from '@/config.js';
+import { ApiError } from '@/server/api/error.js';
 import { Packed } from '@/misc/json-schema.js';
 
 export const meta = {
 	tags: ['admin'],
 
+	errors: {
+		accessDenied: {
+			message: 'Access denied.',
+			code: 'ACCESS_DENIED',
+			id: '1fb7cb09-d46a-4fff-b8df-057708cce513',
+		},
+
+		wrongInitialPassword: {
+			message: 'Initial password is incorrect.',
+			code: 'INCORRECT_INITIAL_PASSWORD',
+			id: '97147c55-1ae1-4f6f-91d6-e1c3e0e76d62',
+		},
+	},
+
 	res: {
 		type: 'object',
 		optional: false, nullable: false,
@@ -35,6 +51,7 @@ export const paramDef = {
 	properties: {
 		username: localUsernameSchema,
 		password: passwordSchema,
+		initialPassword: { type: 'string', nullable: true },
 	},
 	required: ['username', 'password'],
 } as const;
@@ -42,6 +59,9 @@ export const paramDef = {
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
+		@Inject(DI.config)
+		private config: Config,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
@@ -52,7 +72,23 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		super(meta, paramDef, async (ps, _me, token) => {
 			const me = _me ? await this.usersRepository.findOneByOrFail({ id: _me.id }) : null;
 			const realUsers = await this.instanceActorService.realLocalUsersPresent();
-			if ((realUsers && !me?.isRoot) || token !== null) throw new Error('access denied');
+
+			if (!realUsers && me == null && token == null) {
+				// 初回セットアップの場合
+				if (this.config.initialPassword != null) {
+					// 初期パスワードが設定されている場合
+					if (ps.initialPassword !== this.config.initialPassword) {
+						// 初期パスワードが違う場合
+						throw new ApiError(meta.errors.wrongInitialPassword);
+					}
+				} else if (ps.initialPassword != null && ps.initialPassword.trim() !== '') {
+					// 初期パスワードが設定されていないのに初期パスワードが入力された場合
+					throw new ApiError(meta.errors.wrongInitialPassword);
+				}
+			} else if ((realUsers && !me?.isRoot) || token !== null) {
+				// 初回セットアップではなく、管理者でない場合 or 外部トークンを使用している場合
+				throw new ApiError(meta.errors.accessDenied);
+			}
 
 			const { account, secret } = await this.signupService.signup({
 				username: ps.username,
diff --git a/packages/frontend/src/pages/welcome.setup.vue b/packages/frontend/src/pages/welcome.setup.vue
index a227c7c4bc..cb20cfc5fc 100644
--- a/packages/frontend/src/pages/welcome.setup.vue
+++ b/packages/frontend/src/pages/welcome.setup.vue
@@ -14,6 +14,10 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</div>
 			<div class="_gaps_m" style="padding: 32px;">
 				<div>{{ i18n.ts.intro }}</div>
+				<MkInput v-model="initialPassword" type="password" data-cy-admin-initial-password>
+					<template #label>{{ i18n.ts.initialPasswordForSetup }} <div v-tooltip:dialog="i18n.ts.initialPasswordForSetupDescription" class="_button _help"><i class="ti ti-help-circle"></i></div></template>
+					<template #prefix><i class="ti ti-lock"></i></template>
+				</MkInput>
 				<MkInput v-model="username" pattern="^[a-zA-Z0-9_]{1,20}$" :spellcheck="false" required data-cy-admin-username>
 					<template #label>{{ i18n.ts.username }}</template>
 					<template #prefix>@</template>
@@ -47,6 +51,7 @@ import MkAnimBg from '@/components/MkAnimBg.vue';
 
 const username = ref('');
 const password = ref('');
+const initialPassword = ref('');
 const submitting = ref(false);
 
 function submit() {
@@ -56,14 +61,27 @@ function submit() {
 	misskeyApi('admin/accounts/create', {
 		username: username.value,
 		password: password.value,
+		initialPassword: initialPassword.value === '' ? null : initialPassword.value,
 	}).then(res => {
 		return login(res.token);
-	}).catch(() => {
+	}).catch((err) => {
 		submitting.value = false;
 
+		let title = i18n.ts.somethingHappened;
+		let text = err.message + '\n' + err.id;
+
+		if (err.code === 'ACCESS_DENIED') {
+			title = i18n.ts.permissionDeniedError;
+			text = i18n.ts.operationForbidden;
+		} else if (err.code === 'INCORRECT_INITIAL_PASSWORD') {
+			title = i18n.ts.permissionDeniedError;
+			text = i18n.ts.incorrectPassword;
+		}
+
 		os.alert({
 			type: 'error',
-			text: i18n.ts.somethingHappened,
+			title,
+			text,
 		});
 	});
 }
@@ -74,8 +92,8 @@ function submit() {
 	min-height: 100svh;
 	padding: 32px 32px 64px 32px;
 	box-sizing: border-box;
-display: grid;
-place-content: center;
+	display: grid;
+	place-content: center;
 }
 
 .form {
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 46fc2496da..ee5cd477f1 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -5611,6 +5611,7 @@ export type operations = {
         'application/json': {
           username: string;
           password: string;
+          initialPassword?: string | null;
         };
       };
     };
-- 
cgit v1.2.3-freya


From 2a4ab0e1878c7e45e939574cb4eb6c23f6371802 Mon Sep 17 00:00:00 2001
From: zyoshoka <107108195+zyoshoka@users.noreply.github.com>
Date: Thu, 3 Oct 2024 18:33:56 +0900
Subject: fix(misskey-js): type fixes related to signup and signin (#14679)

---
 .../backend/src/server/api/ApiServerService.ts     | 12 ++++---
 packages/frontend/src/components/MkSignin.vue      |  5 ++-
 packages/misskey-js/etc/misskey-js.api.md          | 37 ++++++++++++++++++----
 packages/misskey-js/package.json                   |  1 +
 packages/misskey-js/src/api.types.ts               | 17 ++++++++--
 packages/misskey-js/src/entities.ts                | 18 ++++++++---
 pnpm-lock.yaml                                     |  3 ++
 7 files changed, 73 insertions(+), 20 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/ApiServerService.ts b/packages/backend/src/server/api/ApiServerService.ts
index 709a044601..356e145681 100644
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@@ -118,6 +118,7 @@ export class ApiServerService {
 				'hcaptcha-response'?: string;
 				'g-recaptcha-response'?: string;
 				'turnstile-response'?: string;
+				'm-captcha-response'?: string;
 			}
 		}>('/signup', (request, reply) => this.signupApiService.signup(request, reply));
 
@@ -126,17 +127,18 @@ export class ApiServerService {
 				username: string;
 				password: string;
 				token?: string;
-				signature?: string;
-				authenticatorData?: string;
-				clientDataJSON?: string;
-				credentialId?: string;
-				challengeId?: string;
+				credential?: AuthenticationResponseJSON;
+				'hcaptcha-response'?: string;
+				'g-recaptcha-response'?: string;
+				'turnstile-response'?: string;
+				'm-captcha-response'?: string;
 			};
 		}>('/signin', (request, reply) => this.signinApiService.signin(request, reply));
 
 		fastify.post<{
 			Body: {
 				credential?: AuthenticationResponseJSON;
+				context?: string;
 			};
 		}>('/signin-with-passkey', (request, reply) => this.signinWithPasskeyApiService.signin(request, reply));
 
diff --git a/packages/frontend/src/components/MkSignin.vue b/packages/frontend/src/components/MkSignin.vue
index 8ebdac0220..abbff8e1f2 100644
--- a/packages/frontend/src/components/MkSignin.vue
+++ b/packages/frontend/src/components/MkSignin.vue
@@ -76,7 +76,6 @@ import { computed, defineAsyncComponent, ref } from 'vue';
 import { toUnicode } from 'punycode/';
 import * as Misskey from 'misskey-js';
 import { supported as webAuthnSupported, get as webAuthnRequest, parseRequestOptionsFromJSON } from '@github/webauthn-json/browser-ponyfill';
-import { SigninWithPasskeyResponse } from 'misskey-js/entities.js';
 import { query, extractDomain } from '@@/js/url.js';
 import { host as configHost } from '@@/js/config.js';
 import MkDivider from './MkDivider.vue';
@@ -188,7 +187,7 @@ function onPasskeyLogin(): void {
 	signing.value = true;
 	if (webAuthnSupported()) {
 		misskeyApi('signin-with-passkey', {})
-			.then((res: SigninWithPasskeyResponse) => {
+			.then(res => {
 				totpLogin.value = false;
 				signing.value = false;
 				queryingKey.value = true;
@@ -219,7 +218,7 @@ async function queryPasskey(): Promise<void> {
 				credential: credential.toJSON(),
 				context: passkey_context.value,
 			});
-		}).then((res: SigninWithPasskeyResponse) => {
+		}).then(res => {
 			emit('login', res.signinResponse);
 			return onLogin(res.signinResponse);
 		});
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index a5f12b41f4..5f4792eb74 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -4,7 +4,9 @@
 
 ```ts
 
+import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import { EventEmitter } from 'eventemitter3';
+import type { PublicKeyCredentialRequestOptionsJSON } from '@simplewebauthn/types';
 
 // Warning: (ae-forgotten-export) The symbol "components" needs to be exported by the entry point index.d.ts
 //
@@ -1162,7 +1164,19 @@ export type Endpoints = Overwrite<Endpoints_2, {
     };
     'signin-with-passkey': {
         req: SigninWithPasskeyRequest;
-        res: SigninWithPasskeyResponse;
+        res: {
+            $switch: {
+                $cases: [
+                [
+                    {
+                    context: string;
+                },
+                SigninWithPasskeyResponse
+                ]
+                ];
+                $default: SigninWithPasskeyInitResponse;
+            };
+        };
     };
     'admin/roles/create': {
         req: Overwrite<AdminRolesCreateRequest, {
@@ -1196,6 +1210,7 @@ declare namespace entities {
         SignupPendingResponse,
         SigninRequest,
         SigninWithPasskeyRequest,
+        SigninWithPasskeyInitResponse,
         SigninWithPasskeyResponse,
         SigninResponse,
         PartialRolePolicyOverride,
@@ -3027,6 +3042,11 @@ type SigninRequest = {
     username: string;
     password: string;
     token?: string;
+    credential?: AuthenticationResponseJSON;
+    'hcaptcha-response'?: string | null;
+    'g-recaptcha-response'?: string | null;
+    'turnstile-response'?: string | null;
+    'm-captcha-response'?: string | null;
 };
 
 // @public (undocumented)
@@ -3035,17 +3055,21 @@ type SigninResponse = {
     i: string;
 };
 
+// @public (undocumented)
+type SigninWithPasskeyInitResponse = {
+    option: PublicKeyCredentialRequestOptionsJSON;
+    context: string;
+};
+
 // @public (undocumented)
 type SigninWithPasskeyRequest = {
-    credential?: object;
+    credential?: AuthenticationResponseJSON;
     context?: string;
 };
 
 // @public (undocumented)
 type SigninWithPasskeyResponse = {
-    option?: object;
-    context?: string;
-    signinResponse?: SigninResponse;
+    signinResponse: SigninResponse;
 };
 
 // @public (undocumented)
@@ -3069,6 +3093,7 @@ type SignupRequest = {
     'hcaptcha-response'?: string | null;
     'g-recaptcha-response'?: string | null;
     'turnstile-response'?: string | null;
+    'm-captcha-response'?: string | null;
 };
 
 // @public (undocumented)
@@ -3346,7 +3371,7 @@ type UsersUpdateMemoRequest = operations['users___update-memo']['requestBody']['
 
 // Warnings were encountered during analysis:
 //
-// src/entities.ts:49:2 - (ae-forgotten-export) The symbol "ModerationLogPayloads" needs to be exported by the entry point index.d.ts
+// src/entities.ts:50:2 - (ae-forgotten-export) The symbol "ModerationLogPayloads" needs to be exported by the entry point index.d.ts
 // src/streaming.types.ts:220:4 - (ae-forgotten-export) The symbol "ReversiUpdateKey" needs to be exported by the entry point index.d.ts
 // src/streaming.types.ts:230:4 - (ae-forgotten-export) The symbol "ReversiUpdateSettings" needs to be exported by the entry point index.d.ts
 
diff --git a/packages/misskey-js/package.json b/packages/misskey-js/package.json
index b41f0057a3..badc4f64ff 100644
--- a/packages/misskey-js/package.json
+++ b/packages/misskey-js/package.json
@@ -57,6 +57,7 @@
 		"built"
 	],
 	"dependencies": {
+		"@simplewebauthn/types": "10.0.0",
 		"eventemitter3": "5.0.1",
 		"reconnecting-websocket": "4.4.0"
 	}
diff --git a/packages/misskey-js/src/api.types.ts b/packages/misskey-js/src/api.types.ts
index 4c3f2e1578..cef5ab8861 100644
--- a/packages/misskey-js/src/api.types.ts
+++ b/packages/misskey-js/src/api.types.ts
@@ -5,6 +5,7 @@ import {
 	PartialRolePolicyOverride,
 	SigninRequest,
 	SigninResponse,
+	SigninWithPasskeyInitResponse,
 	SigninWithPasskeyRequest,
 	SigninWithPasskeyResponse,
 	SignupPendingRequest,
@@ -86,8 +87,20 @@ export type Endpoints = Overwrite<
 		},
 		'signin-with-passkey': {
 			req: SigninWithPasskeyRequest;
-			res: SigninWithPasskeyResponse;
-		}
+			res: {
+				$switch: {
+					$cases: [
+						[
+							{
+								context: string;
+							},
+							SigninWithPasskeyResponse,
+						],
+					];
+					$default: SigninWithPasskeyInitResponse;
+				},
+			},
+		},
 		'admin/roles/create': {
 			req: Overwrite<AdminRolesCreateRequest, { policies: PartialRolePolicyOverride }>;
 			res: AdminRolesCreateResponse;
diff --git a/packages/misskey-js/src/entities.ts b/packages/misskey-js/src/entities.ts
index 64ed90cbb1..36b7f5bca3 100644
--- a/packages/misskey-js/src/entities.ts
+++ b/packages/misskey-js/src/entities.ts
@@ -10,6 +10,7 @@ import {
 	User,
 	UserDetailedNotMe,
 } from './autogen/models.js';
+import type { AuthenticationResponseJSON, PublicKeyCredentialRequestOptionsJSON } from '@simplewebauthn/types';
 
 export * from './autogen/entities.js';
 export * from './autogen/models.js';
@@ -250,6 +251,7 @@ export type SignupRequest = {
 	'hcaptcha-response'?: string | null;
 	'g-recaptcha-response'?: string | null;
 	'turnstile-response'?: string | null;
+	'm-captcha-response'?: string | null;
 }
 
 export type SignupResponse = MeDetailed & {
@@ -269,17 +271,25 @@ export type SigninRequest = {
 	username: string;
 	password: string;
 	token?: string;
+	credential?: AuthenticationResponseJSON;
+	'hcaptcha-response'?: string | null;
+	'g-recaptcha-response'?: string | null;
+	'turnstile-response'?: string | null;
+	'm-captcha-response'?: string | null;
 };
 
 export type SigninWithPasskeyRequest = {
-	credential?: object;
+	credential?: AuthenticationResponseJSON;
 	context?: string;
 };
 
+export type SigninWithPasskeyInitResponse = {
+	option: PublicKeyCredentialRequestOptionsJSON;
+	context: string;
+};
+
 export type SigninWithPasskeyResponse = {
-	option?: object;
-	context?: string;
-	signinResponse?: SigninResponse;
+	signinResponse: SigninResponse;
 };
 
 export type SigninResponse = {
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 5d7febbcc9..53d5dbbde0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -1289,6 +1289,9 @@ importers:
 
   packages/misskey-js:
     dependencies:
+      '@simplewebauthn/types':
+        specifier: 10.0.0
+        version: 10.0.0
       eventemitter3:
         specifier: 5.0.1
         version: 5.0.1
-- 
cgit v1.2.3-freya


From d2175a9b9f6e38ca3ec0ca28b29d99f4b46f9dcd Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Thu, 3 Oct 2024 20:40:39 +0900
Subject: initialPassword -> setupPassword

---
 .config/cypress-devcontainer.yml                                  | 2 +-
 .config/example.yml                                               | 2 +-
 packages/backend/src/config.ts                                    | 6 +++---
 .../backend/src/server/api/endpoints/admin/accounts/create.ts     | 8 ++++----
 packages/frontend/src/pages/welcome.setup.vue                     | 8 ++++----
 packages/misskey-js/src/autogen/types.ts                          | 2 +-
 6 files changed, 14 insertions(+), 14 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/.config/cypress-devcontainer.yml b/.config/cypress-devcontainer.yml
index 64988aff66..3907615f73 100644
--- a/.config/cypress-devcontainer.yml
+++ b/.config/cypress-devcontainer.yml
@@ -13,7 +13,7 @@
 # The provider of the service who sets up Misskey on behalf of the customer should
 # set this value to something unique when generating the Misskey config file,
 # and provide it to the customer.
-initialPassword: example_password_please_change_this_or_you_will_get_hacked
+setupPassword: example_password_please_change_this_or_you_will_get_hacked
 
 #   ┌─────┐
 #───┘ URL └─────────────────────────────────────────────────────
diff --git a/.config/example.yml b/.config/example.yml
index fbc4cdff4b..600c1c632e 100644
--- a/.config/example.yml
+++ b/.config/example.yml
@@ -70,7 +70,7 @@
 # The provider of the service who sets up Misskey on behalf of the customer should
 # set this value to something unique when generating the Misskey config file,
 # and provide it to the customer.
-initialPassword: example_password_please_change_this_or_you_will_get_hacked
+setupPassword: example_password_please_change_this_or_you_will_get_hacked
 
 #   ┌─────┐
 #───┘ URL └─────────────────────────────────────────────────────
diff --git a/packages/backend/src/config.ts b/packages/backend/src/config.ts
index b320ce5403..42f1033b9d 100644
--- a/packages/backend/src/config.ts
+++ b/packages/backend/src/config.ts
@@ -63,7 +63,7 @@ type Source = {
 
 	publishTarballInsteadOfProvideRepositoryUrl?: boolean;
 
-	initialPassword?: string;
+	setupPassword?: string;
 
 	proxy?: string;
 	proxySmtp?: string;
@@ -154,7 +154,7 @@ export type Config = {
 
 	version: string;
 	publishTarballInsteadOfProvideRepositoryUrl: boolean;
-	initialPassword: string | undefined;
+	setupPassword: string | undefined;
 	host: string;
 	hostname: string;
 	scheme: string;
@@ -235,7 +235,7 @@ export function loadConfig(): Config {
 	return {
 		version,
 		publishTarballInsteadOfProvideRepositoryUrl: !!config.publishTarballInsteadOfProvideRepositoryUrl,
-		initialPassword: config.initialPassword,
+		setupPassword: config.setupPassword,
 		url: url.origin,
 		port: config.port ?? parseInt(process.env.PORT ?? '', 10),
 		socket: config.socket,
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index bddf7f45d3..d30131a62f 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -51,7 +51,7 @@ export const paramDef = {
 	properties: {
 		username: localUsernameSchema,
 		password: passwordSchema,
-		initialPassword: { type: 'string', nullable: true },
+		setupPassword: { type: 'string', nullable: true },
 	},
 	required: ['username', 'password'],
 } as const;
@@ -75,13 +75,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 			if (!realUsers && me == null && token == null) {
 				// 初回セットアップの場合
-				if (this.config.initialPassword != null) {
+				if (this.config.setupPassword != null) {
 					// 初期パスワードが設定されている場合
-					if (ps.initialPassword !== this.config.initialPassword) {
+					if (ps.setupPassword !== this.config.setupPassword) {
 						// 初期パスワードが違う場合
 						throw new ApiError(meta.errors.wrongInitialPassword);
 					}
-				} else if (ps.initialPassword != null && ps.initialPassword.trim() !== '') {
+				} else if (ps.setupPassword != null && ps.setupPassword.trim() !== '') {
 					// 初期パスワードが設定されていないのに初期パスワードが入力された場合
 					throw new ApiError(meta.errors.wrongInitialPassword);
 				}
diff --git a/packages/frontend/src/pages/welcome.setup.vue b/packages/frontend/src/pages/welcome.setup.vue
index cb20cfc5fc..dd258aad98 100644
--- a/packages/frontend/src/pages/welcome.setup.vue
+++ b/packages/frontend/src/pages/welcome.setup.vue
@@ -14,7 +14,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</div>
 			<div class="_gaps_m" style="padding: 32px;">
 				<div>{{ i18n.ts.intro }}</div>
-				<MkInput v-model="initialPassword" type="password" data-cy-admin-initial-password>
+				<MkInput v-model="setupPassword" type="password" data-cy-admin-initial-password>
 					<template #label>{{ i18n.ts.initialPasswordForSetup }} <div v-tooltip:dialog="i18n.ts.initialPasswordForSetupDescription" class="_button _help"><i class="ti ti-help-circle"></i></div></template>
 					<template #prefix><i class="ti ti-lock"></i></template>
 				</MkInput>
@@ -40,9 +40,9 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <script lang="ts" setup>
 import { ref } from 'vue';
+import { host, version } from '@@/js/config.js';
 import MkButton from '@/components/MkButton.vue';
 import MkInput from '@/components/MkInput.vue';
-import { host, version } from '@@/js/config.js';
 import * as os from '@/os.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { login } from '@/account.js';
@@ -51,7 +51,7 @@ import MkAnimBg from '@/components/MkAnimBg.vue';
 
 const username = ref('');
 const password = ref('');
-const initialPassword = ref('');
+const setupPassword = ref('');
 const submitting = ref(false);
 
 function submit() {
@@ -61,7 +61,7 @@ function submit() {
 	misskeyApi('admin/accounts/create', {
 		username: username.value,
 		password: password.value,
-		initialPassword: initialPassword.value === '' ? null : initialPassword.value,
+		setupPassword: setupPassword.value === '' ? null : setupPassword.value,
 	}).then(res => {
 		return login(res.token);
 	}).catch((err) => {
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index ee5cd477f1..32646d28ed 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -5611,7 +5611,7 @@ export type operations = {
         'application/json': {
           username: string;
           password: string;
-          initialPassword?: string | null;
+          setupPassword?: string | null;
         };
       };
     };
-- 
cgit v1.2.3-freya


From 975c2e7bc567618c3f8b0082afcba6530d679dae Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Fri, 4 Oct 2024 15:23:33 +0900
Subject: enhance(frontend): サインイン画面の改善 (#14658)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* Update MkSignin.vue

* Update MkSignin.vue

* wip

* Update CHANGELOG.md

* enhance(frontend): サインイン画面の改善

* Update Changelog

* 14655の変更取り込み

* spdx

* fix

* fix

* fix

* :art:

* :art:

* :art:

* :art:

* Captchaがリセットされない問題を修正

* 次の処理をsignin apiから読み取るように

* Add Comments

* fix

* fix test

* attempt to fix test

* fix test

* fix test

* fix test

* fix

* fix test

* fix: 一部のエラーがちゃんと出るように

* Update Changelog

* :art:

* :art:

* remove border

---------

Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
---
 CHANGELOG.md                                       |   4 +
 cypress/e2e/basic.cy.ts                            |  14 +-
 cypress/support/commands.ts                        |   4 +-
 locales/index.d.ts                                 |   4 +
 locales/ja-JP.yml                                  |   1 +
 .../backend/src/core/entities/UserEntityService.ts |  13 +-
 packages/backend/src/models/json-schema/user.ts    |  42 +-
 .../backend/src/server/api/SigninApiService.ts     |  86 ++-
 packages/backend/test/e2e/2fa.ts                   |  99 +--
 packages/backend/test/e2e/users.ts                 |  15 +-
 .../frontend/src/components/MkSignin.input.vue     | 206 ++++++
 .../frontend/src/components/MkSignin.passkey.vue   |  92 +++
 .../frontend/src/components/MkSignin.password.vue  | 181 ++++++
 packages/frontend/src/components/MkSignin.totp.vue |  74 +++
 packages/frontend/src/components/MkSignin.vue      | 694 ++++++++++-----------
 .../frontend/src/components/MkSigninDialog.vue     |  80 ++-
 packages/misskey-js/etc/misskey-js.api.md          |   2 +-
 packages/misskey-js/src/autogen/types.ts           |  15 +-
 packages/misskey-js/src/entities.ts                |   2 +-
 19 files changed, 1150 insertions(+), 478 deletions(-)
 create mode 100644 packages/frontend/src/components/MkSignin.input.vue
 create mode 100644 packages/frontend/src/components/MkSignin.passkey.vue
 create mode 100644 packages/frontend/src/components/MkSignin.password.vue
 create mode 100644 packages/frontend/src/components/MkSignin.totp.vue

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e4ddabd55..a31be063f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,8 @@
 - サーバー初期設定時に使用する初期パスワードを設定できるようになりました。今後Misskeyサーバーを新たに設置する際には、初回の起動前にコンフィグファイルの`setupPassword`をコメントアウトし、初期パスワードを設定することをおすすめします。（すでに初期設定を完了しているサーバーについては、この変更に伴い対応する必要はありません）  
   - ホスティングサービスを運営している場合は、コンフィグファイルを構築する際に`setupPassword`をランダムな値に設定し、ユーザーに通知するようにシステムを更新することをおすすめします。
   - なお、初期パスワードが設定されていない場合でも初期設定を行うことが可能です（UI上で初期パスワードの入力欄を空欄にすると続行できます）。
+- ユーザーデータを読み込む際の型が一部変更されました。
+	- `twoFactorEnabled`, `usePasswordLessLogin`, `securityKeys`: 自分とモデレーター以外のユーザーからは取得できなくなりました
 
 ### General
 - Feat: サーバー初期設定時に初期パスワードを設定できるように
@@ -14,9 +16,11 @@
 
 ### Client
 - Enhance: デザインの調整
+- Enhance: ログイン画面の認証フローを改善
 
 ### Server
 - Enhance: セキュリティ向上のため、ログイン時にメール通知を行うように
+- Enhance: 自分とモデレーター以外のユーザーから二要素認証関連のデータが取得できないように
 
 
 ## 2024.9.0
diff --git a/cypress/e2e/basic.cy.ts b/cypress/e2e/basic.cy.ts
index e4baeacbf3..c9d7e0a24a 100644
--- a/cypress/e2e/basic.cy.ts
+++ b/cypress/e2e/basic.cy.ts
@@ -123,8 +123,13 @@ describe('After user signup', () => {
 		cy.intercept('POST', '/api/signin').as('signin');
 
 		cy.get('[data-cy-signin]').click();
-		cy.get('[data-cy-signin-username] input').type('alice');
-		// Enterキーでサインインできるかの確認も兼ねる
+
+		cy.get('[data-cy-signin-page-input]').should('be.visible', { timeout: 1000 });
+		// Enterキーで続行できるかの確認も兼ねる
+		cy.get('[data-cy-signin-username] input').type('alice{enter}');
+
+		cy.get('[data-cy-signin-page-password]').should('be.visible', { timeout: 10000 });
+		// Enterキーで続行できるかの確認も兼ねる
 		cy.get('[data-cy-signin-password] input').type('alice1234{enter}');
 
 		cy.wait('@signin');
@@ -139,8 +144,9 @@ describe('After user signup', () => {
 		cy.visitHome();
 
 		cy.get('[data-cy-signin]').click();
-		cy.get('[data-cy-signin-username] input').type('alice');
-		cy.get('[data-cy-signin-password] input').type('alice1234{enter}');
+
+		cy.get('[data-cy-signin-page-input]').should('be.visible', { timeout: 1000 });
+		cy.get('[data-cy-signin-username] input').type('alice{enter}');
 
 		// TODO: cypressにブラウザの言語指定できる機能が実装され次第英語のみテストするようにする
 		cy.contains(/アカウントが凍結されています|This account has been suspended due to/gi);
diff --git a/cypress/support/commands.ts b/cypress/support/commands.ts
index 3cdf4e2087..ed5cda31b0 100644
--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@@ -58,7 +58,9 @@ Cypress.Commands.add('login', (username, password) => {
 	cy.intercept('POST', '/api/signin').as('signin');
 
 	cy.get('[data-cy-signin]').click();
-	cy.get('[data-cy-signin-username] input').type(username);
+	cy.get('[data-cy-signin-page-input]').should('be.visible', { timeout: 1000 });
+	cy.get('[data-cy-signin-username] input').type(`${username}{enter}`);
+	cy.get('[data-cy-signin-page-password]').should('be.visible', { timeout: 10000 });
 	cy.get('[data-cy-signin-password] input').type(`${password}{enter}`);
 
 	cy.wait('@signin').as('signedIn');
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 86a6df3100..1a0547ebc6 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -3714,6 +3714,10 @@ export interface Locale extends ILocale {
      * パスワードが間違っています。
      */
     "incorrectPassword": string;
+    /**
+     * ワンタイムパスワードが間違っているか、期限切れになっています。
+     */
+    "incorrectTotp": string;
     /**
      * 「{choice}」に投票しますか？
      */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 62317cd5e6..92014c8abc 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -924,6 +924,7 @@ followersVisibility: "フォロワーの公開範囲"
 continueThread: "さらにスレッドを見る"
 deleteAccountConfirm: "アカウントが削除されます。よろしいですか？"
 incorrectPassword: "パスワードが間違っています。"
+incorrectTotp: "ワンタイムパスワードが間違っているか、期限切れになっています。"
 voteConfirm: "「{choice}」に投票しますか？"
 hide: "隠す"
 useDrawerReactionPickerForMobile: "モバイルデバイスのときドロワーで表示"
diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts
index 69e2d6fc89..c9939adf11 100644
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@@ -545,11 +545,6 @@ export class UserEntityService implements OnModuleInit {
 				publicReactions: this.isLocalUser(user) ? profile!.publicReactions : false, // https://github.com/misskey-dev/misskey/issues/12964
 				followersVisibility: profile!.followersVisibility,
 				followingVisibility: profile!.followingVisibility,
-				twoFactorEnabled: profile!.twoFactorEnabled,
-				usePasswordLessLogin: profile!.usePasswordLessLogin,
-				securityKeys: profile!.twoFactorEnabled
-					? this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1)
-					: false,
 				roles: this.roleService.getUserRoles(user.id).then(roles => roles.filter(role => role.isPublic).sort((a, b) => b.displayOrder - a.displayOrder).map(role => ({
 					id: role.id,
 					name: role.name,
@@ -564,6 +559,14 @@ export class UserEntityService implements OnModuleInit {
 				moderationNote: iAmModerator ? (profile!.moderationNote ?? '') : undefined,
 			} : {}),
 
+			...(isDetailed && (isMe || iAmModerator) ? {
+				twoFactorEnabled: profile!.twoFactorEnabled,
+				usePasswordLessLogin: profile!.usePasswordLessLogin,
+				securityKeys: profile!.twoFactorEnabled
+					? this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1)
+					: false,
+			} : {}),
+
 			...(isDetailed && isMe ? {
 				avatarId: user.avatarId,
 				bannerId: user.bannerId,
diff --git a/packages/backend/src/models/json-schema/user.ts b/packages/backend/src/models/json-schema/user.ts
index 16c8a5a097..9cffd680f2 100644
--- a/packages/backend/src/models/json-schema/user.ts
+++ b/packages/backend/src/models/json-schema/user.ts
@@ -346,21 +346,6 @@ export const packedUserDetailedNotMeOnlySchema = {
 			nullable: false, optional: false,
 			enum: ['public', 'followers', 'private'],
 		},
-		twoFactorEnabled: {
-			type: 'boolean',
-			nullable: false, optional: false,
-			default: false,
-		},
-		usePasswordLessLogin: {
-			type: 'boolean',
-			nullable: false, optional: false,
-			default: false,
-		},
-		securityKeys: {
-			type: 'boolean',
-			nullable: false, optional: false,
-			default: false,
-		},
 		roles: {
 			type: 'array',
 			nullable: false, optional: false,
@@ -382,6 +367,18 @@ export const packedUserDetailedNotMeOnlySchema = {
 			type: 'string',
 			nullable: false, optional: true,
 		},
+		twoFactorEnabled: {
+			type: 'boolean',
+			nullable: false, optional: true,
+		},
+		usePasswordLessLogin: {
+			type: 'boolean',
+			nullable: false, optional: true,
+		},
+		securityKeys: {
+			type: 'boolean',
+			nullable: false, optional: true,
+		},
 		//#region relations
 		isFollowing: {
 			type: 'boolean',
@@ -630,6 +627,21 @@ export const packedMeDetailedOnlySchema = {
 			nullable: false, optional: false,
 			ref: 'RolePolicies',
 		},
+		twoFactorEnabled: {
+			type: 'boolean',
+			nullable: false, optional: false,
+			default: false,
+		},
+		usePasswordLessLogin: {
+			type: 'boolean',
+			nullable: false, optional: false,
+			default: false,
+		},
+		securityKeys: {
+			type: 'boolean',
+			nullable: false, optional: false,
+			default: false,
+		},
 		//#region secrets
 		email: {
 			type: 'string',
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 2ccc75da00..81684beb3c 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -12,6 +12,7 @@ import type {
 	MiMeta,
 	SigninsRepository,
 	UserProfilesRepository,
+	UserSecurityKeysRepository,
 	UsersRepository,
 } from '@/models/_.js';
 import type { Config } from '@/config.js';
@@ -25,9 +26,27 @@ import { CaptchaService } from '@/core/CaptchaService.js';
 import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
-import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
+import type { AuthenticationResponseJSON, PublicKeyCredentialRequestOptionsJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
 
+/**
+ * next を指定すると、次にクライアント側で行うべき処理を指定できる。
+ *
+ * - `captcha`: パスワードと、（有効になっている場合は）CAPTCHAを求める
+ * - `password`: パスワードを求める
+ * - `totp`: ワンタイムパスワードを求める
+ * - `passkey`: WebAuthn認証を求める（WebAuthnに対応していないブラウザの場合はワンタイムパスワード）
+ */
+
+type SigninErrorResponse = {
+	id: string;
+	next?: 'captcha' | 'password' | 'totp';
+} | {
+	id: string;
+	next: 'passkey';
+	authRequest: PublicKeyCredentialRequestOptionsJSON;
+};
+
 @Injectable()
 export class SigninApiService {
 	constructor(
@@ -43,6 +62,9 @@ export class SigninApiService {
 		@Inject(DI.userProfilesRepository)
 		private userProfilesRepository: UserProfilesRepository,
 
+		@Inject(DI.userSecurityKeysRepository)
+		private userSecurityKeysRepository: UserSecurityKeysRepository,
+
 		@Inject(DI.signinsRepository)
 		private signinsRepository: SigninsRepository,
 
@@ -60,7 +82,7 @@ export class SigninApiService {
 		request: FastifyRequest<{
 			Body: {
 				username: string;
-				password: string;
+				password?: string;
 				token?: string;
 				credential?: AuthenticationResponseJSON;
 				'hcaptcha-response'?: string;
@@ -79,7 +101,7 @@ export class SigninApiService {
 		const password = body['password'];
 		const token = body['token'];
 
-		function error(status: number, error: { id: string }) {
+		function error(status: number, error: SigninErrorResponse) {
 			reply.code(status);
 			return { error };
 		}
@@ -103,11 +125,6 @@ export class SigninApiService {
 			return;
 		}
 
-		if (typeof password !== 'string') {
-			reply.code(400);
-			return;
-		}
-
 		if (token != null && typeof token !== 'string') {
 			reply.code(400);
 			return;
@@ -132,11 +149,36 @@ export class SigninApiService {
 		}
 
 		const profile = await this.userProfilesRepository.findOneByOrFail({ userId: user.id });
+		const securityKeysAvailable = await this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1);
+
+		if (password == null) {
+			reply.code(403);
+			if (profile.twoFactorEnabled) {
+				return {
+					error: {
+						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+						next: 'password',
+					},
+				} satisfies { error: SigninErrorResponse };
+			} else {
+				return {
+					error: {
+						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+						next: 'captcha',
+					},
+				} satisfies { error: SigninErrorResponse };
+			}
+		}
+
+		if (typeof password !== 'string') {
+			reply.code(400);
+			return;
+		}
 
 		// Compare password
 		const same = await bcrypt.compare(password, profile.password!);
 
-		const fail = async (status?: number, failure?: { id: string }) => {
+		const fail = async (status?: number, failure?: SigninErrorResponse) => {
 			// Append signin history
 			await this.signinsRepository.insert({
 				id: this.idService.gen(),
@@ -217,7 +259,7 @@ export class SigninApiService {
 					id: '93b86c4b-72f9-40eb-9815-798928603d1e',
 				});
 			}
-		} else {
+		} else if (securityKeysAvailable) {
 			if (!same && !profile.usePasswordLessLogin) {
 				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
@@ -226,8 +268,28 @@ export class SigninApiService {
 
 			const authRequest = await this.webAuthnService.initiateAuthentication(user.id);
 
-			reply.code(200);
-			return authRequest;
+			reply.code(403);
+			return {
+				error: {
+					id: '06e661b9-8146-4ae3-bde5-47138c0ae0c4',
+					next: 'passkey',
+					authRequest,
+				},
+			} satisfies { error: SigninErrorResponse };
+		} else {
+			if (!same || !profile.twoFactorEnabled) {
+				return await fail(403, {
+					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
+				});
+			} else {
+				reply.code(403);
+				return {
+					error: {
+						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+						next: 'totp',
+					},
+				} satisfies { error: SigninErrorResponse };
+			}
 		}
 		// never get here
 	}
diff --git a/packages/backend/test/e2e/2fa.ts b/packages/backend/test/e2e/2fa.ts
index 06548fa7da..88c32b4346 100644
--- a/packages/backend/test/e2e/2fa.ts
+++ b/packages/backend/test/e2e/2fa.ts
@@ -136,13 +136,7 @@ describe('2要素認証', () => {
 		keyName: string,
 		credentialId: Buffer,
 		requestOptions: PublicKeyCredentialRequestOptionsJSON,
-	}): {
-		username: string,
-		password: string,
-		credential: AuthenticationResponseJSON,
-		'g-recaptcha-response'?: string | null,
-		'hcaptcha-response'?: string | null,
-	} => {
+	}): misskey.entities.SigninRequest => {
 		// AuthenticatorAssertionResponse.authenticatorData
 		// https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/authenticatorData
 		const authenticatorData = Buffer.concat([
@@ -202,11 +196,16 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(doneResponse.status, 200);
 
-		const usersShowResponse = await api('users/show', {
-			username,
-		}, alice);
-		assert.strictEqual(usersShowResponse.status, 200);
-		assert.strictEqual((usersShowResponse.body as unknown as { twoFactorEnabled: boolean }).twoFactorEnabled, true);
+		const signinWithoutTokenResponse = await api('signin', {
+			...signinParam(),
+		});
+		assert.strictEqual(signinWithoutTokenResponse.status, 403);
+		assert.deepStrictEqual(signinWithoutTokenResponse.body, {
+			error: {
+				id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
+				next: 'totp',
+			},
+		});
 
 		const signinResponse = await api('signin', {
 			...signinParam(),
@@ -253,26 +252,28 @@ describe('2要素認証', () => {
 		assert.strictEqual(keyDoneResponse.body.id, credentialId.toString('base64url'));
 		assert.strictEqual(keyDoneResponse.body.name, keyName);
 
-		const usersShowResponse = await api('users/show', {
-			username,
-		});
-		assert.strictEqual(usersShowResponse.status, 200);
-		assert.strictEqual((usersShowResponse.body as unknown as { securityKeys: boolean }).securityKeys, true);
-
 		const signinResponse = await api('signin', {
 			...signinParam(),
 		});
-		assert.strictEqual(signinResponse.status, 200);
-		assert.strictEqual(signinResponse.body.i, undefined);
-		assert.notEqual((signinResponse.body as unknown as { challenge: unknown | undefined }).challenge, undefined);
-		assert.notEqual((signinResponse.body as unknown as { allowCredentials: unknown | undefined }).allowCredentials, undefined);
-		assert.strictEqual((signinResponse.body as unknown as { allowCredentials: {id: string}[] }).allowCredentials[0].id, credentialId.toString('base64url'));
+		const signinResponseBody = signinResponse.body as unknown as {
+			error: {
+				id: string;
+				next: 'passkey';
+				authRequest: PublicKeyCredentialRequestOptionsJSON;
+			};
+		};
+		assert.strictEqual(signinResponse.status, 403);
+		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
+		assert.strictEqual(signinResponseBody.error.next, 'passkey');
+		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
+		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
+		assert.strictEqual(signinResponseBody.error.authRequest.allowCredentials && signinResponseBody.error.authRequest.allowCredentials[0]?.id, credentialId.toString('base64url'));
 
 		const signinResponse2 = await api('signin', signinWithSecurityKeyParam({
 			keyName,
 			credentialId,
-			requestOptions: signinResponse.body,
-		} as any));
+			requestOptions: signinResponseBody.error.authRequest,
+		}));
 		assert.strictEqual(signinResponse2.status, 200);
 		assert.notEqual(signinResponse2.body.i, undefined);
 
@@ -315,24 +316,32 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(passwordLessResponse.status, 204);
 
-		const usersShowResponse = await api('users/show', {
-			username,
-		});
-		assert.strictEqual(usersShowResponse.status, 200);
-		assert.strictEqual((usersShowResponse.body as unknown as { usePasswordLessLogin: boolean }).usePasswordLessLogin, true);
+		const iResponse = await api('i', {}, alice);
+		assert.strictEqual(iResponse.status, 200);
+		assert.strictEqual(iResponse.body.usePasswordLessLogin, true);
 
 		const signinResponse = await api('signin', {
 			...signinParam(),
 			password: '',
 		});
-		assert.strictEqual(signinResponse.status, 200);
-		assert.strictEqual(signinResponse.body.i, undefined);
+		const signinResponseBody = signinResponse.body as unknown as {
+			error: {
+				id: string;
+				next: 'passkey';
+				authRequest: PublicKeyCredentialRequestOptionsJSON;
+			};
+		};
+		assert.strictEqual(signinResponse.status, 403);
+		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
+		assert.strictEqual(signinResponseBody.error.next, 'passkey');
+		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
+		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
 
 		const signinResponse2 = await api('signin', {
 			...signinWithSecurityKeyParam({
 				keyName,
 				credentialId,
-				requestOptions: signinResponse.body,
+				requestOptions: signinResponseBody.error.authRequest,
 			} as any),
 			password: '',
 		});
@@ -424,11 +433,11 @@ describe('2要素認証', () => {
 		assert.strictEqual(keyDoneResponse.status, 200);
 
 		// テストの実行順によっては複数残ってるので全部消す
-		const iResponse = await api('i', {
+		const beforeIResponse = await api('i', {
 		}, alice);
-		assert.strictEqual(iResponse.status, 200);
-		assert.ok(iResponse.body.securityKeysList);
-		for (const key of iResponse.body.securityKeysList) {
+		assert.strictEqual(beforeIResponse.status, 200);
+		assert.ok(beforeIResponse.body.securityKeysList);
+		for (const key of beforeIResponse.body.securityKeysList) {
 			const removeKeyResponse = await api('i/2fa/remove-key', {
 				token: otpToken(registerResponse.body.secret),
 				password,
@@ -437,11 +446,9 @@ describe('2要素認証', () => {
 			assert.strictEqual(removeKeyResponse.status, 200);
 		}
 
-		const usersShowResponse = await api('users/show', {
-			username,
-		});
-		assert.strictEqual(usersShowResponse.status, 200);
-		assert.strictEqual((usersShowResponse.body as unknown as { securityKeys: boolean }).securityKeys, false);
+		const afterIResponse = await api('i', {}, alice);
+		assert.strictEqual(afterIResponse.status, 200);
+		assert.strictEqual(afterIResponse.body.securityKeys, false);
 
 		const signinResponse = await api('signin', {
 			...signinParam(),
@@ -468,11 +475,9 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(doneResponse.status, 200);
 
-		const usersShowResponse = await api('users/show', {
-			username,
-		});
-		assert.strictEqual(usersShowResponse.status, 200);
-		assert.strictEqual((usersShowResponse.body as unknown as { twoFactorEnabled: boolean }).twoFactorEnabled, true);
+		const iResponse = await api('i', {}, alice);
+		assert.strictEqual(iResponse.status, 200);
+		assert.strictEqual(iResponse.body.twoFactorEnabled, true);
 
 		const unregisterResponse = await api('i/2fa/unregister', {
 			token: otpToken(registerResponse.body.secret),
diff --git a/packages/backend/test/e2e/users.ts b/packages/backend/test/e2e/users.ts
index 8ebe9af792..822ca14ae6 100644
--- a/packages/backend/test/e2e/users.ts
+++ b/packages/backend/test/e2e/users.ts
@@ -83,9 +83,6 @@ describe('ユーザー', () => {
 			publicReactions: user.publicReactions,
 			followingVisibility: user.followingVisibility,
 			followersVisibility: user.followersVisibility,
-			twoFactorEnabled: user.twoFactorEnabled,
-			usePasswordLessLogin: user.usePasswordLessLogin,
-			securityKeys: user.securityKeys,
 			roles: user.roles,
 			memo: user.memo,
 		});
@@ -149,6 +146,9 @@ describe('ユーザー', () => {
 			achievements: user.achievements,
 			loggedInDays: user.loggedInDays,
 			policies: user.policies,
+			twoFactorEnabled: user.twoFactorEnabled,
+			usePasswordLessLogin: user.usePasswordLessLogin,
+			securityKeys: user.securityKeys,
 			...(security ? {
 				email: user.email,
 				emailVerified: user.emailVerified,
@@ -343,9 +343,6 @@ describe('ユーザー', () => {
 		assert.strictEqual(response.publicReactions, true);
 		assert.strictEqual(response.followingVisibility, 'public');
 		assert.strictEqual(response.followersVisibility, 'public');
-		assert.strictEqual(response.twoFactorEnabled, false);
-		assert.strictEqual(response.usePasswordLessLogin, false);
-		assert.strictEqual(response.securityKeys, false);
 		assert.deepStrictEqual(response.roles, []);
 		assert.strictEqual(response.memo, null);
 
@@ -385,6 +382,9 @@ describe('ユーザー', () => {
 		assert.deepStrictEqual(response.achievements, []);
 		assert.deepStrictEqual(response.loggedInDays, 0);
 		assert.deepStrictEqual(response.policies, DEFAULT_POLICIES);
+		assert.strictEqual(response.twoFactorEnabled, false);
+		assert.strictEqual(response.usePasswordLessLogin, false);
+		assert.strictEqual(response.securityKeys, false);
 		assert.notStrictEqual(response.email, undefined);
 		assert.strictEqual(response.emailVerified, false);
 		assert.deepStrictEqual(response.securityKeysList, []);
@@ -618,6 +618,9 @@ describe('ユーザー', () => {
 		{ label: 'Moderatorになっている', user: () => userModerator, me: () => userModerator, selector: (user: misskey.entities.MeDetailed) => user.isModerator },
 		// @ts-expect-error UserDetailedNotMe doesn't include isModerator
 		{ label: '自分以外から見たときはModeratorか判定できない', user: () => userModerator, selector: (user: misskey.entities.UserDetailedNotMe) => user.isModerator, expected: () => undefined },
+		{ label: '自分から見た場合に二要素認証関連のプロパティがセットされている', user: () => alice, me: () => alice, selector: (user: misskey.entities.MeDetailed) => user.twoFactorEnabled, expected: () => false },
+		{ label: '自分以外から見た場合に二要素認証関連のプロパティがセットされていない', user: () => alice, me: () => bob, selector: (user: misskey.entities.UserDetailedNotMe) => user.twoFactorEnabled, expected: () => undefined },
+		{ label: 'モデレーターから見た場合に二要素認証関連のプロパティがセットされている', user: () => alice, me: () => userModerator, selector: (user: misskey.entities.UserDetailedNotMe) => user.twoFactorEnabled, expected: () => false },
 		{ label: 'サイレンスになっている', user: () => userSilenced, selector: (user: misskey.entities.UserDetailed) => user.isSilenced },
 		// FIXME: 落ちる
 		//{ label: 'サスペンドになっている', user: () => userSuspended, selector: (user: misskey.entities.UserDetailed) => user.isSuspended },
diff --git a/packages/frontend/src/components/MkSignin.input.vue b/packages/frontend/src/components/MkSignin.input.vue
new file mode 100644
index 0000000000..6336b78c80
--- /dev/null
+++ b/packages/frontend/src/components/MkSignin.input.vue
@@ -0,0 +1,206 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<div :class="$style.wrapper" data-cy-signin-page-input>
+	<div :class="$style.root">
+		<div :class="$style.avatar">
+			<i class="ti ti-user"></i>
+		</div>
+
+		<!-- ログイン画面メッセージ -->
+		<MkInfo v-if="message">
+			{{ message }}
+		</MkInfo>
+
+		<!-- 外部サーバーへの転送 -->
+		<div v-if="openOnRemote" class="_gaps_m">
+			<div class="_gaps_s">
+				<MkButton type="button" rounded primary style="margin: 0 auto;" @click="openRemote(openOnRemote)">
+					{{ i18n.ts.continueOnRemote }} <i class="ti ti-external-link"></i>
+				</MkButton>
+				<button type="button" class="_button" :class="$style.instanceManualSelectButton" @click="specifyHostAndOpenRemote(openOnRemote)">
+					{{ i18n.ts.specifyServerHost }}
+				</button>
+			</div>
+			<div :class="$style.orHr">
+				<p :class="$style.orMsg">{{ i18n.ts.or }}</p>
+			</div>
+		</div>
+
+		<!-- username入力 -->
+		<form class="_gaps_s" @submit.prevent="emit('usernameSubmitted', username)">
+			<MkInput v-model="username" :placeholder="i18n.ts.username" type="text" pattern="^[a-zA-Z0-9_]+$" :spellcheck="false" autocomplete="username webauthn" autofocus required data-cy-signin-username>
+				<template #prefix>@</template>
+				<template #suffix>@{{ host }}</template>
+			</MkInput>
+			<MkButton type="submit" large primary rounded style="margin: 0 auto;" data-cy-signin-page-input-continue>{{ i18n.ts.continue }} <i class="ti ti-arrow-right"></i></MkButton>
+		</form>
+
+		<!-- パスワードレスログイン -->
+		<div :class="$style.orHr">
+			<p :class="$style.orMsg">{{ i18n.ts.or }}</p>
+		</div>
+		<div>
+			<MkButton type="submit" style="margin: auto auto;" large rounded primary gradate @click="emit('passkeyClick', $event)">
+				<i class="ti ti-device-usb" style="font-size: medium;"></i>{{ i18n.ts.signinWithPasskey }}
+			</MkButton>
+		</div>
+	</div>
+</div>
+</template>
+
+<script setup lang="ts">
+import { ref } from 'vue';
+import { toUnicode } from 'punycode/';
+
+import { query, extractDomain } from '@@/js/url.js';
+import { host as configHost } from '@@/js/config.js';
+import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
+import { i18n } from '@/i18n.js';
+import * as os from '@/os.js';
+
+import MkButton from '@/components/MkButton.vue';
+import MkInput from '@/components/MkInput.vue';
+import MkInfo from '@/components/MkInfo.vue';
+
+const props = withDefaults(defineProps<{
+	message?: string,
+	openOnRemote?: OpenOnRemoteOptions,
+}>(), {
+	message: '',
+	openOnRemote: undefined,
+});
+
+const emit = defineEmits<{
+	(ev: 'usernameSubmitted', v: string): void;
+	(ev: 'passkeyClick', v: MouseEvent): void;
+}>();
+
+const host = toUnicode(configHost);
+
+const username = ref('');
+
+//#region Open on remote
+function openRemote(options: OpenOnRemoteOptions, targetHost?: string): void {
+	switch (options.type) {
+		case 'web':
+		case 'lookup': {
+			let _path: string;
+
+			if (options.type === 'lookup') {
+				// TODO: v2024.7.0以降が浸透してきたら正式なURLに変更する▼
+				// _path = `/lookup?uri=${encodeURIComponent(_path)}`;
+				_path = `/authorize-follow?acct=${encodeURIComponent(options.url)}`;
+			} else {
+				_path = options.path;
+			}
+
+			if (targetHost) {
+				window.open(`https://${targetHost}${_path}`, '_blank', 'noopener');
+			} else {
+				window.open(`https://misskey-hub.net/mi-web/?path=${encodeURIComponent(_path)}`, '_blank', 'noopener');
+			}
+			break;
+		}
+		case 'share': {
+			const params = query(options.params);
+			if (targetHost) {
+				window.open(`https://${targetHost}/share?${params}`, '_blank', 'noopener');
+			} else {
+				window.open(`https://misskey-hub.net/share/?${params}`, '_blank', 'noopener');
+			}
+			break;
+		}
+	}
+}
+
+async function specifyHostAndOpenRemote(options: OpenOnRemoteOptions): Promise<void> {
+	const { canceled, result: hostTemp } = await os.inputText({
+		title: i18n.ts.inputHostName,
+		placeholder: 'misskey.example.com',
+	});
+
+	if (canceled) return;
+
+	let targetHost: string | null = hostTemp;
+
+	// ドメイン部分だけを取り出す
+	targetHost = extractDomain(targetHost ?? '');
+	if (targetHost == null) {
+		os.alert({
+			type: 'error',
+			title: i18n.ts.invalidValue,
+			text: i18n.ts.tryAgain,
+		});
+		return;
+	}
+	openRemote(options, targetHost);
+}
+//#endregion
+</script>
+
+<style lang="scss" module>
+.root {
+	display: flex;
+	flex-direction: column;
+	gap: 20px;
+}
+
+.wrapper {
+	display: flex;
+	align-items: center;
+	width: 100%;
+	min-height: 336px;
+
+	> .root {
+		width: 100%;
+	}
+}
+
+.avatar {
+	margin: 0 auto;
+	background-color: color-mix(in srgb, var(--fg), transparent 85%);
+	color: color-mix(in srgb, var(--fg), transparent 25%);
+	text-align: center;
+	height: 64px;
+	width: 64px;
+	font-size: 24px;
+	line-height: 64px;
+	border-radius: 50%;
+}
+
+.instanceManualSelectButton {
+	display: block;
+	text-align: center;
+	opacity: .7;
+	font-size: .8em;
+
+	&:hover {
+		text-decoration: underline;
+	}
+}
+
+.orHr {
+	position: relative;
+	margin: .4em auto;
+	width: 100%;
+	height: 1px;
+	background: var(--divider);
+}
+
+.orMsg {
+	position: absolute;
+	top: -.6em;
+	display: inline-block;
+	padding: 0 1em;
+	background: var(--panel);
+	font-size: 0.8em;
+	color: var(--fgOnPanel);
+	margin: 0;
+	left: 50%;
+	transform: translateX(-50%);
+}
+</style>
diff --git a/packages/frontend/src/components/MkSignin.passkey.vue b/packages/frontend/src/components/MkSignin.passkey.vue
new file mode 100644
index 0000000000..0d68955fab
--- /dev/null
+++ b/packages/frontend/src/components/MkSignin.passkey.vue
@@ -0,0 +1,92 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<div :class="$style.wrapper">
+	<div class="_gaps" :class="$style.root">
+		<div class="_gaps_s">
+			<div :class="$style.passkeyIcon">
+				<i class="ti ti-fingerprint"></i>
+			</div>
+			<div :class="$style.passkeyDescription">{{ i18n.ts.useSecurityKey }}</div>
+		</div>
+
+		<MkButton large primary rounded :disabled="queryingKey" style="margin: 0 auto;" @click="queryKey">{{ i18n.ts.retry }}</MkButton>
+
+		<MkButton v-if="isPerformingPasswordlessLogin !== true" transparent rounded :disabled="queryingKey" style="margin: 0 auto;" @click="emit('useTotp')">{{ i18n.ts.useTotp }}</MkButton>
+	</div>
+</div>
+</template>
+
+<script setup lang="ts">
+import { ref, onMounted } from 'vue';
+import { get as webAuthnRequest } from '@github/webauthn-json/browser-ponyfill';
+
+import { i18n } from '@/i18n.js';
+
+import MkButton from '@/components/MkButton.vue';
+
+import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/browser-ponyfill';
+
+const props = defineProps<{
+	credentialRequest: CredentialRequestOptions;
+	isPerformingPasswordlessLogin?: boolean;
+}>();
+
+const emit = defineEmits<{
+	(ev: 'done', credential: AuthenticationPublicKeyCredential): void;
+	(ev: 'useTotp'): void;
+}>();
+
+const queryingKey = ref(true);
+
+async function queryKey() {
+	queryingKey.value = true;
+	await webAuthnRequest(props.credentialRequest)
+		.catch(() => {
+			return Promise.reject(null);
+		})
+		.then((credential) => {
+			emit('done', credential);
+		})
+		.finally(() => {
+			queryingKey.value = false;
+		});
+}
+
+onMounted(() => {
+	queryKey();
+});
+</script>
+
+<style lang="scss" module>
+.wrapper {
+	display: flex;
+	align-items: center;
+	width: 100%;
+	min-height: 336px;
+
+	> .root {
+		width: 100%;
+	}
+}
+
+.passkeyIcon {
+	margin: 0 auto;
+	background-color: var(--accentedBg);
+	color: var(--accent);
+	text-align: center;
+	height: 64px;
+	width: 64px;
+	font-size: 24px;
+	line-height: 64px;
+	border-radius: 50%;
+}
+
+.passkeyDescription {
+	text-align: center;
+	font-size: 1.1em;
+}
+</style>
diff --git a/packages/frontend/src/components/MkSignin.password.vue b/packages/frontend/src/components/MkSignin.password.vue
new file mode 100644
index 0000000000..2d79e2aeb1
--- /dev/null
+++ b/packages/frontend/src/components/MkSignin.password.vue
@@ -0,0 +1,181 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<div :class="$style.wrapper" data-cy-signin-page-password>
+	<div class="_gaps" :class="$style.root">
+		<div :class="$style.avatar" :style="{ backgroundImage: user ? `url('${user.avatarUrl}')` : undefined }"></div>
+		<div :class="$style.welcomeBackMessage">
+			<I18n :src="i18n.ts.welcomeBackWithName" tag="span">
+				<template #name><Mfm :text="user.name ?? user.username" :plain="true"/></template>
+			</I18n>
+		</div>
+
+		<!-- password入力 -->
+		<form class="_gaps_s" @submit.prevent="onSubmit">
+			<!-- ブラウザ オートコンプリート用 -->
+			<input type="hidden" name="username" autocomplete="username" :value="user.username">
+
+			<MkInput v-model="password" :placeholder="i18n.ts.password" type="password" autocomplete="current-password webauthn" :withPasswordToggle="true" required autofocus data-cy-signin-password>
+				<template #prefix><i class="ti ti-lock"></i></template>
+				<template #caption><button class="_textButton" type="button" @click="resetPassword">{{ i18n.ts.forgotPassword }}</button></template>
+			</MkInput>
+
+			<div v-if="needCaptcha">
+				<MkCaptcha v-if="instance.enableHcaptcha" ref="hcaptcha" v-model="hCaptchaResponse" :class="$style.captcha" provider="hcaptcha" :sitekey="instance.hcaptchaSiteKey"/>
+				<MkCaptcha v-if="instance.enableMcaptcha" ref="mcaptcha" v-model="mCaptchaResponse" :class="$style.captcha" provider="mcaptcha" :sitekey="instance.mcaptchaSiteKey" :instanceUrl="instance.mcaptchaInstanceUrl"/>
+				<MkCaptcha v-if="instance.enableRecaptcha" ref="recaptcha" v-model="reCaptchaResponse" :class="$style.captcha" provider="recaptcha" :sitekey="instance.recaptchaSiteKey"/>
+				<MkCaptcha v-if="instance.enableTurnstile" ref="turnstile" v-model="turnstileResponse" :class="$style.captcha" provider="turnstile" :sitekey="instance.turnstileSiteKey"/>
+			</div>
+
+			<MkButton type="submit" :disabled="needCaptcha && captchaFailed" large primary rounded style="margin: 0 auto;" data-cy-signin-page-password-continue>{{ i18n.ts.continue }} <i class="ti ti-arrow-right"></i></MkButton>
+		</form>
+	</div>
+</div>
+</template>
+
+<script lang="ts">
+export type PwResponse = {
+	password: string;
+	captcha: {
+		hCaptchaResponse: string | null;
+		mCaptchaResponse: string | null;
+		reCaptchaResponse: string | null;
+		turnstileResponse: string | null;
+	};
+};
+</script>
+
+<script setup lang="ts">
+import { ref, computed, useTemplateRef, defineAsyncComponent } from 'vue';
+import * as Misskey from 'misskey-js';
+
+import { instance } from '@/instance.js';
+import { i18n } from '@/i18n.js';
+import * as os from '@/os.js';
+
+import MkButton from '@/components/MkButton.vue';
+import MkInput from '@/components/MkInput.vue';
+import MkCaptcha from '@/components/MkCaptcha.vue';
+
+const props = defineProps<{
+	user: Misskey.entities.UserDetailed;
+	needCaptcha: boolean;
+}>();
+
+const emit = defineEmits<{
+	(ev: 'passwordSubmitted', v: PwResponse): void;
+}>();
+
+const password = ref('');
+
+const hCaptcha = useTemplateRef('hcaptcha');
+const mCaptcha = useTemplateRef('mcaptcha');
+const reCaptcha = useTemplateRef('recaptcha');
+const turnstile = useTemplateRef('turnstile');
+
+const hCaptchaResponse = ref<string | null>(null);
+const mCaptchaResponse = ref<string | null>(null);
+const reCaptchaResponse = ref<string | null>(null);
+const turnstileResponse = ref<string | null>(null);
+
+const captchaFailed = computed((): boolean => {
+	return (
+		(instance.enableHcaptcha && !hCaptchaResponse.value) ||
+		(instance.enableMcaptcha && !mCaptchaResponse.value) ||
+		(instance.enableRecaptcha && !reCaptchaResponse.value) ||
+		(instance.enableTurnstile && !turnstileResponse.value)
+	);
+});
+
+function resetPassword(): void {
+	const { dispose } = os.popup(defineAsyncComponent(() => import('@/components/MkForgotPassword.vue')), {}, {
+		closed: () => dispose(),
+	});
+}
+
+function onSubmit() {
+	emit('passwordSubmitted', {
+		password: password.value,
+		captcha: {
+			hCaptchaResponse: hCaptchaResponse.value,
+			mCaptchaResponse: mCaptchaResponse.value,
+			reCaptchaResponse: reCaptchaResponse.value,
+			turnstileResponse: turnstileResponse.value,
+		},
+	});
+}
+
+function resetCaptcha() {
+	hCaptcha.value?.reset();
+	mCaptcha.value?.reset();
+	reCaptcha.value?.reset();
+	turnstile.value?.reset();
+}
+
+defineExpose({
+	resetCaptcha,
+});
+</script>
+
+<style lang="scss" module>
+.wrapper {
+	display: flex;
+	align-items: center;
+	width: 100%;
+	min-height: 336px;
+
+	> .root {
+		width: 100%;
+	}
+}
+
+.avatar {
+	margin: 0 auto 0 auto;
+	width: 64px;
+	height: 64px;
+	background: #ddd;
+	background-position: center;
+	background-size: cover;
+	border-radius: 100%;
+}
+
+.welcomeBackMessage {
+	text-align: center;
+	font-size: 1.1em;
+}
+
+.instanceManualSelectButton {
+	display: block;
+	text-align: center;
+	opacity: .7;
+	font-size: .8em;
+
+	&:hover {
+		text-decoration: underline;
+	}
+}
+
+.orHr {
+	position: relative;
+	margin: .4em auto;
+	width: 100%;
+	height: 1px;
+	background: var(--divider);
+}
+
+.orMsg {
+	position: absolute;
+	top: -.6em;
+	display: inline-block;
+	padding: 0 1em;
+	background: var(--panel);
+	font-size: 0.8em;
+	color: var(--fgOnPanel);
+	margin: 0;
+	left: 50%;
+	transform: translateX(-50%);
+}
+</style>
diff --git a/packages/frontend/src/components/MkSignin.totp.vue b/packages/frontend/src/components/MkSignin.totp.vue
new file mode 100644
index 0000000000..880c08315e
--- /dev/null
+++ b/packages/frontend/src/components/MkSignin.totp.vue
@@ -0,0 +1,74 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<div :class="$style.wrapper">
+	<div class="_gaps" :class="$style.root">
+		<div class="_gaps_s">
+			<div :class="$style.totpIcon">
+				<i class="ti ti-key"></i>
+			</div>
+			<div :class="$style.totpDescription">{{ i18n.ts['2fa'] }}</div>
+		</div>
+
+		<!-- totp入力 -->
+		<form class="_gaps_s" @submit.prevent="emit('totpSubmitted', token)">
+			<MkInput v-model="token" type="text" :pattern="isBackupCode ? '^[A-Z0-9]{32}$' :'^[0-9]{6}$'" autocomplete="one-time-code" required autofocus :spellcheck="false" :inputmode="isBackupCode ? undefined : 'numeric'">
+				<template #label>{{ i18n.ts.token }} ({{ i18n.ts['2fa'] }})</template>
+				<template #prefix><i v-if="isBackupCode" class="ti ti-key"></i><i v-else class="ti ti-123"></i></template>
+				<template #caption><button class="_textButton" type="button" @click="isBackupCode = !isBackupCode">{{ isBackupCode ? i18n.ts.useTotp : i18n.ts.useBackupCode }}</button></template>
+			</MkInput>
+
+			<MkButton type="submit" large primary rounded style="margin: 0 auto;">{{ i18n.ts.continue }} <i class="ti ti-arrow-right"></i></MkButton>
+		</form>
+	</div>
+</div>
+</template>
+
+<script setup lang="ts">
+import { ref } from 'vue';
+
+import { i18n } from '@/i18n.js';
+
+import MkButton from '@/components/MkButton.vue';
+import MkInput from '@/components/MkInput.vue';
+
+const emit = defineEmits<{
+	(ev: 'totpSubmitted', token: string): void;
+}>();
+
+const token = ref('');
+const isBackupCode = ref(false);
+</script>
+
+<style lang="scss" module>
+.wrapper {
+	display: flex;
+	align-items: center;
+	width: 100%;
+	min-height: 336px;
+
+	> .root {
+		width: 100%;
+	}
+}
+
+.totpIcon {
+	margin: 0 auto;
+	background-color: var(--accentedBg);
+	color: var(--accent);
+	text-align: center;
+	height: 64px;
+	width: 64px;
+	font-size: 24px;
+	line-height: 64px;
+	border-radius: 50%;
+}
+
+.totpDescription {
+	text-align: center;
+	font-size: 1.1em;
+}
+</style>
diff --git a/packages/frontend/src/components/MkSignin.vue b/packages/frontend/src/components/MkSignin.vue
index abbff8e1f2..81a98cae0e 100644
--- a/packages/frontend/src/components/MkSignin.vue
+++ b/packages/frontend/src/components/MkSignin.vue
@@ -4,438 +4,402 @@ SPDX-License-Identifier: AGPL-3.0-only
 -->
 
 <template>
-<form :class="{ signing, totpLogin }" @submit.prevent="onSubmit">
-	<div class="_gaps_m">
-		<div v-show="withAvatar" :class="$style.avatar" :style="{ backgroundImage: user ? `url('${user.avatarUrl}')` : undefined, marginBottom: message ? '1.5em' : undefined }"></div>
-		<MkInfo v-if="message">
-			{{ message }}
-		</MkInfo>
-		<div v-if="openOnRemote" class="_gaps_m">
-			<div class="_gaps_s">
-				<MkButton type="button" rounded primary style="margin: 0 auto;" @click="openRemote(openOnRemote)">
-					{{ i18n.ts.continueOnRemote }} <i class="ti ti-external-link"></i>
-				</MkButton>
-				<button type="button" class="_button" :class="$style.instanceManualSelectButton" @click="specifyHostAndOpenRemote(openOnRemote)">
-					{{ i18n.ts.specifyServerHost }}
-				</button>
-			</div>
-			<div :class="$style.orHr">
-				<p :class="$style.orMsg">{{ i18n.ts.or }}</p>
-			</div>
-		</div>
-		<div v-if="!totpLogin" class="normal-signin _gaps_m">
-			<MkInput v-model="username" :placeholder="i18n.ts.username" type="text" pattern="^[a-zA-Z0-9_]+$" :spellcheck="false" autocomplete="username webauthn" autofocus required data-cy-signin-username @update:modelValue="onUsernameChange">
-				<template #prefix>@</template>
-				<template #suffix>@{{ host }}</template>
-			</MkInput>
-			<MkInput v-model="password" :placeholder="i18n.ts.password" type="password" autocomplete="current-password webauthn" :withPasswordToggle="true" required data-cy-signin-password>
-				<template #prefix><i class="ti ti-lock"></i></template>
-				<template #caption><button class="_textButton" type="button" @click="resetPassword">{{ i18n.ts.forgotPassword }}</button></template>
-			</MkInput>
-			<MkCaptcha v-if="instance.enableHcaptcha" ref="hcaptcha" v-model="hCaptchaResponse" :class="$style.captcha" provider="hcaptcha" :sitekey="instance.hcaptchaSiteKey"/>
-			<MkCaptcha v-if="instance.enableMcaptcha" ref="mcaptcha" v-model="mCaptchaResponse" :class="$style.captcha" provider="mcaptcha" :sitekey="instance.mcaptchaSiteKey" :instanceUrl="instance.mcaptchaInstanceUrl"/>
-			<MkCaptcha v-if="instance.enableRecaptcha" ref="recaptcha" v-model="reCaptchaResponse" :class="$style.captcha" provider="recaptcha" :sitekey="instance.recaptchaSiteKey"/>
-			<MkCaptcha v-if="instance.enableTurnstile" ref="turnstile" v-model="turnstileResponse" :class="$style.captcha" provider="turnstile" :sitekey="instance.turnstileSiteKey"/>
-			<MkButton type="submit" large primary rounded :disabled="captchaFailed || signing" style="margin: 0 auto;">{{ signing ? i18n.ts.loggingIn : i18n.ts.login }}</MkButton>
-		</div>
-		<div v-if="totpLogin" class="2fa-signin" :class="{ securityKeys: user && user.securityKeys }">
-			<div v-if="user && user.securityKeys" class="twofa-group tap-group">
-				<p>{{ i18n.ts.useSecurityKey }}</p>
-				<MkButton v-if="!queryingKey" @click="query2FaKey">
-					{{ i18n.ts.retry }}
-				</MkButton>
-			</div>
-			<div v-if="user && user.securityKeys" :class="$style.orHr">
-				<p :class="$style.orMsg">{{ i18n.ts.or }}</p>
-			</div>
-			<div class="twofa-group totp-group _gaps">
-				<MkInput v-model="token" type="text" :pattern="isBackupCode ? '^[A-Z0-9]{32}$' :'^[0-9]{6}$'" autocomplete="one-time-code" required :spellcheck="false" :inputmode="isBackupCode ? undefined : 'numeric'">
-					<template #label>{{ i18n.ts.token }} ({{ i18n.ts['2fa'] }})</template>
-					<template #prefix><i v-if="isBackupCode" class="ti ti-key"></i><i v-else class="ti ti-123"></i></template>
-					<template #caption><button class="_textButton" type="button" @click="isBackupCode = !isBackupCode">{{ isBackupCode ? i18n.ts.useTotp : i18n.ts.useBackupCode }}</button></template>
-				</MkInput>
-				<MkButton type="submit" :disabled="signing" large primary rounded style="margin: 0 auto;">{{ signing ? i18n.ts.loggingIn : i18n.ts.login }}</MkButton>
-			</div>
-		</div>
-		<div v-if="!totpLogin && usePasswordLessLogin" :class="$style.orHr">
-			<p :class="$style.orMsg">{{ i18n.ts.or }}</p>
-		</div>
-		<div v-if="!totpLogin && usePasswordLessLogin" class="twofa-group tap-group">
-			<MkButton v-if="!queryingKey" type="submit" :disabled="signing" style="margin: auto auto;" rounded large primary @click="onPasskeyLogin">
-				<i class="ti ti-device-usb" style="font-size: medium;"></i>
-				{{ signing ? i18n.ts.loggingIn : i18n.ts.signinWithPasskey }}
-			</MkButton>
-			<p v-if="queryingKey">{{ i18n.ts.useSecurityKey }}</p>
-		</div>
+<div :class="$style.signinRoot">
+	<Transition
+		mode="out-in"
+		:enterActiveClass="$style.transition_enterActive"
+		:leaveActiveClass="$style.transition_leaveActive"
+		:enterFromClass="$style.transition_enterFrom"
+		:leaveToClass="$style.transition_leaveTo"
+
+		:inert="waiting"
+	>
+		<!-- 1. 外部サーバーへの転送・username入力・パスキー -->
+		<XInput
+			v-if="page === 'input'"
+			key="input"
+			:message="message"
+			:openOnRemote="openOnRemote"
+
+			@usernameSubmitted="onUsernameSubmitted"
+			@passkeyClick="onPasskeyLogin"
+		/>
+
+		<!-- 2. パスワード入力 -->
+		<XPassword
+			v-else-if="page === 'password'"
+			key="password"
+			ref="passwordPageEl"
+
+			:user="userInfo!"
+			:needCaptcha="needCaptcha"
+
+			@passwordSubmitted="onPasswordSubmitted"
+		/>
+
+		<!-- 3. ワンタイムパスワード -->
+		<XTotp
+			v-else-if="page === 'totp'"
+			key="totp"
+
+			@totpSubmitted="onTotpSubmitted"
+		/>
+
+		<!-- 4. パスキー -->
+		<XPasskey
+			v-else-if="page === 'passkey'"
+			key="passkey"
+
+			:credentialRequest="credentialRequest!"
+			:isPerformingPasswordlessLogin="doingPasskeyFromInputPage"
+
+			@done="onPasskeyDone"
+			@useTotp="onUseTotp"
+		/>
+	</Transition>
+	<div v-if="waiting" :class="$style.waitingRoot">
+		<MkLoading/>
 	</div>
-</form>
+</div>
 </template>
 
-<script lang="ts" setup>
-import { computed, defineAsyncComponent, ref } from 'vue';
-import { toUnicode } from 'punycode/';
+<script setup lang="ts">
+import { nextTick, onBeforeUnmount, ref, shallowRef, useTemplateRef } from 'vue';
 import * as Misskey from 'misskey-js';
-import { supported as webAuthnSupported, get as webAuthnRequest, parseRequestOptionsFromJSON } from '@github/webauthn-json/browser-ponyfill';
-import { query, extractDomain } from '@@/js/url.js';
-import { host as configHost } from '@@/js/config.js';
-import MkDivider from './MkDivider.vue';
-import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
-import { showSuspendedDialog } from '@/scripts/show-suspended-dialog.js';
-import MkButton from '@/components/MkButton.vue';
-import MkInput from '@/components/MkInput.vue';
-import MkInfo from '@/components/MkInfo.vue';
-import * as os from '@/os.js';
+import { supported as webAuthnSupported, parseRequestOptionsFromJSON } from '@github/webauthn-json/browser-ponyfill';
+
 import { misskeyApi } from '@/scripts/misskey-api.js';
+import { showSuspendedDialog } from '@/scripts/show-suspended-dialog.js';
 import { login } from '@/account.js';
 import { i18n } from '@/i18n.js';
-import { instance } from '@/instance.js';
-import MkCaptcha, { type Captcha } from '@/components/MkCaptcha.vue';
+import * as os from '@/os.js';
 
-const signing = ref(false);
-const user = ref<Misskey.entities.UserDetailed | null>(null);
-const usePasswordLessLogin = ref<Misskey.entities.UserDetailed['usePasswordLessLogin']>(true);
-const username = ref('');
-const password = ref('');
-const token = ref('');
-const host = ref(toUnicode(configHost));
-const totpLogin = ref(false);
-const isBackupCode = ref(false);
-const queryingKey = ref(false);
-let credentialRequest: CredentialRequestOptions | null = null;
-const passkey_context = ref('');
-const hcaptcha = ref<Captcha | undefined>();
-const mcaptcha = ref<Captcha | undefined>();
-const recaptcha = ref<Captcha | undefined>();
-const turnstile = ref<Captcha | undefined>();
-const hCaptchaResponse = ref<string | null>(null);
-const mCaptchaResponse = ref<string | null>(null);
-const reCaptchaResponse = ref<string | null>(null);
-const turnstileResponse = ref<string | null>(null);
-
-const captchaFailed = computed((): boolean => {
-	return (
-		instance.enableHcaptcha && !hCaptchaResponse.value ||
-		instance.enableMcaptcha && !mCaptchaResponse.value ||
-		instance.enableRecaptcha && !reCaptchaResponse.value ||
-		instance.enableTurnstile && !turnstileResponse.value);
-});
+import XInput from '@/components/MkSignin.input.vue';
+import XPassword, { type PwResponse } from '@/components/MkSignin.password.vue';
+import XTotp from '@/components/MkSignin.totp.vue';
+import XPasskey from '@/components/MkSignin.passkey.vue';
+
+import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/browser-ponyfill';
+import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
 
 const emit = defineEmits<{
-	(ev: 'login', v: any): void;
+	(ev: 'login', v: Misskey.entities.SigninResponse): void;
 }>();
 
 const props = withDefaults(defineProps<{
-	withAvatar?: boolean;
 	autoSet?: boolean;
 	message?: string,
 	openOnRemote?: OpenOnRemoteOptions,
 }>(), {
-	withAvatar: true,
 	autoSet: false,
 	message: '',
 	openOnRemote: undefined,
 });
 
-function onUsernameChange(): void {
-	misskeyApi('users/show', {
-		username: username.value,
-	}).then(userResponse => {
-		user.value = userResponse;
-		usePasswordLessLogin.value = userResponse.usePasswordLessLogin;
-	}, () => {
-		user.value = null;
-		usePasswordLessLogin.value = true;
-	});
-}
+const page = ref<'input' | 'password' | 'totp' | 'passkey'>('input');
+const waiting = ref(false);
 
-function onLogin(res: any): Promise<void> | void {
-	if (props.autoSet) {
-		return login(res.i);
-	}
-}
+const passwordPageEl = useTemplateRef('passwordPageEl');
+const needCaptcha = ref(false);
 
-async function query2FaKey(): Promise<void> {
-	if (credentialRequest == null) return;
-	queryingKey.value = true;
-	await webAuthnRequest(credentialRequest)
-		.catch(() => {
-			queryingKey.value = false;
-			return Promise.reject(null);
-		}).then(credential => {
-			credentialRequest = null;
-			queryingKey.value = false;
-			signing.value = true;
-			return misskeyApi('signin', {
-				username: username.value,
-				password: password.value,
-				credential: credential.toJSON(),
-			});
-		}).then(res => {
-			emit('login', res);
-			return onLogin(res);
-		}).catch(err => {
-			if (err === null) return;
-			os.alert({
-				type: 'error',
-				text: i18n.ts.signinFailed,
-			});
-			signing.value = false;
-		});
-}
+const userInfo = ref<null | Misskey.entities.UserDetailed>(null);
+const password = ref('');
+
+//#region Passkey Passwordless
+const credentialRequest = shallowRef<CredentialRequestOptions | null>(null);
+const passkeyContext = ref('');
+const doingPasskeyFromInputPage = ref(false);
 
 function onPasskeyLogin(): void {
-	signing.value = true;
 	if (webAuthnSupported()) {
+		doingPasskeyFromInputPage.value = true;
+		waiting.value = true;
 		misskeyApi('signin-with-passkey', {})
-			.then(res => {
-				totpLogin.value = false;
-				signing.value = false;
-				queryingKey.value = true;
-				passkey_context.value = res.context ?? '';
-				credentialRequest = parseRequestOptionsFromJSON({
+			.then((res) => {
+				passkeyContext.value = res.context ?? '';
+				credentialRequest.value = parseRequestOptionsFromJSON({
 					publicKey: res.option,
 				});
+
+				page.value = 'passkey';
+				waiting.value = false;
 			})
-			.then(() => queryPasskey())
-			.catch(loginFailed);
+			.catch(onLoginFailed);
 	}
 }
 
-async function queryPasskey(): Promise<void> {
-	if (credentialRequest == null) return;
-	queryingKey.value = true;
-	console.log('Waiting passkey auth...');
-	await webAuthnRequest(credentialRequest)
-		.catch((err) => {
-			console.warn('Passkey Auth fail!: ', err);
-			queryingKey.value = false;
-			return Promise.reject(null);
-		}).then(credential => {
-			credentialRequest = null;
-			queryingKey.value = false;
-			signing.value = true;
-			return misskeyApi('signin-with-passkey', {
-				credential: credential.toJSON(),
-				context: passkey_context.value,
-			});
-		}).then(res => {
+function onPasskeyDone(credential: AuthenticationPublicKeyCredential): void {
+	waiting.value = true;
+
+	if (doingPasskeyFromInputPage.value) {
+		misskeyApi('signin-with-passkey', {
+			credential: credential.toJSON(),
+			context: passkeyContext.value,
+		}).then((res) => {
+			if (res.signinResponse == null) {
+				onLoginFailed();
+				return;
+			}
 			emit('login', res.signinResponse);
-			return onLogin(res.signinResponse);
+		}).catch(onLoginFailed);
+	} else if (userInfo.value != null) {
+		tryLogin({
+			username: userInfo.value.username,
+			password: password.value,
+			credential: credential.toJSON(),
 		});
+	}
 }
 
-function onSubmit(): void {
-	signing.value = true;
-	if (!totpLogin.value && user.value && user.value.twoFactorEnabled) {
-		if (webAuthnSupported() && user.value.securityKeys) {
-			misskeyApi('signin', {
-				username: username.value,
-				password: password.value,
-			}).then(res => {
-				totpLogin.value = true;
-				signing.value = false;
-				credentialRequest = parseRequestOptionsFromJSON({
-					publicKey: res,
-				});
-			})
-				.then(() => query2FaKey())
-				.catch(loginFailed);
-		} else {
-			totpLogin.value = true;
-			signing.value = false;
-		}
+function onUseTotp(): void {
+	page.value = 'totp';
+}
+//#endregion
+
+async function onUsernameSubmitted(username: string) {
+	waiting.value = true;
+
+	userInfo.value = await misskeyApi('users/show', {
+		username,
+	}).catch(() => null);
+
+	await tryLogin({
+		username,
+	});
+}
+
+async function onPasswordSubmitted(pw: PwResponse) {
+	waiting.value = true;
+	password.value = pw.password;
+
+	if (userInfo.value == null) {
+		await os.alert({
+			type: 'error',
+			title: i18n.ts.noSuchUser,
+			text: i18n.ts.signinFailed,
+		});
+		waiting.value = false;
+		return;
+	} else {
+		await tryLogin({
+			username: userInfo.value.username,
+			password: pw.password,
+			'hcaptcha-response': pw.captcha.hCaptchaResponse,
+			'm-captcha-response': pw.captcha.mCaptchaResponse,
+			'g-recaptcha-response': pw.captcha.reCaptchaResponse,
+			'turnstile-response': pw.captcha.turnstileResponse,
+		});
+	}
+}
+
+async function onTotpSubmitted(token: string) {
+	waiting.value = true;
+
+	if (userInfo.value == null) {
+		await os.alert({
+			type: 'error',
+			title: i18n.ts.noSuchUser,
+			text: i18n.ts.signinFailed,
+		});
+		waiting.value = false;
+		return;
 	} else {
-		misskeyApi('signin', {
-			username: username.value,
+		await tryLogin({
+			username: userInfo.value.username,
 			password: password.value,
-			'hcaptcha-response': hCaptchaResponse.value,
-			'm-captcha-response': mCaptchaResponse.value,
-			'g-recaptcha-response': reCaptchaResponse.value,
-			'turnstile-response': turnstileResponse.value,
-			token: user.value?.twoFactorEnabled ? token.value : undefined,
-		}).then(res => {
-			emit('login', res);
-			onLogin(res);
-		}).catch(loginFailed);
+			token,
+		});
 	}
 }
 
-function loginFailed(err: any): void {
-	hcaptcha.value?.reset?.();
-	mcaptcha.value?.reset?.();
-	recaptcha.value?.reset?.();
-	turnstile.value?.reset?.();
-
-	switch (err.id) {
-		case '6cc579cc-885d-43d8-95c2-b8c7fc963280': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.noSuchUser,
-			});
-			break;
-		}
-		case '932c904e-9460-45b7-9ce6-7ed33be7eb2c': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.incorrectPassword,
-			});
-			break;
-		}
-		case 'e03a5f46-d309-4865-9b69-56282d94e1eb': {
-			showSuspendedDialog();
-			break;
-		}
-		case '22d05606-fbcf-421a-a2db-b32610dcfd1b': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.rateLimitExceeded,
-			});
-			break;
-		}
-		case '36b96a7d-b547-412d-aeed-2d611cdc8cdc': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.unknownWebAuthnKey,
-			});
-			break;
-		}
-		case 'b18c89a7-5b5e-4cec-bb5b-0419f332d430': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.passkeyVerificationFailed,
-			});
-			break;
-		}
-		case '2d84773e-f7b7-4d0b-8f72-bb69b584c912': {
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: i18n.ts.passkeyVerificationSucceededButPasswordlessLoginDisabled,
-			});
-			break;
-		}
-		default: {
-			console.error(err);
-			os.alert({
-				type: 'error',
-				title: i18n.ts.loginFailed,
-				text: JSON.stringify(err),
-			});
-		}
+async function tryLogin(req: Partial<Misskey.entities.SigninRequest>): Promise<Misskey.entities.SigninResponse> {
+	const _req = {
+		username: req.username ?? userInfo.value?.username,
+		...req,
+	};
+
+	function assertIsSigninRequest(x: Partial<Misskey.entities.SigninRequest>): x is Misskey.entities.SigninRequest {
+		return x.username != null;
 	}
 
-	totpLogin.value = false;
-	signing.value = false;
-}
+	if (!assertIsSigninRequest(_req)) {
+		throw new Error('Invalid request');
+	}
 
-function resetPassword(): void {
-	const { dispose } = os.popup(defineAsyncComponent(() => import('@/components/MkForgotPassword.vue')), {}, {
-		closed: () => dispose(),
+	return await misskeyApi('signin', _req).then(async (res) => {
+		emit('login', res);
+		await onLoginSucceeded(res);
+		return res;
+	}).catch((err) => {
+		onLoginFailed(err);
+		return Promise.reject(err);
 	});
 }
 
-function openRemote(options: OpenOnRemoteOptions, targetHost?: string): void {
-	switch (options.type) {
-		case 'web':
-		case 'lookup': {
-			let _path: string;
-
-			if (options.type === 'lookup') {
-				// TODO: v2024.7.0以降が浸透してきたら正式なURLに変更する▼
-				// _path = `/lookup?uri=${encodeURIComponent(_path)}`;
-				_path = `/authorize-follow?acct=${encodeURIComponent(options.url)}`;
-			} else {
-				_path = options.path;
-			}
+async function onLoginSucceeded(res: Misskey.entities.SigninResponse) {
+	if (props.autoSet) {
+		await login(res.i);
+	}
+}
+
+function onLoginFailed(err?: any): void {
+	const id = err?.id ?? null;
 
-			if (targetHost) {
-				window.open(`https://${targetHost}${_path}`, '_blank', 'noopener');
-			} else {
-				window.open(`https://misskey-hub.net/mi-web/?path=${encodeURIComponent(_path)}`, '_blank', 'noopener');
+	if (typeof err === 'object' && 'next' in err) {
+		switch (err.next) {
+			case 'captcha': {
+				page.value = 'password';
+				break;
+			}
+			case 'password': {
+				page.value = 'password';
+				break;
+			}
+			case 'totp': {
+				page.value = 'totp';
+				break;
+			}
+			case 'passkey': {
+				if (webAuthnSupported() && 'authRequest' in err) {
+					credentialRequest.value = parseRequestOptionsFromJSON({
+						publicKey: err.authRequest,
+					});
+					page.value = 'passkey';
+				} else {
+					page.value = 'totp';
+				}
+				break;
 			}
-			break;
 		}
-		case 'share': {
-			const params = query(options.params);
-			if (targetHost) {
-				window.open(`https://${targetHost}/share?${params}`, '_blank', 'noopener');
-			} else {
-				window.open(`https://misskey-hub.net/share/?${params}`, '_blank', 'noopener');
+	} else {
+		switch (id) {
+			case '6cc579cc-885d-43d8-95c2-b8c7fc963280': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.noSuchUser,
+				});
+				break;
+			}
+			case '932c904e-9460-45b7-9ce6-7ed33be7eb2c': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.incorrectPassword,
+				});
+				break;
+			}
+			case 'e03a5f46-d309-4865-9b69-56282d94e1eb': {
+				showSuspendedDialog();
+				break;
+			}
+			case '22d05606-fbcf-421a-a2db-b32610dcfd1b': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.rateLimitExceeded,
+				});
+				break;
+			}
+			case 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.incorrectTotp,
+				});
+				break;
+			}
+			case '36b96a7d-b547-412d-aeed-2d611cdc8cdc': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.unknownWebAuthnKey,
+				});
+				break;
+			}
+			case '93b86c4b-72f9-40eb-9815-798928603d1e': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.passkeyVerificationFailed,
+				});
+				break;
+			}
+			case 'b18c89a7-5b5e-4cec-bb5b-0419f332d430': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.passkeyVerificationFailed,
+				});
+				break;
+			}
+			case '2d84773e-f7b7-4d0b-8f72-bb69b584c912': {
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: i18n.ts.passkeyVerificationSucceededButPasswordlessLoginDisabled,
+				});
+				break;
+			}
+			default: {
+				console.error(err);
+				os.alert({
+					type: 'error',
+					title: i18n.ts.loginFailed,
+					text: JSON.stringify(err),
+				});
 			}
-			break;
 		}
 	}
-}
-
-async function specifyHostAndOpenRemote(options: OpenOnRemoteOptions): Promise<void> {
-	const { canceled, result: hostTemp } = await os.inputText({
-		title: i18n.ts.inputHostName,
-		placeholder: 'misskey.example.com',
-	});
-
-	if (canceled) return;
 
-	let targetHost: string | null = hostTemp;
-
-	// ドメイン部分だけを取り出す
-	targetHost = extractDomain(targetHost);
-	if (targetHost == null) {
-		os.alert({
-			type: 'error',
-			title: i18n.ts.invalidValue,
-			text: i18n.ts.tryAgain,
-		});
-		return;
+	if (doingPasskeyFromInputPage.value === true) {
+		doingPasskeyFromInputPage.value = false;
+		page.value = 'input';
+		password.value = '';
 	}
-	openRemote(options, targetHost);
+	passwordPageEl.value?.resetCaptcha();
+	nextTick(() => {
+		waiting.value = false;
+	});
 }
+
+onBeforeUnmount(() => {
+	password.value = '';
+	userInfo.value = null;
+});
 </script>
 
 <style lang="scss" module>
-.avatar {
-	margin: 0 auto 0 auto;
-	width: 64px;
-	height: 64px;
-	background: #ddd;
-	background-position: center;
-	background-size: cover;
-	border-radius: 100%;
+.transition_enterActive,
+.transition_leaveActive {
+	transition: opacity 0.3s cubic-bezier(0,0,.35,1), transform 0.3s cubic-bezier(0,0,.35,1);
 }
-
-.instanceManualSelectButton {
-	display: block;
-	text-align: center;
-	opacity: .7;
-	font-size: .8em;
-
-	&:hover {
-		text-decoration: underline;
-	}
+.transition_enterFrom {
+	opacity: 0;
+	transform: translateX(50px);
+}
+.transition_leaveTo {
+	opacity: 0;
+	transform: translateX(-50px);
 }
 
-.orHr {
+.signinRoot {
+	overflow-x: hidden;
+	overflow-x: clip;
+
 	position: relative;
-	margin: .4em auto;
-	width: 100%;
-	height: 1px;
-	background: var(--divider);
 }
 
-.orMsg {
+.waitingRoot {
 	position: absolute;
-	top: -.6em;
-	display: inline-block;
-	padding: 0 1em;
-	background: var(--panel);
-	font-size: 0.8em;
-	color: var(--fgOnPanel);
-	margin: 0;
-	left: 50%;
-	transform: translateX(-50%);
+	top: 0;
+	left: 0;
+	width: 100%;
+	height: 100%;
+	background-color: color-mix(in srgb, var(--panel), transparent 50%);
+	display: flex;
+	justify-content: center;
+	align-items: center;
+	z-index: 1;
 }
 </style>
diff --git a/packages/frontend/src/components/MkSigninDialog.vue b/packages/frontend/src/components/MkSigninDialog.vue
index d48780e9de..8351d7d5e0 100644
--- a/packages/frontend/src/components/MkSigninDialog.vue
+++ b/packages/frontend/src/components/MkSigninDialog.vue
@@ -4,26 +4,29 @@ SPDX-License-Identifier: AGPL-3.0-only
 -->
 
 <template>
-<MkModalWindow
-	ref="dialog"
-	:width="400"
-	:height="450"
-	@close="onClose"
+<MkModal
+	ref="modal"
+	:preferType="'dialog'"
+	@click="onClose"
 	@closed="emit('closed')"
 >
-	<template #header>{{ i18n.ts.login }}</template>
-
-	<MkSpacer :marginMin="20" :marginMax="28">
-		<MkSignin :autoSet="autoSet" :message="message" :openOnRemote="openOnRemote" @login="onLogin"/>
-	</MkSpacer>
-</MkModalWindow>
+	<div :class="$style.root">
+		<div :class="$style.header">
+			<div :class="$style.headerText"><i class="ti ti-login-2"></i> {{ i18n.ts.login }}</div>
+			<button :class="$style.closeButton" class="_button" @click="onClose"><i class="ti ti-x"></i></button>
+		</div>
+		<div :class="$style.content">
+			<MkSignin :autoSet="autoSet" :message="message" :openOnRemote="openOnRemote" @login="onLogin"/>
+		</div>
+	</div>
+</MkModal>
 </template>
 
 <script lang="ts" setup>
 import { shallowRef } from 'vue';
 import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
 import MkSignin from '@/components/MkSignin.vue';
-import MkModalWindow from '@/components/MkModalWindow.vue';
+import MkModal from '@/components/MkModal.vue';
 import { i18n } from '@/i18n.js';
 
 withDefaults(defineProps<{
@@ -42,15 +45,62 @@ const emit = defineEmits<{
 	(ev: 'cancelled'): void;
 }>();
 
-const dialog = shallowRef<InstanceType<typeof MkModalWindow>>();
+const modal = shallowRef<InstanceType<typeof MkModal>>();
 
 function onClose() {
 	emit('cancelled');
-	if (dialog.value) dialog.value.close();
+	if (modal.value) modal.value.close();
 }
 
 function onLogin(res) {
 	emit('done', res);
-	if (dialog.value) dialog.value.close();
+	if (modal.value) modal.value.close();
 }
 </script>
+
+<style lang="scss" module>
+.root {
+	overflow: auto;
+	margin: auto;
+	position: relative;
+	width: 100%;
+	max-width: 400px;
+	height: 100%;
+	max-height: 450px;
+	box-sizing: border-box;
+	background: var(--panel);
+	border-radius: var(--radius);
+}
+
+.header {
+	position: sticky;
+	top: 0;
+	left: 0;
+	width: 100%;
+	height: 50px;
+	box-sizing: border-box;
+	display: flex;
+	align-items: center;
+	font-weight: bold;
+	backdrop-filter: var(--blur, blur(15px));
+	background: var(--acrylicBg);
+	z-index: 1;
+}
+
+.headerText {
+	padding: 0 20px;
+	box-sizing: border-box;
+}
+
+.closeButton {
+	margin-left: auto;
+	padding: 16px;
+	font-size: 16px;
+	line-height: 16px;
+}
+
+.content {
+	padding: 32px;
+	box-sizing: border-box;
+}
+</style>
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 5f4792eb74..9ad784c296 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -3040,7 +3040,7 @@ type Signin = components['schemas']['Signin'];
 // @public (undocumented)
 type SigninRequest = {
     username: string;
-    password: string;
+    password?: string;
     token?: string;
     credential?: AuthenticationResponseJSON;
     'hcaptcha-response'?: string | null;
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 32646d28ed..3876a0bfe5 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -3782,16 +3782,13 @@ export type components = {
       followingVisibility: 'public' | 'followers' | 'private';
       /** @enum {string} */
       followersVisibility: 'public' | 'followers' | 'private';
-      /** @default false */
-      twoFactorEnabled: boolean;
-      /** @default false */
-      usePasswordLessLogin: boolean;
-      /** @default false */
-      securityKeys: boolean;
       roles: components['schemas']['RoleLite'][];
       followedMessage?: string | null;
       memo: string | null;
       moderationNote?: string;
+      twoFactorEnabled?: boolean;
+      usePasswordLessLogin?: boolean;
+      securityKeys?: boolean;
       isFollowing?: boolean;
       isFollowed?: boolean;
       hasPendingFollowRequestFromYou?: boolean;
@@ -3972,6 +3969,12 @@ export type components = {
         }[];
       loggedInDays: number;
       policies: components['schemas']['RolePolicies'];
+      /** @default false */
+      twoFactorEnabled: boolean;
+      /** @default false */
+      usePasswordLessLogin: boolean;
+      /** @default false */
+      securityKeys: boolean;
       email?: string | null;
       emailVerified?: boolean | null;
       securityKeysList?: {
diff --git a/packages/misskey-js/src/entities.ts b/packages/misskey-js/src/entities.ts
index 36b7f5bca3..98ac50e5a1 100644
--- a/packages/misskey-js/src/entities.ts
+++ b/packages/misskey-js/src/entities.ts
@@ -269,7 +269,7 @@ export type SignupPendingResponse = {
 
 export type SigninRequest = {
 	username: string;
-	password: string;
+	password?: string;
 	token?: string;
 	credential?: AuthenticationResponseJSON;
 	'hcaptcha-response'?: string | null;
-- 
cgit v1.2.3-freya


From ae3c155490d9b5a574c45309744ba2a0cbe78932 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Sat, 5 Oct 2024 12:03:47 +0900
Subject: fix: signin
 の資格情報が足りないだけの場合はエラーにせず200を返すように (#14700)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: signin の資格情報が足りないだけの場合はエラーにせず200を返すように

* run api extractor

* fix

* fix

* fix test

* /signin -> /signin-flow

* fix

* fix lint

* rename

* fix

* fix
---
 cypress/e2e/basic.cy.ts                            |   2 +-
 cypress/support/commands.ts                        |   2 +-
 .../backend/src/server/api/ApiServerService.ts     |   2 +-
 .../backend/src/server/api/SigninApiService.ts     |  66 ++----
 packages/backend/src/server/api/SigninService.ts   |   6 +-
 packages/backend/test/e2e/2fa.ts                   |  73 +++----
 packages/backend/test/e2e/endpoints.ts             |   8 +-
 packages/frontend/src/components/MkSignin.vue      | 236 +++++++++++----------
 .../src/components/MkSignupDialog.form.vue         |  11 +-
 .../frontend/src/components/MkSignupDialog.vue     |   4 +-
 packages/misskey-js/etc/misskey-js.api.md          |  24 ++-
 packages/misskey-js/src/api.types.ts               |  10 +-
 packages/misskey-js/src/entities.ts                |  22 +-
 13 files changed, 231 insertions(+), 235 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/cypress/e2e/basic.cy.ts b/cypress/e2e/basic.cy.ts
index c9d7e0a24a..d2efbf709c 100644
--- a/cypress/e2e/basic.cy.ts
+++ b/cypress/e2e/basic.cy.ts
@@ -120,7 +120,7 @@ describe('After user signup', () => {
 	it('signin', () => {
 		cy.visitHome();
 
-		cy.intercept('POST', '/api/signin').as('signin');
+		cy.intercept('POST', '/api/signin-flow').as('signin');
 
 		cy.get('[data-cy-signin]').click();
 
diff --git a/cypress/support/commands.ts b/cypress/support/commands.ts
index ed5cda31b0..197ff963ac 100644
--- a/cypress/support/commands.ts
+++ b/cypress/support/commands.ts
@@ -55,7 +55,7 @@ Cypress.Commands.add('registerUser', (username, password, isAdmin = false) => {
 Cypress.Commands.add('login', (username, password) => {
 	cy.visitHome();
 
-	cy.intercept('POST', '/api/signin').as('signin');
+	cy.intercept('POST', '/api/signin-flow').as('signin');
 
 	cy.get('[data-cy-signin]').click();
 	cy.get('[data-cy-signin-page-input]').should('be.visible', { timeout: 1000 });
diff --git a/packages/backend/src/server/api/ApiServerService.ts b/packages/backend/src/server/api/ApiServerService.ts
index 356e145681..6b760c258b 100644
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@@ -133,7 +133,7 @@ export class ApiServerService {
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
 			};
-		}>('/signin', (request, reply) => this.signinApiService.signin(request, reply));
+		}>('/signin-flow', (request, reply) => this.signinApiService.signin(request, reply));
 
 		fastify.post<{
 			Body: {
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 81684beb3c..0d24ffa56a 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -5,8 +5,8 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import bcrypt from 'bcryptjs';
-import * as OTPAuth from 'otpauth';
 import { IsNull } from 'typeorm';
+import * as Misskey from 'misskey-js';
 import { DI } from '@/di-symbols.js';
 import type {
 	MiMeta,
@@ -26,27 +26,9 @@ import { CaptchaService } from '@/core/CaptchaService.js';
 import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { SigninService } from './SigninService.js';
-import type { AuthenticationResponseJSON, PublicKeyCredentialRequestOptionsJSON } from '@simplewebauthn/types';
+import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
 
-/**
- * next を指定すると、次にクライアント側で行うべき処理を指定できる。
- *
- * - `captcha`: パスワードと、（有効になっている場合は）CAPTCHAを求める
- * - `password`: パスワードを求める
- * - `totp`: ワンタイムパスワードを求める
- * - `passkey`: WebAuthn認証を求める（WebAuthnに対応していないブラウザの場合はワンタイムパスワード）
- */
-
-type SigninErrorResponse = {
-	id: string;
-	next?: 'captcha' | 'password' | 'totp';
-} | {
-	id: string;
-	next: 'passkey';
-	authRequest: PublicKeyCredentialRequestOptionsJSON;
-};
-
 @Injectable()
 export class SigninApiService {
 	constructor(
@@ -101,7 +83,7 @@ export class SigninApiService {
 		const password = body['password'];
 		const token = body['token'];
 
-		function error(status: number, error: SigninErrorResponse) {
+		function error(status: number, error: { id: string }) {
 			reply.code(status);
 			return { error };
 		}
@@ -152,21 +134,17 @@ export class SigninApiService {
 		const securityKeysAvailable = await this.userSecurityKeysRepository.countBy({ userId: user.id }).then(result => result >= 1);
 
 		if (password == null) {
-			reply.code(403);
+			reply.code(200);
 			if (profile.twoFactorEnabled) {
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
-						next: 'password',
-					},
-				} satisfies { error: SigninErrorResponse };
+					finished: false,
+					next: 'password',
+				} satisfies Misskey.entities.SigninFlowResponse;
 			} else {
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
-						next: 'captcha',
-					},
-				} satisfies { error: SigninErrorResponse };
+					finished: false,
+					next: 'captcha',
+				} satisfies Misskey.entities.SigninFlowResponse;
 			}
 		}
 
@@ -178,7 +156,7 @@ export class SigninApiService {
 		// Compare password
 		const same = await bcrypt.compare(password, profile.password!);
 
-		const fail = async (status?: number, failure?: SigninErrorResponse) => {
+		const fail = async (status?: number, failure?: { id: string; }) => {
 			// Append signin history
 			await this.signinsRepository.insert({
 				id: this.idService.gen(),
@@ -268,27 +246,23 @@ export class SigninApiService {
 
 			const authRequest = await this.webAuthnService.initiateAuthentication(user.id);
 
-			reply.code(403);
+			reply.code(200);
 			return {
-				error: {
-					id: '06e661b9-8146-4ae3-bde5-47138c0ae0c4',
-					next: 'passkey',
-					authRequest,
-				},
-			} satisfies { error: SigninErrorResponse };
+				finished: false,
+				next: 'passkey',
+				authRequest,
+			} satisfies Misskey.entities.SigninFlowResponse;
 		} else {
 			if (!same || !profile.twoFactorEnabled) {
 				return await fail(403, {
 					id: '932c904e-9460-45b7-9ce6-7ed33be7eb2c',
 				});
 			} else {
-				reply.code(403);
+				reply.code(200);
 				return {
-					error: {
-						id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
-						next: 'totp',
-					},
-				} satisfies { error: SigninErrorResponse };
+					finished: false,
+					next: 'totp',
+				} satisfies Misskey.entities.SigninFlowResponse;
 			}
 		}
 		// never get here
diff --git a/packages/backend/src/server/api/SigninService.ts b/packages/backend/src/server/api/SigninService.ts
index 4b041f373f..640356b50c 100644
--- a/packages/backend/src/server/api/SigninService.ts
+++ b/packages/backend/src/server/api/SigninService.ts
@@ -4,6 +4,7 @@
  */
 
 import { Inject, Injectable } from '@nestjs/common';
+import * as Misskey from 'misskey-js';
 import { DI } from '@/di-symbols.js';
 import type { SigninsRepository, UserProfilesRepository } from '@/models/_.js';
 import { IdService } from '@/core/IdService.js';
@@ -57,9 +58,10 @@ export class SigninService {
 
 		reply.code(200);
 		return {
+			finished: true,
 			id: user.id,
-			i: user.token,
-		};
+			i: user.token!,
+		} satisfies Misskey.entities.SigninFlowResponse;
 	}
 }
 
diff --git a/packages/backend/test/e2e/2fa.ts b/packages/backend/test/e2e/2fa.ts
index 88c32b4346..48e1bababb 100644
--- a/packages/backend/test/e2e/2fa.ts
+++ b/packages/backend/test/e2e/2fa.ts
@@ -136,7 +136,7 @@ describe('2要素認証', () => {
 		keyName: string,
 		credentialId: Buffer,
 		requestOptions: PublicKeyCredentialRequestOptionsJSON,
-	}): misskey.entities.SigninRequest => {
+	}): misskey.entities.SigninFlowRequest => {
 		// AuthenticatorAssertionResponse.authenticatorData
 		// https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse/authenticatorData
 		const authenticatorData = Buffer.concat([
@@ -196,22 +196,21 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(doneResponse.status, 200);
 
-		const signinWithoutTokenResponse = await api('signin', {
+		const signinWithoutTokenResponse = await api('signin-flow', {
 			...signinParam(),
 		});
-		assert.strictEqual(signinWithoutTokenResponse.status, 403);
+		assert.strictEqual(signinWithoutTokenResponse.status, 200);
 		assert.deepStrictEqual(signinWithoutTokenResponse.body, {
-			error: {
-				id: '144ff4f8-bd6c-41bc-82c3-b672eb09efbf',
-				next: 'totp',
-			},
+			finished: false,
+			next: 'totp',
 		});
 
-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			token: otpToken(registerResponse.body.secret),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);
 
 		// 後片付け
@@ -252,29 +251,23 @@ describe('2要素認証', () => {
 		assert.strictEqual(keyDoneResponse.body.id, credentialId.toString('base64url'));
 		assert.strictEqual(keyDoneResponse.body.name, keyName);
 
-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 		});
-		const signinResponseBody = signinResponse.body as unknown as {
-			error: {
-				id: string;
-				next: 'passkey';
-				authRequest: PublicKeyCredentialRequestOptionsJSON;
-			};
-		};
-		assert.strictEqual(signinResponse.status, 403);
-		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
-		assert.strictEqual(signinResponseBody.error.next, 'passkey');
-		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
-		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
-		assert.strictEqual(signinResponseBody.error.authRequest.allowCredentials && signinResponseBody.error.authRequest.allowCredentials[0]?.id, credentialId.toString('base64url'));
-
-		const signinResponse2 = await api('signin', signinWithSecurityKeyParam({
+		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, false);
+		assert.strictEqual(signinResponse.body.next, 'passkey');
+		assert.notEqual(signinResponse.body.authRequest.challenge, undefined);
+		assert.notEqual(signinResponse.body.authRequest.allowCredentials, undefined);
+		assert.strictEqual(signinResponse.body.authRequest.allowCredentials && signinResponse.body.authRequest.allowCredentials[0]?.id, credentialId.toString('base64url'));
+
+		const signinResponse2 = await api('signin-flow', signinWithSecurityKeyParam({
 			keyName,
 			credentialId,
-			requestOptions: signinResponseBody.error.authRequest,
+			requestOptions: signinResponse.body.authRequest,
 		}));
 		assert.strictEqual(signinResponse2.status, 200);
+		assert.strictEqual(signinResponse2.body.finished, true);
 		assert.notEqual(signinResponse2.body.i, undefined);
 
 		// 後片付け
@@ -320,32 +313,26 @@ describe('2要素認証', () => {
 		assert.strictEqual(iResponse.status, 200);
 		assert.strictEqual(iResponse.body.usePasswordLessLogin, true);
 
-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			password: '',
 		});
-		const signinResponseBody = signinResponse.body as unknown as {
-			error: {
-				id: string;
-				next: 'passkey';
-				authRequest: PublicKeyCredentialRequestOptionsJSON;
-			};
-		};
-		assert.strictEqual(signinResponse.status, 403);
-		assert.strictEqual(signinResponseBody.error.id, '06e661b9-8146-4ae3-bde5-47138c0ae0c4');
-		assert.strictEqual(signinResponseBody.error.next, 'passkey');
-		assert.notEqual(signinResponseBody.error.authRequest.challenge, undefined);
-		assert.notEqual(signinResponseBody.error.authRequest.allowCredentials, undefined);
+		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, false);
+		assert.strictEqual(signinResponse.body.next, 'passkey');
+		assert.notEqual(signinResponse.body.authRequest.challenge, undefined);
+		assert.notEqual(signinResponse.body.authRequest.allowCredentials, undefined);
 
-		const signinResponse2 = await api('signin', {
+		const signinResponse2 = await api('signin-flow', {
 			...signinWithSecurityKeyParam({
 				keyName,
 				credentialId,
-				requestOptions: signinResponseBody.error.authRequest,
+				requestOptions: signinResponse.body.authRequest,
 			} as any),
 			password: '',
 		});
 		assert.strictEqual(signinResponse2.status, 200);
+		assert.strictEqual(signinResponse2.body.finished, true);
 		assert.notEqual(signinResponse2.body.i, undefined);
 
 		// 後片付け
@@ -450,11 +437,12 @@ describe('2要素認証', () => {
 		assert.strictEqual(afterIResponse.status, 200);
 		assert.strictEqual(afterIResponse.body.securityKeys, false);
 
-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 			token: otpToken(registerResponse.body.secret),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);
 
 		// 後片付け
@@ -485,10 +473,11 @@ describe('2要素認証', () => {
 		}, alice);
 		assert.strictEqual(unregisterResponse.status, 204);
 
-		const signinResponse = await api('signin', {
+		const signinResponse = await api('signin-flow', {
 			...signinParam(),
 		});
 		assert.strictEqual(signinResponse.status, 200);
+		assert.strictEqual(signinResponse.body.finished, true);
 		assert.notEqual(signinResponse.body.i, undefined);
 
 		// 後片付け
diff --git a/packages/backend/test/e2e/endpoints.ts b/packages/backend/test/e2e/endpoints.ts
index 5aaec7f6f9..b91d77c398 100644
--- a/packages/backend/test/e2e/endpoints.ts
+++ b/packages/backend/test/e2e/endpoints.ts
@@ -66,9 +66,9 @@ describe('Endpoints', () => {
 		});
 	});
 
-	describe('signin', () => {
+	describe('signin-flow', () => {
 		test('間違ったパスワードでサインインできない', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				password: 'bar',
 			});
@@ -77,7 +77,7 @@ describe('Endpoints', () => {
 		});
 
 		test('クエリをインジェクションできない', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				// @ts-expect-error password must be string
 				password: {
@@ -89,7 +89,7 @@ describe('Endpoints', () => {
 		});
 
 		test('正しい情報でサインインできる', async () => {
-			const res = await api('signin', {
+			const res = await api('signin-flow', {
 				username: 'test1',
 				password: 'test1',
 			});
diff --git a/packages/frontend/src/components/MkSignin.vue b/packages/frontend/src/components/MkSignin.vue
index 03dd61f6c6..26e1ac516c 100644
--- a/packages/frontend/src/components/MkSignin.vue
+++ b/packages/frontend/src/components/MkSignin.vue
@@ -83,7 +83,7 @@ import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/br
 import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
 
 const emit = defineEmits<{
-	(ev: 'login', v: Misskey.entities.SigninResponse): void;
+	(ev: 'login', v: Misskey.entities.SigninFlowResponse): void;
 }>();
 
 const props = withDefaults(defineProps<{
@@ -212,23 +212,63 @@ async function onTotpSubmitted(token: string) {
 	}
 }
 
-async function tryLogin(req: Partial<Misskey.entities.SigninRequest>): Promise<Misskey.entities.SigninResponse> {
+async function tryLogin(req: Partial<Misskey.entities.SigninFlowRequest>): Promise<Misskey.entities.SigninFlowResponse> {
 	const _req = {
 		username: req.username ?? userInfo.value?.username,
 		...req,
 	};
 
-	function assertIsSigninRequest(x: Partial<Misskey.entities.SigninRequest>): x is Misskey.entities.SigninRequest {
+	function assertIsSigninFlowRequest(x: Partial<Misskey.entities.SigninFlowRequest>): x is Misskey.entities.SigninFlowRequest {
 		return x.username != null;
 	}
 
-	if (!assertIsSigninRequest(_req)) {
+	if (!assertIsSigninFlowRequest(_req)) {
 		throw new Error('Invalid request');
 	}
 
-	return await misskeyApi('signin', _req).then(async (res) => {
-		emit('login', res);
-		await onLoginSucceeded(res);
+	return await misskeyApi('signin-flow', _req).then(async (res) => {
+		if (res.finished) {
+			emit('login', res);
+			await onLoginSucceeded(res);
+		} else {
+			switch (res.next) {
+				case 'captcha': {
+					needCaptcha.value = true;
+					page.value = 'password';
+					break;
+				}
+				case 'password': {
+					needCaptcha.value = false;
+					page.value = 'password';
+					break;
+				}
+				case 'totp': {
+					page.value = 'totp';
+					break;
+				}
+				case 'passkey': {
+					if (webAuthnSupported()) {
+						credentialRequest.value = parseRequestOptionsFromJSON({
+							publicKey: res.authRequest,
+						});
+						page.value = 'passkey';
+					} else {
+						page.value = 'totp';
+					}
+					break;
+				}
+			}
+
+			if (doingPasskeyFromInputPage.value === true) {
+				doingPasskeyFromInputPage.value = false;
+				page.value = 'input';
+				password.value = '';
+			}
+			passwordPageEl.value?.resetCaptcha();
+			nextTick(() => {
+				waiting.value = false;
+			});
+		}
 		return res;
 	}).catch((err) => {
 		onSigninApiError(err);
@@ -236,7 +276,7 @@ async function tryLogin(req: Partial<Misskey.entities.SigninRequest>): Promise<M
 	});
 }
 
-async function onLoginSucceeded(res: Misskey.entities.SigninResponse) {
+async function onLoginSucceeded(res: Misskey.entities.SigninFlowResponse & { finished: true; }) {
 	if (props.autoSet) {
 		await login(res.i);
 	}
@@ -245,112 +285,82 @@ async function onLoginSucceeded(res: Misskey.entities.SigninResponse) {
 function onSigninApiError(err?: any): void {
 	const id = err?.id ?? null;
 
-	if (typeof err === 'object' && 'next' in err) {
-		switch (err.next) {
-			case 'captcha': {
-				needCaptcha.value = true;
-				page.value = 'password';
-				break;
-			}
-			case 'password': {
-				needCaptcha.value = false;
-				page.value = 'password';
-				break;
-			}
-			case 'totp': {
-				page.value = 'totp';
-				break;
-			}
-			case 'passkey': {
-				if (webAuthnSupported() && 'authRequest' in err) {
-					credentialRequest.value = parseRequestOptionsFromJSON({
-						publicKey: err.authRequest,
-					});
-					page.value = 'passkey';
-				} else {
-					page.value = 'totp';
-				}
-				break;
-			}
+	switch (id) {
+		case '6cc579cc-885d-43d8-95c2-b8c7fc963280': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.noSuchUser,
+			});
+			break;
 		}
-	} else {
-		switch (id) {
-			case '6cc579cc-885d-43d8-95c2-b8c7fc963280': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.noSuchUser,
-				});
-				break;
-			}
-			case '932c904e-9460-45b7-9ce6-7ed33be7eb2c': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.incorrectPassword,
-				});
-				break;
-			}
-			case 'e03a5f46-d309-4865-9b69-56282d94e1eb': {
-				showSuspendedDialog();
-				break;
-			}
-			case '22d05606-fbcf-421a-a2db-b32610dcfd1b': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.rateLimitExceeded,
-				});
-				break;
-			}
-			case 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.incorrectTotp,
-				});
-				break;
-			}
-			case '36b96a7d-b547-412d-aeed-2d611cdc8cdc': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.unknownWebAuthnKey,
-				});
-				break;
-			}
-			case '93b86c4b-72f9-40eb-9815-798928603d1e': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.passkeyVerificationFailed,
-				});
-				break;
-			}
-			case 'b18c89a7-5b5e-4cec-bb5b-0419f332d430': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.passkeyVerificationFailed,
-				});
-				break;
-			}
-			case '2d84773e-f7b7-4d0b-8f72-bb69b584c912': {
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: i18n.ts.passkeyVerificationSucceededButPasswordlessLoginDisabled,
-				});
-				break;
-			}
-			default: {
-				console.error(err);
-				os.alert({
-					type: 'error',
-					title: i18n.ts.loginFailed,
-					text: JSON.stringify(err),
-				});
-			}
+		case '932c904e-9460-45b7-9ce6-7ed33be7eb2c': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.incorrectPassword,
+			});
+			break;
+		}
+		case 'e03a5f46-d309-4865-9b69-56282d94e1eb': {
+			showSuspendedDialog();
+			break;
+		}
+		case '22d05606-fbcf-421a-a2db-b32610dcfd1b': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.rateLimitExceeded,
+			});
+			break;
+		}
+		case 'cdf1235b-ac71-46d4-a3a6-84ccce48df6f': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.incorrectTotp,
+			});
+			break;
+		}
+		case '36b96a7d-b547-412d-aeed-2d611cdc8cdc': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.unknownWebAuthnKey,
+			});
+			break;
+		}
+		case '93b86c4b-72f9-40eb-9815-798928603d1e': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.passkeyVerificationFailed,
+			});
+			break;
+		}
+		case 'b18c89a7-5b5e-4cec-bb5b-0419f332d430': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.passkeyVerificationFailed,
+			});
+			break;
+		}
+		case '2d84773e-f7b7-4d0b-8f72-bb69b584c912': {
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: i18n.ts.passkeyVerificationSucceededButPasswordlessLoginDisabled,
+			});
+			break;
+		}
+		default: {
+			console.error(err);
+			os.alert({
+				type: 'error',
+				title: i18n.ts.loginFailed,
+				text: JSON.stringify(err),
+			});
 		}
 	}
 
diff --git a/packages/frontend/src/components/MkSignupDialog.form.vue b/packages/frontend/src/components/MkSignupDialog.form.vue
index 38cac7f644..ff096dc729 100644
--- a/packages/frontend/src/components/MkSignupDialog.form.vue
+++ b/packages/frontend/src/components/MkSignupDialog.form.vue
@@ -98,7 +98,7 @@ const props = withDefaults(defineProps<{
 });
 
 const emit = defineEmits<{
-	(ev: 'signup', user: Misskey.entities.SigninResponse): void;
+	(ev: 'signup', user: Misskey.entities.SigninFlowResponse): void;
 	(ev: 'signupEmailPending'): void;
 }>();
 
@@ -269,14 +269,19 @@ async function onSubmit(): Promise<void> {
 			});
 			emit('signupEmailPending');
 		} else {
-			const res = await misskeyApi('signin', {
+			const res = await misskeyApi('signin-flow', {
 				username: username.value,
 				password: password.value,
 			});
 			emit('signup', res);
 
-			if (props.autoSet) {
+			if (props.autoSet && res.finished) {
 				return login(res.i);
+			} else {
+				os.alert({
+					type: 'error',
+					text: i18n.ts.somethingHappened,
+				});
 			}
 		}
 	} catch {
diff --git a/packages/frontend/src/components/MkSignupDialog.vue b/packages/frontend/src/components/MkSignupDialog.vue
index 97310d32a6..4cccd99492 100644
--- a/packages/frontend/src/components/MkSignupDialog.vue
+++ b/packages/frontend/src/components/MkSignupDialog.vue
@@ -47,7 +47,7 @@ const props = withDefaults(defineProps<{
 });
 
 const emit = defineEmits<{
-	(ev: 'done', res: Misskey.entities.SigninResponse): void;
+	(ev: 'done', res: Misskey.entities.SigninFlowResponse): void;
 	(ev: 'closed'): void;
 }>();
 
@@ -55,7 +55,7 @@ const dialog = shallowRef<InstanceType<typeof MkModalWindow>>();
 
 const isAcceptedServerRule = ref(false);
 
-function onSignup(res: Misskey.entities.SigninResponse) {
+function onSignup(res: Misskey.entities.SigninFlowResponse) {
 	emit('done', res);
 	dialog.value?.close();
 }
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 9ad784c296..732352abd8 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -1158,9 +1158,9 @@ export type Endpoints = Overwrite<Endpoints_2, {
         req: SignupPendingRequest;
         res: SignupPendingResponse;
     };
-    'signin': {
-        req: SigninRequest;
-        res: SigninResponse;
+    'signin-flow': {
+        req: SigninFlowRequest;
+        res: SigninFlowResponse;
     };
     'signin-with-passkey': {
         req: SigninWithPasskeyRequest;
@@ -1208,11 +1208,11 @@ declare namespace entities {
         SignupResponse,
         SignupPendingRequest,
         SignupPendingResponse,
-        SigninRequest,
+        SigninFlowRequest,
+        SigninFlowResponse,
         SigninWithPasskeyRequest,
         SigninWithPasskeyInitResponse,
         SigninWithPasskeyResponse,
-        SigninResponse,
         PartialRolePolicyOverride,
         EmptyRequest,
         EmptyResponse,
@@ -3038,7 +3038,7 @@ type ServerStatsLog = ServerStats[];
 type Signin = components['schemas']['Signin'];
 
 // @public (undocumented)
-type SigninRequest = {
+type SigninFlowRequest = {
     username: string;
     password?: string;
     token?: string;
@@ -3050,9 +3050,17 @@ type SigninRequest = {
 };
 
 // @public (undocumented)
-type SigninResponse = {
+type SigninFlowResponse = {
+    finished: true;
     id: User['id'];
     i: string;
+} | {
+    finished: false;
+    next: 'captcha' | 'password' | 'totp';
+} | {
+    finished: false;
+    next: 'passkey';
+    authRequest: PublicKeyCredentialRequestOptionsJSON;
 };
 
 // @public (undocumented)
@@ -3069,7 +3077,7 @@ type SigninWithPasskeyRequest = {
 
 // @public (undocumented)
 type SigninWithPasskeyResponse = {
-    signinResponse: SigninResponse;
+    signinResponse: SigninFlowResponse;
 };
 
 // @public (undocumented)
diff --git a/packages/misskey-js/src/api.types.ts b/packages/misskey-js/src/api.types.ts
index cef5ab8861..838949f8e1 100644
--- a/packages/misskey-js/src/api.types.ts
+++ b/packages/misskey-js/src/api.types.ts
@@ -3,8 +3,8 @@ import { UserDetailed } from './autogen/models.js';
 import { AdminRolesCreateRequest, AdminRolesCreateResponse, UsersShowRequest } from './autogen/entities.js';
 import {
 	PartialRolePolicyOverride,
-	SigninRequest,
-	SigninResponse,
+	SigninFlowRequest,
+	SigninFlowResponse,
 	SigninWithPasskeyInitResponse,
 	SigninWithPasskeyRequest,
 	SigninWithPasskeyResponse,
@@ -81,9 +81,9 @@ export type Endpoints = Overwrite<
 			res: SignupPendingResponse;
 		},
 		// api.jsonには載せないものなのでここで定義
-		'signin': {
-			req: SigninRequest;
-			res: SigninResponse;
+		'signin-flow': {
+			req: SigninFlowRequest;
+			res: SigninFlowResponse;
 		},
 		'signin-with-passkey': {
 			req: SigninWithPasskeyRequest;
diff --git a/packages/misskey-js/src/entities.ts b/packages/misskey-js/src/entities.ts
index 98ac50e5a1..8bbc9c113b 100644
--- a/packages/misskey-js/src/entities.ts
+++ b/packages/misskey-js/src/entities.ts
@@ -267,7 +267,7 @@ export type SignupPendingResponse = {
 	i: string,
 };
 
-export type SigninRequest = {
+export type SigninFlowRequest = {
 	username: string;
 	password?: string;
 	token?: string;
@@ -278,6 +278,19 @@ export type SigninRequest = {
 	'm-captcha-response'?: string | null;
 };
 
+export type SigninFlowResponse = {
+	finished: true;
+	id: User['id'];
+	i: string;
+} | {
+	finished: false;
+	next: 'captcha' | 'password' | 'totp';
+} | {
+	finished: false;
+	next: 'passkey';
+	authRequest: PublicKeyCredentialRequestOptionsJSON;
+};
+
 export type SigninWithPasskeyRequest = {
 	credential?: AuthenticationResponseJSON;
 	context?: string;
@@ -289,12 +302,7 @@ export type SigninWithPasskeyInitResponse = {
 };
 
 export type SigninWithPasskeyResponse = {
-	signinResponse: SigninResponse;
-};
-
-export type SigninResponse = {
-	id: User['id'],
-	i: string,
+	signinResponse: SigninFlowResponse;
 };
 
 type Values<T extends Record<PropertyKey, unknown>> = T[keyof T];
-- 
cgit v1.2.3-freya


From d8bf1ff7e9ab4d39b2e924bf7eae010e9b9e21f0 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Sat, 5 Oct 2024 13:47:50 +0900
Subject: #14675 レビューの修正 (#14705)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/backend/src/server/api/ApiServerService.ts | 2 +-
 packages/frontend/src/components/MkFukidashi.vue    | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/ApiServerService.ts b/packages/backend/src/server/api/ApiServerService.ts
index 6b760c258b..be63635efe 100644
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@@ -125,7 +125,7 @@ export class ApiServerService {
 		fastify.post<{
 			Body: {
 				username: string;
-				password: string;
+				password?: string;
 				token?: string;
 				credential?: AuthenticationResponseJSON;
 				'hcaptcha-response'?: string;
diff --git a/packages/frontend/src/components/MkFukidashi.vue b/packages/frontend/src/components/MkFukidashi.vue
index ba82eb442f..09825487bf 100644
--- a/packages/frontend/src/components/MkFukidashi.vue
+++ b/packages/frontend/src/components/MkFukidashi.vue
@@ -8,7 +8,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 	:class="[
 		$style.root,
 		tail === 'left' ? $style.left : $style.right,
-		negativeMargin === true && $style.negativeMergin,
+		negativeMargin === true && $style.negativeMargin,
 		shadow === true && $style.shadow,
 	]"
 >
@@ -54,7 +54,7 @@ withDefaults(defineProps<{
 	&.left {
 		padding-left: calc(var(--fukidashi-radius) * .13);
 
-		&.negativeMergin {
+		&.negativeMargin {
 			margin-left: calc(calc(var(--fukidashi-radius) * .13) * -1);
 		}
 	}
@@ -62,7 +62,7 @@ withDefaults(defineProps<{
 	&.right {
 		padding-right: calc(var(--fukidashi-radius) * .13);
 
-		&.negativeMergin {
+		&.negativeMargin {
 			margin-right: calc(calc(var(--fukidashi-radius) * .13) * -1);
 		}
 	}
-- 
cgit v1.2.3-freya


From 0d7d1091c8970d9979e8efb02f0accd6dcd39422 Mon Sep 17 00:00:00 2001
From: おさむのひと <46447427+samunohito@users.noreply.github.com>
Date: Sat, 5 Oct 2024 14:37:52 +0900
Subject: enhance: 人気のPlayを10件以上表示できるように (#14443)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: osamu <46447427+sam-osamu@users.noreply.github.com>
---
 CHANGELOG.md                                       |   1 +
 packages/backend/src/core/CoreModule.ts            |   5 +
 packages/backend/src/core/FlashService.ts          |  40 ++++++
 .../src/core/entities/FlashEntityService.ts        |  41 ++++--
 packages/backend/src/models/Flash.ts               |   5 +-
 .../src/server/api/endpoints/flash/featured.ts     |  22 +--
 packages/backend/test/unit/FlashService.ts         | 152 +++++++++++++++++++++
 packages/frontend/src/pages/flash/flash-index.vue  |   3 +-
 packages/misskey-js/etc/misskey-js.api.md          |   4 +
 packages/misskey-js/src/autogen/endpoint.ts        |   3 +-
 packages/misskey-js/src/autogen/entities.ts        |   1 +
 packages/misskey-js/src/autogen/types.ts           |  10 ++
 12 files changed, 262 insertions(+), 25 deletions(-)
 create mode 100644 packages/backend/src/core/FlashService.ts
 create mode 100644 packages/backend/test/unit/FlashService.ts

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 04acc11ac3..6a9143ea1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@
 - Enhance: セキュリティ向上のため、サインイン時もCAPTCHAを求めるようになりました
 - Enhance: 依存関係の更新
 - Enhance: l10nの更新
+- Enhance: Playの「人気」タブで10件以上表示可能に #14399
 - Fix: 連合のホワイトリストが正常に登録されない問題を修正
 
 ### Client
diff --git a/packages/backend/src/core/CoreModule.ts b/packages/backend/src/core/CoreModule.ts
index 3b3c35f976..734d135648 100644
--- a/packages/backend/src/core/CoreModule.ts
+++ b/packages/backend/src/core/CoreModule.ts
@@ -14,6 +14,7 @@ import { AbuseReportNotificationService } from '@/core/AbuseReportNotificationSe
 import { SystemWebhookService } from '@/core/SystemWebhookService.js';
 import { UserSearchService } from '@/core/UserSearchService.js';
 import { WebhookTestService } from '@/core/WebhookTestService.js';
+import { FlashService } from '@/core/FlashService.js';
 import { AccountMoveService } from './AccountMoveService.js';
 import { AccountUpdateService } from './AccountUpdateService.js';
 import { AiService } from './AiService.js';
@@ -217,6 +218,7 @@ const $SystemWebhookService: Provider = { provide: 'SystemWebhookService', useEx
 const $WebhookTestService: Provider = { provide: 'WebhookTestService', useExisting: WebhookTestService };
 const $UtilityService: Provider = { provide: 'UtilityService', useExisting: UtilityService };
 const $FileInfoService: Provider = { provide: 'FileInfoService', useExisting: FileInfoService };
+const $FlashService: Provider = { provide: 'FlashService', useExisting: FlashService };
 const $SearchService: Provider = { provide: 'SearchService', useExisting: SearchService };
 const $ClipService: Provider = { provide: 'ClipService', useExisting: ClipService };
 const $FeaturedService: Provider = { provide: 'FeaturedService', useExisting: FeaturedService };
@@ -367,6 +369,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting
 		WebhookTestService,
 		UtilityService,
 		FileInfoService,
+		FlashService,
 		SearchService,
 		ClipService,
 		FeaturedService,
@@ -513,6 +516,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting
 		$WebhookTestService,
 		$UtilityService,
 		$FileInfoService,
+		$FlashService,
 		$SearchService,
 		$ClipService,
 		$FeaturedService,
@@ -660,6 +664,7 @@ const $ApQuestionService: Provider = { provide: 'ApQuestionService', useExisting
 		WebhookTestService,
 		UtilityService,
 		FileInfoService,
+		FlashService,
 		SearchService,
 		ClipService,
 		FeaturedService,
diff --git a/packages/backend/src/core/FlashService.ts b/packages/backend/src/core/FlashService.ts
new file mode 100644
index 0000000000..2a98225382
--- /dev/null
+++ b/packages/backend/src/core/FlashService.ts
@@ -0,0 +1,40 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable } from '@nestjs/common';
+import { DI } from '@/di-symbols.js';
+import { type FlashsRepository } from '@/models/_.js';
+
+/**
+ * MisskeyPlay関係のService
+ */
+@Injectable()
+export class FlashService {
+	constructor(
+		@Inject(DI.flashsRepository)
+		private flashRepository: FlashsRepository,
+	) {
+	}
+
+	/**
+	 * 人気のあるPlay一覧を取得する.
+	 */
+	public async featured(opts?: { offset?: number, limit: number }) {
+		const builder = this.flashRepository.createQueryBuilder('flash')
+			.andWhere('flash.likedCount > 0')
+			.andWhere('flash.visibility = :visibility', { visibility: 'public' })
+			.addOrderBy('flash.likedCount', 'DESC')
+			.addOrderBy('flash.updatedAt', 'DESC')
+			.addOrderBy('flash.id', 'DESC');
+
+		if (opts?.offset) {
+			builder.skip(opts.offset);
+		}
+
+		builder.take(opts?.limit ?? 10);
+
+		return await builder.getMany();
+	}
+}
diff --git a/packages/backend/src/core/entities/FlashEntityService.ts b/packages/backend/src/core/entities/FlashEntityService.ts
index 4aa7104c1e..0cdcf3310a 100644
--- a/packages/backend/src/core/entities/FlashEntityService.ts
+++ b/packages/backend/src/core/entities/FlashEntityService.ts
@@ -5,10 +5,8 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import { DI } from '@/di-symbols.js';
-import type { FlashsRepository, FlashLikesRepository } from '@/models/_.js';
-import { awaitAll } from '@/misc/prelude/await-all.js';
+import type { FlashLikesRepository, FlashsRepository } from '@/models/_.js';
 import type { Packed } from '@/misc/json-schema.js';
-import type { } from '@/models/Blocking.js';
 import type { MiUser } from '@/models/User.js';
 import type { MiFlash } from '@/models/Flash.js';
 import { bindThis } from '@/decorators.js';
@@ -20,10 +18,8 @@ export class FlashEntityService {
 	constructor(
 		@Inject(DI.flashsRepository)
 		private flashsRepository: FlashsRepository,
-
 		@Inject(DI.flashLikesRepository)
 		private flashLikesRepository: FlashLikesRepository,
-
 		private userEntityService: UserEntityService,
 		private idService: IdService,
 	) {
@@ -34,25 +30,36 @@ export class FlashEntityService {
 		src: MiFlash['id'] | MiFlash,
 		me?: { id: MiUser['id'] } | null | undefined,
 		hint?: {
-			packedUser?: Packed<'UserLite'>
+			packedUser?: Packed<'UserLite'>,
+			likedFlashIds?: MiFlash['id'][],
 		},
 	): Promise<Packed<'Flash'>> {
 		const meId = me ? me.id : null;
 		const flash = typeof src === 'object' ? src : await this.flashsRepository.findOneByOrFail({ id: src });
 
-		return await awaitAll({
+		// { schema: 'UserDetailed' } すると無限ループするので注意
+		const user = hint?.packedUser ?? await this.userEntityService.pack(flash.user ?? flash.userId, me);
+
+		let isLiked = false;
+		if (meId) {
+			isLiked = hint?.likedFlashIds
+				? hint.likedFlashIds.includes(flash.id)
+				: await this.flashLikesRepository.exists({ where: { flashId: flash.id, userId: meId } });
+		}
+
+		return {
 			id: flash.id,
 			createdAt: this.idService.parse(flash.id).date.toISOString(),
 			updatedAt: flash.updatedAt.toISOString(),
 			userId: flash.userId,
-			user: hint?.packedUser ?? this.userEntityService.pack(flash.user ?? flash.userId, me), // { schema: 'UserDetailed' } すると無限ループするので注意
+			user: user,
 			title: flash.title,
 			summary: flash.summary,
 			script: flash.script,
 			visibility: flash.visibility,
 			likedCount: flash.likedCount,
-			isLiked: meId ? await this.flashLikesRepository.exists({ where: { flashId: flash.id, userId: meId } }) : undefined,
-		});
+			isLiked: isLiked,
+		};
 	}
 
 	@bindThis
@@ -63,7 +70,19 @@ export class FlashEntityService {
 		const _users = flashes.map(({ user, userId }) => user ?? userId);
 		const _userMap = await this.userEntityService.packMany(_users, me)
 			.then(users => new Map(users.map(u => [u.id, u])));
-		return Promise.all(flashes.map(flash => this.pack(flash, me, { packedUser: _userMap.get(flash.userId) })));
+		const _likedFlashIds = me
+			? await this.flashLikesRepository.createQueryBuilder('flashLike')
+				.select('flashLike.flashId')
+				.where('flashLike.userId = :userId', { userId: me.id })
+				.getRawMany<{ flashLike_flashId: string }>()
+				.then(likes => [...new Set(likes.map(like => like.flashLike_flashId))])
+			: [];
+		return Promise.all(
+			flashes.map(flash => this.pack(flash, me, {
+				packedUser: _userMap.get(flash.userId),
+				likedFlashIds: _likedFlashIds,
+			})),
+		);
 	}
 }
 
diff --git a/packages/backend/src/models/Flash.ts b/packages/backend/src/models/Flash.ts
index a1469a0d94..5db7dca992 100644
--- a/packages/backend/src/models/Flash.ts
+++ b/packages/backend/src/models/Flash.ts
@@ -7,6 +7,9 @@ import { Entity, Index, JoinColumn, Column, PrimaryColumn, ManyToOne } from 'typ
 import { id } from './util/id.js';
 import { MiUser } from './User.js';
 
+export const flashVisibility = ['public', 'private'] as const;
+export type FlashVisibility = typeof flashVisibility[number];
+
 @Entity('flash')
 export class MiFlash {
 	@PrimaryColumn(id())
@@ -63,5 +66,5 @@ export class MiFlash {
 	@Column('varchar', {
 		length: 512, default: 'public',
 	})
-	public visibility: 'public' | 'private';
+	public visibility: FlashVisibility;
 }
diff --git a/packages/backend/src/server/api/endpoints/flash/featured.ts b/packages/backend/src/server/api/endpoints/flash/featured.ts
index c2d6ab5085..9a0cb461f2 100644
--- a/packages/backend/src/server/api/endpoints/flash/featured.ts
+++ b/packages/backend/src/server/api/endpoints/flash/featured.ts
@@ -8,6 +8,7 @@ import type { FlashsRepository } from '@/models/_.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { FlashEntityService } from '@/core/entities/FlashEntityService.js';
 import { DI } from '@/di-symbols.js';
+import { FlashService } from '@/core/FlashService.js';
 
 export const meta = {
 	tags: ['flash'],
@@ -27,26 +28,25 @@ export const meta = {
 
 export const paramDef = {
 	type: 'object',
-	properties: {},
+	properties: {
+		offset: { type: 'integer', minimum: 0, default: 0 },
+		limit: { type: 'integer', minimum: 1, maximum: 100, default: 10 },
+	},
 	required: [],
 } as const;
 
 @Injectable()
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
-		@Inject(DI.flashsRepository)
-		private flashsRepository: FlashsRepository,
-
+		private flashService: FlashService,
 		private flashEntityService: FlashEntityService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const query = this.flashsRepository.createQueryBuilder('flash')
-				.andWhere('flash.likedCount > 0')
-				.orderBy('flash.likedCount', 'DESC');
-
-			const flashs = await query.limit(10).getMany();
-
-			return await this.flashEntityService.packMany(flashs, me);
+			const result = await this.flashService.featured({
+				offset: ps.offset,
+				limit: ps.limit,
+			});
+			return await this.flashEntityService.packMany(result, me);
 		});
 	}
 }
diff --git a/packages/backend/test/unit/FlashService.ts b/packages/backend/test/unit/FlashService.ts
new file mode 100644
index 0000000000..12ffaf3421
--- /dev/null
+++ b/packages/backend/test/unit/FlashService.ts
@@ -0,0 +1,152 @@
+/* eslint-disable @typescript-eslint/no-unused-vars */
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Test, TestingModule } from '@nestjs/testing';
+import { FlashService } from '@/core/FlashService.js';
+import { IdService } from '@/core/IdService.js';
+import { FlashsRepository, MiFlash, MiUser, UserProfilesRepository, UsersRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { GlobalModule } from '@/GlobalModule.js';
+
+describe('FlashService', () => {
+	let app: TestingModule;
+	let service: FlashService;
+
+	// --------------------------------------------------------------------------------------
+
+	let flashsRepository: FlashsRepository;
+	let usersRepository: UsersRepository;
+	let userProfilesRepository: UserProfilesRepository;
+	let idService: IdService;
+
+	// --------------------------------------------------------------------------------------
+
+	let root: MiUser;
+	let alice: MiUser;
+	let bob: MiUser;
+
+	// --------------------------------------------------------------------------------------
+
+	async function createFlash(data: Partial<MiFlash>) {
+		return flashsRepository.insert({
+			id: idService.gen(),
+			updatedAt: new Date(),
+			userId: root.id,
+			title: 'title',
+			summary: 'summary',
+			script: 'script',
+			permissions: [],
+			likedCount: 0,
+			...data,
+		}).then(x => flashsRepository.findOneByOrFail(x.identifiers[0]));
+	}
+
+	async function createUser(data: Partial<MiUser> = {}) {
+		const user = await usersRepository
+			.insert({
+				id: idService.gen(),
+				...data,
+			})
+			.then(x => usersRepository.findOneByOrFail(x.identifiers[0]));
+
+		await userProfilesRepository.insert({
+			userId: user.id,
+		});
+
+		return user;
+	}
+
+	// --------------------------------------------------------------------------------------
+
+	beforeEach(async () => {
+		app = await Test.createTestingModule({
+			imports: [
+				GlobalModule,
+			],
+			providers: [
+				FlashService,
+				IdService,
+			],
+		}).compile();
+
+		service = app.get(FlashService);
+
+		flashsRepository = app.get(DI.flashsRepository);
+		usersRepository = app.get(DI.usersRepository);
+		userProfilesRepository = app.get(DI.userProfilesRepository);
+		idService = app.get(IdService);
+
+		root = await createUser({ username: 'root', usernameLower: 'root', isRoot: true });
+		alice = await createUser({ username: 'alice', usernameLower: 'alice', isRoot: false });
+		bob = await createUser({ username: 'bob', usernameLower: 'bob', isRoot: false });
+	});
+
+	afterEach(async () => {
+		await usersRepository.delete({});
+		await userProfilesRepository.delete({});
+		await flashsRepository.delete({});
+	});
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	// --------------------------------------------------------------------------------------
+
+	describe('featured', () => {
+		test('should return featured flashes', async () => {
+			const flash1 = await createFlash({ likedCount: 1 });
+			const flash2 = await createFlash({ likedCount: 2 });
+			const flash3 = await createFlash({ likedCount: 3 });
+
+			const result = await service.featured({
+				offset: 0,
+				limit: 10,
+			});
+
+			expect(result).toEqual([flash3, flash2, flash1]);
+		});
+
+		test('should return featured flashes public visibility only', async () => {
+			const flash1 = await createFlash({ likedCount: 1, visibility: 'public' });
+			const flash2 = await createFlash({ likedCount: 2, visibility: 'public' });
+			const flash3 = await createFlash({ likedCount: 3, visibility: 'private' });
+
+			const result = await service.featured({
+				offset: 0,
+				limit: 10,
+			});
+
+			expect(result).toEqual([flash2, flash1]);
+		});
+
+		test('should return featured flashes with offset', async () => {
+			const flash1 = await createFlash({ likedCount: 1 });
+			const flash2 = await createFlash({ likedCount: 2 });
+			const flash3 = await createFlash({ likedCount: 3 });
+
+			const result = await service.featured({
+				offset: 1,
+				limit: 10,
+			});
+
+			expect(result).toEqual([flash2, flash1]);
+		});
+
+		test('should return featured flashes with limit', async () => {
+			const flash1 = await createFlash({ likedCount: 1 });
+			const flash2 = await createFlash({ likedCount: 2 });
+			const flash3 = await createFlash({ likedCount: 3 });
+
+			const result = await service.featured({
+				offset: 0,
+				limit: 2,
+			});
+
+			expect(result).toEqual([flash3, flash2]);
+		});
+	});
+});
diff --git a/packages/frontend/src/pages/flash/flash-index.vue b/packages/frontend/src/pages/flash/flash-index.vue
index f63a799365..2b85489706 100644
--- a/packages/frontend/src/pages/flash/flash-index.vue
+++ b/packages/frontend/src/pages/flash/flash-index.vue
@@ -55,7 +55,8 @@ const tab = ref('featured');
 
 const featuredFlashsPagination = {
 	endpoint: 'flash/featured' as const,
-	noPaging: true,
+	limit: 5,
+	offsetMode: true,
 };
 const myFlashsPagination = {
 	endpoint: 'flash/my' as const,
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 732352abd8..de52be3a61 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -1680,6 +1680,7 @@ declare namespace entities {
         FlashCreateRequest,
         FlashCreateResponse,
         FlashDeleteRequest,
+        FlashFeaturedRequest,
         FlashFeaturedResponse,
         FlashLikeRequest,
         FlashShowRequest,
@@ -1929,6 +1930,9 @@ type FlashCreateResponse = operations['flash___create']['responses']['200']['con
 // @public (undocumented)
 type FlashDeleteRequest = operations['flash___delete']['requestBody']['content']['application/json'];
 
+// @public (undocumented)
+type FlashFeaturedRequest = operations['flash___featured']['requestBody']['content']['application/json'];
+
 // @public (undocumented)
 type FlashFeaturedResponse = operations['flash___featured']['responses']['200']['content']['application/json'];
 
diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts
index 42c74599a5..bf61c20628 100644
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@@ -465,6 +465,7 @@ import type {
 	FlashCreateRequest,
 	FlashCreateResponse,
 	FlashDeleteRequest,
+	FlashFeaturedRequest,
 	FlashFeaturedResponse,
 	FlashLikeRequest,
 	FlashShowRequest,
@@ -889,7 +890,7 @@ export type Endpoints = {
 	'pages/update': { req: PagesUpdateRequest; res: EmptyResponse };
 	'flash/create': { req: FlashCreateRequest; res: FlashCreateResponse };
 	'flash/delete': { req: FlashDeleteRequest; res: EmptyResponse };
-	'flash/featured': { req: EmptyRequest; res: FlashFeaturedResponse };
+	'flash/featured': { req: FlashFeaturedRequest; res: FlashFeaturedResponse };
 	'flash/like': { req: FlashLikeRequest; res: EmptyResponse };
 	'flash/show': { req: FlashShowRequest; res: FlashShowResponse };
 	'flash/unlike': { req: FlashUnlikeRequest; res: EmptyResponse };
diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts
index 87ed653d44..72c7c35ed4 100644
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@@ -468,6 +468,7 @@ export type PagesUpdateRequest = operations['pages___update']['requestBody']['co
 export type FlashCreateRequest = operations['flash___create']['requestBody']['content']['application/json'];
 export type FlashCreateResponse = operations['flash___create']['responses']['200']['content']['application/json'];
 export type FlashDeleteRequest = operations['flash___delete']['requestBody']['content']['application/json'];
+export type FlashFeaturedRequest = operations['flash___featured']['requestBody']['content']['application/json'];
 export type FlashFeaturedResponse = operations['flash___featured']['responses']['200']['content']['application/json'];
 export type FlashLikeRequest = operations['flash___like']['requestBody']['content']['application/json'];
 export type FlashShowRequest = operations['flash___show']['requestBody']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 3876a0bfe5..0938973481 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -23799,6 +23799,16 @@ export type operations = {
    * **Credential required**: *No*
    */
   flash___featured: {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** @default 0 */
+          offset?: number;
+          /** @default 10 */
+          limit?: number;
+        };
+      };
+    };
     responses: {
       /** @description OK (with results) */
       200: {
-- 
cgit v1.2.3-freya


From d8cb7305ef4d5ad6398d9eb57ece2f3ba7ca73eb Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Sat, 5 Oct 2024 16:20:15 +0900
Subject: feat: 通報の強化 (#14704)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* Update CHANGELOG.md

* lint

* Update types.ts

* wip

* :v:

* Update MkAbuseReport.vue

* tweak
---
 CHANGELOG.md                                       |   3 +
 locales/index.d.ts                                 |  55 +++++++--
 locales/ja-JP.yml                                  |  15 ++-
 .../1728085812127-refine-abuse-user-report.js      |  18 +++
 packages/backend/src/core/AbuseReportService.ts    |  80 ++++++++++---
 packages/backend/src/core/WebhookTestService.ts    |   2 +
 .../core/entities/AbuseUserReportEntityService.ts  |   2 +
 packages/backend/src/models/AbuseUserReport.ts     |  18 +++
 packages/backend/src/server/api/EndpointsModule.ts |   8 ++
 packages/backend/src/server/api/endpoints.ts       |   4 +
 .../endpoints/admin/forward-abuse-user-report.ts   |  55 +++++++++
 .../endpoints/admin/resolve-abuse-user-report.ts   |   4 +-
 .../endpoints/admin/update-abuse-user-report.ts    |  58 ++++++++++
 packages/backend/src/types.ts                      |  15 ++-
 packages/backend/test/e2e/synalio/abuse-report.ts  |   6 -
 packages/frontend/src/components/MkAbuseReport.vue |  74 +++++++++---
 packages/frontend/src/pages/admin-user.vue         |   3 +-
 packages/frontend/src/pages/admin/abuses.vue       |  11 +-
 .../frontend/src/pages/admin/modlog.ModLog.vue     |   5 +
 packages/frontend/src/pages/instance-info.vue      |   1 +
 packages/frontend/src/pages/user/home.vue          |   3 +-
 packages/frontend/src/store.ts                     |   4 +
 packages/misskey-js/etc/misskey-js.api.md          |  16 ++-
 packages/misskey-js/src/autogen/apiClientJSDoc.ts  |  22 ++++
 packages/misskey-js/src/autogen/endpoint.ts        |   4 +
 packages/misskey-js/src/autogen/entities.ts        |   2 +
 packages/misskey-js/src/autogen/types.ts           | 127 ++++++++++++++++++++-
 packages/misskey-js/src/consts.ts                  |  15 ++-
 packages/misskey-js/src/entities.ts                |   6 +
 29 files changed, 574 insertions(+), 62 deletions(-)
 create mode 100644 packages/backend/migration/1728085812127-refine-abuse-user-report.js
 create mode 100644 packages/backend/src/server/api/endpoints/admin/forward-abuse-user-report.ts
 create mode 100644 packages/backend/src/server/api/endpoints/admin/update-abuse-user-report.ts

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6a9143ea1b..3fd1b7f899 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,9 @@
 
 ### General
 - Feat: サーバー初期設定時に初期パスワードを設定できるように
+- Feat: 通報にモデレーションノートを残せるように
+- Feat: 通報の解決種別を設定できるように
+- Enhance: 通報の解決と転送を個別に行えるように
 - Enhance: セキュリティ向上のため、サインイン時もCAPTCHAを求めるようになりました
 - Enhance: 依存関係の更新
 - Enhance: l10nの更新
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 1a0547ebc6..d502c5b432 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -1834,6 +1834,10 @@ export interface Locale extends ILocale {
      * モデレーションノート
      */
     "moderationNote": string;
+    /**
+     * モデレーター間でだけ共有されるメモを記入することができます。
+     */
+    "moderationNoteDescription": string;
     /**
      * モデレーションノートを追加する
      */
@@ -2894,22 +2898,10 @@ export interface Locale extends ILocale {
      * 通報元
      */
     "reporterOrigin": string;
-    /**
-     * リモートサーバーに通報を転送する
-     */
-    "forwardReport": string;
-    /**
-     * リモートサーバーからはあなたの情報は見れず、匿名のシステムアカウントとして表示されます。
-     */
-    "forwardReportIsAnonymous": string;
     /**
      * 送信
      */
     "send": string;
-    /**
-     * 対応済みにする
-     */
-    "abuseMarkAsResolved": string;
     /**
      * 新しいタブで開く
      */
@@ -5170,6 +5162,37 @@ export interface Locale extends ILocale {
      * フォロワーへのメッセージ
      */
     "messageToFollower": string;
+    /**
+     * 対象
+     */
+    "target": string;
+    "_abuseUserReport": {
+        /**
+         * 転送
+         */
+        "forward": string;
+        /**
+         * 匿名のシステムアカウントとして、リモートサーバーに通報を転送します。
+         */
+        "forwardDescription": string;
+        /**
+         * 解決
+         */
+        "resolve": string;
+        /**
+         * 是認
+         */
+        "accept": string;
+        /**
+         * 否認
+         */
+        "reject": string;
+        /**
+         * 内容が正当である通報に対応した場合は「是認」を選択し、肯定的にケースが解決されたことをマークします。
+         * 内容が正当でない通報の場合は「否認」を選択し、否定的にケースが解決されたことをマークします。
+         */
+        "resolveTutorial": string;
+    };
     "_delivery": {
         /**
          * 配信状態
@@ -9785,6 +9808,14 @@ export interface Locale extends ILocale {
          * 通報を解決
          */
         "resolveAbuseReport": string;
+        /**
+         * 通報を転送
+         */
+        "forwardAbuseReport": string;
+        /**
+         * 通報のモデレーションノート更新
+         */
+        "updateAbuseReportNote": string;
         /**
          * 招待コードを作成
          */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 92014c8abc..678bc7e66b 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -454,6 +454,7 @@ totpDescription: "認証アプリを使ってワンタイムパスワードを
 moderator: "モデレーター"
 moderation: "モデレーション"
 moderationNote: "モデレーションノート"
+moderationNoteDescription: "モデレーター間でだけ共有されるメモを記入することができます。"
 addModerationNote: "モデレーションノートを追加する"
 moderationLogs: "モデログ"
 nUsersMentioned: "{n}人が投稿"
@@ -719,10 +720,7 @@ abuseReported: "内容が送信されました。ご報告ありがとうござ
 reporter: "通報者"
 reporteeOrigin: "通報先"
 reporterOrigin: "通報元"
-forwardReport: "リモートサーバーに通報を転送する"
-forwardReportIsAnonymous: "リモートサーバーからはあなたの情報は見れず、匿名のシステムアカウントとして表示されます。"
 send: "送信"
-abuseMarkAsResolved: "対応済みにする"
 openInNewTab: "新しいタブで開く"
 openInSideView: "サイドビューで開く"
 defaultNavigationBehaviour: "デフォルトのナビゲーション"
@@ -1288,6 +1286,15 @@ unknownWebAuthnKey: "登録されていないパスキーです。"
 passkeyVerificationFailed: "パスキーの検証に失敗しました。"
 passkeyVerificationSucceededButPasswordlessLoginDisabled: "パスキーの検証に成功しましたが、パスワードレスログインが無効になっています。"
 messageToFollower: "フォロワーへのメッセージ"
+target: "対象"
+
+_abuseUserReport:
+  forward: "転送"
+  forwardDescription: "匿名のシステムアカウントとして、リモートサーバーに通報を転送します。"
+  resolve: "解決"
+  accept: "是認"
+  reject: "否認"
+  resolveTutorial: "内容が正当である通報に対応した場合は「是認」を選択し、肯定的にケースが解決されたことをマークします。\n内容が正当でない通報の場合は「否認」を選択し、否定的にケースが解決されたことをマークします。"
 
 _delivery:
   status: "配信状態"
@@ -2593,6 +2600,8 @@ _moderationLogTypes:
   markSensitiveDriveFile: "ファイルをセンシティブ付与"
   unmarkSensitiveDriveFile: "ファイルをセンシティブ解除"
   resolveAbuseReport: "通報を解決"
+  forwardAbuseReport: "通報を転送"
+  updateAbuseReportNote: "通報のモデレーションノート更新"
   createInvitation: "招待コードを作成"
   createAd: "広告を作成"
   deleteAd: "広告を削除"
diff --git a/packages/backend/migration/1728085812127-refine-abuse-user-report.js b/packages/backend/migration/1728085812127-refine-abuse-user-report.js
new file mode 100644
index 0000000000..57cbfdcf6d
--- /dev/null
+++ b/packages/backend/migration/1728085812127-refine-abuse-user-report.js
@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class RefineAbuseUserReport1728085812127 {
+    name = 'RefineAbuseUserReport1728085812127'
+
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "abuse_user_report" ADD "moderationNote" character varying(8192) NOT NULL DEFAULT ''`);
+        await queryRunner.query(`ALTER TABLE "abuse_user_report" ADD "resolvedAs" character varying(128)`);
+    }
+
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "abuse_user_report" DROP COLUMN "resolvedAs"`);
+        await queryRunner.query(`ALTER TABLE "abuse_user_report" DROP COLUMN "moderationNote"`);
+    }
+}
diff --git a/packages/backend/src/core/AbuseReportService.ts b/packages/backend/src/core/AbuseReportService.ts
index 69c51509ba..cddfe5eb81 100644
--- a/packages/backend/src/core/AbuseReportService.ts
+++ b/packages/backend/src/core/AbuseReportService.ts
@@ -20,8 +20,10 @@ export class AbuseReportService {
 	constructor(
 		@Inject(DI.abuseUserReportsRepository)
 		private abuseUserReportsRepository: AbuseUserReportsRepository,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
+
 		private idService: IdService,
 		private abuseReportNotificationService: AbuseReportNotificationService,
 		private queueService: QueueService,
@@ -77,16 +79,16 @@ export class AbuseReportService {
 	 * - SystemWebhook
 	 *
 	 * @param params 通報内容. もし複数件の通報に対応した時のために、あらかじめ複数件を処理できる前提で考える
-	 * @param operator 通報を処理したユーザ
+	 * @param moderator 通報を処理したユーザ
 	 * @see AbuseReportNotificationService.notify
 	 */
 	@bindThis
 	public async resolve(
 		params: {
 			reportId: string;
-			forward: boolean;
+			resolvedAs: MiAbuseUserReport['resolvedAs'];
 		}[],
-		operator: MiUser,
+		moderator: MiUser,
 	) {
 		const paramsMap = new Map(params.map(it => [it.reportId, it]));
 		const reports = await this.abuseUserReportsRepository.findBy({
@@ -99,25 +101,15 @@ export class AbuseReportService {
 
 			await this.abuseUserReportsRepository.update(report.id, {
 				resolved: true,
-				assigneeId: operator.id,
-				forwarded: ps.forward && report.targetUserHost !== null,
+				assigneeId: moderator.id,
+				resolvedAs: ps.resolvedAs,
 			});
 
-			if (ps.forward && report.targetUserHost != null) {
-				const actor = await this.instanceActorService.getInstanceActor();
-				const targetUser = await this.usersRepository.findOneByOrFail({ id: report.targetUserId });
-
-				// eslint-disable-next-line
-				const flag = this.apRendererService.renderFlag(actor, targetUser.uri!, report.comment);
-				const contextAssignedFlag = this.apRendererService.addContext(flag);
-				this.queueService.deliver(actor, contextAssignedFlag, targetUser.inbox, false);
-			}
-
 			this.moderationLogService
-				.log(operator, 'resolveAbuseReport', {
+				.log(moderator, 'resolveAbuseReport', {
 					reportId: report.id,
 					report: report,
-					forwarded: ps.forward && report.targetUserHost !== null,
+					resolvedAs: ps.resolvedAs,
 				})
 				.then();
 		}
@@ -125,4 +117,58 @@ export class AbuseReportService {
 		return this.abuseUserReportsRepository.findBy({ id: In(reports.map(it => it.id)) })
 			.then(reports => this.abuseReportNotificationService.notifySystemWebhook(reports, 'abuseReportResolved'));
 	}
+
+	@bindThis
+	public async forward(
+		reportId: MiAbuseUserReport['id'],
+		moderator: MiUser,
+	) {
+		const report = await this.abuseUserReportsRepository.findOneByOrFail({ id: reportId });
+
+		if (report.targetUserHost == null) {
+			throw new Error('The target user host is null.');
+		}
+
+		await this.abuseUserReportsRepository.update(report.id, {
+			forwarded: true,
+		});
+
+		const actor = await this.instanceActorService.getInstanceActor();
+		const targetUser = await this.usersRepository.findOneByOrFail({ id: report.targetUserId });
+
+		const flag = this.apRendererService.renderFlag(actor, targetUser.uri!, report.comment);
+		const contextAssignedFlag = this.apRendererService.addContext(flag);
+		this.queueService.deliver(actor, contextAssignedFlag, targetUser.inbox, false);
+
+		this.moderationLogService
+			.log(moderator, 'forwardAbuseReport', {
+				reportId: report.id,
+				report: report,
+			})
+			.then();
+	}
+
+	@bindThis
+	public async update(
+		reportId: MiAbuseUserReport['id'],
+		params: {
+			moderationNote?: MiAbuseUserReport['moderationNote'];
+		},
+		moderator: MiUser,
+	) {
+		const report = await this.abuseUserReportsRepository.findOneByOrFail({ id: reportId });
+
+		await this.abuseUserReportsRepository.update(report.id, {
+			moderationNote: params.moderationNote,
+		});
+
+		if (params.moderationNote != null && report.moderationNote !== params.moderationNote) {
+			this.moderationLogService.log(moderator, 'updateAbuseReportNote', {
+				reportId: report.id,
+				report: report,
+				before: report.moderationNote,
+				after: params.moderationNote,
+			});
+		}
+	}
 }
diff --git a/packages/backend/src/core/WebhookTestService.ts b/packages/backend/src/core/WebhookTestService.ts
index 149c753d4c..4c45b95a64 100644
--- a/packages/backend/src/core/WebhookTestService.ts
+++ b/packages/backend/src/core/WebhookTestService.ts
@@ -35,6 +35,8 @@ function generateAbuseReport(override?: Partial<MiAbuseUserReport>): AbuseUserRe
 		comment: 'This is a dummy report for testing purposes.',
 		targetUserHost: null,
 		reporterHost: null,
+		resolvedAs: null,
+		moderationNote: 'foo',
 		...override,
 	};
 
diff --git a/packages/backend/src/core/entities/AbuseUserReportEntityService.ts b/packages/backend/src/core/entities/AbuseUserReportEntityService.ts
index a13c244c19..70ead890ab 100644
--- a/packages/backend/src/core/entities/AbuseUserReportEntityService.ts
+++ b/packages/backend/src/core/entities/AbuseUserReportEntityService.ts
@@ -53,6 +53,8 @@ export class AbuseUserReportEntityService {
 				schema: 'UserDetailedNotMe',
 			}) : null,
 			forwarded: report.forwarded,
+			resolvedAs: report.resolvedAs,
+			moderationNote: report.moderationNote,
 		});
 	}
 
diff --git a/packages/backend/src/models/AbuseUserReport.ts b/packages/backend/src/models/AbuseUserReport.ts
index 0615fd7eb5..cb5672e4ac 100644
--- a/packages/backend/src/models/AbuseUserReport.ts
+++ b/packages/backend/src/models/AbuseUserReport.ts
@@ -50,6 +50,9 @@ export class MiAbuseUserReport {
 	})
 	public resolved: boolean;
 
+	/**
+	 * リモートサーバーに転送したかどうか
+	 */
 	@Column('boolean', {
 		default: false,
 	})
@@ -60,6 +63,21 @@ export class MiAbuseUserReport {
 	})
 	public comment: string;
 
+	@Column('varchar', {
+		length: 8192, default: '',
+	})
+	public moderationNote: string;
+
+	/**
+	 * accept 是認 ... 通報内容が正当であり、肯定的に対応された
+	 * reject 否認 ... 通報内容が正当でなく、否定的に対応された
+	 * null ... その他
+	 */
+	@Column('varchar', {
+		length: 128, nullable: true,
+	})
+	public resolvedAs: 'accept' | 'reject' | null;
+
 	//#region Denormalized fields
 	@Index()
 	@Column('varchar', {
diff --git a/packages/backend/src/server/api/EndpointsModule.ts b/packages/backend/src/server/api/EndpointsModule.ts
index 08a0468ab2..3557fa40a5 100644
--- a/packages/backend/src/server/api/EndpointsModule.ts
+++ b/packages/backend/src/server/api/EndpointsModule.ts
@@ -68,6 +68,8 @@ import * as ep___admin_relays_list from './endpoints/admin/relays/list.js';
 import * as ep___admin_relays_remove from './endpoints/admin/relays/remove.js';
 import * as ep___admin_resetPassword from './endpoints/admin/reset-password.js';
 import * as ep___admin_resolveAbuseUserReport from './endpoints/admin/resolve-abuse-user-report.js';
+import * as ep___admin_forwardAbuseUserReport from './endpoints/admin/forward-abuse-user-report.js';
+import * as ep___admin_updateAbuseUserReport from './endpoints/admin/update-abuse-user-report.js';
 import * as ep___admin_sendEmail from './endpoints/admin/send-email.js';
 import * as ep___admin_serverInfo from './endpoints/admin/server-info.js';
 import * as ep___admin_showModerationLogs from './endpoints/admin/show-moderation-logs.js';
@@ -453,6 +455,8 @@ const $admin_relays_list: Provider = { provide: 'ep:admin/relays/list', useClass
 const $admin_relays_remove: Provider = { provide: 'ep:admin/relays/remove', useClass: ep___admin_relays_remove.default };
 const $admin_resetPassword: Provider = { provide: 'ep:admin/reset-password', useClass: ep___admin_resetPassword.default };
 const $admin_resolveAbuseUserReport: Provider = { provide: 'ep:admin/resolve-abuse-user-report', useClass: ep___admin_resolveAbuseUserReport.default };
+const $admin_forwardAbuseUserReport: Provider = { provide: 'ep:admin/forward-abuse-user-report', useClass: ep___admin_forwardAbuseUserReport.default };
+const $admin_updateAbuseUserReport: Provider = { provide: 'ep:admin/update-abuse-user-report', useClass: ep___admin_updateAbuseUserReport.default };
 const $admin_sendEmail: Provider = { provide: 'ep:admin/send-email', useClass: ep___admin_sendEmail.default };
 const $admin_serverInfo: Provider = { provide: 'ep:admin/server-info', useClass: ep___admin_serverInfo.default };
 const $admin_showModerationLogs: Provider = { provide: 'ep:admin/show-moderation-logs', useClass: ep___admin_showModerationLogs.default };
@@ -842,6 +846,8 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$admin_relays_remove,
 		$admin_resetPassword,
 		$admin_resolveAbuseUserReport,
+		$admin_forwardAbuseUserReport,
+		$admin_updateAbuseUserReport,
 		$admin_sendEmail,
 		$admin_serverInfo,
 		$admin_showModerationLogs,
@@ -1225,6 +1231,8 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$admin_relays_remove,
 		$admin_resetPassword,
 		$admin_resolveAbuseUserReport,
+		$admin_forwardAbuseUserReport,
+		$admin_updateAbuseUserReport,
 		$admin_sendEmail,
 		$admin_serverInfo,
 		$admin_showModerationLogs,
diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
index 2462781f7b..49b07d6ced 100644
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@@ -74,6 +74,8 @@ import * as ep___admin_relays_list from './endpoints/admin/relays/list.js';
 import * as ep___admin_relays_remove from './endpoints/admin/relays/remove.js';
 import * as ep___admin_resetPassword from './endpoints/admin/reset-password.js';
 import * as ep___admin_resolveAbuseUserReport from './endpoints/admin/resolve-abuse-user-report.js';
+import * as ep___admin_forwardAbuseUserReport from './endpoints/admin/forward-abuse-user-report.js';
+import * as ep___admin_updateAbuseUserReport from './endpoints/admin/update-abuse-user-report.js';
 import * as ep___admin_sendEmail from './endpoints/admin/send-email.js';
 import * as ep___admin_serverInfo from './endpoints/admin/server-info.js';
 import * as ep___admin_showModerationLogs from './endpoints/admin/show-moderation-logs.js';
@@ -457,6 +459,8 @@ const eps = [
 	['admin/relays/remove', ep___admin_relays_remove],
 	['admin/reset-password', ep___admin_resetPassword],
 	['admin/resolve-abuse-user-report', ep___admin_resolveAbuseUserReport],
+	['admin/forward-abuse-user-report', ep___admin_forwardAbuseUserReport],
+	['admin/update-abuse-user-report', ep___admin_updateAbuseUserReport],
 	['admin/send-email', ep___admin_sendEmail],
 	['admin/server-info', ep___admin_serverInfo],
 	['admin/show-moderation-logs', ep___admin_showModerationLogs],
diff --git a/packages/backend/src/server/api/endpoints/admin/forward-abuse-user-report.ts b/packages/backend/src/server/api/endpoints/admin/forward-abuse-user-report.ts
new file mode 100644
index 0000000000..3e42c91fed
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/admin/forward-abuse-user-report.ts
@@ -0,0 +1,55 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable } from '@nestjs/common';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import type { AbuseUserReportsRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { ApiError } from '@/server/api/error.js';
+import { AbuseReportService } from '@/core/AbuseReportService.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'write:admin:resolve-abuse-user-report',
+
+	errors: {
+		noSuchAbuseReport: {
+			message: 'No such abuse report.',
+			code: 'NO_SUCH_ABUSE_REPORT',
+			id: '8763e21b-d9bc-40be-acf6-54c1a6986493',
+			kind: 'server',
+			httpStatusCode: 404,
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		reportId: { type: 'string', format: 'misskey:id' },
+	},
+	required: ['reportId'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.abuseUserReportsRepository)
+		private abuseUserReportsRepository: AbuseUserReportsRepository,
+		private abuseReportService: AbuseReportService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const report = await this.abuseUserReportsRepository.findOneBy({ id: ps.reportId });
+			if (!report) {
+				throw new ApiError(meta.errors.noSuchAbuseReport);
+			}
+
+			await this.abuseReportService.forward(report.id, me);
+		});
+	}
+}
diff --git a/packages/backend/src/server/api/endpoints/admin/resolve-abuse-user-report.ts b/packages/backend/src/server/api/endpoints/admin/resolve-abuse-user-report.ts
index 9b79100fcf..554d324ff2 100644
--- a/packages/backend/src/server/api/endpoints/admin/resolve-abuse-user-report.ts
+++ b/packages/backend/src/server/api/endpoints/admin/resolve-abuse-user-report.ts
@@ -32,7 +32,7 @@ export const paramDef = {
 	type: 'object',
 	properties: {
 		reportId: { type: 'string', format: 'misskey:id' },
-		forward: { type: 'boolean', default: false },
+		resolvedAs: { type: 'string', enum: ['accept', 'reject', null], nullable: true },
 	},
 	required: ['reportId'],
 } as const;
@@ -50,7 +50,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new ApiError(meta.errors.noSuchAbuseReport);
 			}
 
-			await this.abuseReportService.resolve([{ reportId: report.id, forward: ps.forward }], me);
+			await this.abuseReportService.resolve([{ reportId: report.id, resolvedAs: ps.resolvedAs ?? null }], me);
 		});
 	}
 }
diff --git a/packages/backend/src/server/api/endpoints/admin/update-abuse-user-report.ts b/packages/backend/src/server/api/endpoints/admin/update-abuse-user-report.ts
new file mode 100644
index 0000000000..73d4b843f0
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/admin/update-abuse-user-report.ts
@@ -0,0 +1,58 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable } from '@nestjs/common';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import type { AbuseUserReportsRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { ApiError } from '@/server/api/error.js';
+import { AbuseReportService } from '@/core/AbuseReportService.js';
+
+export const meta = {
+	tags: ['admin'],
+
+	requireCredential: true,
+	requireModerator: true,
+	kind: 'write:admin:resolve-abuse-user-report',
+
+	errors: {
+		noSuchAbuseReport: {
+			message: 'No such abuse report.',
+			code: 'NO_SUCH_ABUSE_REPORT',
+			id: '15f51cf5-46d1-4b1d-a618-b35bcbed0662',
+			kind: 'server',
+			httpStatusCode: 404,
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		reportId: { type: 'string', format: 'misskey:id' },
+		moderationNote: { type: 'string' },
+	},
+	required: ['reportId'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.abuseUserReportsRepository)
+		private abuseUserReportsRepository: AbuseUserReportsRepository,
+		private abuseReportService: AbuseReportService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const report = await this.abuseUserReportsRepository.findOneBy({ id: ps.reportId });
+			if (!report) {
+				throw new ApiError(meta.errors.noSuchAbuseReport);
+			}
+
+			await this.abuseReportService.update(report.id, {
+				moderationNote: ps.moderationNote,
+			}, me);
+		});
+	}
+}
diff --git a/packages/backend/src/types.ts b/packages/backend/src/types.ts
index 0389143daf..df3cfee171 100644
--- a/packages/backend/src/types.ts
+++ b/packages/backend/src/types.ts
@@ -99,6 +99,8 @@ export const moderationLogTypes = [
 	'markSensitiveDriveFile',
 	'unmarkSensitiveDriveFile',
 	'resolveAbuseReport',
+	'forwardAbuseReport',
+	'updateAbuseReportNote',
 	'createInvitation',
 	'createAd',
 	'updateAd',
@@ -267,7 +269,18 @@ export type ModerationLogPayloads = {
 	resolveAbuseReport: {
 		reportId: string;
 		report: any;
-		forwarded: boolean;
+		forwarded?: boolean;
+		resolvedAs?: string | null;
+	};
+	forwardAbuseReport: {
+		reportId: string;
+		report: any;
+	};
+	updateAbuseReportNote: {
+		reportId: string;
+		report: any;
+		before: string;
+		after: string;
 	};
 	createInvitation: {
 		invitations: any[];
diff --git a/packages/backend/test/e2e/synalio/abuse-report.ts b/packages/backend/test/e2e/synalio/abuse-report.ts
index 6ce6e47781..c98d199f35 100644
--- a/packages/backend/test/e2e/synalio/abuse-report.ts
+++ b/packages/backend/test/e2e/synalio/abuse-report.ts
@@ -157,7 +157,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: webhookBody1.body.id,
-					forward: false,
 				}, admin);
 			});
 
@@ -214,7 +213,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: abuseReportId,
-					forward: false,
 				}, admin);
 			});
 
@@ -257,7 +255,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: webhookBody1.body.id,
-					forward: false,
 				}, admin);
 			}).catch(e => e.message);
 
@@ -288,7 +285,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: abuseReportId,
-					forward: false,
 				}, admin);
 			}).catch(e => e.message);
 
@@ -319,7 +315,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: abuseReportId,
-					forward: false,
 				}, admin);
 			}).catch(e => e.message);
 
@@ -350,7 +345,6 @@ describe('[シナリオ] ユーザ通報', () => {
 			const webhookBody2 = await captureWebhook(async () => {
 				await resolveAbuseReport({
 					reportId: abuseReportId,
-					forward: false,
 				}, admin);
 			}).catch(e => e.message);
 
diff --git a/packages/frontend/src/components/MkAbuseReport.vue b/packages/frontend/src/components/MkAbuseReport.vue
index c9c629046e..2f0e09fc4b 100644
--- a/packages/frontend/src/components/MkAbuseReport.vue
+++ b/packages/frontend/src/components/MkAbuseReport.vue
@@ -6,26 +6,33 @@ SPDX-License-Identifier: AGPL-3.0-only
 <template>
 <MkFolder>
 	<template #icon>
-		<i v-if="report.resolved" class="ti ti-check" style="color: var(--success)"></i>
+		<i v-if="report.resolved && report.resolvedAs === 'accept'" class="ti ti-check" style="color: var(--success)"></i>
+		<i v-else-if="report.resolved && report.resolvedAs === 'reject'" class="ti ti-x" style="color: var(--error)"></i>
+		<i v-else-if="report.resolved" class="ti ti-slash"></i>
 		<i v-else class="ti ti-exclamation-circle" style="color: var(--warn)"></i>
 	</template>
 	<template #label><MkAcct :user="report.targetUser"/> (by <MkAcct :user="report.reporter"/>)</template>
 	<template #caption>{{ report.comment }}</template>
 	<template #suffix><MkTime :time="report.createdAt"/></template>
-	<template v-if="!report.resolved" #footer>
+	<template #footer>
 		<div class="_buttons">
-			<MkButton primary @click="resolve">{{ i18n.ts.abuseMarkAsResolved }}</MkButton>
-			<template v-if="report.targetUser.host == null || report.resolved">
-				<MkButton primary @click="resolveAndForward">{{ i18n.ts.forwardReport }}</MkButton>
-				<div v-tooltip:dialog="i18n.ts.forwardReportIsAnonymous" class="_button _help"><i class="ti ti-help-circle"></i></div>
+			<template v-if="!report.resolved">
+				<MkButton @click="resolve('accept')"><i class="ti ti-check" style="color: var(--success)"></i> {{ i18n.ts._abuseUserReport.resolve }} ({{ i18n.ts._abuseUserReport.accept }})</MkButton>
+				<MkButton @click="resolve('reject')"><i class="ti ti-x" style="color: var(--error)"></i> {{ i18n.ts._abuseUserReport.resolve }} ({{ i18n.ts._abuseUserReport.reject }})</MkButton>
+				<MkButton @click="resolve(null)"><i class="ti ti-slash"></i> {{ i18n.ts._abuseUserReport.resolve }} ({{ i18n.ts.other }})</MkButton>
 			</template>
+			<template v-if="report.targetUser.host == null">
+				<MkButton :disabled="report.forwarded" primary @click="forward"><i class="ti ti-corner-up-right"></i> {{ i18n.ts._abuseUserReport.forward }}</MkButton>
+				<div v-tooltip:dialog="i18n.ts._abuseUserReport.forwardDescription" class="_button _help"><i class="ti ti-help-circle"></i></div>
+			</template>
+			<button class="_button" style="margin-left: auto; width: 34px;" @click="showMenu"><i class="ti ti-dots"></i></button>
 		</div>
 	</template>
 
 	<div :class="$style.root" class="_gaps_s">
 		<MkFolder :withSpacer="false">
 			<template #icon><MkAvatar :user="report.targetUser" style="width: 18px; height: 18px;"/></template>
-			<template #label>Target: <MkAcct :user="report.targetUser"/></template>
+			<template #label>{{ i18n.ts.target }}: <MkAcct :user="report.targetUser"/></template>
 			<template #suffix>#{{ report.targetUserId.toUpperCase() }}</template>
 
 			<div style="container-type: inline-size;">
@@ -36,7 +43,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 		<MkFolder :defaultOpen="true">
 			<template #icon><i class="ti ti-message-2"></i></template>
 			<template #label>{{ i18n.ts.details }}</template>
-			<div>
+			<div class="_gaps_s">
 				<Mfm :text="report.comment" :linkNavigationBehavior="'window'"/>
 			</div>
 		</MkFolder>
@@ -51,6 +58,17 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</div>
 		</MkFolder>
 
+		<MkFolder :defaultOpen="false">
+			<template #icon><i class="ti ti-message-2"></i></template>
+			<template #label>{{ i18n.ts.moderationNote }}</template>
+			<template #suffix>{{ moderationNote.length > 0 ? '...' : i18n.ts.none }}</template>
+			<div class="_gaps_s">
+				<MkTextarea v-model="moderationNote" manualSave>
+					<template #caption>{{ i18n.ts.moderationNoteDescription }}</template>
+				</MkTextarea>
+			</div>
+		</MkFolder>
+
 		<div v-if="report.assignee">
 			{{ i18n.ts.moderator }}:
 			<MkAcct :user="report.assignee"/>
@@ -60,7 +78,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 </template>
 
 <script lang="ts" setup>
-import { provide, ref } from 'vue';
+import { provide, ref, watch } from 'vue';
 import * as Misskey from 'misskey-js';
 import MkButton from '@/components/MkButton.vue';
 import MkSwitch from '@/components/MkSwitch.vue';
@@ -71,6 +89,8 @@ import { dateString } from '@/filters/date.js';
 import MkFolder from '@/components/MkFolder.vue';
 import RouterView from '@/components/global/RouterView.vue';
 import { useRouterFactory } from '@/router/supplier';
+import MkTextarea from '@/components/MkTextarea.vue';
+import { copyToClipboard } from '@/scripts/copy-to-clipboard.js';
 
 const props = defineProps<{
 	report: Misskey.entities.AdminAbuseUserReportsResponse[number];
@@ -86,22 +106,48 @@ targetRouter.init();
 const reporterRouter = routerFactory(`/admin/user/${props.report.reporterId}`);
 reporterRouter.init();
 
-function resolve() {
+const moderationNote = ref(props.report.moderationNote ?? '');
+
+watch(moderationNote, async () => {
+	os.apiWithDialog('admin/update-abuse-user-report', {
+		reportId: props.report.id,
+		moderationNote: moderationNote.value,
+	}).then(() => {
+	});
+});
+
+function resolve(resolvedAs) {
 	os.apiWithDialog('admin/resolve-abuse-user-report', {
 		reportId: props.report.id,
+		resolvedAs,
 	}).then(() => {
 		emit('resolved', props.report.id);
 	});
 }
 
-function resolveAndForward() {
-	os.apiWithDialog('admin/resolve-abuse-user-report', {
-		forward: true,
+function forward() {
+	os.apiWithDialog('admin/forward-abuse-user-report', {
 		reportId: props.report.id,
 	}).then(() => {
-		emit('resolved', props.report.id);
+
 	});
 }
+
+function showMenu(ev: MouseEvent) {
+	os.popupMenu([{
+		icon: 'ti ti-id',
+		text: 'Copy ID',
+		action: () => {
+			copyToClipboard(props.report.id);
+		},
+	}, {
+		icon: 'ti ti-json',
+		text: 'Copy JSON',
+		action: () => {
+			copyToClipboard(JSON.stringify(props.report, null, '\t'));
+		},
+	}], ev.currentTarget ?? ev.target);
+}
 </script>
 
 <style lang="scss" module>
diff --git a/packages/frontend/src/pages/admin-user.vue b/packages/frontend/src/pages/admin-user.vue
index d40d1eee58..033634396e 100644
--- a/packages/frontend/src/pages/admin-user.vue
+++ b/packages/frontend/src/pages/admin-user.vue
@@ -53,6 +53,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 				<MkTextarea v-model="moderationNote" manualSave>
 					<template #label>{{ i18n.ts.moderationNote }}</template>
+					<template #caption>{{ i18n.ts.moderationNoteDescription }}</template>
 				</MkTextarea>
 
 				<!--
@@ -205,6 +206,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { computed, defineAsyncComponent, watch, ref } from 'vue';
 import * as Misskey from 'misskey-js';
+import { url } from '@@/js/config.js';
 import MkChart from '@/components/MkChart.vue';
 import MkObjectView from '@/components/MkObjectView.vue';
 import MkTextarea from '@/components/MkTextarea.vue';
@@ -220,7 +222,6 @@ import MkFileListForAdmin from '@/components/MkFileListForAdmin.vue';
 import MkInfo from '@/components/MkInfo.vue';
 import * as os from '@/os.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
-import { url } from '@@/js/config.js';
 import { acct } from '@/filters/user.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
 import { i18n } from '@/i18n.js';
diff --git a/packages/frontend/src/pages/admin/abuses.vue b/packages/frontend/src/pages/admin/abuses.vue
index 33021ae025..22173bb888 100644
--- a/packages/frontend/src/pages/admin/abuses.vue
+++ b/packages/frontend/src/pages/admin/abuses.vue
@@ -12,6 +12,10 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<MkButton link to="/admin/abuse-report-notification-recipient" primary>{{ i18n.ts.notificationSetting }}</MkButton>
 			</div>
 
+			<MkInfo v-if="!defaultStore.reactiveState.abusesTutorial.value" closable @close="closeTutorial()">
+				{{ i18n.ts._abuseUserReport.resolveTutorial }}
+			</MkInfo>
+
 			<div :class="$style.inputs" class="_gaps">
 				<MkSelect v-model="state" style="margin: 0; flex: 1;">
 					<template #label>{{ i18n.ts.state }}</template>
@@ -56,7 +60,6 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <script lang="ts" setup>
 import { computed, shallowRef, ref } from 'vue';
-
 import XHeader from './_header_.vue';
 import MkSelect from '@/components/MkSelect.vue';
 import MkPagination from '@/components/MkPagination.vue';
@@ -64,6 +67,8 @@ import XAbuseReport from '@/components/MkAbuseReport.vue';
 import { i18n } from '@/i18n.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
 import MkButton from '@/components/MkButton.vue';
+import MkInfo from '@/components/MkInfo.vue';
+import { defaultStore } from '@/store.js';
 
 const reports = shallowRef<InstanceType<typeof MkPagination>>();
 
@@ -87,6 +92,10 @@ function resolved(reportId) {
 	reports.value?.removeItem(reportId);
 }
 
+function closeTutorial() {
+	defaultStore.set('abusesTutorial', false);
+}
+
 const headerActions = computed(() => []);
 
 const headerTabs = computed(() => []);
diff --git a/packages/frontend/src/pages/admin/modlog.ModLog.vue b/packages/frontend/src/pages/admin/modlog.ModLog.vue
index 64d7f25845..6cf95e936e 100644
--- a/packages/frontend/src/pages/admin/modlog.ModLog.vue
+++ b/packages/frontend/src/pages/admin/modlog.ModLog.vue
@@ -165,6 +165,11 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<CodeDiff :context="5" :hideHeader="true" :oldString="JSON5.stringify(log.info.before, null, '\t')" :newString="JSON5.stringify(log.info.after, null, '\t')" language="javascript" maxHeight="300px"/>
 			</div>
 		</template>
+		<template v-else-if="log.type === 'updateAbuseReportNote'">
+			<div :class="$style.diff">
+				<CodeDiff :context="5" :hideHeader="true" :oldString="log.info.before ?? ''" :newString="log.info.after ?? ''" maxHeight="300px"/>
+			</div>
+		</template>
 
 		<details>
 			<summary>raw</summary>
diff --git a/packages/frontend/src/pages/instance-info.vue b/packages/frontend/src/pages/instance-info.vue
index c69530b343..6cec3f9d45 100644
--- a/packages/frontend/src/pages/instance-info.vue
+++ b/packages/frontend/src/pages/instance-info.vue
@@ -51,6 +51,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 						<MkButton @click="refreshMetadata"><i class="ti ti-refresh"></i> Refresh metadata</MkButton>
 						<MkTextarea v-model="moderationNote" manualSave>
 							<template #label>{{ i18n.ts.moderationNote }}</template>
+							<template #caption>{{ i18n.ts.moderationNoteDescription }}</template>
 						</MkTextarea>
 					</div>
 				</FormSection>
diff --git a/packages/frontend/src/pages/user/home.vue b/packages/frontend/src/pages/user/home.vue
index 93af534a9b..79091e584e 100644
--- a/packages/frontend/src/pages/user/home.vue
+++ b/packages/frontend/src/pages/user/home.vue
@@ -64,6 +64,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 					<div v-if="iAmModerator" class="moderationNote">
 						<MkTextarea v-if="editModerationNote || (moderationNote != null && moderationNote !== '')" v-model="moderationNote" manualSave>
 							<template #label>{{ i18n.ts.moderationNote }}</template>
+							<template #caption>{{ i18n.ts.moderationNoteDescription }}</template>
 						</MkTextarea>
 						<div v-else>
 							<MkButton small @click="editModerationNote = true">{{ i18n.ts.addModerationNote }}</MkButton>
@@ -159,6 +160,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { defineAsyncComponent, computed, onMounted, onUnmounted, nextTick, watch, ref } from 'vue';
 import * as Misskey from 'misskey-js';
+import { getScrollPosition } from '@@/js/scroll.js';
 import MkNote from '@/components/MkNote.vue';
 import MkFollowButton from '@/components/MkFollowButton.vue';
 import MkAccountMoved from '@/components/MkAccountMoved.vue';
@@ -168,7 +170,6 @@ import MkTextarea from '@/components/MkTextarea.vue';
 import MkOmit from '@/components/MkOmit.vue';
 import MkInfo from '@/components/MkInfo.vue';
 import MkButton from '@/components/MkButton.vue';
-import { getScrollPosition } from '@@/js/scroll.js';
 import { getUserMenu } from '@/scripts/get-user-menu.js';
 import number from '@/filters/number.js';
 import { userPage } from '@/filters/user.js';
diff --git a/packages/frontend/src/store.ts b/packages/frontend/src/store.ts
index 1ddcca5afe..9254e71c5c 100644
--- a/packages/frontend/src/store.ts
+++ b/packages/frontend/src/store.ts
@@ -78,6 +78,10 @@ export const defaultStore = markRaw(new Storage('base', {
 			global: false,
 		},
 	},
+	abusesTutorial: {
+		where: 'account',
+		default: false,
+	},
 	keepCw: {
 		where: 'account',
 		default: true,
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index de52be3a61..1da8e4e613 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -213,6 +213,9 @@ type AdminFederationRemoveAllFollowingRequest = operations['admin___federation__
 // @public (undocumented)
 type AdminFederationUpdateInstanceRequest = operations['admin___federation___update-instance']['requestBody']['content']['application/json'];
 
+// @public (undocumented)
+type AdminForwardAbuseUserReportRequest = operations['admin___forward-abuse-user-report']['requestBody']['content']['application/json'];
+
 // @public (undocumented)
 type AdminGetIndexStatsResponse = operations['admin___get-index-stats']['responses']['200']['content']['application/json'];
 
@@ -378,6 +381,9 @@ type AdminUnsetUserBannerRequest = operations['admin___unset-user-banner']['requ
 // @public (undocumented)
 type AdminUnsuspendUserRequest = operations['admin___unsuspend-user']['requestBody']['content']['application/json'];
 
+// @public (undocumented)
+type AdminUpdateAbuseUserReportRequest = operations['admin___update-abuse-user-report']['requestBody']['content']['application/json'];
+
 // @public (undocumented)
 type AdminUpdateMetaRequest = operations['admin___update-meta']['requestBody']['content']['application/json'];
 
@@ -1298,6 +1304,8 @@ declare namespace entities {
         AdminResetPasswordRequest,
         AdminResetPasswordResponse,
         AdminResolveAbuseUserReportRequest,
+        AdminForwardAbuseUserReportRequest,
+        AdminUpdateAbuseUserReportRequest,
         AdminSendEmailRequest,
         AdminServerInfoResponse,
         AdminShowModerationLogsRequest,
@@ -2546,6 +2554,12 @@ type ModerationLog = {
 } | {
     type: 'resolveAbuseReport';
     info: ModerationLogPayloads['resolveAbuseReport'];
+} | {
+    type: 'forwardAbuseReport';
+    info: ModerationLogPayloads['forwardAbuseReport'];
+} | {
+    type: 'updateAbuseReportNote';
+    info: ModerationLogPayloads['updateAbuseReportNote'];
 } | {
     type: 'unsetUserAvatar';
     info: ModerationLogPayloads['unsetUserAvatar'];
@@ -2585,7 +2599,7 @@ type ModerationLog = {
 });
 
 // @public (undocumented)
-export const moderationLogTypes: readonly ["updateServerSettings", "suspend", "unsuspend", "updateUserNote", "addCustomEmoji", "updateCustomEmoji", "deleteCustomEmoji", "assignRole", "unassignRole", "createRole", "updateRole", "deleteRole", "clearQueue", "promoteQueue", "deleteDriveFile", "deleteNote", "createGlobalAnnouncement", "createUserAnnouncement", "updateGlobalAnnouncement", "updateUserAnnouncement", "deleteGlobalAnnouncement", "deleteUserAnnouncement", "resetPassword", "suspendRemoteInstance", "unsuspendRemoteInstance", "updateRemoteInstanceNote", "markSensitiveDriveFile", "unmarkSensitiveDriveFile", "resolveAbuseReport", "createInvitation", "createAd", "updateAd", "deleteAd", "createAvatarDecoration", "updateAvatarDecoration", "deleteAvatarDecoration", "unsetUserAvatar", "unsetUserBanner", "createSystemWebhook", "updateSystemWebhook", "deleteSystemWebhook", "createAbuseReportNotificationRecipient", "updateAbuseReportNotificationRecipient", "deleteAbuseReportNotificationRecipient", "deleteAccount", "deletePage", "deleteFlash", "deleteGalleryPost"];
+export const moderationLogTypes: readonly ["updateServerSettings", "suspend", "unsuspend", "updateUserNote", "addCustomEmoji", "updateCustomEmoji", "deleteCustomEmoji", "assignRole", "unassignRole", "createRole", "updateRole", "deleteRole", "clearQueue", "promoteQueue", "deleteDriveFile", "deleteNote", "createGlobalAnnouncement", "createUserAnnouncement", "updateGlobalAnnouncement", "updateUserAnnouncement", "deleteGlobalAnnouncement", "deleteUserAnnouncement", "resetPassword", "suspendRemoteInstance", "unsuspendRemoteInstance", "updateRemoteInstanceNote", "markSensitiveDriveFile", "unmarkSensitiveDriveFile", "resolveAbuseReport", "forwardAbuseReport", "updateAbuseReportNote", "createInvitation", "createAd", "updateAd", "deleteAd", "createAvatarDecoration", "updateAvatarDecoration", "deleteAvatarDecoration", "unsetUserAvatar", "unsetUserBanner", "createSystemWebhook", "updateSystemWebhook", "deleteSystemWebhook", "createAbuseReportNotificationRecipient", "updateAbuseReportNotificationRecipient", "deleteAbuseReportNotificationRecipient", "deleteAccount", "deletePage", "deleteFlash", "deleteGalleryPost"];
 
 // @public (undocumented)
 type MuteCreateRequest = operations['mute___create']['requestBody']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/apiClientJSDoc.ts b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
index 1d96196d1c..e2c7cbba52 100644
--- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts
+++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
@@ -691,6 +691,28 @@ declare module '../api.js' {
       credential?: string | null,
     ): Promise<SwitchCaseResponseType<E, P>>;
 
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+     */
+    request<E extends 'admin/forward-abuse-user-report', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+     */
+    request<E extends 'admin/update-abuse-user-report', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
     /**
      * No description provided.
      * 
diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts
index bf61c20628..d0367d8496 100644
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@@ -83,6 +83,8 @@ import type {
 	AdminResetPasswordRequest,
 	AdminResetPasswordResponse,
 	AdminResolveAbuseUserReportRequest,
+	AdminForwardAbuseUserReportRequest,
+	AdminUpdateAbuseUserReportRequest,
 	AdminSendEmailRequest,
 	AdminServerInfoResponse,
 	AdminShowModerationLogsRequest,
@@ -639,6 +641,8 @@ export type Endpoints = {
 	'admin/relays/remove': { req: AdminRelaysRemoveRequest; res: EmptyResponse };
 	'admin/reset-password': { req: AdminResetPasswordRequest; res: AdminResetPasswordResponse };
 	'admin/resolve-abuse-user-report': { req: AdminResolveAbuseUserReportRequest; res: EmptyResponse };
+	'admin/forward-abuse-user-report': { req: AdminForwardAbuseUserReportRequest; res: EmptyResponse };
+	'admin/update-abuse-user-report': { req: AdminUpdateAbuseUserReportRequest; res: EmptyResponse };
 	'admin/send-email': { req: AdminSendEmailRequest; res: EmptyResponse };
 	'admin/server-info': { req: EmptyRequest; res: AdminServerInfoResponse };
 	'admin/show-moderation-logs': { req: AdminShowModerationLogsRequest; res: AdminShowModerationLogsResponse };
diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts
index 72c7c35ed4..ced87c4c7e 100644
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@@ -86,6 +86,8 @@ export type AdminRelaysRemoveRequest = operations['admin___relays___remove']['re
 export type AdminResetPasswordRequest = operations['admin___reset-password']['requestBody']['content']['application/json'];
 export type AdminResetPasswordResponse = operations['admin___reset-password']['responses']['200']['content']['application/json'];
 export type AdminResolveAbuseUserReportRequest = operations['admin___resolve-abuse-user-report']['requestBody']['content']['application/json'];
+export type AdminForwardAbuseUserReportRequest = operations['admin___forward-abuse-user-report']['requestBody']['content']['application/json'];
+export type AdminUpdateAbuseUserReportRequest = operations['admin___update-abuse-user-report']['requestBody']['content']['application/json'];
 export type AdminSendEmailRequest = operations['admin___send-email']['requestBody']['content']['application/json'];
 export type AdminServerInfoResponse = operations['admin___server-info']['responses']['200']['content']['application/json'];
 export type AdminShowModerationLogsRequest = operations['admin___show-moderation-logs']['requestBody']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 0938973481..43f18bb680 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -576,6 +576,24 @@ export type paths = {
      */
     post: operations['admin___resolve-abuse-user-report'];
   };
+  '/admin/forward-abuse-user-report': {
+    /**
+     * admin/forward-abuse-user-report
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+     */
+    post: operations['admin___forward-abuse-user-report'];
+  };
+  '/admin/update-abuse-user-report': {
+    /**
+     * admin/update-abuse-user-report
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+     */
+    post: operations['admin___update-abuse-user-report'];
+  };
   '/admin/send-email': {
     /**
      * admin/send-email
@@ -8693,8 +8711,113 @@ export type operations = {
         'application/json': {
           /** Format: misskey:id */
           reportId: string;
-          /** @default false */
-          forward?: boolean;
+          /** @enum {string|null} */
+          resolvedAs?: 'accept' | 'reject' | null;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * admin/forward-abuse-user-report
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+   */
+  'admin___forward-abuse-user-report': {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** Format: misskey:id */
+          reportId: string;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * admin/update-abuse-user-report
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:admin:resolve-abuse-user-report*
+   */
+  'admin___update-abuse-user-report': {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** Format: misskey:id */
+          reportId: string;
+          moderationNote?: string;
         };
       };
     };
diff --git a/packages/misskey-js/src/consts.ts b/packages/misskey-js/src/consts.ts
index b4fbcffa97..c5911a70eb 100644
--- a/packages/misskey-js/src/consts.ts
+++ b/packages/misskey-js/src/consts.ts
@@ -142,6 +142,8 @@ export const moderationLogTypes = [
 	'markSensitiveDriveFile',
 	'unmarkSensitiveDriveFile',
 	'resolveAbuseReport',
+	'forwardAbuseReport',
+	'updateAbuseReportNote',
 	'createInvitation',
 	'createAd',
 	'updateAd',
@@ -330,7 +332,18 @@ export type ModerationLogPayloads = {
 	resolveAbuseReport: {
 		reportId: string;
 		report: ReceivedAbuseReport;
-		forwarded: boolean;
+		forwarded?: boolean;
+		resolvedAs?: string | null;
+	};
+	forwardAbuseReport: {
+		reportId: string;
+		report: ReceivedAbuseReport;
+	};
+	updateAbuseReportNote: {
+		reportId: string;
+		report: ReceivedAbuseReport;
+		before: string;
+		after: string;
 	};
 	createInvitation: {
 		invitations: InviteCode[];
diff --git a/packages/misskey-js/src/entities.ts b/packages/misskey-js/src/entities.ts
index 8bbc9c113b..2ffee40fba 100644
--- a/packages/misskey-js/src/entities.ts
+++ b/packages/misskey-js/src/entities.ts
@@ -153,6 +153,12 @@ export type ModerationLog = {
 } | {
 	type: 'resolveAbuseReport';
 	info: ModerationLogPayloads['resolveAbuseReport'];
+} | {
+	type: 'forwardAbuseReport';
+	info: ModerationLogPayloads['forwardAbuseReport'];
+} | {
+	type: 'updateAbuseReportNote';
+	info: ModerationLogPayloads['updateAbuseReportNote'];
 } | {
 	type: 'unsetUserAvatar';
 	info: ModerationLogPayloads['unsetUserAvatar'];
-- 
cgit v1.2.3-freya


From ddf8e2a3dc61e0dc7b3ffe12e767d41a5b7c4526 Mon Sep 17 00:00:00 2001
From: zyoshoka <107108195+zyoshoka@users.noreply.github.com>
Date: Sat, 5 Oct 2024 18:35:37 +0900
Subject: fix(backend): correct `admin/abuse-user-reports` schema (#14711)

* fix(backend): correct `abuse-user-reports` schema

* Update CHANGELOG.md
---
 CHANGELOG.md                                             |  1 +
 .../src/server/api/endpoints/admin/abuse-user-reports.ts | 16 ++++++++++++++--
 packages/misskey-js/src/autogen/types.ts                 |  8 +++++---
 3 files changed, 20 insertions(+), 5 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3fd1b7f899..85f5da28dd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -26,6 +26,7 @@
 - Enhance: セキュリティ向上のため、ログイン時にメール通知を行うように
 - Enhance: 自分とモデレーター以外のユーザーから二要素認証関連のデータが取得できないように
 - Enhance: 通報および通報解決時に送出されるSystemWebhookにユーザ情報を含めるように ( #14697 )
+- Fix: `admin/abuse-user-reports`エンドポイントのスキーマが間違っていた問題を修正
 
 ## 2024.9.0
 
diff --git a/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts b/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts
index cf3f257ca6..0dbfaae054 100644
--- a/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts
+++ b/packages/backend/src/server/api/endpoints/admin/abuse-user-reports.ts
@@ -71,9 +71,22 @@ export const meta = {
 				},
 				assignee: {
 					type: 'object',
-					nullable: true, optional: true,
+					nullable: true, optional: false,
 					ref: 'UserDetailedNotMe',
 				},
+				forwarded: {
+					type: 'boolean',
+					nullable: false, optional: false,
+				},
+				resolvedAs: {
+					type: 'string',
+					nullable: true, optional: false,
+					enum: ['accept', 'reject', null],
+				},
+				moderationNote: {
+					type: 'string',
+					nullable: false, optional: false,
+				},
 			},
 		},
 	},
@@ -88,7 +101,6 @@ export const paramDef = {
 		state: { type: 'string', nullable: true, default: null },
 		reporterOrigin: { type: 'string', enum: ['combined', 'local', 'remote'], default: 'combined' },
 		targetUserOrigin: { type: 'string', enum: ['combined', 'local', 'remote'], default: 'combined' },
-		forwarded: { type: 'boolean', default: false },
 	},
 	required: [],
 } as const;
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 43f18bb680..76ef7ea1fb 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -5270,8 +5270,6 @@ export type operations = {
            * @enum {string}
            */
           targetUserOrigin?: 'combined' | 'local' | 'remote';
-          /** @default false */
-          forwarded?: boolean;
         };
       };
     };
@@ -5298,7 +5296,11 @@ export type operations = {
               assigneeId: string | null;
               reporter: components['schemas']['UserDetailedNotMe'];
               targetUser: components['schemas']['UserDetailedNotMe'];
-              assignee?: components['schemas']['UserDetailedNotMe'] | null;
+              assignee: components['schemas']['UserDetailedNotMe'] | null;
+              forwarded: boolean;
+              /** @enum {string|null} */
+              resolvedAs: 'accept' | 'reject' | null;
+              moderationNote: string;
             })[];
         };
       };
-- 
cgit v1.2.3-freya


From 12bc671511f301598d57635a7125157b963a1973 Mon Sep 17 00:00:00 2001
From: FineArchs <133759614+FineArchs@users.noreply.github.com>
Date: Fri, 11 Oct 2024 17:17:45 +0900
Subject: fix: admin/emoji/update で不正なエラーが発生する (#14750)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix emoji updating bug

* update changelog

* type fix

* " -> '

* conprehensiveness check

* lint

* undefined -> null
---
 CHANGELOG.md                                       |  3 ++
 packages/backend/src/core/CustomEmojiService.ts    | 29 ++++++++++++++-----
 .../src/server/api/endpoints/admin/emoji/update.ts | 33 ++++++++++------------
 3 files changed, 40 insertions(+), 25 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee37bb3c6f..b449a1b91e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@
 - Enhance: l10nの更新
 - Fix: メールアドレス不要でCaptchaが有効な場合にアカウント登録完了後自動でのログインに失敗する問題を修正
 
+### Server
+- Fix: `admin/emoji/update`エンドポイントのidのみ指定した時不正なエラーが発生するバグを修正
+
 ## 2024.10.0
 
 ### Note
diff --git a/packages/backend/src/core/CustomEmojiService.ts b/packages/backend/src/core/CustomEmojiService.ts
index 5db3c5b980..4566113449 100644
--- a/packages/backend/src/core/CustomEmojiService.ts
+++ b/packages/backend/src/core/CustomEmojiService.ts
@@ -103,19 +103,33 @@ export class CustomEmojiService implements OnApplicationShutdown {
 	}
 
 	@bindThis
-	public async update(id: MiEmoji['id'], data: {
+	public async update(data: (
+		{ id: MiEmoji['id'], name?: string; } | { name: string; id?: MiEmoji['id'], }
+	) & {
 		driveFile?: MiDriveFile;
-		name?: string;
 		category?: string | null;
 		aliases?: string[];
 		license?: string | null;
 		isSensitive?: boolean;
 		localOnly?: boolean;
 		roleIdsThatCanBeUsedThisEmojiAsReaction?: MiRole['id'][];
-	}, moderator?: MiUser): Promise<void> {
-		const emoji = await this.emojisRepository.findOneByOrFail({ id: id });
-		const sameNameEmoji = await this.emojisRepository.findOneBy({ name: data.name, host: IsNull() });
-		if (sameNameEmoji != null && sameNameEmoji.id !== id) throw new Error('name already exists');
+	}, moderator?: MiUser): Promise<
+		null
+		| 'NO_SUCH_EMOJI'
+		| 'SAME_NAME_EMOJI_EXISTS'
+	> {
+		const emoji = data.id
+			? await this.getEmojiById(data.id)
+			: await this.getEmojiByName(data.name!);
+		if (emoji === null) return 'NO_SUCH_EMOJI';
+		const id = emoji.id;
+
+		// IDと絵文字名が両方指定されている場合は絵文字名の変更を行うため重複チェックが必要
+		const doNameUpdate = data.id && data.name && (data.name !== emoji.name);
+		if (doNameUpdate) {
+			const isDuplicate = await this.checkDuplicate(data.name!);
+			if (isDuplicate) return 'SAME_NAME_EMOJI_EXISTS';
+		}
 
 		await this.emojisRepository.update(emoji.id, {
 			updatedAt: new Date(),
@@ -135,7 +149,7 @@ export class CustomEmojiService implements OnApplicationShutdown {
 
 		const packed = await this.emojiEntityService.packDetailed(emoji.id);
 
-		if (emoji.name === data.name) {
+		if (!doNameUpdate) {
 			this.globalEventService.publishBroadcastStream('emojiUpdated', {
 				emojis: [packed],
 			});
@@ -157,6 +171,7 @@ export class CustomEmojiService implements OnApplicationShutdown {
 				after: updated,
 			});
 		}
+		return null;
 	}
 
 	@bindThis
diff --git a/packages/backend/src/server/api/endpoints/admin/emoji/update.ts b/packages/backend/src/server/api/endpoints/admin/emoji/update.ts
index 22609a16a3..212cba5c5d 100644
--- a/packages/backend/src/server/api/endpoints/admin/emoji/update.ts
+++ b/packages/backend/src/server/api/endpoints/admin/emoji/update.ts
@@ -6,7 +6,7 @@
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { CustomEmojiService } from '@/core/CustomEmojiService.js';
-import type { DriveFilesRepository } from '@/models/_.js';
+import type { DriveFilesRepository, MiEmoji } from '@/models/_.js';
 import { DI } from '@/di-symbols.js';
 import { ApiError } from '../../../error.js';
 
@@ -78,25 +78,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				if (driveFile == null) throw new ApiError(meta.errors.noSuchFile);
 			}
 
-			let emojiId;
-			if (ps.id) {
-				emojiId = ps.id;
-				const emoji = await this.customEmojiService.getEmojiById(ps.id);
-				if (!emoji) throw new ApiError(meta.errors.noSuchEmoji);
-				if (ps.name && (ps.name !== emoji.name)) {
-					const isDuplicate = await this.customEmojiService.checkDuplicate(ps.name);
-					if (isDuplicate) throw new ApiError(meta.errors.sameNameEmojiExists);
-				}
-			} else {
-				if (!ps.name) throw new Error('Invalid Params unexpectedly passed. This is a BUG. Please report it to the development team.');
-				const emoji = await this.customEmojiService.getEmojiByName(ps.name);
-				if (!emoji) throw new ApiError(meta.errors.noSuchEmoji);
-				emojiId = emoji.id;
-			}
+			// JSON schemeのanyOfの型変換がうまくいっていないらしい
+			const required = { id: ps.id, name: ps.name } as 
+				| { id: MiEmoji['id']; name?: string }
+				| { id?: MiEmoji['id']; name: string };
 
-			await this.customEmojiService.update(emojiId, {
+			const error = await this.customEmojiService.update({
+				...required,
 				driveFile,
-				name: ps.name,
 				category: ps.category,
 				aliases: ps.aliases,
 				license: ps.license,
@@ -104,6 +93,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				localOnly: ps.localOnly,
 				roleIdsThatCanBeUsedThisEmojiAsReaction: ps.roleIdsThatCanBeUsedThisEmojiAsReaction,
 			}, me);
+
+			switch (error) {
+				case null: return;
+				case 'NO_SUCH_EMOJI': throw new ApiError(meta.errors.noSuchEmoji);
+				case 'SAME_NAME_EMOJI_EXISTS': throw new ApiError(meta.errors.sameNameEmojiExists);
+			}
+			// 網羅性チェック
+			const mustBeNever: never = error;
 		});
 	}
 }
-- 
cgit v1.2.3-freya


From a2cd6a7709ffacfabb738deac22cb0fd1eb7d493 Mon Sep 17 00:00:00 2001
From: おさむのひと <46447427+samunohito@users.noreply.github.com>
Date: Fri, 11 Oct 2024 20:59:36 +0900
Subject: feat(backend):
 7日間運営のアクティビティがないサーバを自動的に招待制にする (#14746)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(backend): 7日間運営のアクティビティがないサーバを自動的に招待制にする

* fix RoleService.

* fix

* fix

* fix

* add test and fix

* fix

* fix CHANGELOG.md

* fix test
---
 CHANGELOG.md                                       |   5 +
 .../src/core/AbuseReportNotificationService.ts     |  10 +-
 packages/backend/src/core/QueueService.ts          |   7 +
 packages/backend/src/core/RoleService.ts           |  77 +++++--
 packages/backend/src/queue/QueueProcessorModule.ts |   3 +
 .../backend/src/queue/QueueProcessorService.ts     |   3 +
 .../CheckModeratorsActivityProcessorService.ts     | 127 +++++++++++
 .../src/server/api/endpoints/admin/show-users.ts   |   4 +-
 packages/backend/test/unit/RoleService.ts          | 150 +++++++++++--
 .../CheckModeratorsActivityProcessorService.ts     | 235 +++++++++++++++++++++
 10 files changed, 576 insertions(+), 45 deletions(-)
 create mode 100644 packages/backend/src/queue/processors/CheckModeratorsActivityProcessorService.ts
 create mode 100644 packages/backend/test/unit/queue/processors/CheckModeratorsActivityProcessorService.ts

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b449a1b91e..030dbfda28 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,10 +1,15 @@
 ## 2024.10.1
+### Note
+- 悪質なユーザからサーバを守る措置の一環として、モデレータ権限を持つユーザの最終アクティブ日時を確認し、 
+7日間活動していない場合は自動的に招待制へと移行（コントロールパネル -> モデレーション -> "誰でも新規登録できるようにする"をオフに変更）するようになりました。  
+詳細な経緯は https://github.com/misskey-dev/misskey/issues/13437 をご確認ください。
 
 ### Client
 - Enhance: l10nの更新
 - Fix: メールアドレス不要でCaptchaが有効な場合にアカウント登録完了後自動でのログインに失敗する問題を修正
 
 ### Server
+- Feat: モデレータ権限を持つユーザが全員7日間活動しなかった場合は自動的に招待制へと移行するように ( #13437 )
 - Fix: `admin/emoji/update`エンドポイントのidのみ指定した時不正なエラーが発生するバグを修正
 
 ## 2024.10.0
diff --git a/packages/backend/src/core/AbuseReportNotificationService.ts b/packages/backend/src/core/AbuseReportNotificationService.ts
index fb7c7bd2c3..7d030f2f16 100644
--- a/packages/backend/src/core/AbuseReportNotificationService.ts
+++ b/packages/backend/src/core/AbuseReportNotificationService.ts
@@ -61,7 +61,10 @@ export class AbuseReportNotificationService implements OnApplicationShutdown {
 			return;
 		}
 
-		const moderatorIds = await this.roleService.getModeratorIds(true, true);
+		const moderatorIds = await this.roleService.getModeratorIds({
+			includeAdmins: true,
+			excludeExpire: true,
+		});
 
 		for (const moderatorId of moderatorIds) {
 			for (const abuseReport of abuseReports) {
@@ -370,7 +373,10 @@ export class AbuseReportNotificationService implements OnApplicationShutdown {
 		}
 
 		// モデレータ権限の有無で通知先設定を振り分ける
-		const authorizedUserIds = await this.roleService.getModeratorIds(true, true);
+		const authorizedUserIds = await this.roleService.getModeratorIds({
+			includeAdmins: true,
+			excludeExpire: true,
+		});
 		const authorizedUserRecipients = Array.of<MiAbuseReportNotificationRecipient>();
 		const unauthorizedUserRecipients = Array.of<MiAbuseReportNotificationRecipient>();
 		for (const recipient of userRecipients) {
diff --git a/packages/backend/src/core/QueueService.ts b/packages/backend/src/core/QueueService.ts
index f35e456556..37028026cc 100644
--- a/packages/backend/src/core/QueueService.ts
+++ b/packages/backend/src/core/QueueService.ts
@@ -93,6 +93,13 @@ export class QueueService {
 			repeat: { pattern: '0 0 * * *' },
 			removeOnComplete: true,
 		});
+
+		this.systemQueue.add('checkModeratorsActivity', {
+		}, {
+			// 毎時30分に起動
+			repeat: { pattern: '30 * * * *' },
+			removeOnComplete: true,
+		});
 	}
 
 	@bindThis
diff --git a/packages/backend/src/core/RoleService.ts b/packages/backend/src/core/RoleService.ts
index 583eea1a34..5af6b05942 100644
--- a/packages/backend/src/core/RoleService.ts
+++ b/packages/backend/src/core/RoleService.ts
@@ -101,6 +101,7 @@ export const DEFAULT_POLICIES: RolePolicies = {
 
 @Injectable()
 export class RoleService implements OnApplicationShutdown, OnModuleInit {
+	private rootUserIdCache: MemorySingleCache<MiUser['id']>;
 	private rolesCache: MemorySingleCache<MiRole[]>;
 	private roleAssignmentByUserIdCache: MemoryKVCache<MiRoleAssignment[]>;
 	private notificationService: NotificationService;
@@ -136,6 +137,7 @@ export class RoleService implements OnApplicationShutdown, OnModuleInit {
 		private moderationLogService: ModerationLogService,
 		private fanoutTimelineService: FanoutTimelineService,
 	) {
+		this.rootUserIdCache = new MemorySingleCache<MiUser['id']>(1000 * 60 * 60 * 24 * 7); // 1week. rootユーザのIDは不変なので長めに
 		this.rolesCache = new MemorySingleCache<MiRole[]>(1000 * 60 * 60); // 1h
 		this.roleAssignmentByUserIdCache = new MemoryKVCache<MiRoleAssignment[]>(1000 * 60 * 5); // 5m
 
@@ -416,49 +418,78 @@ export class RoleService implements OnApplicationShutdown, OnModuleInit {
 	}
 
 	@bindThis
-	public async isExplorable(role: { id: MiRole['id']} | null): Promise<boolean> {
+	public async isExplorable(role: { id: MiRole['id'] } | null): Promise<boolean> {
 		if (role == null) return false;
 		const check = await this.rolesRepository.findOneBy({ id: role.id });
 		if (check == null) return false;
 		return check.isExplorable;
 	}
 
+	/**
+	 * モデレーター権限のロールが割り当てられているユーザID一覧を取得する.
+	 *
+	 * @param opts.includeAdmins 管理者権限も含めるか(デフォルト: true)
+	 * @param opts.includeRoot rootユーザも含めるか(デフォルト: false)
+	 * @param opts.excludeExpire 期限切れのロールを除外するか(デフォルト: false)
+	 */
 	@bindThis
-	public async getModeratorIds(includeAdmins = true, excludeExpire = false): Promise<MiUser['id'][]> {
+	public async getModeratorIds(opts?: {
+		includeAdmins?: boolean,
+		includeRoot?: boolean,
+		excludeExpire?: boolean,
+	}): Promise<MiUser['id'][]> {
+		const includeAdmins = opts?.includeAdmins ?? true;
+		const includeRoot = opts?.includeRoot ?? false;
+		const excludeExpire = opts?.excludeExpire ?? false;
+
 		const roles = await this.rolesCache.fetch(() => this.rolesRepository.findBy({}));
 		const moderatorRoles = includeAdmins
 			? roles.filter(r => r.isModerator || r.isAdministrator)
 			: roles.filter(r => r.isModerator);
 
-		// TODO: isRootなアカウントも含める
 		const assigns = moderatorRoles.length > 0
 			? await this.roleAssignmentsRepository.findBy({ roleId: In(moderatorRoles.map(r => r.id)) })
 			: [];
 
+		// Setを経由して重複を除去（ユーザIDは重複する可能性があるので）
 		const now = Date.now();
-		const result = [
-			// Setを経由して重複を除去（ユーザIDは重複する可能性があるので）
-			...new Set(
-				assigns
-					.filter(it =>
-						(excludeExpire)
-							? (it.expiresAt == null || it.expiresAt.getTime() > now)
-							: true,
-					)
-					.map(a => a.userId),
-			),
-		];
-
-		return result.sort((x, y) => x.localeCompare(y));
+		const resultSet = new Set(
+			assigns
+				.filter(it =>
+					(excludeExpire)
+						? (it.expiresAt == null || it.expiresAt.getTime() > now)
+						: true,
+				)
+				.map(a => a.userId),
+		);
+
+		if (includeRoot) {
+			const rootUserId = await this.rootUserIdCache.fetch(async () => {
+				const it = await this.usersRepository.createQueryBuilder('users')
+					.select('id')
+					.where({ isRoot: true })
+					.getRawOne<{ id: string }>();
+				// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+				return it!.id;
+			});
+			resultSet.add(rootUserId);
+		}
+
+		return [...resultSet].sort((x, y) => x.localeCompare(y));
 	}
 
 	@bindThis
-	public async getModerators(includeAdmins = true): Promise<MiUser[]> {
-		const ids = await this.getModeratorIds(includeAdmins);
-		const users = ids.length > 0 ? await this.usersRepository.findBy({
-			id: In(ids),
-		}) : [];
-		return users;
+	public async getModerators(opts?: {
+		includeAdmins?: boolean,
+		includeRoot?: boolean,
+		excludeExpire?: boolean,
+	}): Promise<MiUser[]> {
+		const ids = await this.getModeratorIds(opts);
+		return ids.length > 0
+			? await this.usersRepository.findBy({
+				id: In(ids),
+			})
+			: [];
 	}
 
 	@bindThis
diff --git a/packages/backend/src/queue/QueueProcessorModule.ts b/packages/backend/src/queue/QueueProcessorModule.ts
index 0027b5ef3d..9044285bf6 100644
--- a/packages/backend/src/queue/QueueProcessorModule.ts
+++ b/packages/backend/src/queue/QueueProcessorModule.ts
@@ -6,6 +6,7 @@
 import { Module } from '@nestjs/common';
 import { CoreModule } from '@/core/CoreModule.js';
 import { GlobalModule } from '@/GlobalModule.js';
+import { CheckModeratorsActivityProcessorService } from '@/queue/processors/CheckModeratorsActivityProcessorService.js';
 import { QueueLoggerService } from './QueueLoggerService.js';
 import { QueueProcessorService } from './QueueProcessorService.js';
 import { DeliverProcessorService } from './processors/DeliverProcessorService.js';
@@ -80,6 +81,8 @@ import { RelationshipProcessorService } from './processors/RelationshipProcessor
 		DeliverProcessorService,
 		InboxProcessorService,
 		AggregateRetentionProcessorService,
+		CheckExpiredMutingsProcessorService,
+		CheckModeratorsActivityProcessorService,
 		QueueProcessorService,
 	],
 	exports: [
diff --git a/packages/backend/src/queue/QueueProcessorService.ts b/packages/backend/src/queue/QueueProcessorService.ts
index e9e1c45224..85e148e900 100644
--- a/packages/backend/src/queue/QueueProcessorService.ts
+++ b/packages/backend/src/queue/QueueProcessorService.ts
@@ -10,6 +10,7 @@ import type { Config } from '@/config.js';
 import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
 import { bindThis } from '@/decorators.js';
+import { CheckModeratorsActivityProcessorService } from '@/queue/processors/CheckModeratorsActivityProcessorService.js';
 import { UserWebhookDeliverProcessorService } from './processors/UserWebhookDeliverProcessorService.js';
 import { SystemWebhookDeliverProcessorService } from './processors/SystemWebhookDeliverProcessorService.js';
 import { EndedPollNotificationProcessorService } from './processors/EndedPollNotificationProcessorService.js';
@@ -120,6 +121,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 		private aggregateRetentionProcessorService: AggregateRetentionProcessorService,
 		private checkExpiredMutingsProcessorService: CheckExpiredMutingsProcessorService,
 		private bakeBufferedReactionsProcessorService: BakeBufferedReactionsProcessorService,
+		private checkModeratorsActivityProcessorService: CheckModeratorsActivityProcessorService,
 		private cleanProcessorService: CleanProcessorService,
 	) {
 		this.logger = this.queueLoggerService.logger;
@@ -150,6 +152,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 					case 'aggregateRetention': return this.aggregateRetentionProcessorService.process();
 					case 'checkExpiredMutings': return this.checkExpiredMutingsProcessorService.process();
 					case 'bakeBufferedReactions': return this.bakeBufferedReactionsProcessorService.process();
+					case 'checkModeratorsActivity': return this.checkModeratorsActivityProcessorService.process();
 					case 'clean': return this.cleanProcessorService.process();
 					default: throw new Error(`unrecognized job type ${job.name} for system`);
 				}
diff --git a/packages/backend/src/queue/processors/CheckModeratorsActivityProcessorService.ts b/packages/backend/src/queue/processors/CheckModeratorsActivityProcessorService.ts
new file mode 100644
index 0000000000..f2677f8e5c
--- /dev/null
+++ b/packages/backend/src/queue/processors/CheckModeratorsActivityProcessorService.ts
@@ -0,0 +1,127 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Injectable } from '@nestjs/common';
+import type Logger from '@/logger.js';
+import { bindThis } from '@/decorators.js';
+import { MetaService } from '@/core/MetaService.js';
+import { RoleService } from '@/core/RoleService.js';
+import { QueueLoggerService } from '../QueueLoggerService.js';
+
+// モデレーターが不在と判断する日付の閾値
+const MODERATOR_INACTIVITY_LIMIT_DAYS = 7;
+const ONE_DAY_MILLI_SEC = 1000 * 60 * 60 * 24;
+
+@Injectable()
+export class CheckModeratorsActivityProcessorService {
+	private logger: Logger;
+
+	constructor(
+		private metaService: MetaService,
+		private roleService: RoleService,
+		private queueLoggerService: QueueLoggerService,
+	) {
+		this.logger = this.queueLoggerService.logger.createSubLogger('check-moderators-activity');
+	}
+
+	@bindThis
+	public async process(): Promise<void> {
+		this.logger.info('start.');
+
+		const meta = await this.metaService.fetch(false);
+		if (!meta.disableRegistration) {
+			await this.processImpl();
+		} else {
+			this.logger.info('is already invitation only.');
+		}
+
+		this.logger.succ('finish.');
+	}
+
+	@bindThis
+	private async processImpl() {
+		const { isModeratorsInactive, inactivityLimitCountdown } = await this.evaluateModeratorsInactiveDays();
+		if (isModeratorsInactive) {
+			this.logger.warn(`The moderator has been inactive for ${MODERATOR_INACTIVITY_LIMIT_DAYS} days. We will move to invitation only.`);
+			await this.changeToInvitationOnly();
+
+			// TODO: モデレータに通知メール＋Misskey通知
+			// TODO: SystemWebhook通知
+		} else {
+			if (inactivityLimitCountdown <= 2) {
+				this.logger.warn(`A moderator has been inactive for a period of time. If you are inactive for an additional ${inactivityLimitCountdown} days, it will switch to invitation only.`);
+
+				// TODO: 警告メール
+			}
+		}
+	}
+
+	/**
+	 * モデレーターが不在であるかどうかを確認する。trueの場合はモデレーターが不在である。
+	 * isModerator, isAdministrator, isRootのいずれかがtrueのユーザを対象に、
+	 * {@link MiUser.lastActiveDate}の値が実行日時の{@link MODERATOR_INACTIVITY_LIMIT_DAYS}日前よりも古いユーザがいるかどうかを確認する。
+	 * {@link MiUser.lastActiveDate}がnullの場合は、そのユーザは確認の対象外とする。
+	 *
+	 * -----
+	 *
+	 * ### サンプルパターン
+	 * - 実行日時: 2022-01-30 12:00:00
+	 * - 判定基準: 2022-01-23 12:00:00（実行日時の{@link MODERATOR_INACTIVITY_LIMIT_DAYS}日前）
+	 *
+	 * #### パターン①
+	 * - モデレータA: lastActiveDate = 2022-01-20 00:00:00 ※アウト
+	 * - モデレータB: lastActiveDate = 2022-01-23 12:00:00 ※セーフ（判定基準と同値なのでギリギリ残り0日）
+	 * - モデレータC: lastActiveDate = 2022-01-23 11:59:59 ※アウト（残り-1日）
+	 * - モデレータD: lastActiveDate = null
+	 *
+	 * この場合、モデレータBのアクティビティのみ判定基準日よりも古くないため、モデレーターが在席と判断される。
+	 *
+	 * #### パターン②
+	 * - モデレータA: lastActiveDate = 2022-01-20 00:00:00 ※アウト
+	 * - モデレータB: lastActiveDate = 2022-01-22 12:00:00 ※アウト（残り-1日）
+	 * - モデレータC: lastActiveDate = 2022-01-23 11:59:59 ※アウト（残り-1日）
+	 * - モデレータD: lastActiveDate = null
+	 *
+	 * この場合、モデレータA, B, Cのアクティビティは判定基準日よりも古いため、モデレーターが不在と判断される。
+	 */
+	@bindThis
+	public async evaluateModeratorsInactiveDays() {
+		const today = new Date();
+		const inactivePeriod = new Date(today);
+		inactivePeriod.setDate(today.getDate() - MODERATOR_INACTIVITY_LIMIT_DAYS);
+
+		const moderators = await this.fetchModerators()
+			.then(it => it.filter(it => it.lastActiveDate != null));
+		const inactiveModerators = moderators
+			// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+			.filter(it => it.lastActiveDate!.getTime() < inactivePeriod.getTime());
+
+		// 残りの猶予を示したいので、最終アクティブ日時が一番若いモデレータの日数を基準に猶予を計算する
+		// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+		const newestLastActiveDate = new Date(Math.max(...moderators.map(it => it.lastActiveDate!.getTime())));
+		const inactivityLimitCountdown = Math.floor((newestLastActiveDate.getTime() - inactivePeriod.getTime()) / ONE_DAY_MILLI_SEC);
+
+		return {
+			isModeratorsInactive: inactiveModerators.length === moderators.length,
+			inactiveModerators,
+			inactivityLimitCountdown,
+		};
+	}
+
+	@bindThis
+	private async changeToInvitationOnly() {
+		await this.metaService.update({ disableRegistration: true });
+	}
+
+	@bindThis
+	private async fetchModerators() {
+		// TODO: モデレーター以外にも特別な権限を持つユーザーがいる場合は考慮する
+		return this.roleService.getModerators({
+			includeAdmins: true,
+			includeRoot: true,
+			excludeExpire: true,
+		});
+	}
+}
diff --git a/packages/backend/src/server/api/endpoints/admin/show-users.ts b/packages/backend/src/server/api/endpoints/admin/show-users.ts
index 2fef9abbf9..2b2c8c60ab 100644
--- a/packages/backend/src/server/api/endpoints/admin/show-users.ts
+++ b/packages/backend/src/server/api/endpoints/admin/show-users.ts
@@ -71,13 +71,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					break;
 				}
 				case 'moderator': {
-					const moderatorIds = await this.roleService.getModeratorIds(false);
+					const moderatorIds = await this.roleService.getModeratorIds({ includeAdmins: false });
 					if (moderatorIds.length === 0) return [];
 					query.where('user.id IN (:...moderatorIds)', { moderatorIds: moderatorIds });
 					break;
 				}
 				case 'adminOrModerator': {
-					const adminOrModeratorIds = await this.roleService.getModeratorIds();
+					const adminOrModeratorIds = await this.roleService.getModeratorIds({ includeAdmins: true });
 					if (adminOrModeratorIds.length === 0) return [];
 					query.where('user.id IN (:...adminOrModeratorIds)', { adminOrModeratorIds: adminOrModeratorIds });
 					break;
diff --git a/packages/backend/test/unit/RoleService.ts b/packages/backend/test/unit/RoleService.ts
index ef80d25f81..9c1b1008d6 100644
--- a/packages/backend/test/unit/RoleService.ts
+++ b/packages/backend/test/unit/RoleService.ts
@@ -10,6 +10,8 @@ import { jest } from '@jest/globals';
 import { ModuleMocker } from 'jest-mock';
 import { Test } from '@nestjs/testing';
 import * as lolex from '@sinonjs/fake-timers';
+import type { TestingModule } from '@nestjs/testing';
+import type { MockFunctionMetadata } from 'jest-mock';
 import { GlobalModule } from '@/GlobalModule.js';
 import { RoleService } from '@/core/RoleService.js';
 import {
@@ -31,8 +33,6 @@ import { secureRndstr } from '@/misc/secure-rndstr.js';
 import { NotificationService } from '@/core/NotificationService.js';
 import { RoleCondFormulaValue } from '@/models/Role.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
-import type { TestingModule } from '@nestjs/testing';
-import type { MockFunctionMetadata } from 'jest-mock';
 
 const moduleMocker = new ModuleMocker(global);
 
@@ -277,9 +277,9 @@ describe('RoleService', () => {
 	});
 
 	describe('getModeratorIds', () => {
-		test('includeAdmins = false, excludeExpire = false', async () => {
-			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2] = await Promise.all([
-				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(),
+		test('includeAdmins = false, includeRoot = false, excludeExpire = false', async () => {
+			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(), createUser({ isRoot: true }),
 			]);
 
 			const role1 = await createRole({ name: 'admin', isAdministrator: true });
@@ -295,13 +295,17 @@ describe('RoleService', () => {
 				assignRole({ userId: normalUser2.id, roleId: role3.id, expiresAt: new Date(Date.now() - 1000) }),
 			]);
 
-			const result = await roleService.getModeratorIds(false, false);
+			const result = await roleService.getModeratorIds({
+				includeAdmins: false,
+				includeRoot: false,
+				excludeExpire: false,
+			});
 			expect(result).toEqual([modeUser1.id, modeUser2.id]);
 		});
 
-		test('includeAdmins = false, excludeExpire = true', async () => {
-			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2] = await Promise.all([
-				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(),
+		test('includeAdmins = false, includeRoot = false, excludeExpire = true', async () => {
+			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(), createUser({ isRoot: true }),
 			]);
 
 			const role1 = await createRole({ name: 'admin', isAdministrator: true });
@@ -317,13 +321,17 @@ describe('RoleService', () => {
 				assignRole({ userId: normalUser2.id, roleId: role3.id, expiresAt: new Date(Date.now() - 1000) }),
 			]);
 
-			const result = await roleService.getModeratorIds(false, true);
+			const result = await roleService.getModeratorIds({
+				includeAdmins: false,
+				includeRoot: false,
+				excludeExpire: true,
+			});
 			expect(result).toEqual([modeUser1.id]);
 		});
 
-		test('includeAdmins = true, excludeExpire = false', async () => {
-			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2] = await Promise.all([
-				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(),
+		test('includeAdmins = true, includeRoot = false, excludeExpire = false', async () => {
+			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(), createUser({ isRoot: true }),
 			]);
 
 			const role1 = await createRole({ name: 'admin', isAdministrator: true });
@@ -339,13 +347,17 @@ describe('RoleService', () => {
 				assignRole({ userId: normalUser2.id, roleId: role3.id, expiresAt: new Date(Date.now() - 1000) }),
 			]);
 
-			const result = await roleService.getModeratorIds(true, false);
+			const result = await roleService.getModeratorIds({
+				includeAdmins: true,
+				includeRoot: false,
+				excludeExpire: false,
+			});
 			expect(result).toEqual([adminUser1.id, adminUser2.id, modeUser1.id, modeUser2.id]);
 		});
 
-		test('includeAdmins = true, excludeExpire = true', async () => {
-			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2] = await Promise.all([
-				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(),
+		test('includeAdmins = true, includeRoot = false, excludeExpire = true', async () => {
+			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(), createUser({ isRoot: true }),
 			]);
 
 			const role1 = await createRole({ name: 'admin', isAdministrator: true });
@@ -361,9 +373,111 @@ describe('RoleService', () => {
 				assignRole({ userId: normalUser2.id, roleId: role3.id, expiresAt: new Date(Date.now() - 1000) }),
 			]);
 
-			const result = await roleService.getModeratorIds(true, true);
+			const result = await roleService.getModeratorIds({
+				includeAdmins: true,
+				includeRoot: false,
+				excludeExpire: true,
+			});
 			expect(result).toEqual([adminUser1.id, modeUser1.id]);
 		});
+
+		test('includeAdmins = false, includeRoot = true, excludeExpire = false', async () => {
+			const [adminUser1, adminUser2, modeUser1, modeUser2, normalUser1, normalUser2, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser(), createUser(), createUser(), createUser({ isRoot: true }),
+			]);
+
+			const role1 = await createRole({ name: 'admin', isAdministrator: true });
+			const role2 = await createRole({ name: 'moderator', isModerator: true });
+			const role3 = await createRole({ name: 'normal' });
+
+			await Promise.all([
+				assignRole({ userId: adminUser1.id, roleId: role1.id }),
+				assignRole({ userId: adminUser2.id, roleId: role1.id, expiresAt: new Date(Date.now() - 1000) }),
+				assignRole({ userId: modeUser1.id, roleId: role2.id }),
+				assignRole({ userId: modeUser2.id, roleId: role2.id, expiresAt: new Date(Date.now() - 1000) }),
+				assignRole({ userId: normalUser1.id, roleId: role3.id }),
+				assignRole({ userId: normalUser2.id, roleId: role3.id, expiresAt: new Date(Date.now() - 1000) }),
+			]);
+
+			const result = await roleService.getModeratorIds({
+				includeAdmins: false,
+				includeRoot: true,
+				excludeExpire: false,
+			});
+			expect(result).toEqual([modeUser1.id, modeUser2.id, rootUser.id]);
+		});
+
+		test('root has moderator role', async () => {
+			const [adminUser1, modeUser1, normalUser1, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser({ isRoot: true }),
+			]);
+
+			const role1 = await createRole({ name: 'admin', isAdministrator: true });
+			const role2 = await createRole({ name: 'moderator', isModerator: true });
+			const role3 = await createRole({ name: 'normal' });
+
+			await Promise.all([
+				assignRole({ userId: adminUser1.id, roleId: role1.id }),
+				assignRole({ userId: modeUser1.id, roleId: role2.id }),
+				assignRole({ userId: rootUser.id, roleId: role2.id }),
+				assignRole({ userId: normalUser1.id, roleId: role3.id }),
+			]);
+
+			const result = await roleService.getModeratorIds({
+				includeAdmins: false,
+				includeRoot: true,
+				excludeExpire: false,
+			});
+			expect(result).toEqual([modeUser1.id, rootUser.id]);
+		});
+
+		test('root has administrator role', async () => {
+			const [adminUser1, modeUser1, normalUser1, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser({ isRoot: true }),
+			]);
+
+			const role1 = await createRole({ name: 'admin', isAdministrator: true });
+			const role2 = await createRole({ name: 'moderator', isModerator: true });
+			const role3 = await createRole({ name: 'normal' });
+
+			await Promise.all([
+				assignRole({ userId: adminUser1.id, roleId: role1.id }),
+				assignRole({ userId: rootUser.id, roleId: role1.id }),
+				assignRole({ userId: modeUser1.id, roleId: role2.id }),
+				assignRole({ userId: normalUser1.id, roleId: role3.id }),
+			]);
+
+			const result = await roleService.getModeratorIds({
+				includeAdmins: true,
+				includeRoot: true,
+				excludeExpire: false,
+			});
+			expect(result).toEqual([adminUser1.id, modeUser1.id, rootUser.id]);
+		});
+
+		test('root has moderator role(expire)', async () => {
+			const [adminUser1, modeUser1, normalUser1, rootUser] = await Promise.all([
+				createUser(), createUser(), createUser(), createUser({ isRoot: true }),
+			]);
+
+			const role1 = await createRole({ name: 'admin', isAdministrator: true });
+			const role2 = await createRole({ name: 'moderator', isModerator: true });
+			const role3 = await createRole({ name: 'normal' });
+
+			await Promise.all([
+				assignRole({ userId: adminUser1.id, roleId: role1.id }),
+				assignRole({ userId: modeUser1.id, roleId: role2.id, expiresAt: new Date(Date.now() - 1000) }),
+				assignRole({ userId: rootUser.id, roleId: role2.id, expiresAt: new Date(Date.now() - 1000) }),
+				assignRole({ userId: normalUser1.id, roleId: role3.id }),
+			]);
+
+			const result = await roleService.getModeratorIds({
+				includeAdmins: false,
+				includeRoot: true,
+				excludeExpire: true,
+			});
+			expect(result).toEqual([rootUser.id]);
+		});
 	});
 
 	describe('conditional role', () => {
diff --git a/packages/backend/test/unit/queue/processors/CheckModeratorsActivityProcessorService.ts b/packages/backend/test/unit/queue/processors/CheckModeratorsActivityProcessorService.ts
new file mode 100644
index 0000000000..b783320aa0
--- /dev/null
+++ b/packages/backend/test/unit/queue/processors/CheckModeratorsActivityProcessorService.ts
@@ -0,0 +1,235 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { jest } from '@jest/globals';
+import { Test, TestingModule } from '@nestjs/testing';
+import * as lolex from '@sinonjs/fake-timers';
+import { addHours, addSeconds, subDays, subHours, subSeconds } from 'date-fns';
+import { CheckModeratorsActivityProcessorService } from '@/queue/processors/CheckModeratorsActivityProcessorService.js';
+import { MiUser, UserProfilesRepository, UsersRepository } from '@/models/_.js';
+import { IdService } from '@/core/IdService.js';
+import { RoleService } from '@/core/RoleService.js';
+import { GlobalModule } from '@/GlobalModule.js';
+import { MetaService } from '@/core/MetaService.js';
+import { DI } from '@/di-symbols.js';
+import { QueueLoggerService } from '@/queue/QueueLoggerService.js';
+
+const baseDate = new Date(Date.UTC(2000, 11, 15, 12, 0, 0));
+
+describe('CheckModeratorsActivityProcessorService', () => {
+	let app: TestingModule;
+	let clock: lolex.InstalledClock;
+	let service: CheckModeratorsActivityProcessorService;
+
+	// --------------------------------------------------------------------------------------
+
+	let usersRepository: UsersRepository;
+	let userProfilesRepository: UserProfilesRepository;
+	let idService: IdService;
+	let roleService: jest.Mocked<RoleService>;
+
+	// --------------------------------------------------------------------------------------
+
+	async function createUser(data: Partial<MiUser> = {}) {
+		const id = idService.gen();
+		const user = await usersRepository
+			.insert({
+				id: id,
+				username: `user_${id}`,
+				usernameLower: `user_${id}`.toLowerCase(),
+				...data,
+			})
+			.then(x => usersRepository.findOneByOrFail(x.identifiers[0]));
+
+		await userProfilesRepository.insert({
+			userId: user.id,
+		});
+
+		return user;
+	}
+
+	function mockModeratorRole(users: MiUser[]) {
+		roleService.getModerators.mockReset();
+		roleService.getModerators.mockResolvedValue(users);
+	}
+
+	// --------------------------------------------------------------------------------------
+
+	beforeAll(async () => {
+		app = await Test
+			.createTestingModule({
+				imports: [
+					GlobalModule,
+				],
+				providers: [
+					CheckModeratorsActivityProcessorService,
+					IdService,
+					{
+						provide: RoleService, useFactory: () => ({ getModerators: jest.fn() }),
+					},
+					{
+						provide: MetaService, useFactory: () => ({ fetch: jest.fn() }),
+					},
+					{
+						provide: QueueLoggerService, useFactory: () => ({
+							logger: ({
+								createSubLogger: () => ({
+									info: jest.fn(),
+									warn: jest.fn(),
+									succ: jest.fn(),
+								}),
+							}),
+						}),
+					},
+				],
+			})
+			.compile();
+
+		usersRepository = app.get(DI.usersRepository);
+		userProfilesRepository = app.get(DI.userProfilesRepository);
+
+		service = app.get(CheckModeratorsActivityProcessorService);
+		idService = app.get(IdService);
+		roleService = app.get(RoleService) as jest.Mocked<RoleService>;
+
+		app.enableShutdownHooks();
+	});
+
+	beforeEach(async () => {
+		clock = lolex.install({
+			now: new Date(baseDate),
+			shouldClearNativeTimers: true,
+		});
+	});
+
+	afterEach(async () => {
+		clock.uninstall();
+		await usersRepository.delete({});
+		await userProfilesRepository.delete({});
+		roleService.getModerators.mockReset();
+	});
+
+	afterAll(async () => {
+		await app.close();
+	});
+
+	// --------------------------------------------------------------------------------------
+
+	describe('evaluateModeratorsInactiveDays', () => {
+		test('[isModeratorsInactive] inactiveなモデレーターがいても他のモデレーターがアクティブなら"運営が非アクティブ"としてみなされない', async () => {
+			const [user1, user2, user3, user4] = await Promise.all([
+				// 期限よりも1秒新しいタイミングでアクティブ化（セーフ）
+				createUser({ lastActiveDate: subDays(addSeconds(baseDate, 1), 7) }),
+				// 期限ちょうどにアクティブ化（セーフ）
+				createUser({ lastActiveDate: subDays(baseDate, 7) }),
+				// 期限よりも1秒古いタイミングでアクティブ化（アウト）
+				createUser({ lastActiveDate: subDays(subSeconds(baseDate, 1), 7) }),
+				// 対象外
+				createUser({ lastActiveDate: null }),
+			]);
+
+			mockModeratorRole([user1, user2, user3, user4]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(false);
+			expect(result.inactiveModerators).toEqual([user3]);
+		});
+
+		test('[isModeratorsInactive] 全員非アクティブなら"運営が非アクティブ"としてみなされる', async () => {
+			const [user1, user2] = await Promise.all([
+				// 期限よりも1秒古いタイミングでアクティブ化（アウト）
+				createUser({ lastActiveDate: subDays(subSeconds(baseDate, 1), 7) }),
+				// 対象外
+				createUser({ lastActiveDate: null }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(true);
+			expect(result.inactiveModerators).toEqual([user1]);
+		});
+
+		test('[countdown] 猶予まで24時間ある場合、猶予1日として計算される', async () => {
+			const [user1, user2] = await Promise.all([
+				createUser({ lastActiveDate: subDays(baseDate, 8) }),
+				// 猶予はこのユーザ基準で計算される想定。
+				// 期限まで残り24時間->猶予1日として計算されるはずである
+				createUser({ lastActiveDate: subDays(baseDate, 6) }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(false);
+			expect(result.inactiveModerators).toEqual([user1]);
+			expect(result.inactivityLimitCountdown).toBe(1);
+		});
+
+		test('[countdown] 猶予まで25時間ある場合、猶予1日として計算される', async () => {
+			const [user1, user2] = await Promise.all([
+				createUser({ lastActiveDate: subDays(baseDate, 8) }),
+				// 猶予はこのユーザ基準で計算される想定。
+				// 期限まで残り25時間->猶予1日として計算されるはずである
+				createUser({ lastActiveDate: subDays(addHours(baseDate, 1), 6) }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(false);
+			expect(result.inactiveModerators).toEqual([user1]);
+			expect(result.inactivityLimitCountdown).toBe(1);
+		});
+
+		test('[countdown] 猶予まで23時間ある場合、猶予0日として計算される', async () => {
+			const [user1, user2] = await Promise.all([
+				createUser({ lastActiveDate: subDays(baseDate, 8) }),
+				// 猶予はこのユーザ基準で計算される想定。
+				// 期限まで残り23時間->猶予0日として計算されるはずである
+				createUser({ lastActiveDate: subDays(subHours(baseDate, 1), 6) }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(false);
+			expect(result.inactiveModerators).toEqual([user1]);
+			expect(result.inactivityLimitCountdown).toBe(0);
+		});
+
+		test('[countdown] 期限ちょうどの場合、猶予0日として計算される', async () => {
+			const [user1, user2] = await Promise.all([
+				createUser({ lastActiveDate: subDays(baseDate, 8) }),
+				// 猶予はこのユーザ基準で計算される想定。
+				// 期限ちょうど->猶予0日として計算されるはずである
+				createUser({ lastActiveDate: subDays(baseDate, 7) }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(false);
+			expect(result.inactiveModerators).toEqual([user1]);
+			expect(result.inactivityLimitCountdown).toBe(0);
+		});
+
+		test('[countdown] 期限より1時間超過している場合、猶予-1日として計算される', async () => {
+			const [user1, user2] = await Promise.all([
+				createUser({ lastActiveDate: subDays(baseDate, 8) }),
+				// 猶予はこのユーザ基準で計算される想定。
+				// 期限より1時間超過->猶予-1日として計算されるはずである
+				createUser({ lastActiveDate: subDays(subHours(baseDate, 1), 7) }),
+			]);
+
+			mockModeratorRole([user1, user2]);
+
+			const result = await service.evaluateModeratorsInactiveDays();
+			expect(result.isModeratorsInactive).toBe(true);
+			expect(result.inactiveModerators).toEqual([user1, user2]);
+			expect(result.inactivityLimitCountdown).toBe(-1);
+		});
+	});
+});
-- 
cgit v1.2.3-freya


From af1cbc131fc9e045692f9f9def708c0978817fff Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Fri, 11 Oct 2024 21:05:53 +0900
Subject: wip (#14745)

---
 locales/index.d.ts                                 |   4 +++
 locales/ja-JP.yml                                  |   1 +
 .../backend/migration/1728550878802-testcaptcha.js |  16 ++++++++++++
 packages/backend/src/core/CaptchaService.ts        |  13 ++++++++++
 .../backend/src/core/entities/MetaEntityService.ts |   1 +
 packages/backend/src/models/Meta.ts                |   5 ++++
 packages/backend/src/models/json-schema/meta.ts    |   4 +++
 .../backend/src/server/api/ApiServerService.ts     |   2 ++
 .../backend/src/server/api/SigninApiService.ts     |   7 ++++++
 .../backend/src/server/api/SignupApiService.ts     |   7 ++++++
 .../backend/src/server/api/endpoints/admin/meta.ts |   5 ++++
 .../src/server/api/endpoints/admin/update-meta.ts  |   5 ++++
 packages/frontend/assets/testcaptcha.png           | Bin 0 -> 2634 bytes
 packages/frontend/src/components/MkCaptcha.vue     |  28 +++++++++++++++++++--
 .../frontend/src/components/MkSignin.password.vue  |   9 ++++++-
 packages/frontend/src/components/MkSignin.vue      |   6 ++---
 .../src/components/MkSignupDialog.form.vue         |   6 +++++
 .../frontend/src/pages/admin/bot-protection.vue    |  15 ++++++++++-
 packages/misskey-js/src/autogen/types.ts           |   3 +++
 19 files changed, 130 insertions(+), 7 deletions(-)
 create mode 100644 packages/backend/migration/1728550878802-testcaptcha.js
 create mode 100644 packages/frontend/assets/testcaptcha.png

(limited to 'packages/backend/src/server/api')

diff --git a/locales/index.d.ts b/locales/index.d.ts
index f0dead1245..dab8eb0361 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -5166,6 +5166,10 @@ export interface Locale extends ILocale {
      * 対象
      */
     "target": string;
+    /**
+     * CAPTCHAのテストを目的とした機能です。<strong>本番環境で使用しないでください。</strong>
+     */
+    "testCaptchaWarning": string;
     "_abuseUserReport": {
         /**
          * 転送
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 48a670ce50..440ffa9306 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -1287,6 +1287,7 @@ passkeyVerificationFailed: "パスキーの検証に失敗しました。"
 passkeyVerificationSucceededButPasswordlessLoginDisabled: "パスキーの検証に成功しましたが、パスワードレスログインが無効になっています。"
 messageToFollower: "フォロワーへのメッセージ"
 target: "対象"
+testCaptchaWarning: "CAPTCHAのテストを目的とした機能です。<strong>本番環境で使用しないでください。</strong>"
 
 _abuseUserReport:
   forward: "転送"
diff --git a/packages/backend/migration/1728550878802-testcaptcha.js b/packages/backend/migration/1728550878802-testcaptcha.js
new file mode 100644
index 0000000000..d8d987c0c1
--- /dev/null
+++ b/packages/backend/migration/1728550878802-testcaptcha.js
@@ -0,0 +1,16 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class Testcaptcha1728550878802 {
+    name = 'Testcaptcha1728550878802'
+
+    async up(queryRunner) {
+			await queryRunner.query(`ALTER TABLE "meta" ADD "enableTestcaptcha" boolean NOT NULL DEFAULT false`);
+    }
+
+    async down(queryRunner) {
+			await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "enableTestcaptcha"`);
+    }
+}
diff --git a/packages/backend/src/core/CaptchaService.ts b/packages/backend/src/core/CaptchaService.ts
index f6b7955cd2..206d0dbe0a 100644
--- a/packages/backend/src/core/CaptchaService.ts
+++ b/packages/backend/src/core/CaptchaService.ts
@@ -119,5 +119,18 @@ export class CaptchaService {
 			throw new Error(`turnstile-failed: ${errorCodes}`);
 		}
 	}
+
+	@bindThis
+	public async verifyTestcaptcha(response: string | null | undefined): Promise<void> {
+		if (response == null) {
+			throw new Error('testcaptcha-failed: no response provided');
+		}
+
+		const success = response === 'testcaptcha-passed';
+
+		if (!success) {
+			throw new Error('testcaptcha-failed');
+		}
+	}
 }
 
diff --git a/packages/backend/src/core/entities/MetaEntityService.ts b/packages/backend/src/core/entities/MetaEntityService.ts
index fbd982eb34..409dca3426 100644
--- a/packages/backend/src/core/entities/MetaEntityService.ts
+++ b/packages/backend/src/core/entities/MetaEntityService.ts
@@ -96,6 +96,7 @@ export class MetaEntityService {
 			recaptchaSiteKey: instance.recaptchaSiteKey,
 			enableTurnstile: instance.enableTurnstile,
 			turnstileSiteKey: instance.turnstileSiteKey,
+			enableTestcaptcha: instance.enableTestcaptcha,
 			swPublickey: instance.swPublicKey,
 			themeColor: instance.themeColor,
 			mascotImageUrl: instance.mascotImageUrl ?? '/assets/ai.png',
diff --git a/packages/backend/src/models/Meta.ts b/packages/backend/src/models/Meta.ts
index d29689f907..fd007de6c6 100644
--- a/packages/backend/src/models/Meta.ts
+++ b/packages/backend/src/models/Meta.ts
@@ -258,6 +258,11 @@ export class MiMeta {
 	})
 	public turnstileSecretKey: string | null;
 
+	@Column('boolean', {
+		default: false,
+	})
+	public enableTestcaptcha: boolean;
+
 	// chaptcha系を追加した際にはnodeinfoのレスポンスに追加するのを忘れないようにすること
 
 	@Column('enum', {
diff --git a/packages/backend/src/models/json-schema/meta.ts b/packages/backend/src/models/json-schema/meta.ts
index 99feeaa7d7..e3fd63464a 100644
--- a/packages/backend/src/models/json-schema/meta.ts
+++ b/packages/backend/src/models/json-schema/meta.ts
@@ -115,6 +115,10 @@ export const packedMetaLiteSchema = {
 			type: 'string',
 			optional: false, nullable: true,
 		},
+		enableTestcaptcha: {
+			type: 'boolean',
+			optional: false, nullable: false,
+		},
 		swPublickey: {
 			type: 'string',
 			optional: false, nullable: true,
diff --git a/packages/backend/src/server/api/ApiServerService.ts b/packages/backend/src/server/api/ApiServerService.ts
index be63635efe..3a8cb19f01 100644
--- a/packages/backend/src/server/api/ApiServerService.ts
+++ b/packages/backend/src/server/api/ApiServerService.ts
@@ -119,6 +119,7 @@ export class ApiServerService {
 				'g-recaptcha-response'?: string;
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
+				'testcaptcha-response'?: string;
 			}
 		}>('/signup', (request, reply) => this.signupApiService.signup(request, reply));
 
@@ -132,6 +133,7 @@ export class ApiServerService {
 				'g-recaptcha-response'?: string;
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
+				'testcaptcha-response'?: string;
 			};
 		}>('/signin-flow', (request, reply) => this.signinApiService.signin(request, reply));
 
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 0d24ffa56a..1d983ca4bc 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -71,6 +71,7 @@ export class SigninApiService {
 				'g-recaptcha-response'?: string;
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
+				'testcaptcha-response'?: string;
 			};
 		}>,
 		reply: FastifyReply,
@@ -194,6 +195,12 @@ export class SigninApiService {
 						throw new FastifyReplyError(400, err);
 					});
 				}
+
+				if (this.meta.enableTestcaptcha) {
+					await this.captchaService.verifyTestcaptcha(body['testcaptcha-response']).catch(err => {
+						throw new FastifyReplyError(400, err);
+					});
+				}
 			}
 
 			if (same) {
diff --git a/packages/backend/src/server/api/SignupApiService.ts b/packages/backend/src/server/api/SignupApiService.ts
index c499638018..3ec5e5d3e6 100644
--- a/packages/backend/src/server/api/SignupApiService.ts
+++ b/packages/backend/src/server/api/SignupApiService.ts
@@ -67,6 +67,7 @@ export class SignupApiService {
 				'g-recaptcha-response'?: string;
 				'turnstile-response'?: string;
 				'm-captcha-response'?: string;
+				'testcaptcha-response'?: string;
 			}
 		}>,
 		reply: FastifyReply,
@@ -99,6 +100,12 @@ export class SignupApiService {
 					throw new FastifyReplyError(400, err);
 				});
 			}
+
+			if (this.meta.enableTestcaptcha) {
+				await this.captchaService.verifyTestcaptcha(body['testcaptcha-response']).catch(err => {
+					throw new FastifyReplyError(400, err);
+				});
+			}
 		}
 
 		const username = body['username'];
diff --git a/packages/backend/src/server/api/endpoints/admin/meta.ts b/packages/backend/src/server/api/endpoints/admin/meta.ts
index b76ed5c524..abb3c17be3 100644
--- a/packages/backend/src/server/api/endpoints/admin/meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/meta.ts
@@ -69,6 +69,10 @@ export const meta = {
 				type: 'string',
 				optional: false, nullable: true,
 			},
+			enableTestcaptcha: {
+				type: 'boolean',
+				optional: false, nullable: false,
+			},
 			swPublickey: {
 				type: 'string',
 				optional: false, nullable: true,
@@ -555,6 +559,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				recaptchaSiteKey: instance.recaptchaSiteKey,
 				enableTurnstile: instance.enableTurnstile,
 				turnstileSiteKey: instance.turnstileSiteKey,
+				enableTestcaptcha: instance.enableTestcaptcha,
 				swPublickey: instance.swPublicKey,
 				themeColor: instance.themeColor,
 				mascotImageUrl: instance.mascotImageUrl,
diff --git a/packages/backend/src/server/api/endpoints/admin/update-meta.ts b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
index 9ffae840b6..e97ac4e2b9 100644
--- a/packages/backend/src/server/api/endpoints/admin/update-meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
@@ -78,6 +78,7 @@ export const paramDef = {
 		enableTurnstile: { type: 'boolean' },
 		turnstileSiteKey: { type: 'string', nullable: true },
 		turnstileSecretKey: { type: 'string', nullable: true },
+		enableTestcaptcha: { type: 'boolean' },
 		sensitiveMediaDetection: { type: 'string', enum: ['none', 'all', 'local', 'remote'] },
 		sensitiveMediaDetectionSensitivity: { type: 'string', enum: ['medium', 'low', 'high', 'veryLow', 'veryHigh'] },
 		setSensitiveFlagAutomatically: { type: 'boolean' },
@@ -357,6 +358,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				set.turnstileSecretKey = ps.turnstileSecretKey;
 			}
 
+			if (ps.enableTestcaptcha !== undefined) {
+				set.enableTestcaptcha = ps.enableTestcaptcha;
+			}
+
 			if (ps.sensitiveMediaDetection !== undefined) {
 				set.sensitiveMediaDetection = ps.sensitiveMediaDetection;
 			}
diff --git a/packages/frontend/assets/testcaptcha.png b/packages/frontend/assets/testcaptcha.png
new file mode 100644
index 0000000000..9bfd252b51
Binary files /dev/null and b/packages/frontend/assets/testcaptcha.png differ
diff --git a/packages/frontend/src/components/MkCaptcha.vue b/packages/frontend/src/components/MkCaptcha.vue
index c5b6e0caed..82fc89e51c 100644
--- a/packages/frontend/src/components/MkCaptcha.vue
+++ b/packages/frontend/src/components/MkCaptcha.vue
@@ -10,6 +10,17 @@ SPDX-License-Identifier: AGPL-3.0-only
 		<div id="mcaptcha__widget-container" class="m-captcha-style"></div>
 		<div ref="captchaEl"></div>
 	</div>
+	<div v-if="props.provider == 'testcaptcha'" style="background: #eee; border: solid 1px #888; padding: 8px; color: #000; max-width: 320px; display: flex; gap: 10px; align-items: center; box-shadow: 2px 2px 6px #0004; border-radius: 4px;">
+		<img src="/client-assets/testcaptcha.png" style="width: 60px; height: 60px; "/>
+		<div v-if="testcaptchaPassed">
+			<div style="color: green;">Test captcha passed!</div>
+		</div>
+		<div v-else>
+			<div style="font-size: 13px; margin-bottom: 4px;">Type "ai-chan-kawaii" to pass captcha</div>
+			<input v-model="testcaptchaInput" data-cy-testcaptcha-input/>
+			<button type="button" data-cy-testcaptcha-submit @click="testcaptchaSubmit">Submit</button>
+		</div>
+	</div>
 	<div v-else ref="captchaEl"></div>
 </div>
 </template>
@@ -29,7 +40,7 @@ export type Captcha = {
 	getResponse(id: string): string;
 };
 
-export type CaptchaProvider = 'hcaptcha' | 'recaptcha' | 'turnstile' | 'mcaptcha';
+export type CaptchaProvider = 'hcaptcha' | 'recaptcha' | 'turnstile' | 'mcaptcha' | 'testcaptcha';
 
 type CaptchaContainer = {
 	readonly [_ in CaptchaProvider]?: Captcha;
@@ -54,12 +65,16 @@ const available = ref(false);
 
 const captchaEl = shallowRef<HTMLDivElement | undefined>();
 
+const testcaptchaInput = ref('');
+const testcaptchaPassed = ref(false);
+
 const variable = computed(() => {
 	switch (props.provider) {
 		case 'hcaptcha': return 'hcaptcha';
 		case 'recaptcha': return 'grecaptcha';
 		case 'turnstile': return 'turnstile';
 		case 'mcaptcha': return 'mcaptcha';
+		case 'testcaptcha': return 'testcaptcha';
 	}
 });
 
@@ -71,6 +86,7 @@ const src = computed(() => {
 		case 'recaptcha': return 'https://www.recaptcha.net/recaptcha/api.js?render=explicit';
 		case 'turnstile': return 'https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit';
 		case 'mcaptcha': return null;
+		case 'testcaptcha': return null;
 	}
 });
 
@@ -78,7 +94,7 @@ const scriptId = computed(() => `script-${props.provider}`);
 
 const captcha = computed<Captcha>(() => window[variable.value] || {} as unknown as Captcha);
 
-if (loaded || props.provider === 'mcaptcha') {
+if (loaded || props.provider === 'mcaptcha' || props.provider === 'testcaptcha') {
 	available.value = true;
 } else if (src.value !== null) {
 	(document.getElementById(scriptId.value) ?? document.head.appendChild(Object.assign(document.createElement('script'), {
@@ -91,6 +107,8 @@ if (loaded || props.provider === 'mcaptcha') {
 
 function reset() {
 	if (captcha.value.reset) captcha.value.reset();
+	testcaptchaPassed.value = false;
+	testcaptchaInput.value = '';
 }
 
 async function requestRender() {
@@ -127,6 +145,12 @@ function onReceivedMessage(message: MessageEvent) {
 	}
 }
 
+function testcaptchaSubmit() {
+	testcaptchaPassed.value = testcaptchaInput.value === 'ai-chan-kawaii';
+	callback(testcaptchaPassed.value ? 'testcaptcha-passed' : undefined);
+	if (!testcaptchaPassed.value) testcaptchaInput.value = '';
+}
+
 onMounted(() => {
 	if (available.value) {
 		window.addEventListener('message', onReceivedMessage);
diff --git a/packages/frontend/src/components/MkSignin.password.vue b/packages/frontend/src/components/MkSignin.password.vue
index f30bf5f861..5608122a39 100644
--- a/packages/frontend/src/components/MkSignin.password.vue
+++ b/packages/frontend/src/components/MkSignin.password.vue
@@ -28,6 +28,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<MkCaptcha v-if="instance.enableMcaptcha" ref="mcaptcha" v-model="mCaptchaResponse" :class="$style.captcha" provider="mcaptcha" :sitekey="instance.mcaptchaSiteKey" :instanceUrl="instance.mcaptchaInstanceUrl"/>
 				<MkCaptcha v-if="instance.enableRecaptcha" ref="recaptcha" v-model="reCaptchaResponse" :class="$style.captcha" provider="recaptcha" :sitekey="instance.recaptchaSiteKey"/>
 				<MkCaptcha v-if="instance.enableTurnstile" ref="turnstile" v-model="turnstileResponse" :class="$style.captcha" provider="turnstile" :sitekey="instance.turnstileSiteKey"/>
+				<MkCaptcha v-if="instance.enableTestcaptcha" ref="testcaptcha" v-model="testcaptchaResponse" :class="$style.captcha" provider="testcaptcha"/>
 			</div>
 
 			<MkButton type="submit" :disabled="needCaptcha && captchaFailed" large primary rounded style="margin: 0 auto;" data-cy-signin-page-password-continue>{{ i18n.ts.continue }} <i class="ti ti-arrow-right"></i></MkButton>
@@ -44,6 +45,7 @@ export type PwResponse = {
 		mCaptchaResponse: string | null;
 		reCaptchaResponse: string | null;
 		turnstileResponse: string | null;
+		testcaptchaResponse: string | null;
 	};
 };
 </script>
@@ -75,18 +77,21 @@ const hCaptcha = useTemplateRef('hcaptcha');
 const mCaptcha = useTemplateRef('mcaptcha');
 const reCaptcha = useTemplateRef('recaptcha');
 const turnstile = useTemplateRef('turnstile');
+const testcaptcha = useTemplateRef('testcaptcha');
 
 const hCaptchaResponse = ref<string | null>(null);
 const mCaptchaResponse = ref<string | null>(null);
 const reCaptchaResponse = ref<string | null>(null);
 const turnstileResponse = ref<string | null>(null);
+const testcaptchaResponse = ref<string | null>(null);
 
 const captchaFailed = computed((): boolean => {
 	return (
 		(instance.enableHcaptcha && !hCaptchaResponse.value) ||
 		(instance.enableMcaptcha && !mCaptchaResponse.value) ||
 		(instance.enableRecaptcha && !reCaptchaResponse.value) ||
-		(instance.enableTurnstile && !turnstileResponse.value)
+		(instance.enableTurnstile && !turnstileResponse.value) ||
+		(instance.enableTestcaptcha && !testcaptchaResponse.value)
 	);
 });
 
@@ -104,6 +109,7 @@ function onSubmit() {
 			mCaptchaResponse: mCaptchaResponse.value,
 			reCaptchaResponse: reCaptchaResponse.value,
 			turnstileResponse: turnstileResponse.value,
+			testcaptchaResponse: testcaptchaResponse.value,
 		},
 	});
 }
@@ -113,6 +119,7 @@ function resetCaptcha() {
 	mCaptcha.value?.reset();
 	reCaptcha.value?.reset();
 	turnstile.value?.reset();
+	testcaptcha.value?.reset();
 }
 
 defineExpose({
diff --git a/packages/frontend/src/components/MkSignin.vue b/packages/frontend/src/components/MkSignin.vue
index a773cefdab..776ee20e36 100644
--- a/packages/frontend/src/components/MkSignin.vue
+++ b/packages/frontend/src/components/MkSignin.vue
@@ -68,6 +68,8 @@ import { nextTick, onBeforeUnmount, ref, shallowRef, useTemplateRef } from 'vue'
 import * as Misskey from 'misskey-js';
 import { supported as webAuthnSupported, parseRequestOptionsFromJSON } from '@github/webauthn-json/browser-ponyfill';
 
+import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/browser-ponyfill';
+import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { showSuspendedDialog } from '@/scripts/show-suspended-dialog.js';
 import { login } from '@/account.js';
@@ -79,9 +81,6 @@ import XPassword, { type PwResponse } from '@/components/MkSignin.password.vue';
 import XTotp from '@/components/MkSignin.totp.vue';
 import XPasskey from '@/components/MkSignin.passkey.vue';
 
-import type { AuthenticationPublicKeyCredential } from '@github/webauthn-json/browser-ponyfill';
-import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
-
 const emit = defineEmits<{
 	(ev: 'login', v: Misskey.entities.SigninFlowResponse & { finished: true }): void;
 }>();
@@ -188,6 +187,7 @@ async function onPasswordSubmitted(pw: PwResponse) {
 			'm-captcha-response': pw.captcha.mCaptchaResponse,
 			'g-recaptcha-response': pw.captcha.reCaptchaResponse,
 			'turnstile-response': pw.captcha.turnstileResponse,
+			'testcaptcha-response': pw.captcha.testcaptchaResponse,
 		});
 	}
 }
diff --git a/packages/frontend/src/components/MkSignupDialog.form.vue b/packages/frontend/src/components/MkSignupDialog.form.vue
index ffb5551ff3..3d1c44fc90 100644
--- a/packages/frontend/src/components/MkSignupDialog.form.vue
+++ b/packages/frontend/src/components/MkSignupDialog.form.vue
@@ -66,6 +66,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<MkCaptcha v-if="instance.enableMcaptcha" ref="mcaptcha" v-model="mCaptchaResponse" :class="$style.captcha" provider="mcaptcha" :sitekey="instance.mcaptchaSiteKey" :instanceUrl="instance.mcaptchaInstanceUrl"/>
 			<MkCaptcha v-if="instance.enableRecaptcha" ref="recaptcha" v-model="reCaptchaResponse" :class="$style.captcha" provider="recaptcha" :sitekey="instance.recaptchaSiteKey"/>
 			<MkCaptcha v-if="instance.enableTurnstile" ref="turnstile" v-model="turnstileResponse" :class="$style.captcha" provider="turnstile" :sitekey="instance.turnstileSiteKey"/>
+			<MkCaptcha v-if="instance.enableTestcaptcha" ref="testcaptcha" v-model="testcaptchaResponse" :class="$style.captcha" provider="testcaptcha"/>
 			<MkButton type="submit" :disabled="shouldDisableSubmitting" large gradate rounded data-cy-signup-submit style="margin: 0 auto;">
 				<template v-if="submitting">
 					<MkLoading :em="true" :colored="false"/>
@@ -108,6 +109,7 @@ const hcaptcha = ref<Captcha | undefined>();
 const mcaptcha = ref<Captcha | undefined>();
 const recaptcha = ref<Captcha | undefined>();
 const turnstile = ref<Captcha | undefined>();
+const testcaptcha = ref<Captcha | undefined>();
 
 const username = ref<string>('');
 const password = ref<string>('');
@@ -123,6 +125,7 @@ const hCaptchaResponse = ref<string | null>(null);
 const mCaptchaResponse = ref<string | null>(null);
 const reCaptchaResponse = ref<string | null>(null);
 const turnstileResponse = ref<string | null>(null);
+const testcaptchaResponse = ref<string | null>(null);
 const usernameAbortController = ref<null | AbortController>(null);
 const emailAbortController = ref<null | AbortController>(null);
 
@@ -132,6 +135,7 @@ const shouldDisableSubmitting = computed((): boolean => {
 		instance.enableMcaptcha && !mCaptchaResponse.value ||
 		instance.enableRecaptcha && !reCaptchaResponse.value ||
 		instance.enableTurnstile && !turnstileResponse.value ||
+		instance.enableTestcaptcha && !testcaptchaResponse.value ||
 		instance.emailRequiredForSignup && emailState.value !== 'ok' ||
 		usernameState.value !== 'ok' ||
 		passwordRetypeState.value !== 'match';
@@ -259,6 +263,7 @@ async function onSubmit(): Promise<void> {
 		'm-captcha-response': mCaptchaResponse.value,
 		'g-recaptcha-response': reCaptchaResponse.value,
 		'turnstile-response': turnstileResponse.value,
+		'testcaptcha-response': testcaptchaResponse.value,
 	};
 
 	const res = await fetch(`${config.apiUrl}/signup`, {
@@ -301,6 +306,7 @@ function onSignupApiError() {
 	mcaptcha.value?.reset?.();
 	recaptcha.value?.reset?.();
 	turnstile.value?.reset?.();
+	testcaptcha.value?.reset?.();
 
 	os.alert({
 		type: 'error',
diff --git a/packages/frontend/src/pages/admin/bot-protection.vue b/packages/frontend/src/pages/admin/bot-protection.vue
index b34592cd6a..d07add4408 100644
--- a/packages/frontend/src/pages/admin/bot-protection.vue
+++ b/packages/frontend/src/pages/admin/bot-protection.vue
@@ -11,6 +11,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 	<template v-else-if="botProtectionForm.savedState.provider === 'mcaptcha'" #suffix>mCaptcha</template>
 	<template v-else-if="botProtectionForm.savedState.provider === 'recaptcha'" #suffix>reCAPTCHA</template>
 	<template v-else-if="botProtectionForm.savedState.provider === 'turnstile'" #suffix>Turnstile</template>
+	<template v-else-if="botProtectionForm.savedState.provider === 'testcaptcha'" #suffix>testCaptcha</template>
 	<template v-else #suffix>{{ i18n.ts.none }} ({{ i18n.ts.notRecommended }})</template>
 	<template v-if="botProtectionForm.modified.value" #footer>
 		<MkFormFooter :form="botProtectionForm"/>
@@ -23,6 +24,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<option value="mcaptcha">mCaptcha</option>
 			<option value="recaptcha">reCAPTCHA</option>
 			<option value="turnstile">Turnstile</option>
+			<option value="testcaptcha">testCaptcha</option>
 		</MkRadios>
 
 		<template v-if="botProtectionForm.state.provider === 'hcaptcha'">
@@ -85,6 +87,13 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<MkCaptcha provider="turnstile" :sitekey="botProtectionForm.state.turnstileSiteKey || '1x00000000000000000000AA'"/>
 			</FormSlot>
 		</template>
+		<template v-else-if="botProtectionForm.state.provider === 'testcaptcha'">
+			<MkInfo warn><span v-html="i18n.ts.testCaptchaWarning"></span></MkInfo>
+			<FormSlot>
+				<template #label>{{ i18n.ts.preview }}</template>
+				<MkCaptcha provider="testcaptcha"/>
+			</FormSlot>
+		</template>
 	</div>
 </MkFolder>
 </template>
@@ -101,6 +110,7 @@ import { i18n } from '@/i18n.js';
 import { useForm } from '@/scripts/use-form.js';
 import MkFormFooter from '@/components/MkFormFooter.vue';
 import MkFolder from '@/components/MkFolder.vue';
+import MkInfo from '@/components/MkInfo.vue';
 
 const MkCaptcha = defineAsyncComponent(() => import('@/components/MkCaptcha.vue'));
 
@@ -115,7 +125,9 @@ const botProtectionForm = useForm({
 				? 'turnstile'
 				: meta.enableMcaptcha
 					? 'mcaptcha'
-					: null,
+					: meta.enableTestcaptcha
+						? 'testcaptcha'
+						: null,
 	hcaptchaSiteKey: meta.hcaptchaSiteKey,
 	hcaptchaSecretKey: meta.hcaptchaSecretKey,
 	mcaptchaSiteKey: meta.mcaptchaSiteKey,
@@ -140,6 +152,7 @@ const botProtectionForm = useForm({
 		enableTurnstile: state.provider === 'turnstile',
 		turnstileSiteKey: state.turnstileSiteKey,
 		turnstileSecretKey: state.turnstileSecretKey,
+		enableTestcaptcha: state.provider === 'testcaptcha',
 	});
 	fetchInstance(true);
 });
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 76ef7ea1fb..e40cb050fd 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -4972,6 +4972,7 @@ export type components = {
       recaptchaSiteKey: string | null;
       enableTurnstile: boolean;
       turnstileSiteKey: string | null;
+      enableTestcaptcha: boolean;
       swPublickey: string | null;
       /** @default /assets/ai.png */
       mascotImageUrl: string;
@@ -5102,6 +5103,7 @@ export type operations = {
             recaptchaSiteKey: string | null;
             enableTurnstile: boolean;
             turnstileSiteKey: string | null;
+            enableTestcaptcha: boolean;
             swPublickey: string | null;
             /** @default /assets/ai.png */
             mascotImageUrl: string | null;
@@ -9491,6 +9493,7 @@ export type operations = {
           enableTurnstile?: boolean;
           turnstileSiteKey?: string | null;
           turnstileSecretKey?: string | null;
+          enableTestcaptcha?: boolean;
           /** @enum {string} */
           sensitiveMediaDetection?: 'none' | 'all' | 'local' | 'remote';
           /** @enum {string} */
-- 
cgit v1.2.3-freya


From 45d42b8641585cbe582e4c2a95e03ef511df00be Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Sun, 13 Oct 2024 20:21:25 +0900
Subject: feat: ユーザーの名前に禁止ワードを設定できるように (#14756)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* :art:

* Enhance: モデレーター以上は制限の影響を受けないように

* refactor

* better error handling

* fix

* Revert "better error handling"

This reverts commit 5670b29cfa18a3894d0c2abfe0e5ef862e3b9ffa.

* error handling

* エラーが出ないのを修正

* translation

* Update Changelog

* status code

* :v:

* モデレーター以上は影響ないことを明記

* :art:

* update changelog

* spdx

* Update update.ts

* refactor

* eliminate `screen name`

* remove untracked file

---------

Co-authored-by: KanariKanaru <93921745+kanarikanaru@users.noreply.github.com>
---
 CHANGELOG.md                                       |  3 +++
 locales/index.d.ts                                 | 16 +++++++++++++++
 locales/ja-JP.yml                                  |  4 ++++
 .../1728634286056-prohibitedWordsForNameOfUser.js  | 14 +++++++++++++
 packages/backend/src/models/Meta.ts                |  5 +++++
 .../backend/src/server/api/endpoints/admin/meta.ts |  8 ++++++++
 .../src/server/api/endpoints/admin/update-meta.ts  |  8 ++++++++
 .../backend/src/server/api/endpoints/i/update.ts   | 22 +++++++++++++++++++-
 .../src/components/MkUserSetupDialog.Profile.vue   |  5 +++++
 packages/frontend/src/os.ts                        |  8 ++++++--
 packages/frontend/src/pages/admin/moderation.vue   | 24 +++++++++++++++++++++-
 packages/frontend/src/pages/settings/profile.vue   | 11 +++++++++-
 packages/frontend/src/scripts/get-note-menu.ts     | 11 ++++------
 packages/misskey-js/src/autogen/types.ts           |  2 ++
 14 files changed, 129 insertions(+), 12 deletions(-)
 create mode 100644 packages/backend/migration/1728634286056-prohibitedWordsForNameOfUser.js

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 143b63f7b2..130eb00b77 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@
 7日間活動していない場合は自動的に招待制へと移行（コントロールパネル -> モデレーション -> "誰でも新規登録できるようにする"をオフに変更）するようになりました。  
 詳細な経緯は https://github.com/misskey-dev/misskey/issues/13437 をご確認ください。
 
+### General
+- Feat: ユーザーの名前に禁止ワードを設定できるように
+
 ### Client
 - Enhance: l10nの更新
 - Fix: メールアドレス不要でCaptchaが有効な場合にアカウント登録完了後自動でのログインに失敗する問題を修正
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 2dca73bfa6..7585410291 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -5170,6 +5170,22 @@ export interface Locale extends ILocale {
      * CAPTCHAのテストを目的とした機能です。<strong>本番環境で使用しないでください。</strong>
      */
     "testCaptchaWarning": string;
+    /**
+     * 禁止ワード（ユーザーの名前）
+     */
+    "prohibitedWordsForNameOfUser": string;
+    /**
+     * このリストに含まれる文字列がユーザーの名前に含まれる場合、ユーザーの名前の変更を拒否します。モデレーター権限を持つユーザーはこの制限の影響を受けません。
+     */
+    "prohibitedWordsForNameOfUserDescription": string;
+    /**
+     * 変更しようとした名前に禁止された文字列が含まれています
+     */
+    "yourNameContainsProhibitedWords": string;
+    /**
+     * 名前に禁止されている文字列が含まれています。この名前を使用したい場合は、サーバー管理者にお問い合わせください。
+     */
+    "yourNameContainsProhibitedWordsDescription": string;
     "_abuseUserReport": {
         /**
          * 転送
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 440ffa9306..330f7ef473 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -1288,6 +1288,10 @@ passkeyVerificationSucceededButPasswordlessLoginDisabled: "パスキーの検証
 messageToFollower: "フォロワーへのメッセージ"
 target: "対象"
 testCaptchaWarning: "CAPTCHAのテストを目的とした機能です。<strong>本番環境で使用しないでください。</strong>"
+prohibitedWordsForNameOfUser: "禁止ワード（ユーザーの名前）"
+prohibitedWordsForNameOfUserDescription: "このリストに含まれる文字列がユーザーの名前に含まれる場合、ユーザーの名前の変更を拒否します。モデレーター権限を持つユーザーはこの制限の影響を受けません。"
+yourNameContainsProhibitedWords: "変更しようとした名前に禁止された文字列が含まれています"
+yourNameContainsProhibitedWordsDescription: "名前に禁止されている文字列が含まれています。この名前を使用したい場合は、サーバー管理者にお問い合わせください。"
 
 _abuseUserReport:
   forward: "転送"
diff --git a/packages/backend/migration/1728634286056-prohibitedWordsForNameOfUser.js b/packages/backend/migration/1728634286056-prohibitedWordsForNameOfUser.js
new file mode 100644
index 0000000000..36e698d120
--- /dev/null
+++ b/packages/backend/migration/1728634286056-prohibitedWordsForNameOfUser.js
@@ -0,0 +1,14 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class ProhibitedWordsForNameOfUser1728634286056 {
+		async up(queryRunner) {
+			await queryRunner.query(`ALTER TABLE "meta" ADD "prohibitedWordsForNameOfUser" character varying(1024) array NOT NULL DEFAULT '{}'`);
+		}
+
+		async down(queryRunner) {
+			await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "prohibitedWordsForNameOfUser"`);
+		}
+}
diff --git a/packages/backend/src/models/Meta.ts b/packages/backend/src/models/Meta.ts
index fd007de6c6..5ceee1c3f5 100644
--- a/packages/backend/src/models/Meta.ts
+++ b/packages/backend/src/models/Meta.ts
@@ -81,6 +81,11 @@ export class MiMeta {
 	})
 	public prohibitedWords: string[];
 
+	@Column('varchar', {
+		length: 1024, array: true, default: '{}',
+	})
+	public prohibitedWordsForNameOfUser: string[];
+
 	@Column('varchar', {
 		length: 1024, array: true, default: '{}',
 	})
diff --git a/packages/backend/src/server/api/endpoints/admin/meta.ts b/packages/backend/src/server/api/endpoints/admin/meta.ts
index abb3c17be3..16cbbc9aa4 100644
--- a/packages/backend/src/server/api/endpoints/admin/meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/meta.ts
@@ -177,6 +177,13 @@ export const meta = {
 					type: 'string',
 				},
 			},
+			prohibitedWordsForNameOfUser: {
+				type: 'array',
+				optional: false, nullable: false,
+				items: {
+					type: 'string',
+				},
+			},
 			bannedEmailDomains: {
 				type: 'array',
 				optional: true, nullable: false,
@@ -586,6 +593,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				mediaSilencedHosts: instance.mediaSilencedHosts,
 				sensitiveWords: instance.sensitiveWords,
 				prohibitedWords: instance.prohibitedWords,
+				prohibitedWordsForNameOfUser: instance.prohibitedWordsForNameOfUser,
 				preservedUsernames: instance.preservedUsernames,
 				hcaptchaSecretKey: instance.hcaptchaSecretKey,
 				mcaptchaSecretKey: instance.mcaptchaSecretKey,
diff --git a/packages/backend/src/server/api/endpoints/admin/update-meta.ts b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
index e97ac4e2b9..536645e0d7 100644
--- a/packages/backend/src/server/api/endpoints/admin/update-meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
@@ -46,6 +46,11 @@ export const paramDef = {
 				type: 'string',
 			},
 		},
+		prohibitedWordsForNameOfUser: {
+			type: 'array', nullable: true, items: {
+				type: 'string',
+			},
+		},
 		themeColor: { type: 'string', nullable: true, pattern: '^#[0-9a-fA-F]{6}$' },
 		mascotImageUrl: { type: 'string', nullable: true },
 		bannerUrl: { type: 'string', nullable: true },
@@ -214,6 +219,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (Array.isArray(ps.prohibitedWords)) {
 				set.prohibitedWords = ps.prohibitedWords.filter(Boolean);
 			}
+			if (Array.isArray(ps.prohibitedWordsForNameOfUser)) {
+				set.prohibitedWordsForNameOfUser = ps.prohibitedWordsForNameOfUser.filter(Boolean);
+			}
 			if (Array.isArray(ps.silencedHosts)) {
 				let lastValue = '';
 				set.silencedHosts = ps.silencedHosts.sort().filter((h) => {
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 798bd98cf1..0b35005a87 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -11,7 +11,7 @@ import { JSDOM } from 'jsdom';
 import { extractCustomEmojisFromMfm } from '@/misc/extract-custom-emojis-from-mfm.js';
 import { extractHashtags } from '@/misc/extract-hashtags.js';
 import * as Acct from '@/misc/acct.js';
-import type { UsersRepository, DriveFilesRepository, UserProfilesRepository, PagesRepository } from '@/models/_.js';
+import type { UsersRepository, DriveFilesRepository, MiMeta, UserProfilesRepository, PagesRepository } from '@/models/_.js';
 import type { MiLocalUser, MiUser } from '@/models/User.js';
 import { birthdaySchema, descriptionSchema, followedMessageSchema, locationSchema, nameSchema } from '@/models/User.js';
 import type { MiUserProfile } from '@/models/UserProfile.js';
@@ -22,6 +22,7 @@ import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { GlobalEventService } from '@/core/GlobalEventService.js';
 import { UserFollowingService } from '@/core/UserFollowingService.js';
 import { AccountUpdateService } from '@/core/AccountUpdateService.js';
+import { UtilityService } from '@/core/UtilityService.js';
 import { HashtagService } from '@/core/HashtagService.js';
 import { DI } from '@/di-symbols.js';
 import { RolePolicies, RoleService } from '@/core/RoleService.js';
@@ -114,6 +115,13 @@ export const meta = {
 			code: 'RESTRICTED_BY_ROLE',
 			id: '8feff0ba-5ab5-585b-31f4-4df816663fad',
 		},
+
+		nameContainsProhibitedWords: {
+			message: 'Your new name contains prohibited words.',
+			code: 'YOUR_NAME_CONTAINS_PROHIBITED_WORDS',
+			id: '0b3f9f6a-2f4d-4b1f-9fb4-49d3a2fd7191',
+			httpStatusCode: 422,
+		},
 	},
 
 	res: {
@@ -223,6 +231,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		@Inject(DI.config)
 		private config: Config,
 
+		@Inject(DI.meta)
+		private instanceMeta: MiMeta,
+
 		@Inject(DI.usersRepository)
 		private usersRepository: UsersRepository,
 
@@ -247,6 +258,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		private cacheService: CacheService,
 		private httpRequestService: HttpRequestService,
 		private avatarDecorationService: AvatarDecorationService,
+		private utilityService: UtilityService,
 	) {
 		super(meta, paramDef, async (ps, _user, token) => {
 			const user = await this.usersRepository.findOneByOrFail({ id: _user.id }) as MiLocalUser;
@@ -449,6 +461,14 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const newFields = profileUpdates.fields === undefined ? profile.fields : profileUpdates.fields;
 
 			if (newName != null) {
+				let hasProhibitedWords = false;
+				if (!await this.roleService.isModerator(user)) {
+					hasProhibitedWords = this.utilityService.isKeyWordIncluded(newName, this.instanceMeta.prohibitedWordsForNameOfUser);
+				}
+				if (hasProhibitedWords) {
+					throw new ApiError(meta.errors.nameContainsProhibitedWords);
+				}
+
 				const tokens = mfm.parseSimple(newName);
 				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens));
 			}
diff --git a/packages/frontend/src/components/MkUserSetupDialog.Profile.vue b/packages/frontend/src/components/MkUserSetupDialog.Profile.vue
index 3194641cdb..7cb48f6afb 100644
--- a/packages/frontend/src/components/MkUserSetupDialog.Profile.vue
+++ b/packages/frontend/src/components/MkUserSetupDialog.Profile.vue
@@ -51,6 +51,11 @@ watch(name, () => {
 		// 空文字列をnullにしたいので??は使うな
 		// eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
 		name: name.value || null,
+	}, undefined, {
+		'0b3f9f6a-2f4d-4b1f-9fb4-49d3a2fd7191': {
+			title: i18n.ts.yourNameContainsProhibitedWords,
+			text: i18n.ts.yourNameContainsProhibitedWordsDescription,
+		},
 	});
 });
 
diff --git a/packages/frontend/src/os.ts b/packages/frontend/src/os.ts
index 60e4218a48..4d41cf5bc0 100644
--- a/packages/frontend/src/os.ts
+++ b/packages/frontend/src/os.ts
@@ -10,6 +10,7 @@ import { EventEmitter } from 'eventemitter3';
 import * as Misskey from 'misskey-js';
 import type { ComponentProps as CP } from 'vue-component-type-helpers';
 import type { Form, GetFormResultType } from '@/scripts/form.js';
+import type { MenuItem } from '@/types/menu.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { defaultStore } from '@/store.js';
 import { i18n } from '@/i18n.js';
@@ -22,7 +23,6 @@ import MkPasswordDialog from '@/components/MkPasswordDialog.vue';
 import MkEmojiPickerDialog from '@/components/MkEmojiPickerDialog.vue';
 import MkPopupMenu from '@/components/MkPopupMenu.vue';
 import MkContextMenu from '@/components/MkContextMenu.vue';
-import type { MenuItem } from '@/types/menu.js';
 import { copyToClipboard } from '@/scripts/copy-to-clipboard.js';
 import { pleaseLogin } from '@/scripts/please-login.js';
 import { showMovedDialog } from '@/scripts/show-moved-dialog.js';
@@ -35,6 +35,7 @@ export const apiWithDialog = (<E extends keyof Misskey.Endpoints = keyof Misskey
 	endpoint: E,
 	data: P = {} as any,
 	token?: string | null | undefined,
+	customErrors?: Record<string, { title?: string; text: string; }>,
 ) => {
 	const promise = misskeyApi(endpoint, data, token);
 	promiseDialog(promise, null, async (err) => {
@@ -77,6 +78,9 @@ export const apiWithDialog = (<E extends keyof Misskey.Endpoints = keyof Misskey
 		} else if (err.message.startsWith('Unexpected token')) {
 			title = i18n.ts.gotInvalidResponseError;
 			text = i18n.ts.gotInvalidResponseErrorDescription;
+		} else if (customErrors && customErrors[err.id] != null) {
+			title = customErrors[err.id].title;
+			text = customErrors[err.id].text;
 		}
 		alert({
 			type: 'error',
@@ -86,7 +90,7 @@ export const apiWithDialog = (<E extends keyof Misskey.Endpoints = keyof Misskey
 	});
 
 	return promise;
-}) as typeof misskeyApi;
+});
 
 export function promiseDialog<T extends Promise<any>>(
 	promise: T,
diff --git a/packages/frontend/src/pages/admin/moderation.vue b/packages/frontend/src/pages/admin/moderation.vue
index 04d23b1358..5d8a581b2e 100644
--- a/packages/frontend/src/pages/admin/moderation.vue
+++ b/packages/frontend/src/pages/admin/moderation.vue
@@ -57,6 +57,18 @@ SPDX-License-Identifier: AGPL-3.0-only
 						</div>
 					</MkFolder>
 
+					<MkFolder>
+						<template #icon><i class="ti ti-user-x"></i></template>
+						<template #label>{{ i18n.ts.prohibitedWordsForNameOfUser }}</template>
+
+						<div class="_gaps">
+							<MkTextarea v-model="prohibitedWordsForNameOfUser">
+								<template #caption>{{ i18n.ts.prohibitedWordsForNameOfUserDescription }}<br>{{ i18n.ts.prohibitedWordsDescription2 }}</template>
+							</MkTextarea>
+							<MkButton primary @click="save_prohibitedWordsForNameOfUser">{{ i18n.ts.save }}</MkButton>
+						</div>
+					</MkFolder>
+
 					<MkFolder>
 						<template #icon><i class="ti ti-eye-off"></i></template>
 						<template #label>{{ i18n.ts.hiddenTags }}</template>
@@ -131,6 +143,7 @@ const enableRegistration = ref<boolean>(false);
 const emailRequiredForSignup = ref<boolean>(false);
 const sensitiveWords = ref<string>('');
 const prohibitedWords = ref<string>('');
+const prohibitedWordsForNameOfUser = ref<string>('');
 const hiddenTags = ref<string>('');
 const preservedUsernames = ref<string>('');
 const blockedHosts = ref<string>('');
@@ -143,10 +156,11 @@ async function init() {
 	emailRequiredForSignup.value = meta.emailRequiredForSignup;
 	sensitiveWords.value = meta.sensitiveWords.join('\n');
 	prohibitedWords.value = meta.prohibitedWords.join('\n');
+	prohibitedWordsForNameOfUser.value = meta.prohibitedWordsForNameOfUser.join('\n');
 	hiddenTags.value = meta.hiddenTags.join('\n');
 	preservedUsernames.value = meta.preservedUsernames.join('\n');
 	blockedHosts.value = meta.blockedHosts.join('\n');
-	silencedHosts.value = meta.silencedHosts.join('\n');
+	silencedHosts.value = meta.silencedHosts?.join('\n') ?? '';
 	mediaSilencedHosts.value = meta.mediaSilencedHosts.join('\n');
 }
 
@@ -190,6 +204,14 @@ function save_prohibitedWords() {
 	});
 }
 
+function save_prohibitedWordsForNameOfUser() {
+	os.apiWithDialog('admin/update-meta', {
+		prohibitedWordsForNameOfUser: prohibitedWordsForNameOfUser.value.split('\n'),
+	}).then(() => {
+		fetchInstance(true);
+	});
+}
+
 function save_hiddenTags() {
 	os.apiWithDialog('admin/update-meta', {
 		hiddenTags: hiddenTags.value.split('\n'),
diff --git a/packages/frontend/src/pages/settings/profile.vue b/packages/frontend/src/pages/settings/profile.vue
index 0d61f8d851..561894d2b7 100644
--- a/packages/frontend/src/pages/settings/profile.vue
+++ b/packages/frontend/src/pages/settings/profile.vue
@@ -142,13 +142,17 @@ const Sortable = defineAsyncComponent(() => import('vuedraggable').then(x => x.d
 
 const reactionAcceptance = computed(defaultStore.makeGetterSetter('reactionAcceptance'));
 
+function assertVaildLang(lang: string | null): lang is keyof typeof langmap {
+	return lang != null && lang in langmap;
+}
+
 const profile = reactive({
 	name: $i.name,
 	description: $i.description,
 	followedMessage: $i.followedMessage,
 	location: $i.location,
 	birthday: $i.birthday,
-	lang: $i.lang,
+	lang: assertVaildLang($i.lang) ? $i.lang : null,
 	isBot: $i.isBot ?? false,
 	isCat: $i.isCat ?? false,
 });
@@ -202,6 +206,11 @@ function save() {
 		lang: profile.lang || null,
 		isBot: !!profile.isBot,
 		isCat: !!profile.isCat,
+	}, undefined, {
+		'0b3f9f6a-2f4d-4b1f-9fb4-49d3a2fd7191': {
+			title: i18n.ts.yourNameContainsProhibitedWords,
+			text: i18n.ts.yourNameContainsProhibitedWordsDescription,
+		},
 	});
 	globalEvents.emit('requestClearPageCache');
 	claimAchievement('profileFilled');
diff --git a/packages/frontend/src/scripts/get-note-menu.ts b/packages/frontend/src/scripts/get-note-menu.ts
index 4ffa0ab94d..c1846b0589 100644
--- a/packages/frontend/src/scripts/get-note-menu.ts
+++ b/packages/frontend/src/scripts/get-note-menu.ts
@@ -245,13 +245,10 @@ export function getNoteMenu(props: {
 	function togglePin(pin: boolean): void {
 		os.apiWithDialog(pin ? 'i/pin' : 'i/unpin', {
 			noteId: appearNote.id,
-		}, undefined, null, res => {
-			if (res.id === '72dab508-c64d-498f-8740-a8eec1ba385a') {
-				os.alert({
-					type: 'error',
-					text: i18n.ts.pinLimitExceeded,
-				});
-			}
+		}, undefined, {
+			'72dab508-c64d-498f-8740-a8eec1ba385a': {
+				text: i18n.ts.pinLimitExceeded,
+			},
 		});
 	}
 
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index e40cb050fd..f61d72e280 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -5124,6 +5124,7 @@ export type operations = {
             blockedHosts: string[];
             sensitiveWords: string[];
             prohibitedWords: string[];
+            prohibitedWordsForNameOfUser: string[];
             bannedEmailDomains?: string[];
             preservedUsernames: string[];
             hcaptchaSecretKey: string | null;
@@ -9461,6 +9462,7 @@ export type operations = {
           blockedHosts?: string[] | null;
           sensitiveWords?: string[] | null;
           prohibitedWords?: string[] | null;
+          prohibitedWordsForNameOfUser?: string[] | null;
           themeColor?: string | null;
           mascotImageUrl?: string | null;
           bannerUrl?: string | null;
-- 
cgit v1.2.3-freya


From ff47fef5725ba31efc7016534c2d9db8b0ad242a Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Sun, 13 Oct 2024 20:22:16 +0900
Subject: feat: リモートサーバーのサーバー情報を収集しないオプション (#14634)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* wip

* Update FetchInstanceMetadataService.ts

* Update FetchInstanceMetadataService.ts

* Update types.ts
---
 locales/index.d.ts                                 |  4 ++
 locales/ja-JP.yml                                  |  1 +
 ...27318020265-enableStatsForFederatedInstances.js | 16 ++++++
 packages/backend/src/core/AccountMoveService.ts    | 16 +++---
 .../backend/src/core/FederatedInstanceService.ts   | 20 +++++++-
 .../src/core/FetchInstanceMetadataService.ts       |  2 +-
 packages/backend/src/core/NoteCreateService.ts     | 16 +++---
 packages/backend/src/core/NoteDeleteService.ts     | 16 +++---
 packages/backend/src/core/UserFollowingService.ts  | 60 ++++++++++++----------
 .../src/core/activitypub/models/ApPersonService.ts | 16 +++---
 packages/backend/src/models/Meta.ts                |  5 ++
 .../queue/processors/DeliverProcessorService.ts    | 31 +++++++----
 .../src/queue/processors/InboxProcessorService.ts  | 20 +++++---
 .../backend/src/server/api/endpoints/admin/meta.ts |  5 ++
 .../src/server/api/endpoints/admin/update-meta.ts  |  5 ++
 .../test/unit/FetchInstanceMetadataService.ts      | 20 ++++----
 packages/frontend/src/pages/admin/performance.vue  | 16 ++++++
 packages/misskey-js/src/autogen/types.ts           |  2 +
 18 files changed, 185 insertions(+), 86 deletions(-)
 create mode 100644 packages/backend/migration/1727318020265-enableStatsForFederatedInstances.js

(limited to 'packages/backend/src/server/api')

diff --git a/locales/index.d.ts b/locales/index.d.ts
index 7585410291..3ffb67f31c 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -4366,6 +4366,10 @@ export interface Locale extends ILocale {
      * リモートサーバーのチャートを生成
      */
     "enableChartsForFederatedInstances": string;
+    /**
+     * リモートサーバーの情報を取得
+     */
+    "enableStatsForFederatedInstances": string;
     /**
      * ノートのアクションにクリップを追加
      */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 330f7ef473..919be1e3ec 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -1087,6 +1087,7 @@ retryAllQueuesConfirmTitle: "今すぐ再試行しますか？"
 retryAllQueuesConfirmText: "一時的にサーバーの負荷が増大することがあります。"
 enableChartsForRemoteUser: "リモートユーザーのチャートを生成"
 enableChartsForFederatedInstances: "リモートサーバーのチャートを生成"
+enableStatsForFederatedInstances: "リモートサーバーの情報を取得"
 showClipButtonInNoteFooter: "ノートのアクションにクリップを追加"
 reactionsDisplaySize: "リアクションの表示サイズ"
 limitWidthOfReaction: "リアクションの最大横幅を制限し、縮小して表示する"
diff --git a/packages/backend/migration/1727318020265-enableStatsForFederatedInstances.js b/packages/backend/migration/1727318020265-enableStatsForFederatedInstances.js
new file mode 100644
index 0000000000..4ff520172b
--- /dev/null
+++ b/packages/backend/migration/1727318020265-enableStatsForFederatedInstances.js
@@ -0,0 +1,16 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class EnableStatsForFederatedInstances1727318020265 {
+    name = 'EnableStatsForFederatedInstances1727318020265'
+
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "meta" ADD "enableStatsForFederatedInstances" boolean NOT NULL DEFAULT true`);
+    }
+
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "meta" DROP COLUMN "enableStatsForFederatedInstances"`);
+    }
+}
diff --git a/packages/backend/src/core/AccountMoveService.ts b/packages/backend/src/core/AccountMoveService.ts
index 6e3125044c..24d11f29ff 100644
--- a/packages/backend/src/core/AccountMoveService.ts
+++ b/packages/backend/src/core/AccountMoveService.ts
@@ -274,13 +274,15 @@ export class AccountMoveService {
 		}
 
 		// Update instance stats by decreasing remote followers count by the number of local followers who were following the old account.
-		if (this.userEntityService.isRemoteUser(oldAccount)) {
-			this.federatedInstanceService.fetch(oldAccount.host).then(async i => {
-				this.instancesRepository.decrement({ id: i.id }, 'followersCount', localFollowerIds.length);
-				if (this.meta.enableChartsForFederatedInstances) {
-					this.instanceChart.updateFollowers(i.host, false);
-				}
-			});
+		if (this.meta.enableStatsForFederatedInstances) {
+			if (this.userEntityService.isRemoteUser(oldAccount)) {
+				this.federatedInstanceService.fetchOrRegister(oldAccount.host).then(async i => {
+					this.instancesRepository.decrement({ id: i.id }, 'followersCount', localFollowerIds.length);
+					if (this.meta.enableChartsForFederatedInstances) {
+						this.instanceChart.updateFollowers(i.host, false);
+					}
+				});
+			}
 		}
 
 		// FIXME: expensive?
diff --git a/packages/backend/src/core/FederatedInstanceService.ts b/packages/backend/src/core/FederatedInstanceService.ts
index 7aeeb78178..73bbf03b26 100644
--- a/packages/backend/src/core/FederatedInstanceService.ts
+++ b/packages/backend/src/core/FederatedInstanceService.ts
@@ -47,7 +47,7 @@ export class FederatedInstanceService implements OnApplicationShutdown {
 	}
 
 	@bindThis
-	public async fetch(host: string): Promise<MiInstance> {
+	public async fetchOrRegister(host: string): Promise<MiInstance> {
 		host = this.utilityService.toPuny(host);
 
 		const cached = await this.federatedInstanceCache.get(host);
@@ -70,6 +70,24 @@ export class FederatedInstanceService implements OnApplicationShutdown {
 		}
 	}
 
+	@bindThis
+	public async fetch(host: string): Promise<MiInstance | null> {
+		host = this.utilityService.toPuny(host);
+
+		const cached = await this.federatedInstanceCache.get(host);
+		if (cached !== undefined) return cached;
+
+		const index = await this.instancesRepository.findOneBy({ host });
+
+		if (index == null) {
+			this.federatedInstanceCache.set(host, null);
+			return null;
+		} else {
+			this.federatedInstanceCache.set(host, index);
+			return index;
+		}
+	}
+
 	@bindThis
 	public async update(id: MiInstance['id'], data: Partial<MiInstance>): Promise<void> {
 		const result = await this.instancesRepository.createQueryBuilder().update()
diff --git a/packages/backend/src/core/FetchInstanceMetadataService.ts b/packages/backend/src/core/FetchInstanceMetadataService.ts
index aa16468ecb..987999bce7 100644
--- a/packages/backend/src/core/FetchInstanceMetadataService.ts
+++ b/packages/backend/src/core/FetchInstanceMetadataService.ts
@@ -82,7 +82,7 @@ export class FetchInstanceMetadataService {
 
 		try {
 			if (!force) {
-				const _instance = await this.federatedInstanceService.fetch(host);
+				const _instance = await this.federatedInstanceService.fetchOrRegister(host);
 				const now = Date.now();
 				if (_instance && _instance.infoUpdatedAt && (now - _instance.infoUpdatedAt.getTime() < 1000 * 60 * 60 * 24)) {
 					// unlock at the finally caluse
diff --git a/packages/backend/src/core/NoteCreateService.ts b/packages/backend/src/core/NoteCreateService.ts
index 0ce57f16e6..3647fa7231 100644
--- a/packages/backend/src/core/NoteCreateService.ts
+++ b/packages/backend/src/core/NoteCreateService.ts
@@ -511,13 +511,15 @@ export class NoteCreateService implements OnApplicationShutdown {
 		}
 
 		// Register host
-		if (this.userEntityService.isRemoteUser(user)) {
-			this.federatedInstanceService.fetch(user.host).then(async i => {
-				this.updateNotesCountQueue.enqueue(i.id, 1);
-				if (this.meta.enableChartsForFederatedInstances) {
-					this.instanceChart.updateNote(i.host, note, true);
-				}
-			});
+		if (this.meta.enableStatsForFederatedInstances) {
+			if (this.userEntityService.isRemoteUser(user)) {
+				this.federatedInstanceService.fetchOrRegister(user.host).then(async i => {
+					this.updateNotesCountQueue.enqueue(i.id, 1);
+					if (this.meta.enableChartsForFederatedInstances) {
+						this.instanceChart.updateNote(i.host, note, true);
+					}
+				});
+			}
 		}
 
 		// ハッシュタグ更新
diff --git a/packages/backend/src/core/NoteDeleteService.ts b/packages/backend/src/core/NoteDeleteService.ts
index f9f8ace386..4ecd2592b2 100644
--- a/packages/backend/src/core/NoteDeleteService.ts
+++ b/packages/backend/src/core/NoteDeleteService.ts
@@ -106,13 +106,15 @@ export class NoteDeleteService {
 				this.perUserNotesChart.update(user, note, false);
 			}
 
-			if (this.userEntityService.isRemoteUser(user)) {
-				this.federatedInstanceService.fetch(user.host).then(async i => {
-					this.instancesRepository.decrement({ id: i.id }, 'notesCount', 1);
-					if (this.meta.enableChartsForFederatedInstances) {
-						this.instanceChart.updateNote(i.host, note, false);
-					}
-				});
+			if (this.meta.enableStatsForFederatedInstances) {
+				if (this.userEntityService.isRemoteUser(user)) {
+					this.federatedInstanceService.fetchOrRegister(user.host).then(async i => {
+						this.instancesRepository.decrement({ id: i.id }, 'notesCount', 1);
+						if (this.meta.enableChartsForFederatedInstances) {
+							this.instanceChart.updateNote(i.host, note, false);
+						}
+					});
+				}
 			}
 		}
 
diff --git a/packages/backend/src/core/UserFollowingService.ts b/packages/backend/src/core/UserFollowingService.ts
index 77e7b60bea..8963003057 100644
--- a/packages/backend/src/core/UserFollowingService.ts
+++ b/packages/backend/src/core/UserFollowingService.ts
@@ -305,20 +305,22 @@ export class UserFollowingService implements OnModuleInit {
 			//#endregion
 
 			//#region Update instance stats
-			if (this.userEntityService.isRemoteUser(follower) && this.userEntityService.isLocalUser(followee)) {
-				this.federatedInstanceService.fetch(follower.host).then(async i => {
-					this.instancesRepository.increment({ id: i.id }, 'followingCount', 1);
-					if (this.meta.enableChartsForFederatedInstances) {
-						this.instanceChart.updateFollowing(i.host, true);
-					}
-				});
-			} else if (this.userEntityService.isLocalUser(follower) && this.userEntityService.isRemoteUser(followee)) {
-				this.federatedInstanceService.fetch(followee.host).then(async i => {
-					this.instancesRepository.increment({ id: i.id }, 'followersCount', 1);
-					if (this.meta.enableChartsForFederatedInstances) {
-						this.instanceChart.updateFollowers(i.host, true);
-					}
-				});
+			if (this.meta.enableStatsForFederatedInstances) {
+				if (this.userEntityService.isRemoteUser(follower) && this.userEntityService.isLocalUser(followee)) {
+					this.federatedInstanceService.fetchOrRegister(follower.host).then(async i => {
+						this.instancesRepository.increment({ id: i.id }, 'followingCount', 1);
+						if (this.meta.enableChartsForFederatedInstances) {
+							this.instanceChart.updateFollowing(i.host, true);
+						}
+					});
+				} else if (this.userEntityService.isLocalUser(follower) && this.userEntityService.isRemoteUser(followee)) {
+					this.federatedInstanceService.fetchOrRegister(followee.host).then(async i => {
+						this.instancesRepository.increment({ id: i.id }, 'followersCount', 1);
+						if (this.meta.enableChartsForFederatedInstances) {
+							this.instanceChart.updateFollowers(i.host, true);
+						}
+					});
+				}
 			}
 			//#endregion
 
@@ -437,20 +439,22 @@ export class UserFollowingService implements OnModuleInit {
 			//#endregion
 
 			//#region Update instance stats
-			if (this.userEntityService.isRemoteUser(follower) && this.userEntityService.isLocalUser(followee)) {
-				this.federatedInstanceService.fetch(follower.host).then(async i => {
-					this.instancesRepository.decrement({ id: i.id }, 'followingCount', 1);
-					if (this.meta.enableChartsForFederatedInstances) {
-						this.instanceChart.updateFollowing(i.host, false);
-					}
-				});
-			} else if (this.userEntityService.isLocalUser(follower) && this.userEntityService.isRemoteUser(followee)) {
-				this.federatedInstanceService.fetch(followee.host).then(async i => {
-					this.instancesRepository.decrement({ id: i.id }, 'followersCount', 1);
-					if (this.meta.enableChartsForFederatedInstances) {
-						this.instanceChart.updateFollowers(i.host, false);
-					}
-				});
+			if (this.meta.enableStatsForFederatedInstances) {
+				if (this.userEntityService.isRemoteUser(follower) && this.userEntityService.isLocalUser(followee)) {
+					this.federatedInstanceService.fetchOrRegister(follower.host).then(async i => {
+						this.instancesRepository.decrement({ id: i.id }, 'followingCount', 1);
+						if (this.meta.enableChartsForFederatedInstances) {
+							this.instanceChart.updateFollowing(i.host, false);
+						}
+					});
+				} else if (this.userEntityService.isLocalUser(follower) && this.userEntityService.isRemoteUser(followee)) {
+					this.federatedInstanceService.fetchOrRegister(followee.host).then(async i => {
+						this.instancesRepository.decrement({ id: i.id }, 'followersCount', 1);
+						if (this.meta.enableChartsForFederatedInstances) {
+							this.instanceChart.updateFollowers(i.host, false);
+						}
+					});
+				}
 			}
 			//#endregion
 
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index e042a85782..73281078e5 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -408,13 +408,15 @@ export class ApPersonService implements OnModuleInit {
 		this.cacheService.uriPersonCache.set(user.uri, user);
 
 		// Register host
-		this.federatedInstanceService.fetch(host).then(i => {
-			this.instancesRepository.increment({ id: i.id }, 'usersCount', 1);
-			this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
-			if (this.meta.enableChartsForFederatedInstances) {
-				this.instanceChart.newUser(i.host);
-			}
-		});
+		if (this.meta.enableStatsForFederatedInstances) {
+			this.federatedInstanceService.fetchOrRegister(host).then(i => {
+				this.instancesRepository.increment({ id: i.id }, 'usersCount', 1);
+				if (this.meta.enableChartsForFederatedInstances) {
+					this.instanceChart.newUser(i.host);
+				}
+				this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
+			});
+		}
 
 		this.usersChart.update(user, true);
 
diff --git a/packages/backend/src/models/Meta.ts b/packages/backend/src/models/Meta.ts
index 5ceee1c3f5..ad5e31ad6f 100644
--- a/packages/backend/src/models/Meta.ts
+++ b/packages/backend/src/models/Meta.ts
@@ -529,6 +529,11 @@ export class MiMeta {
 	})
 	public enableChartsForFederatedInstances: boolean;
 
+	@Column('boolean', {
+		default: true,
+	})
+	public enableStatsForFederatedInstances: boolean;
+
 	@Column('boolean', {
 		default: false,
 	})
diff --git a/packages/backend/src/queue/processors/DeliverProcessorService.ts b/packages/backend/src/queue/processors/DeliverProcessorService.ts
index 9590a4fe71..5a16496011 100644
--- a/packages/backend/src/queue/processors/DeliverProcessorService.ts
+++ b/packages/backend/src/queue/processors/DeliverProcessorService.ts
@@ -74,8 +74,17 @@ export class DeliverProcessorService {
 		try {
 			await this.apRequestService.signedPost(job.data.user, job.data.to, job.data.content, job.data.digest);
 
-			// Update stats
-			this.federatedInstanceService.fetch(host).then(i => {
+			this.apRequestChart.deliverSucc();
+			this.federationChart.deliverd(host, true);
+
+			// Update instance stats
+			process.nextTick(async () => {
+				const i = await (this.meta.enableStatsForFederatedInstances
+					? this.federatedInstanceService.fetchOrRegister(host)
+					: this.federatedInstanceService.fetch(host));
+
+				if (i == null) return;
+
 				if (i.isNotResponding) {
 					this.federatedInstanceService.update(i.id, {
 						isNotResponding: false,
@@ -83,9 +92,9 @@ export class DeliverProcessorService {
 					});
 				}
 
-				this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
-				this.apRequestChart.deliverSucc();
-				this.federationChart.deliverd(i.host, true);
+				if (this.meta.enableStatsForFederatedInstances) {
+					this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
+				}
 
 				if (this.meta.enableChartsForFederatedInstances) {
 					this.instanceChart.requestSent(i.host, true);
@@ -94,8 +103,11 @@ export class DeliverProcessorService {
 
 			return 'Success';
 		} catch (res) {
-			// Update stats
-			this.federatedInstanceService.fetch(host).then(i => {
+			this.apRequestChart.deliverFail();
+			this.federationChart.deliverd(host, false);
+
+			// Update instance stats
+			this.federatedInstanceService.fetchOrRegister(host).then(i => {
 				if (!i.isNotResponding) {
 					this.federatedInstanceService.update(i.id, {
 						isNotResponding: true,
@@ -116,9 +128,6 @@ export class DeliverProcessorService {
 					});
 				}
 
-				this.apRequestChart.deliverFail();
-				this.federationChart.deliverd(i.host, false);
-
 				if (this.meta.enableChartsForFederatedInstances) {
 					this.instanceChart.requestSent(i.host, false);
 				}
@@ -129,7 +138,7 @@ export class DeliverProcessorService {
 				if (!res.isRetryable) {
 					// 相手が閉鎖していることを明示しているため、配送停止する
 					if (job.data.isSharedInbox && res.statusCode === 410) {
-						this.federatedInstanceService.fetch(host).then(i => {
+						this.federatedInstanceService.fetchOrRegister(host).then(i => {
 							this.federatedInstanceService.update(i.id, {
 								suspensionState: 'goneSuspended',
 							});
diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts
index a77c968395..95d764e4d8 100644
--- a/packages/backend/src/queue/processors/InboxProcessorService.ts
+++ b/packages/backend/src/queue/processors/InboxProcessorService.ts
@@ -192,21 +192,27 @@ export class InboxProcessorService implements OnApplicationShutdown {
 			}
 		}
 
-		// Update stats
-		this.federatedInstanceService.fetch(authUser.user.host).then(i => {
+		this.apRequestChart.inbox();
+		this.federationChart.inbox(authUser.user.host);
+
+		// Update instance stats
+		process.nextTick(async () => {
+			const i = await (this.meta.enableStatsForFederatedInstances
+				? this.federatedInstanceService.fetchOrRegister(authUser.user.host)
+				: this.federatedInstanceService.fetch(authUser.user.host));
+
+			if (i == null) return;
+
 			this.updateInstanceQueue.enqueue(i.id, {
 				latestRequestReceivedAt: new Date(),
 				shouldUnsuspend: i.suspensionState === 'autoSuspendedForNotResponding',
 			});
 
-			this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
-
-			this.apRequestChart.inbox();
-			this.federationChart.inbox(i.host);
-
 			if (this.meta.enableChartsForFederatedInstances) {
 				this.instanceChart.requestReceived(i.host);
 			}
+
+			this.fetchInstanceMetadataService.fetchInstanceMetadata(i);
 		});
 
 		// アクティビティを処理
diff --git a/packages/backend/src/server/api/endpoints/admin/meta.ts b/packages/backend/src/server/api/endpoints/admin/meta.ts
index 16cbbc9aa4..64e3cc33bd 100644
--- a/packages/backend/src/server/api/endpoints/admin/meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/meta.ts
@@ -348,6 +348,10 @@ export const meta = {
 				type: 'boolean',
 				optional: false, nullable: false,
 			},
+			enableStatsForFederatedInstances: {
+				type: 'boolean',
+				optional: false, nullable: false,
+			},
 			enableServerMachineStats: {
 				type: 'boolean',
 				optional: false, nullable: false,
@@ -635,6 +639,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				truemailAuthKey: instance.truemailAuthKey,
 				enableChartsForRemoteUser: instance.enableChartsForRemoteUser,
 				enableChartsForFederatedInstances: instance.enableChartsForFederatedInstances,
+				enableStatsForFederatedInstances: instance.enableStatsForFederatedInstances,
 				enableServerMachineStats: instance.enableServerMachineStats,
 				enableIdenticonGeneration: instance.enableIdenticonGeneration,
 				bannedEmailDomains: instance.bannedEmailDomains,
diff --git a/packages/backend/src/server/api/endpoints/admin/update-meta.ts b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
index 536645e0d7..38ef0d1de8 100644
--- a/packages/backend/src/server/api/endpoints/admin/update-meta.ts
+++ b/packages/backend/src/server/api/endpoints/admin/update-meta.ts
@@ -136,6 +136,7 @@ export const paramDef = {
 		truemailAuthKey: { type: 'string', nullable: true },
 		enableChartsForRemoteUser: { type: 'boolean' },
 		enableChartsForFederatedInstances: { type: 'boolean' },
+		enableStatsForFederatedInstances: { type: 'boolean' },
 		enableServerMachineStats: { type: 'boolean' },
 		enableIdenticonGeneration: { type: 'boolean' },
 		serverRules: { type: 'array', items: { type: 'string' } },
@@ -578,6 +579,10 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				set.enableChartsForFederatedInstances = ps.enableChartsForFederatedInstances;
 			}
 
+			if (ps.enableStatsForFederatedInstances !== undefined) {
+				set.enableStatsForFederatedInstances = ps.enableStatsForFederatedInstances;
+			}
+
 			if (ps.enableServerMachineStats !== undefined) {
 				set.enableServerMachineStats = ps.enableServerMachineStats;
 			}
diff --git a/packages/backend/test/unit/FetchInstanceMetadataService.ts b/packages/backend/test/unit/FetchInstanceMetadataService.ts
index bf8f3ab0e3..1e3605aafc 100644
--- a/packages/backend/test/unit/FetchInstanceMetadataService.ts
+++ b/packages/backend/test/unit/FetchInstanceMetadataService.ts
@@ -8,6 +8,7 @@ process.env.NODE_ENV = 'test';
 import { jest } from '@jest/globals';
 import { Test } from '@nestjs/testing';
 import { Redis } from 'ioredis';
+import type { TestingModule } from '@nestjs/testing';
 import { GlobalModule } from '@/GlobalModule.js';
 import { FetchInstanceMetadataService } from '@/core/FetchInstanceMetadataService.js';
 import { FederatedInstanceService } from '@/core/FederatedInstanceService.js';
@@ -16,7 +17,6 @@ import { LoggerService } from '@/core/LoggerService.js';
 import { UtilityService } from '@/core/UtilityService.js';
 import { IdService } from '@/core/IdService.js';
 import { DI } from '@/di-symbols.js';
-import type { TestingModule } from '@nestjs/testing';
 
 function mockRedis() {
 	const hash = {} as any;
@@ -52,7 +52,7 @@ describe('FetchInstanceMetadataService', () => {
 				if (token === HttpRequestService) {
 					return { getJson: jest.fn(), getHtml: jest.fn(), send: jest.fn() };
 				} else if (token === FederatedInstanceService) {
-					return { fetch: jest.fn() };
+					return { fetchOrRegister: jest.fn() };
 				} else if (token === DI.redis) {
 					return mockRedis;
 				}
@@ -75,7 +75,7 @@ describe('FetchInstanceMetadataService', () => {
 	test('Lock and update', async () => {
 		redisClient.set = mockRedis();
 		const now = Date.now();
-		federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => { return now - 10 * 1000 * 60 * 60 * 24; } } } as any);
+		federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => { return now - 10 * 1000 * 60 * 60 * 24; } } } as any);
 		httpRequestService.getJson.mockImplementation(() => { throw Error(); });
 		const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock');
 		const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock');
@@ -83,14 +83,14 @@ describe('FetchInstanceMetadataService', () => {
 		await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any);
 		expect(tryLockSpy).toHaveBeenCalledTimes(1);
 		expect(unlockSpy).toHaveBeenCalledTimes(1);
-		expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1);
+		expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1);
 		expect(httpRequestService.getJson).toHaveBeenCalled();
 	});
 
 	test('Lock and don\'t update', async () => {
 		redisClient.set = mockRedis();
 		const now = Date.now();
-		federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now } } as any);
+		federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now } } as any);
 		httpRequestService.getJson.mockImplementation(() => { throw Error(); });
 		const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock');
 		const unlockSpy = jest.spyOn(fetchInstanceMetadataService, 'unlock');
@@ -98,14 +98,14 @@ describe('FetchInstanceMetadataService', () => {
 		await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any);
 		expect(tryLockSpy).toHaveBeenCalledTimes(1);
 		expect(unlockSpy).toHaveBeenCalledTimes(1);
-		expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(1);
+		expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(1);
 		expect(httpRequestService.getJson).toHaveBeenCalledTimes(0);
 	});
 
 	test('Do nothing when lock not acquired', async () => {
 		redisClient.set = mockRedis();
 		const now = Date.now();
-		federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any);
+		federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any);
 		httpRequestService.getJson.mockImplementation(() => { throw Error(); });
 		await fetchInstanceMetadataService.tryLock('example.com');
 		const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock');
@@ -114,14 +114,14 @@ describe('FetchInstanceMetadataService', () => {
 		await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any);
 		expect(tryLockSpy).toHaveBeenCalledTimes(1);
 		expect(unlockSpy).toHaveBeenCalledTimes(0);
-		expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(0);
+		expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(0);
 		expect(httpRequestService.getJson).toHaveBeenCalledTimes(0);
 	});
 
 	test('Do when lock not acquired but forced', async () => {
 		redisClient.set = mockRedis();
 		const now = Date.now();
-		federatedInstanceService.fetch.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any);
+		federatedInstanceService.fetchOrRegister.mockResolvedValue({ infoUpdatedAt: { getTime: () => now - 10 * 1000 * 60 * 60 * 24 } } as any);
 		httpRequestService.getJson.mockImplementation(() => { throw Error(); });
 		await fetchInstanceMetadataService.tryLock('example.com');
 		const tryLockSpy = jest.spyOn(fetchInstanceMetadataService, 'tryLock');
@@ -130,7 +130,7 @@ describe('FetchInstanceMetadataService', () => {
 		await fetchInstanceMetadataService.fetchInstanceMetadata({ host: 'example.com' } as any, true);
 		expect(tryLockSpy).toHaveBeenCalledTimes(0);
 		expect(unlockSpy).toHaveBeenCalledTimes(1);
-		expect(federatedInstanceService.fetch).toHaveBeenCalledTimes(0);
+		expect(federatedInstanceService.fetchOrRegister).toHaveBeenCalledTimes(0);
 		expect(httpRequestService.getJson).toHaveBeenCalled();
 	});
 });
diff --git a/packages/frontend/src/pages/admin/performance.vue b/packages/frontend/src/pages/admin/performance.vue
index 7e0a932f82..12338f0bf9 100644
--- a/packages/frontend/src/pages/admin/performance.vue
+++ b/packages/frontend/src/pages/admin/performance.vue
@@ -29,6 +29,13 @@ SPDX-License-Identifier: AGPL-3.0-only
 				</MkSwitch>
 			</div>
 
+			<div class="_panel" style="padding: 16px;">
+				<MkSwitch v-model="enableStatsForFederatedInstances" @change="onChange_enableStatsForFederatedInstances">
+					<template #label>{{ i18n.ts.enableStatsForFederatedInstances }}</template>
+					<template #caption>{{ i18n.ts.turnOffToImprovePerformance }}</template>
+				</MkSwitch>
+			</div>
+
 			<div class="_panel" style="padding: 16px;">
 				<MkSwitch v-model="enableChartsForFederatedInstances" @change="onChange_enableChartsForFederatedInstances">
 					<template #label>{{ i18n.ts.enableChartsForFederatedInstances }}</template>
@@ -120,6 +127,7 @@ const meta = await misskeyApi('admin/meta');
 const enableServerMachineStats = ref(meta.enableServerMachineStats);
 const enableIdenticonGeneration = ref(meta.enableIdenticonGeneration);
 const enableChartsForRemoteUser = ref(meta.enableChartsForRemoteUser);
+const enableStatsForFederatedInstances = ref(meta.enableStatsForFederatedInstances);
 const enableChartsForFederatedInstances = ref(meta.enableChartsForFederatedInstances);
 
 function onChange_enableServerMachineStats(value: boolean) {
@@ -146,6 +154,14 @@ function onChange_enableChartsForRemoteUser(value: boolean) {
 	});
 }
 
+function onChange_enableStatsForFederatedInstances(value: boolean) {
+	os.apiWithDialog('admin/update-meta', {
+		enableStatsForFederatedInstances: value,
+	}).then(() => {
+		fetchInstance(true);
+	});
+}
+
 function onChange_enableChartsForFederatedInstances(value: boolean) {
 	os.apiWithDialog('admin/update-meta', {
 		enableChartsForFederatedInstances: value,
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index f61d72e280..6494614026 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -5165,6 +5165,7 @@ export type operations = {
             truemailAuthKey: string | null;
             enableChartsForRemoteUser: boolean;
             enableChartsForFederatedInstances: boolean;
+            enableStatsForFederatedInstances: boolean;
             enableServerMachineStats: boolean;
             enableIdenticonGeneration: boolean;
             manifestJsonOverride: string;
@@ -9547,6 +9548,7 @@ export type operations = {
           truemailAuthKey?: string | null;
           enableChartsForRemoteUser?: boolean;
           enableChartsForFederatedInstances?: boolean;
+          enableStatsForFederatedInstances?: boolean;
           enableServerMachineStats?: boolean;
           enableIdenticonGeneration?: boolean;
           serverRules?: string[];
-- 
cgit v1.2.3-freya


From 5c79d8db208da1fd7c5bc4900090c3d7b9512196 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Mon, 21 Oct 2024 12:49:29 +0900
Subject: feat: ノートの閲覧にログイン必須にする設定 (#14799)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* wip

* wip

* Update packages/frontend/src/pages/note.vue

Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>

* wip

* Update WebhookTestService.ts

* Update privacy.vue

* wip

* rename

* Update locales/ja-JP.yml

Co-authored-by: Sayamame-beans <61457993+Sayamame-beans@users.noreply.github.com>

* :art:

* wip

---------

Co-authored-by: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Co-authored-by: Sayamame-beans <61457993+Sayamame-beans@users.noreply.github.com>
---
 CHANGELOG.md                                       |  2 +-
 locales/index.d.ts                                 | 26 ++++++++++++++++++++++
 locales/ja-JP.yml                                  |  8 +++++++
 .../1729333924409-signinRequiredForShowContents.js | 16 +++++++++++++
 packages/backend/src/core/WebhookTestService.ts    |  1 +
 .../src/core/activitypub/ApRendererService.ts      |  1 +
 .../backend/src/core/activitypub/misc/contexts.ts  |  1 +
 .../src/core/activitypub/models/ApPersonService.ts |  1 +
 packages/backend/src/core/activitypub/type.ts      |  1 +
 .../backend/src/core/entities/NoteEntityService.ts |  4 ++++
 .../backend/src/core/entities/UserEntityService.ts |  1 +
 packages/backend/src/models/User.ts                |  5 +++++
 packages/backend/src/models/json-schema/user.ts    |  4 ++++
 packages/backend/src/server/api/GetterService.ts   | 11 +++++++++
 .../backend/src/server/api/endpoints/i/update.ts   |  2 ++
 .../backend/src/server/api/endpoints/notes/show.ts | 12 +++++++++-
 .../src/server/api/endpoints/users/notes.ts        |  6 +++++
 .../backend/src/server/web/ClientServerService.ts  | 11 +++++----
 .../frontend/src/components/MkFollowButton.vue     |  4 ++--
 packages/frontend/src/components/MkNote.vue        |  8 +++----
 .../frontend/src/components/MkNoteDetailed.vue     | 10 ++++-----
 packages/frontend/src/components/MkPoll.vue        |  6 ++---
 packages/frontend/src/os.ts                        | 18 ++++++++-------
 packages/frontend/src/pages/not-found.vue          |  2 +-
 packages/frontend/src/pages/note.vue               |  6 +++++
 packages/frontend/src/pages/settings/privacy.vue   | 19 +++++++++++++++-
 packages/frontend/src/scripts/please-login.ts      | 14 +++++++-----
 packages/misskey-js/src/autogen/types.ts           |  2 ++
 28 files changed, 167 insertions(+), 35 deletions(-)
 create mode 100644 packages/backend/migration/1729333924409-signinRequiredForShowContents.js

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c815e65ab3..4d8c8ded3a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
 ## Unreleased
 
 ### General
--
+- Feat: コンテンツの表示にログインを必須にできるように
 
 ### Client
 - Enhance: Bull DashboardでRelationship Queueの状態も確認できるように  
diff --git a/locales/index.d.ts b/locales/index.d.ts
index fb010d9353..e002540307 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -5190,6 +5190,32 @@ export interface Locale extends ILocale {
      * 名前に禁止されている文字列が含まれています。この名前を使用したい場合は、サーバー管理者にお問い合わせください。
      */
     "yourNameContainsProhibitedWordsDescription": string;
+    /**
+     * 投稿者により、表示にはログインが必要と設定されています
+     */
+    "thisContentsAreMarkedAsSigninRequiredByAuthor": string;
+    /**
+     * ロックダウン
+     */
+    "lockdown": string;
+    "_accountSettings": {
+        /**
+         * コンテンツの表示にログインを必須にする
+         */
+        "requireSigninToViewContents": string;
+        /**
+         * あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーから情報を収集されるのを防ぐ効果が期待できます。
+         */
+        "requireSigninToViewContentsDescription1": string;
+        /**
+         * URLプレビュー(OGP)、Webページへの埋め込み、ノートの引用に対応していないサーバーからの表示も不可になります。
+         */
+        "requireSigninToViewContentsDescription2": string;
+        /**
+         * リモートサーバーに連合されたコンテンツでは、これらの制限が適用されない場合があります。
+         */
+        "requireSigninToViewContentsDescription3": string;
+    };
     "_abuseUserReport": {
         /**
          * 転送
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index c241a9e560..f3f7e5c77f 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -1293,6 +1293,14 @@ prohibitedWordsForNameOfUser: "禁止ワード（ユーザーの名前）"
 prohibitedWordsForNameOfUserDescription: "このリストに含まれる文字列がユーザーの名前に含まれる場合、ユーザーの名前の変更を拒否します。モデレーター権限を持つユーザーはこの制限の影響を受けません。"
 yourNameContainsProhibitedWords: "変更しようとした名前に禁止された文字列が含まれています"
 yourNameContainsProhibitedWordsDescription: "名前に禁止されている文字列が含まれています。この名前を使用したい場合は、サーバー管理者にお問い合わせください。"
+thisContentsAreMarkedAsSigninRequiredByAuthor: "投稿者により、表示にはログインが必要と設定されています"
+lockdown: "ロックダウン"
+
+_accountSettings:
+  requireSigninToViewContents: "コンテンツの表示にログインを必須にする"
+  requireSigninToViewContentsDescription1: "あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーから情報を収集されるのを防ぐ効果が期待できます。"
+  requireSigninToViewContentsDescription2: "URLプレビュー(OGP)、Webページへの埋め込み、ノートの引用に対応していないサーバーからの表示も不可になります。"
+  requireSigninToViewContentsDescription3: "リモートサーバーに連合されたコンテンツでは、これらの制限が適用されない場合があります。"
 
 _abuseUserReport:
   forward: "転送"
diff --git a/packages/backend/migration/1729333924409-signinRequiredForShowContents.js b/packages/backend/migration/1729333924409-signinRequiredForShowContents.js
new file mode 100644
index 0000000000..5d4d1fcce2
--- /dev/null
+++ b/packages/backend/migration/1729333924409-signinRequiredForShowContents.js
@@ -0,0 +1,16 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class SigninRequiredForShowContents1729333924409 {
+    name = 'SigninRequiredForShowContents1729333924409'
+
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "user" ADD "requireSigninToViewContents" boolean NOT NULL DEFAULT false`);
+    }
+
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "requireSigninToViewContents"`);
+    }
+}
diff --git a/packages/backend/src/core/WebhookTestService.ts b/packages/backend/src/core/WebhookTestService.ts
index 55c8a52705..254d961040 100644
--- a/packages/backend/src/core/WebhookTestService.ts
+++ b/packages/backend/src/core/WebhookTestService.ts
@@ -83,6 +83,7 @@ function generateDummyUser(override?: Partial<MiUser>): MiUser {
 		isExplorable: true,
 		isHibernated: false,
 		isDeleted: false,
+		requireSigninToViewContents: false,
 		emojis: [],
 		score: 0,
 		host: null,
diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts
index fba8947f03..8235d7ba30 100644
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@@ -495,6 +495,7 @@ export class ApRendererService {
 			summary: profile.description ? this.mfmService.toHtml(mfm.parse(profile.description)) : null,
 			_misskey_summary: profile.description,
 			_misskey_followedMessage: profile.followedMessage,
+			_misskey_requireSigninToViewContents: user.requireSigninToViewContents,
 			icon: avatar ? this.renderImage(avatar) : null,
 			image: banner ? this.renderImage(banner) : null,
 			tag,
diff --git a/packages/backend/src/core/activitypub/misc/contexts.ts b/packages/backend/src/core/activitypub/misc/contexts.ts
index 3dd85b9b86..447f7ef3db 100644
--- a/packages/backend/src/core/activitypub/misc/contexts.ts
+++ b/packages/backend/src/core/activitypub/misc/contexts.ts
@@ -555,6 +555,7 @@ const extension_context_definition = {
 	'_misskey_votes': 'misskey:_misskey_votes',
 	'_misskey_summary': 'misskey:_misskey_summary',
 	'_misskey_followedMessage': 'misskey:_misskey_followedMessage',
+	'_misskey_requireSigninToViewContents': 'misskey:_misskey_requireSigninToViewContents',
 	'isCat': 'misskey:isCat',
 	// vcard
 	vcard: 'http://www.w3.org/2006/vcard/ns#',
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index 73281078e5..c7915ed94f 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -356,6 +356,7 @@ export class ApPersonService implements OnModuleInit {
 					tags,
 					isBot,
 					isCat: (person as any).isCat === true,
+					requireSigninToViewContents: (person as any).requireSigninToViewContents === true,
 					emojis,
 				})) as MiRemoteUser;
 
diff --git a/packages/backend/src/core/activitypub/type.ts b/packages/backend/src/core/activitypub/type.ts
index 154965b9d5..8a860335fa 100644
--- a/packages/backend/src/core/activitypub/type.ts
+++ b/packages/backend/src/core/activitypub/type.ts
@@ -14,6 +14,7 @@ export interface IObject {
 	summary?: string;
 	_misskey_summary?: string;
 	_misskey_followedMessage?: string | null;
+	_misskey_requireSigninToViewContents?: boolean;
 	published?: string;
 	cc?: ApObject;
 	to?: ApObject;
diff --git a/packages/backend/src/core/entities/NoteEntityService.ts b/packages/backend/src/core/entities/NoteEntityService.ts
index 3e1f094fce..62016936a2 100644
--- a/packages/backend/src/core/entities/NoteEntityService.ts
+++ b/packages/backend/src/core/entities/NoteEntityService.ts
@@ -149,6 +149,10 @@ export class NoteEntityService implements OnModuleInit {
 			}
 		}
 
+		if (packedNote.user.requireSigninToViewContents && meId == null) {
+			hide = true;
+		}
+
 		if (hide) {
 			packedNote.visibleUserIds = undefined;
 			packedNote.fileIds = [];
diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts
index c9939adf11..747ffc780f 100644
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@@ -490,6 +490,7 @@ export class UserEntityService implements OnModuleInit {
 			}))) : [],
 			isBot: user.isBot,
 			isCat: user.isCat,
+			requireSigninToViewContents: user.requireSigninToViewContents === false ? undefined : true,
 			instance: user.host ? this.federatedInstanceService.federatedInstanceCache.fetch(user.host).then(instance => instance ? {
 				name: instance.name,
 				softwareName: instance.softwareName,
diff --git a/packages/backend/src/models/User.ts b/packages/backend/src/models/User.ts
index 805a1e75ae..6fcff77854 100644
--- a/packages/backend/src/models/User.ts
+++ b/packages/backend/src/models/User.ts
@@ -202,6 +202,11 @@ export class MiUser {
 	})
 	public isHibernated: boolean;
 
+	@Column('boolean', {
+		default: false,
+	})
+	public requireSigninToViewContents: boolean;
+
 	// アカウントが削除されたかどうかのフラグだが、完全に削除される際は物理削除なので実質削除されるまでの「削除が進行しているかどうか」のフラグ
 	@Column('boolean', {
 		default: false,
diff --git a/packages/backend/src/models/json-schema/user.ts b/packages/backend/src/models/json-schema/user.ts
index 9cffd680f2..817f8e9292 100644
--- a/packages/backend/src/models/json-schema/user.ts
+++ b/packages/backend/src/models/json-schema/user.ts
@@ -115,6 +115,10 @@ export const packedUserLiteSchema = {
 			type: 'boolean',
 			nullable: false, optional: true,
 		},
+		requireSigninToViewContents: {
+			type: 'boolean',
+			nullable: false, optional: true,
+		},
 		instance: {
 			type: 'object',
 			nullable: false, optional: true,
diff --git a/packages/backend/src/server/api/GetterService.ts b/packages/backend/src/server/api/GetterService.ts
index bff3ab96f3..444e6db744 100644
--- a/packages/backend/src/server/api/GetterService.ts
+++ b/packages/backend/src/server/api/GetterService.ts
@@ -39,6 +39,17 @@ export class GetterService {
 		return note;
 	}
 
+	@bindThis
+	public async getNoteWithUser(noteId: MiNote['id']) {
+		const note = await this.notesRepository.findOne({ where: { id: noteId }, relations: ['user'] });
+
+		if (note == null) {
+			throw new IdentifiableError('9725d0ce-ba28-4dde-95a7-2cbb2c15de24', 'No such note.');
+		}
+
+		return note;
+	}
+
 	/**
 	 * Get user for API processing
 	 */
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 0b35005a87..6680c96f3f 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -179,6 +179,7 @@ export const paramDef = {
 		autoAcceptFollowed: { type: 'boolean' },
 		noCrawle: { type: 'boolean' },
 		preventAiLearning: { type: 'boolean' },
+		requireSigninToViewContents: { type: 'boolean' },
 		isBot: { type: 'boolean' },
 		isCat: { type: 'boolean' },
 		injectFeaturedNote: { type: 'boolean' },
@@ -334,6 +335,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (typeof ps.autoAcceptFollowed === 'boolean') profileUpdates.autoAcceptFollowed = ps.autoAcceptFollowed;
 			if (typeof ps.noCrawle === 'boolean') profileUpdates.noCrawle = ps.noCrawle;
 			if (typeof ps.preventAiLearning === 'boolean') profileUpdates.preventAiLearning = ps.preventAiLearning;
+			if (typeof ps.requireSigninToViewContents === 'boolean') updates.requireSigninToViewContents = ps.requireSigninToViewContents;
 			if (typeof ps.isCat === 'boolean') updates.isCat = ps.isCat;
 			if (typeof ps.injectFeaturedNote === 'boolean') profileUpdates.injectFeaturedNote = ps.injectFeaturedNote;
 			if (typeof ps.receiveAnnouncementEmail === 'boolean') profileUpdates.receiveAnnouncementEmail = ps.receiveAnnouncementEmail;
diff --git a/packages/backend/src/server/api/endpoints/notes/show.ts b/packages/backend/src/server/api/endpoints/notes/show.ts
index adcda30a7d..11839bce36 100644
--- a/packages/backend/src/server/api/endpoints/notes/show.ts
+++ b/packages/backend/src/server/api/endpoints/notes/show.ts
@@ -26,6 +26,12 @@ export const meta = {
 			code: 'NO_SUCH_NOTE',
 			id: '24fcbfc6-2e37-42b6-8388-c29b3861a08d',
 		},
+
+		signinRequired: {
+			message: 'Signin required.',
+			code: 'SIGNIN_REQUIRED',
+			id: '8e75455b-738c-471d-9f80-62693f33372e',
+		},
 	},
 } as const;
 
@@ -44,11 +50,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		private getterService: GetterService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const note = await this.getterService.getNote(ps.noteId).catch(err => {
+			const note = await this.getterService.getNoteWithUser(ps.noteId).catch(err => {
 				if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
 				throw err;
 			});
 
+			if (note.user!.requireSigninToViewContents && me == null) {
+				throw new ApiError(meta.errors.signinRequired);
+			}
+
 			return await this.noteEntityService.pack(note, me, {
 				detail: true,
 			});
diff --git a/packages/backend/src/server/api/endpoints/users/notes.ts b/packages/backend/src/server/api/endpoints/users/notes.ts
index 7fc11ba369..e9c334057e 100644
--- a/packages/backend/src/server/api/endpoints/users/notes.ts
+++ b/packages/backend/src/server/api/endpoints/users/notes.ts
@@ -42,6 +42,12 @@ export const meta = {
 			code: 'BOTH_WITH_REPLIES_AND_WITH_FILES',
 			id: '91c8cb9f-36ed-46e7-9ca2-7df96ed6e222',
 		},
+
+		signinRequired: {
+			message: 'Signin required.',
+			code: 'SIGNIN_REQUIRED',
+			id: 'd1588a9e-4b4d-4c07-807f-16f1486577a2',
+		},
 	},
 } as const;
 
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index c9c29e42a8..4860ef3e12 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -601,12 +601,15 @@ export class ClientServerService {
 		fastify.get<{ Params: { note: string; } }>('/notes/:note', async (request, reply) => {
 			vary(reply.raw, 'Accept');
 
-			const note = await this.notesRepository.findOneBy({
-				id: request.params.note,
-				visibility: In(['public', 'home']),
+			const note = await this.notesRepository.findOne({
+				where: {
+					id: request.params.note,
+					visibility: In(['public', 'home']),
+				},
+				relations: ['user'],
 			});
 
-			if (note) {
+			if (note && !note.user!.requireSigninToViewContents) {
 				const _note = await this.noteEntityService.pack(note);
 				const profile = await this.userProfilesRepository.findOneByOrFail({ userId: note.userId });
 				reply.header('Cache-Control', 'public, max-age=15');
diff --git a/packages/frontend/src/components/MkFollowButton.vue b/packages/frontend/src/components/MkFollowButton.vue
index ccea7cd453..cc07175907 100644
--- a/packages/frontend/src/components/MkFollowButton.vue
+++ b/packages/frontend/src/components/MkFollowButton.vue
@@ -37,13 +37,13 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { onBeforeUnmount, onMounted, ref } from 'vue';
 import * as Misskey from 'misskey-js';
+import { host } from '@@/js/config.js';
 import * as os from '@/os.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { useStream } from '@/stream.js';
 import { i18n } from '@/i18n.js';
 import { claimAchievement } from '@/scripts/achievements.js';
 import { pleaseLogin } from '@/scripts/please-login.js';
-import { host } from '@@/js/config.js';
 import { $i } from '@/account.js';
 import { defaultStore } from '@/store.js';
 
@@ -80,7 +80,7 @@ function onFollowChange(user: Misskey.entities.UserDetailed) {
 }
 
 async function onClick() {
-	pleaseLogin(undefined, { type: 'web', path: `/@${props.user.username}@${props.user.host ?? host}` });
+	pleaseLogin({ openOnRemote: { type: 'web', path: `/@${props.user.username}@${props.user.host ?? host}` } });
 
 	wait.value = true;
 
diff --git a/packages/frontend/src/components/MkNote.vue b/packages/frontend/src/components/MkNote.vue
index 828ad2e872..425c4992da 100644
--- a/packages/frontend/src/components/MkNote.vue
+++ b/packages/frontend/src/components/MkNote.vue
@@ -419,7 +419,7 @@ if (!props.mock) {
 }
 
 function renote(viaKeyboard = false) {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	showMovedDialog();
 
 	const { menu } = getRenoteMenu({ note: note.value, renoteButton, mock: props.mock });
@@ -429,7 +429,7 @@ function renote(viaKeyboard = false) {
 }
 
 function reply(): void {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	if (props.mock) {
 		return;
 	}
@@ -442,7 +442,7 @@ function reply(): void {
 }
 
 function react(): void {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	showMovedDialog();
 	if (appearNote.value.reactionAcceptance === 'likeOnly') {
 		sound.playMisskeySfx('reaction');
@@ -563,7 +563,7 @@ function showRenoteMenu(): void {
 	}
 
 	if (isMyRenote) {
-		pleaseLogin(undefined, pleaseLoginContext.value);
+		pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 		os.popupMenu([
 			getCopyNoteLinkMenu(note.value, i18n.ts.copyLinkRenote),
 			{ type: 'divider' },
diff --git a/packages/frontend/src/components/MkNoteDetailed.vue b/packages/frontend/src/components/MkNoteDetailed.vue
index 6d53685651..e0473dce5e 100644
--- a/packages/frontend/src/components/MkNoteDetailed.vue
+++ b/packages/frontend/src/components/MkNoteDetailed.vue
@@ -207,6 +207,7 @@ import { computed, inject, onMounted, provide, ref, shallowRef } from 'vue';
 import * as mfm from 'mfm-js';
 import * as Misskey from 'misskey-js';
 import { isLink } from '@@/js/is-link.js';
+import { host } from '@@/js/config.js';
 import MkNoteSub from '@/components/MkNoteSub.vue';
 import MkNoteSimple from '@/components/MkNoteSimple.vue';
 import MkReactionsViewer from '@/components/MkReactionsViewer.vue';
@@ -230,7 +231,6 @@ import { reactionPicker } from '@/scripts/reaction-picker.js';
 import { extractUrlFromMfm } from '@/scripts/extract-url-from-mfm.js';
 import { $i } from '@/account.js';
 import { i18n } from '@/i18n.js';
-import { host } from '@@/js/config.js';
 import { getNoteClipMenu, getNoteMenu, getRenoteMenu } from '@/scripts/get-note-menu.js';
 import { useNoteCapture } from '@/scripts/use-note-capture.js';
 import { deepClone } from '@/scripts/clone.js';
@@ -404,7 +404,7 @@ if (appearNote.value.reactionAcceptance === 'likeOnly') {
 }
 
 function renote() {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	showMovedDialog();
 
 	const { menu } = getRenoteMenu({ note: note.value, renoteButton });
@@ -412,7 +412,7 @@ function renote() {
 }
 
 function reply(): void {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	showMovedDialog();
 	os.post({
 		reply: appearNote.value,
@@ -423,7 +423,7 @@ function reply(): void {
 }
 
 function react(): void {
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	showMovedDialog();
 	if (appearNote.value.reactionAcceptance === 'likeOnly') {
 		sound.playMisskeySfx('reaction');
@@ -499,7 +499,7 @@ async function clip(): Promise<void> {
 
 function showRenoteMenu(): void {
 	if (!isMyRenote) return;
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 	os.popupMenu([{
 		text: i18n.ts.unrenote,
 		icon: 'ti ti-trash',
diff --git a/packages/frontend/src/components/MkPoll.vue b/packages/frontend/src/components/MkPoll.vue
index 48913004e0..e70ac7ff1a 100644
--- a/packages/frontend/src/components/MkPoll.vue
+++ b/packages/frontend/src/components/MkPoll.vue
@@ -29,14 +29,14 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { computed, ref } from 'vue';
 import * as Misskey from 'misskey-js';
+import { host } from '@@/js/config.js';
+import { useInterval } from '@@/js/use-interval.js';
 import type { OpenOnRemoteOptions } from '@/scripts/please-login.js';
 import { sum } from '@/scripts/array.js';
 import { pleaseLogin } from '@/scripts/please-login.js';
 import * as os from '@/os.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { i18n } from '@/i18n.js';
-import { host } from '@@/js/config.js';
-import { useInterval } from '@@/js/use-interval.js';
 
 const props = defineProps<{
 	noteId: string;
@@ -85,7 +85,7 @@ if (props.poll.expiresAt) {
 const vote = async (id) => {
 	if (props.readOnly || closed.value || isVoted.value) return;
 
-	pleaseLogin(undefined, pleaseLoginContext.value);
+	pleaseLogin({ openOnRemote: pleaseLoginContext.value });
 
 	const { canceled } = await os.confirm({
 		type: 'question',
diff --git a/packages/frontend/src/os.ts b/packages/frontend/src/os.ts
index 4d41cf5bc0..07d91a0644 100644
--- a/packages/frontend/src/os.ts
+++ b/packages/frontend/src/os.ts
@@ -688,14 +688,16 @@ export function contextMenu(items: MenuItem[], ev: MouseEvent): Promise<void> {
 }
 
 export function post(props: Record<string, any> = {}): Promise<void> {
-	pleaseLogin(undefined, (props.initialText || props.initialNote ? {
-		type: 'share',
-		params: {
-			text: props.initialText ?? props.initialNote.text,
-			visibility: props.initialVisibility ?? props.initialNote?.visibility,
-			localOnly: (props.initialLocalOnly || props.initialNote?.localOnly) ? '1' : '0',
-		},
-	} : undefined));
+	pleaseLogin({
+		openOnRemote: (props.initialText || props.initialNote ? {
+			type: 'share',
+			params: {
+				text: props.initialText ?? props.initialNote.text,
+				visibility: props.initialVisibility ?? props.initialNote?.visibility,
+				localOnly: (props.initialLocalOnly || props.initialNote?.localOnly) ? '1' : '0',
+			},
+		} : undefined),
+	});
 
 	showMovedDialog();
 	return new Promise(resolve => {
diff --git a/packages/frontend/src/pages/not-found.vue b/packages/frontend/src/pages/not-found.vue
index 93a792c42f..6a2d01b6fa 100644
--- a/packages/frontend/src/pages/not-found.vue
+++ b/packages/frontend/src/pages/not-found.vue
@@ -24,7 +24,7 @@ const props = defineProps<{
 }>();
 
 if (props.showLoginPopup) {
-	pleaseLogin('/');
+	pleaseLogin({ path: '/' });
 }
 
 const headerActions = computed(() => []);
diff --git a/packages/frontend/src/pages/note.vue b/packages/frontend/src/pages/note.vue
index 448244204d..454ee3c6bc 100644
--- a/packages/frontend/src/pages/note.vue
+++ b/packages/frontend/src/pages/note.vue
@@ -61,6 +61,7 @@ import { i18n } from '@/i18n.js';
 import { dateString } from '@/filters/date.js';
 import MkClipPreview from '@/components/MkClipPreview.vue';
 import { defaultStore } from '@/store.js';
+import { pleaseLogin } from '@/scripts/please-login.js';
 
 const props = defineProps<{
 	noteId: string;
@@ -128,6 +129,11 @@ function fetchNote() {
 			});
 		}
 	}).catch(err => {
+		if (err.id === '8e75455b-738c-471d-9f80-62693f33372e') {
+			pleaseLogin({
+				message: i18n.ts.thisContentsAreMarkedAsSigninRequiredByAuthor,
+			});
+		}
 		error.value = err;
 	});
 }
diff --git a/packages/frontend/src/pages/settings/privacy.vue b/packages/frontend/src/pages/settings/privacy.vue
index d418be624e..e277dfad71 100644
--- a/packages/frontend/src/pages/settings/privacy.vue
+++ b/packages/frontend/src/pages/settings/privacy.vue
@@ -36,7 +36,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 		<template #caption>{{ i18n.ts.noCrawleDescription }}</template>
 	</MkSwitch>
 	<MkSwitch v-model="preventAiLearning" @update:modelValue="save()">
-		{{ i18n.ts.preventAiLearning }}<span class="_beta">{{ i18n.ts.beta }}</span>
+		{{ i18n.ts.preventAiLearning }}
 		<template #caption>{{ i18n.ts.preventAiLearningDescription }}</template>
 	</MkSwitch>
 	<MkSwitch v-model="isExplorable" @update:modelValue="save()">
@@ -44,6 +44,21 @@ SPDX-License-Identifier: AGPL-3.0-only
 		<template #caption>{{ i18n.ts.makeExplorableDescription }}</template>
 	</MkSwitch>
 
+	<FormSection>
+		<template #label>{{ i18n.ts.lockdown }}</template>
+
+		<div class="_gaps_m">
+			<MkSwitch v-model="requireSigninToViewContents" @update:modelValue="save()">
+				{{ i18n.ts._accountSettings.requireSigninToViewContents }}<span class="_beta">{{ i18n.ts.beta }}</span>
+				<template #caption>
+					<div>{{ i18n.ts._accountSettings.requireSigninToViewContentsDescription1 }}</div>
+					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.requireSigninToViewContentsDescription2 }}</div>
+					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.requireSigninToViewContentsDescription3 }}</div>
+				</template>
+			</MkSwitch>
+		</div>
+	</FormSection>
+
 	<FormSection>
 		<div class="_gaps_m">
 			<MkSwitch v-model="rememberNoteVisibility" @update:modelValue="save()">{{ i18n.ts.rememberNoteVisibility }}</MkSwitch>
@@ -90,6 +105,7 @@ const autoAcceptFollowed = ref($i.autoAcceptFollowed);
 const noCrawle = ref($i.noCrawle);
 const preventAiLearning = ref($i.preventAiLearning);
 const isExplorable = ref($i.isExplorable);
+const requireSigninToViewContents = ref($i.requireSigninToViewContents ?? false);
 const hideOnlineStatus = ref($i.hideOnlineStatus);
 const publicReactions = ref($i.publicReactions);
 const followingVisibility = ref($i.followingVisibility);
@@ -107,6 +123,7 @@ function save() {
 		noCrawle: !!noCrawle.value,
 		preventAiLearning: !!preventAiLearning.value,
 		isExplorable: !!isExplorable.value,
+		requireSigninToViewContents: !!requireSigninToViewContents.value,
 		hideOnlineStatus: !!hideOnlineStatus.value,
 		publicReactions: !!publicReactions.value,
 		followingVisibility: followingVisibility.value,
diff --git a/packages/frontend/src/scripts/please-login.ts b/packages/frontend/src/scripts/please-login.ts
index 18f05bc7f4..43dcf11936 100644
--- a/packages/frontend/src/scripts/please-login.ts
+++ b/packages/frontend/src/scripts/please-login.ts
@@ -44,17 +44,21 @@ export type OpenOnRemoteOptions = {
 	params: Record<string, string>;
 };
 
-export function pleaseLogin(path?: string, openOnRemote?: OpenOnRemoteOptions) {
+export function pleaseLogin(opts: {
+	path?: string;
+	message?: string;
+	openOnRemote?: OpenOnRemoteOptions;
+} = {}) {
 	if ($i) return;
 
 	const { dispose } = popup(defineAsyncComponent(() => import('@/components/MkSigninDialog.vue')), {
 		autoSet: true,
-		message: openOnRemote ? i18n.ts.signinOrContinueOnRemote : i18n.ts.signinRequired,
-		openOnRemote,
+		message: opts.message ?? (opts.openOnRemote ? i18n.ts.signinOrContinueOnRemote : i18n.ts.signinRequired),
+		openOnRemote: opts.openOnRemote,
 	}, {
 		cancelled: () => {
-			if (path) {
-				window.location.href = path;
+			if (opts.path) {
+				window.location.href = opts.path;
 			}
 		},
 		closed: () => dispose(),
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 698c08826a..8f84aa37ff 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -3736,6 +3736,7 @@ export type components = {
         }[];
       isBot?: boolean;
       isCat?: boolean;
+      requireSigninToViewContents?: boolean;
       instance?: {
         name: string | null;
         softwareName: string | null;
@@ -19844,6 +19845,7 @@ export type operations = {
           autoAcceptFollowed?: boolean;
           noCrawle?: boolean;
           preventAiLearning?: boolean;
+          requireSigninToViewContents?: boolean;
           isBot?: boolean;
           isCat?: boolean;
           injectFeaturedNote?: boolean;
-- 
cgit v1.2.3-freya


From 952fec5665ce0712a78f3ee68f5c46554426dfb4 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Tue, 22 Oct 2024 17:08:53 +0900
Subject: feat: 過去のノートを非公開化/フォロワーのみ表示可能にできる機能
 (#14814)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* wip

* Update CHANGELOG.md

* wip

* wip

* wip

* Update privacy.vue

* wip
---
 CHANGELOG.md                                       |   1 +
 locales/index.d.ts                                 |  42 +++++++-
 locales/ja-JP.yml                                  |  12 ++-
 .../1729486255072-makeNotesHiddenBefore.js         |  18 ++++
 packages/backend/src/core/WebhookTestService.ts    |   2 +
 .../src/core/activitypub/ApRendererService.ts      |   2 +
 .../backend/src/core/activitypub/misc/contexts.ts  |   2 +
 .../src/core/activitypub/models/ApPersonService.ts |   2 +
 packages/backend/src/core/activitypub/type.ts      |   2 +
 .../backend/src/core/entities/NoteEntityService.ts |  99 ++++++++++++-------
 .../backend/src/core/entities/UserEntityService.ts |   2 +
 packages/backend/src/models/User.ts                |  12 +++
 packages/backend/src/models/json-schema/user.ts    |   8 ++
 .../backend/src/server/api/endpoints/i/update.ts   |   4 +
 packages/frontend/src/components/MkSelect.vue      |   2 +-
 packages/frontend/src/pages/settings/privacy.vue   | 109 ++++++++++++++++++++-
 packages/misskey-js/src/autogen/types.ts           |   4 +
 17 files changed, 281 insertions(+), 42 deletions(-)
 create mode 100644 packages/backend/migration/1729486255072-makeNotesHiddenBefore.js

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 421237c32d..d56abb29b4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ### General
 - Feat: コンテンツの表示にログインを必須にできるように
+- Feat: 過去のノートを非公開化/フォロワーのみ表示可能にできるように
 
 ### Client
 - Enhance: Bull DashboardでRelationship Queueの状態も確認できるように  
diff --git a/locales/index.d.ts b/locales/index.d.ts
index e002540307..8350297a79 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -3806,6 +3806,18 @@ export interface Locale extends ILocale {
      * 1ヶ月
      */
     "oneMonth": string;
+    /**
+     * 3ヶ月
+     */
+    "threeMonths": string;
+    /**
+     * 1年
+     */
+    "oneYear": string;
+    /**
+     * 3日
+     */
+    "threeDays": string;
     /**
      * 反映されるまで時間がかかる場合があります。
      */
@@ -5204,7 +5216,7 @@ export interface Locale extends ILocale {
          */
         "requireSigninToViewContents": string;
         /**
-         * あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーから情報を収集されるのを防ぐ効果が期待できます。
+         * あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーに情報が収集されるのを防ぐ効果が期待できます。
          */
         "requireSigninToViewContentsDescription1": string;
         /**
@@ -5215,6 +5227,34 @@ export interface Locale extends ILocale {
          * リモートサーバーに連合されたコンテンツでは、これらの制限が適用されない場合があります。
          */
         "requireSigninToViewContentsDescription3": string;
+        /**
+         * 過去のノートをフォロワーのみ表示可能にする
+         */
+        "makeNotesFollowersOnlyBefore": string;
+        /**
+         * この機能が有効になっている間、設定された日時より過去、または設定された時間を経過しているノートがフォロワーのみ表示可能になります。無効に戻すと、ノートの公開状態も元に戻ります。
+         */
+        "makeNotesFollowersOnlyBeforeDescription": string;
+        /**
+         * 過去のノートを非公開化する
+         */
+        "makeNotesHiddenBefore": string;
+        /**
+         * この機能が有効になっている間、設定された日時より過去、または設定された時間を経過しているノートが自分のみ表示可能(非公開化)になります。無効に戻すと、ノートの公開状態も元に戻ります。
+         */
+        "makeNotesHiddenBeforeDescription": string;
+        /**
+         * リモートサーバーに連合されたノートには効果が及ばない場合があります。
+         */
+        "mayNotEffectForFederatedNotes": string;
+        /**
+         * 指定した時間を経過しているノート
+         */
+        "notesHavePassedSpecifiedPeriod": string;
+        /**
+         * 指定した日時より前のノート
+         */
+        "notesOlderThanSpecifiedDateAndTime": string;
     };
     "_abuseUserReport": {
         /**
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index f3f7e5c77f..93ed879a08 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -947,6 +947,9 @@ oneHour: "1時間"
 oneDay: "1日"
 oneWeek: "1週間"
 oneMonth: "1ヶ月"
+threeMonths: "3ヶ月"
+oneYear: "1年"
+threeDays: "3日"
 reflectMayTakeTime: "反映されるまで時間がかかる場合があります。"
 failedToFetchAccountInformation: "アカウント情報の取得に失敗しました"
 rateLimitExceeded: "レート制限を超えました"
@@ -1298,9 +1301,16 @@ lockdown: "ロックダウン"
 
 _accountSettings:
   requireSigninToViewContents: "コンテンツの表示にログインを必須にする"
-  requireSigninToViewContentsDescription1: "あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーから情報を収集されるのを防ぐ効果が期待できます。"
+  requireSigninToViewContentsDescription1: "あなたが作成した全てのノートなどのコンテンツを表示するのにログインを必須にします。クローラーに情報が収集されるのを防ぐ効果が期待できます。"
   requireSigninToViewContentsDescription2: "URLプレビュー(OGP)、Webページへの埋め込み、ノートの引用に対応していないサーバーからの表示も不可になります。"
   requireSigninToViewContentsDescription3: "リモートサーバーに連合されたコンテンツでは、これらの制限が適用されない場合があります。"
+  makeNotesFollowersOnlyBefore: "過去のノートをフォロワーのみ表示可能にする"
+  makeNotesFollowersOnlyBeforeDescription: "この機能が有効になっている間、設定された日時より過去、または設定された時間を経過しているノートがフォロワーのみ表示可能になります。無効に戻すと、ノートの公開状態も元に戻ります。"
+  makeNotesHiddenBefore: "過去のノートを非公開化する"
+  makeNotesHiddenBeforeDescription: "この機能が有効になっている間、設定された日時より過去、または設定された時間を経過しているノートが自分のみ表示可能(非公開化)になります。無効に戻すと、ノートの公開状態も元に戻ります。"
+  mayNotEffectForFederatedNotes: "リモートサーバーに連合されたノートには効果が及ばない場合があります。"
+  notesHavePassedSpecifiedPeriod: "指定した時間を経過しているノート"
+  notesOlderThanSpecifiedDateAndTime: "指定した日時より前のノート"
 
 _abuseUserReport:
   forward: "転送"
diff --git a/packages/backend/migration/1729486255072-makeNotesHiddenBefore.js b/packages/backend/migration/1729486255072-makeNotesHiddenBefore.js
new file mode 100644
index 0000000000..5fe4886b04
--- /dev/null
+++ b/packages/backend/migration/1729486255072-makeNotesHiddenBefore.js
@@ -0,0 +1,18 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class MakeNotesHiddenBefore1729486255072 {
+    name = 'MakeNotesHiddenBefore1729486255072'
+
+    async up(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "user" ADD "makeNotesFollowersOnlyBefore" integer`);
+        await queryRunner.query(`ALTER TABLE "user" ADD "makeNotesHiddenBefore" integer`);
+    }
+
+    async down(queryRunner) {
+        await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "makeNotesHiddenBefore"`);
+        await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "makeNotesFollowersOnlyBefore"`);
+    }
+}
diff --git a/packages/backend/src/core/WebhookTestService.ts b/packages/backend/src/core/WebhookTestService.ts
index 254d961040..c826a28963 100644
--- a/packages/backend/src/core/WebhookTestService.ts
+++ b/packages/backend/src/core/WebhookTestService.ts
@@ -84,6 +84,8 @@ function generateDummyUser(override?: Partial<MiUser>): MiUser {
 		isHibernated: false,
 		isDeleted: false,
 		requireSigninToViewContents: false,
+		makeNotesFollowersOnlyBefore: null,
+		makeNotesHiddenBefore: null,
 		emojis: [],
 		score: 0,
 		host: null,
diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts
index 8235d7ba30..5617a29bab 100644
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@@ -496,6 +496,8 @@ export class ApRendererService {
 			_misskey_summary: profile.description,
 			_misskey_followedMessage: profile.followedMessage,
 			_misskey_requireSigninToViewContents: user.requireSigninToViewContents,
+			_misskey_makeNotesFollowersOnlyBefore: user.makeNotesFollowersOnlyBefore,
+			_misskey_makeNotesHiddenBefore: user.makeNotesHiddenBefore,
 			icon: avatar ? this.renderImage(avatar) : null,
 			image: banner ? this.renderImage(banner) : null,
 			tag,
diff --git a/packages/backend/src/core/activitypub/misc/contexts.ts b/packages/backend/src/core/activitypub/misc/contexts.ts
index 447f7ef3db..94cb0785cb 100644
--- a/packages/backend/src/core/activitypub/misc/contexts.ts
+++ b/packages/backend/src/core/activitypub/misc/contexts.ts
@@ -556,6 +556,8 @@ const extension_context_definition = {
 	'_misskey_summary': 'misskey:_misskey_summary',
 	'_misskey_followedMessage': 'misskey:_misskey_followedMessage',
 	'_misskey_requireSigninToViewContents': 'misskey:_misskey_requireSigninToViewContents',
+	'_misskey_makeNotesFollowersOnlyBefore': 'misskey:_misskey_makeNotesFollowersOnlyBefore',
+	'_misskey_makeNotesHiddenBefore': 'misskey:_misskey_makeNotesHiddenBefore',
 	'isCat': 'misskey:isCat',
 	// vcard
 	vcard: 'http://www.w3.org/2006/vcard/ns#',
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index c7915ed94f..0e2934301b 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -357,6 +357,8 @@ export class ApPersonService implements OnModuleInit {
 					isBot,
 					isCat: (person as any).isCat === true,
 					requireSigninToViewContents: (person as any).requireSigninToViewContents === true,
+					makeNotesFollowersOnlyBefore: (person as any).makeNotesFollowersOnlyBefore ?? null,
+					makeNotesHiddenBefore: (person as any).makeNotesHiddenBefore ?? null,
 					emojis,
 				})) as MiRemoteUser;
 
diff --git a/packages/backend/src/core/activitypub/type.ts b/packages/backend/src/core/activitypub/type.ts
index 8a860335fa..7496315f09 100644
--- a/packages/backend/src/core/activitypub/type.ts
+++ b/packages/backend/src/core/activitypub/type.ts
@@ -15,6 +15,8 @@ export interface IObject {
 	_misskey_summary?: string;
 	_misskey_followedMessage?: string | null;
 	_misskey_requireSigninToViewContents?: boolean;
+	_misskey_makeNotesFollowersOnlyBefore?: number | null;
+	_misskey_makeNotesHiddenBefore?: number | null;
 	published?: string;
 	cc?: ApObject;
 	to?: ApObject;
diff --git a/packages/backend/src/core/entities/NoteEntityService.ts b/packages/backend/src/core/entities/NoteEntityService.ts
index 62016936a2..96cc6b028e 100644
--- a/packages/backend/src/core/entities/NoteEntityService.ts
+++ b/packages/backend/src/core/entities/NoteEntityService.ts
@@ -102,57 +102,83 @@ export class NoteEntityService implements OnModuleInit {
 	}
 
 	@bindThis
-	private async hideNote(packedNote: Packed<'Note'>, meId: MiUser['id'] | null) {
+	private async hideNote(packedNote: Packed<'Note'>, meId: MiUser['id'] | null): Promise<void> {
+		// FIXME: このvisibility変更処理が当関数にあるのは若干不自然かもしれない(関数名を treatVisibility とかに変える手もある)
+		if (packedNote.visibility === 'public' || packedNote.visibility === 'home') {
+			const followersOnlyBefore = packedNote.user.makeNotesFollowersOnlyBefore;
+			if ((followersOnlyBefore != null)
+				&& (
+					(followersOnlyBefore <= 0 && (Date.now() - new Date(packedNote.createdAt).getTime() > 0 - (followersOnlyBefore * 1000)))
+					|| (followersOnlyBefore > 0 && (new Date(packedNote.createdAt).getTime() < followersOnlyBefore * 1000))
+				)
+			) {
+				packedNote.visibility = 'followers';
+			}
+		}
+
+		if (meId === packedNote.userId) return;
+
 		// TODO: isVisibleForMe を使うようにしても良さそう(型違うけど)
 		let hide = false;
 
-		// visibility が specified かつ自分が指定されていなかったら非表示
-		if (packedNote.visibility === 'specified') {
-			if (meId == null) {
+		if (packedNote.user.requireSigninToViewContents && meId == null) {
+			hide = true;
+		}
+
+		if (!hide) {
+			const hiddenBefore = packedNote.user.makeNotesHiddenBefore;
+			if ((hiddenBefore != null)
+				&& (
+					(hiddenBefore <= 0 && (Date.now() - new Date(packedNote.createdAt).getTime() > 0 - (hiddenBefore * 1000)))
+					|| (hiddenBefore > 0 && (new Date(packedNote.createdAt).getTime() < hiddenBefore * 1000))
+				)
+			) {
 				hide = true;
-			} else if (meId === packedNote.userId) {
-				hide = false;
-			} else {
-				// 指定されているかどうか
-				const specified = packedNote.visibleUserIds!.some(id => meId === id);
+			}
+		}
 
-				if (specified) {
-					hide = false;
-				} else {
+		// visibility が specified かつ自分が指定されていなかったら非表示
+		if (!hide) {
+			if (packedNote.visibility === 'specified') {
+				if (meId == null) {
 					hide = true;
+				} else {
+					// 指定されているかどうか
+					const specified = packedNote.visibleUserIds!.some(id => meId === id);
+
+					if (!specified) {
+						hide = true;
+					}
 				}
 			}
 		}
 
 		// visibility が followers かつ自分が投稿者のフォロワーでなかったら非表示
-		if (packedNote.visibility === 'followers') {
-			if (meId == null) {
-				hide = true;
-			} else if (meId === packedNote.userId) {
-				hide = false;
-			} else if (packedNote.reply && (meId === packedNote.reply.userId)) {
-				// 自分の投稿に対するリプライ
-				hide = false;
-			} else if (packedNote.mentions && packedNote.mentions.some(id => meId === id)) {
-				// 自分へのメンション
-				hide = false;
-			} else {
-				// フォロワーかどうか
-				const isFollowing = await this.followingsRepository.exists({
-					where: {
-						followeeId: packedNote.userId,
-						followerId: meId,
-					},
-				});
+		if (!hide) {
+			if (packedNote.visibility === 'followers') {
+				if (meId == null) {
+					hide = true;
+				} else if (packedNote.reply && (meId === packedNote.reply.userId)) {
+					// 自分の投稿に対するリプライ
+					hide = false;
+				} else if (packedNote.mentions && packedNote.mentions.some(id => meId === id)) {
+					// 自分へのメンション
+					hide = false;
+				} else {
+					// フォロワーかどうか
+					// TODO: 当関数呼び出しごとにクエリが走るのは重そうだからなんとかする
+					const isFollowing = await this.followingsRepository.exists({
+						where: {
+							followeeId: packedNote.userId,
+							followerId: meId,
+						},
+					});
 
-				hide = !isFollowing;
+					hide = !isFollowing;
+				}
 			}
 		}
 
-		if (packedNote.user.requireSigninToViewContents && meId == null) {
-			hide = true;
-		}
-
 		if (hide) {
 			packedNote.visibleUserIds = undefined;
 			packedNote.fileIds = [];
@@ -161,6 +187,7 @@ export class NoteEntityService implements OnModuleInit {
 			packedNote.poll = undefined;
 			packedNote.cw = null;
 			packedNote.isHidden = true;
+			// TODO: hiddenReason みたいなのを提供しても良さそう
 		}
 	}
 
diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts
index 747ffc780f..d3c087a153 100644
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@@ -491,6 +491,8 @@ export class UserEntityService implements OnModuleInit {
 			isBot: user.isBot,
 			isCat: user.isCat,
 			requireSigninToViewContents: user.requireSigninToViewContents === false ? undefined : true,
+			makeNotesFollowersOnlyBefore: user.makeNotesFollowersOnlyBefore ?? undefined,
+			makeNotesHiddenBefore: user.makeNotesHiddenBefore ?? undefined,
 			instance: user.host ? this.federatedInstanceService.federatedInstanceCache.fetch(user.host).then(instance => instance ? {
 				name: instance.name,
 				softwareName: instance.softwareName,
diff --git a/packages/backend/src/models/User.ts b/packages/backend/src/models/User.ts
index 6fcff77854..96de30c4c2 100644
--- a/packages/backend/src/models/User.ts
+++ b/packages/backend/src/models/User.ts
@@ -207,6 +207,18 @@ export class MiUser {
 	})
 	public requireSigninToViewContents: boolean;
 
+	// in sec, マイナスで相対時間
+	@Column('integer', {
+		nullable: true,
+	})
+	public makeNotesFollowersOnlyBefore: number | null;
+
+	// in sec, マイナスで相対時間
+	@Column('integer', {
+		nullable: true,
+	})
+	public makeNotesHiddenBefore: number | null;
+
 	// アカウントが削除されたかどうかのフラグだが、完全に削除される際は物理削除なので実質削除されるまでの「削除が進行しているかどうか」のフラグ
 	@Column('boolean', {
 		default: false,
diff --git a/packages/backend/src/models/json-schema/user.ts b/packages/backend/src/models/json-schema/user.ts
index 817f8e9292..38631f907d 100644
--- a/packages/backend/src/models/json-schema/user.ts
+++ b/packages/backend/src/models/json-schema/user.ts
@@ -119,6 +119,14 @@ export const packedUserLiteSchema = {
 			type: 'boolean',
 			nullable: false, optional: true,
 		},
+		makeNotesFollowersOnlyBefore: {
+			type: 'number',
+			nullable: true, optional: true,
+		},
+		makeNotesHiddenBefore: {
+			type: 'number',
+			nullable: true, optional: true,
+		},
 		instance: {
 			type: 'object',
 			nullable: false, optional: true,
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 6680c96f3f..2183beac7c 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -180,6 +180,8 @@ export const paramDef = {
 		noCrawle: { type: 'boolean' },
 		preventAiLearning: { type: 'boolean' },
 		requireSigninToViewContents: { type: 'boolean' },
+		makeNotesFollowersOnlyBefore: { type: 'integer', nullable: true },
+		makeNotesHiddenBefore: { type: 'integer', nullable: true },
 		isBot: { type: 'boolean' },
 		isCat: { type: 'boolean' },
 		injectFeaturedNote: { type: 'boolean' },
@@ -336,6 +338,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (typeof ps.noCrawle === 'boolean') profileUpdates.noCrawle = ps.noCrawle;
 			if (typeof ps.preventAiLearning === 'boolean') profileUpdates.preventAiLearning = ps.preventAiLearning;
 			if (typeof ps.requireSigninToViewContents === 'boolean') updates.requireSigninToViewContents = ps.requireSigninToViewContents;
+			if ((typeof ps.makeNotesFollowersOnlyBefore === 'number') || (ps.makeNotesFollowersOnlyBefore === null)) updates.makeNotesFollowersOnlyBefore = ps.makeNotesFollowersOnlyBefore;
+			if ((typeof ps.makeNotesHiddenBefore === 'number') || (ps.makeNotesHiddenBefore === null)) updates.makeNotesHiddenBefore = ps.makeNotesHiddenBefore;
 			if (typeof ps.isCat === 'boolean') updates.isCat = ps.isCat;
 			if (typeof ps.injectFeaturedNote === 'boolean') profileUpdates.injectFeaturedNote = ps.injectFeaturedNote;
 			if (typeof ps.receiveAnnouncementEmail === 'boolean') profileUpdates.receiveAnnouncementEmail = ps.receiveAnnouncementEmail;
diff --git a/packages/frontend/src/components/MkSelect.vue b/packages/frontend/src/components/MkSelect.vue
index 8bd02000e6..eeadd49936 100644
--- a/packages/frontend/src/components/MkSelect.vue
+++ b/packages/frontend/src/components/MkSelect.vue
@@ -46,7 +46,7 @@ import type { MenuItem } from '@/types/menu.js';
 import * as os from '@/os.js';
 
 const props = defineProps<{
-	modelValue: string | null;
+	modelValue: string | number | null;
 	required?: boolean;
 	readonly?: boolean;
 	disabled?: boolean;
diff --git a/packages/frontend/src/pages/settings/privacy.vue b/packages/frontend/src/pages/settings/privacy.vue
index e277dfad71..da3d36b31a 100644
--- a/packages/frontend/src/pages/settings/privacy.vue
+++ b/packages/frontend/src/pages/settings/privacy.vue
@@ -45,17 +45,89 @@ SPDX-License-Identifier: AGPL-3.0-only
 	</MkSwitch>
 
 	<FormSection>
-		<template #label>{{ i18n.ts.lockdown }}</template>
+		<template #label>{{ i18n.ts.lockdown }}<span class="_beta">{{ i18n.ts.beta }}</span></template>
 
 		<div class="_gaps_m">
 			<MkSwitch v-model="requireSigninToViewContents" @update:modelValue="save()">
-				{{ i18n.ts._accountSettings.requireSigninToViewContents }}<span class="_beta">{{ i18n.ts.beta }}</span>
+				{{ i18n.ts._accountSettings.requireSigninToViewContents }}
 				<template #caption>
 					<div>{{ i18n.ts._accountSettings.requireSigninToViewContentsDescription1 }}</div>
 					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.requireSigninToViewContentsDescription2 }}</div>
 					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.requireSigninToViewContentsDescription3 }}</div>
 				</template>
 			</MkSwitch>
+
+			<FormSlot>
+				<template #label>{{ i18n.ts._accountSettings.makeNotesFollowersOnlyBefore }}</template>
+
+				<div class="_gaps_s">
+					<MkSelect :modelValue="makeNotesFollowersOnlyBefore_type" @update:modelValue="makeNotesFollowersOnlyBefore = $event === 'relative' ? -604800 : $event === 'absolute' ? Math.floor(Date.now() / 1000) : null">
+						<option :value="null">{{ i18n.ts.none }}</option>
+						<option value="relative">{{ i18n.ts._accountSettings.notesHavePassedSpecifiedPeriod }}</option>
+						<option value="absolute">{{ i18n.ts._accountSettings.notesOlderThanSpecifiedDateAndTime }}</option>
+					</MkSelect>
+
+					<MkSelect v-if="makeNotesFollowersOnlyBefore_type === 'relative'" v-model="makeNotesFollowersOnlyBefore">
+						<option :value="-3600">{{ i18n.ts.oneHour }}</option>
+						<option :value="-86400">{{ i18n.ts.oneDay }}</option>
+						<option :value="-259200">{{ i18n.ts.threeDays }}</option>
+						<option :value="-604800">{{ i18n.ts.oneWeek }}</option>
+						<option :value="-2592000">{{ i18n.ts.oneMonth }}</option>
+						<option :value="-7776000">{{ i18n.ts.threeMonths }}</option>
+						<option :value="-31104000">{{ i18n.ts.oneYear }}</option>
+					</MkSelect>
+
+					<MkInput
+						v-if="makeNotesFollowersOnlyBefore_type === 'absolute'"
+						:modelValue="formatDateTimeString(new Date(makeNotesFollowersOnlyBefore * 1000), 'yyyy-MM-dd')"
+						type="date"
+						:manualSave="true"
+						@update:modelValue="makeNotesFollowersOnlyBefore = Math.floor(new Date($event).getTime() / 1000)"
+					>
+					</MkInput>
+				</div>
+
+				<template #caption>
+					<div>{{ i18n.ts._accountSettings.makeNotesFollowersOnlyBeforeDescription }}</div>
+					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.mayNotEffectForFederatedNotes }}</div>
+				</template>
+			</FormSlot>
+
+			<FormSlot>
+				<template #label>{{ i18n.ts._accountSettings.makeNotesHiddenBefore }}</template>
+
+				<div class="_gaps_s">
+					<MkSelect :modelValue="makeNotesHiddenBefore_type" @update:modelValue="makeNotesHiddenBefore = $event === 'relative' ? -604800 : $event === 'absolute' ? Math.floor(Date.now() / 1000) : null">
+						<option :value="null">{{ i18n.ts.none }}</option>
+						<option value="relative">{{ i18n.ts._accountSettings.notesHavePassedSpecifiedPeriod }}</option>
+						<option value="absolute">{{ i18n.ts._accountSettings.notesOlderThanSpecifiedDateAndTime }}</option>
+					</MkSelect>
+
+					<MkSelect v-if="makeNotesHiddenBefore_type === 'relative'" v-model="makeNotesHiddenBefore">
+						<option :value="-3600">{{ i18n.ts.oneHour }}</option>
+						<option :value="-86400">{{ i18n.ts.oneDay }}</option>
+						<option :value="-259200">{{ i18n.ts.threeDays }}</option>
+						<option :value="-604800">{{ i18n.ts.oneWeek }}</option>
+						<option :value="-2592000">{{ i18n.ts.oneMonth }}</option>
+						<option :value="-7776000">{{ i18n.ts.threeMonths }}</option>
+						<option :value="-31104000">{{ i18n.ts.oneYear }}</option>
+					</MkSelect>
+
+					<MkInput
+						v-if="makeNotesHiddenBefore_type === 'absolute'"
+						:modelValue="formatDateTimeString(new Date(makeNotesHiddenBefore * 1000), 'yyyy-MM-dd')"
+						type="date"
+						:manualSave="true"
+						@update:modelValue="makeNotesHiddenBefore = Math.floor(new Date($event).getTime() / 1000)"
+					>
+					</MkInput>
+				</div>
+
+				<template #caption>
+					<div>{{ i18n.ts._accountSettings.makeNotesHiddenBeforeDescription }}</div>
+					<div><i class="ti ti-alert-triangle" style="color: var(--MI_THEME-warn);"></i> {{ i18n.ts._accountSettings.mayNotEffectForFederatedNotes }}</div>
+				</template>
+			</FormSlot>
 		</div>
 	</FormSection>
 
@@ -87,7 +159,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 </template>
 
 <script lang="ts" setup>
-import { ref, computed } from 'vue';
+import { ref, computed, watch } from 'vue';
 import MkSwitch from '@/components/MkSwitch.vue';
 import MkSelect from '@/components/MkSelect.vue';
 import FormSection from '@/components/form/section.vue';
@@ -97,6 +169,9 @@ import { defaultStore } from '@/store.js';
 import { i18n } from '@/i18n.js';
 import { signinRequired } from '@/account.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
+import FormSlot from '@/components/form/slot.vue';
+import { formatDateTimeString } from '@/scripts/format-time-string.js';
+import MkInput from '@/components/MkInput.vue';
 
 const $i = signinRequired();
 
@@ -106,6 +181,8 @@ const noCrawle = ref($i.noCrawle);
 const preventAiLearning = ref($i.preventAiLearning);
 const isExplorable = ref($i.isExplorable);
 const requireSigninToViewContents = ref($i.requireSigninToViewContents ?? false);
+const makeNotesFollowersOnlyBefore = ref($i.makeNotesFollowersOnlyBefore ?? null);
+const makeNotesHiddenBefore = ref($i.makeNotesHiddenBefore ?? null);
 const hideOnlineStatus = ref($i.hideOnlineStatus);
 const publicReactions = ref($i.publicReactions);
 const followingVisibility = ref($i.followingVisibility);
@@ -116,6 +193,30 @@ const defaultNoteLocalOnly = computed(defaultStore.makeGetterSetter('defaultNote
 const rememberNoteVisibility = computed(defaultStore.makeGetterSetter('rememberNoteVisibility'));
 const keepCw = computed(defaultStore.makeGetterSetter('keepCw'));
 
+const makeNotesFollowersOnlyBefore_type = computed(() => {
+	if (makeNotesFollowersOnlyBefore.value == null) {
+		return null;
+	} else if (makeNotesFollowersOnlyBefore.value >= 0) {
+		return 'absolute';
+	} else {
+		return 'relative';
+	}
+});
+
+const makeNotesHiddenBefore_type = computed(() => {
+	if (makeNotesHiddenBefore.value == null) {
+		return null;
+	} else if (makeNotesHiddenBefore.value >= 0) {
+		return 'absolute';
+	} else {
+		return 'relative';
+	}
+});
+
+watch([makeNotesFollowersOnlyBefore, makeNotesHiddenBefore], () => {
+	save();
+});
+
 function save() {
 	misskeyApi('i/update', {
 		isLocked: !!isLocked.value,
@@ -124,6 +225,8 @@ function save() {
 		preventAiLearning: !!preventAiLearning.value,
 		isExplorable: !!isExplorable.value,
 		requireSigninToViewContents: !!requireSigninToViewContents.value,
+		makeNotesFollowersOnlyBefore: makeNotesFollowersOnlyBefore.value,
+		makeNotesHiddenBefore: makeNotesHiddenBefore.value,
 		hideOnlineStatus: !!hideOnlineStatus.value,
 		publicReactions: !!publicReactions.value,
 		followingVisibility: followingVisibility.value,
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 8f84aa37ff..560960f018 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -3737,6 +3737,8 @@ export type components = {
       isBot?: boolean;
       isCat?: boolean;
       requireSigninToViewContents?: boolean;
+      makeNotesFollowersOnlyBefore?: number | null;
+      makeNotesHiddenBefore?: number | null;
       instance?: {
         name: string | null;
         softwareName: string | null;
@@ -19846,6 +19848,8 @@ export type operations = {
           noCrawle?: boolean;
           preventAiLearning?: boolean;
           requireSigninToViewContents?: boolean;
+          makeNotesFollowersOnlyBefore?: number | null;
+          makeNotesHiddenBefore?: number | null;
           isBot?: boolean;
           isCat?: boolean;
           injectFeaturedNote?: boolean;
-- 
cgit v1.2.3-freya


From eeea4ec00b4ed1aeabee85d2761699765f9b2af9 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Fri, 25 Oct 2024 15:09:37 +0900
Subject: fix(backend):
 招待コード発行可能残り数算出に使用すべきロールポリシーの値が違うのを修正
 (#14834)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: should use invite limit cycle to calculate invite/limit

* Update Changelog

* Update changelog

---------

Co-authored-by: Lhc_fl <lhcfl@outlook.com>
---
 CHANGELOG.md                                              | 2 ++
 packages/backend/src/server/api/endpoints/invite/limit.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2bb021317d..c35aa3679f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,8 @@
 ### Server
 - Fix: Nested proxy requestsを検出した際にブロックするように
   [ghsa-gq5q-c77c-v236](https://github.com/misskey-dev/misskey/security/advisories/ghsa-gq5q-c77c-v236)
+- Fix: 招待コードの発行可能な残り数算出に使用すべきロールポリシーの値が違う問題を修正  
+  (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/706)
 
 ## 2024.10.1
 
diff --git a/packages/backend/src/server/api/endpoints/invite/limit.ts b/packages/backend/src/server/api/endpoints/invite/limit.ts
index 2786bd98d5..2ffd41ae28 100644
--- a/packages/backend/src/server/api/endpoints/invite/limit.ts
+++ b/packages/backend/src/server/api/endpoints/invite/limit.ts
@@ -49,7 +49,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const policies = await this.roleService.getUserPolicies(me.id);
 
 			const count = policies.inviteLimit ? await this.registrationTicketsRepository.countBy({
-				id: MoreThan(this.idService.gen(Date.now() - (policies.inviteExpirationTime * 60 * 1000))),
+				id: MoreThan(this.idService.gen(Date.now() - (policies.inviteLimitCycle * 60 * 1000))),
 				createdById: me.id,
 			}) : null;
 
-- 
cgit v1.2.3-freya


From 74847bce303449124282a748fc50b1c6588288fc Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Mon, 28 Oct 2024 20:42:14 +0900
Subject: enhance: アイコンデコレーション管理画面の改善
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md                                       |   1 +
 locales/index.d.ts                                 |   4 +
 locales/ja-JP.yml                                  |   1 +
 .../endpoints/admin/avatar-decorations/create.ts   |  57 +++++-
 .../api/endpoints/admin/avatar-decorations/list.ts |   3 -
 .../src/pages/avatar-decoration-edit-dialog.vue    | 220 +++++++++++++++++++++
 packages/frontend/src/pages/avatar-decorations.vue | 172 ++++++----------
 .../settings/avatar-decoration.decoration.vue      |   7 +-
 .../pages/settings/avatar-decoration.dialog.vue    |   4 +-
 packages/misskey-js/etc/misskey-js.api.md          |   4 +
 packages/misskey-js/src/autogen/endpoint.ts        |   3 +-
 packages/misskey-js/src/autogen/entities.ts        |   1 +
 packages/misskey-js/src/autogen/types.ts           |  19 +-
 13 files changed, 374 insertions(+), 122 deletions(-)
 create mode 100644 packages/frontend/src/pages/avatar-decoration-edit-dialog.vue

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cbd48b8b6c..52077f813f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 - Enhance: Bull DashboardでRelationship Queueの状態も確認できるように  
   (Cherry-picked from https://github.com/MisskeyIO/misskey/pull/751)
 - Enhance: ドライブでソートができるように
+- Enhance: アイコンデコレーション管理画面の改善
 - Enhance: 「単なるラッキー」の取得条件を変更
 - Enhance: 投稿フォームでEscキーを押したときIME入力中ならフォームを閉じないように（ #10866 ）  
 - Enhance: MiAuth, OAuthの認可画面の改善
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 9058c70496..440f24ac84 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -5214,6 +5214,10 @@ export interface Locale extends ILocale {
      * アカウントを選択してください
      */
     "pleaseSelectAccount": string;
+    /**
+     * 利用可能なロール
+     */
+    "availableRoles": string;
     "_accountSettings": {
         /**
          * コンテンツの表示にログインを必須にする
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 1d426f1705..5d8e1a5e72 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -1299,6 +1299,7 @@ yourNameContainsProhibitedWordsDescription: "名前に禁止されている文
 thisContentsAreMarkedAsSigninRequiredByAuthor: "投稿者により、表示にはログインが必要と設定されています"
 lockdown: "ロックダウン"
 pleaseSelectAccount: "アカウントを選択してください"
+availableRoles: "利用可能なロール"
 
 _accountSettings:
   requireSigninToViewContents: "コンテンツの表示にログインを必須にする"
diff --git a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts
index fd21309818..87d80cbe80 100644
--- a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/create.ts
@@ -6,6 +6,7 @@
 import { Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
+import { IdService } from '@/core/IdService.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -13,6 +14,49 @@ export const meta = {
 	requireCredential: true,
 	requireRolePolicy: 'canManageAvatarDecorations',
 	kind: 'write:admin:avatar-decorations',
+
+	res: {
+		type: 'object',
+		optional: false, nullable: false,
+		properties: {
+			id: {
+				type: 'string',
+				optional: false, nullable: false,
+				format: 'id',
+			},
+			createdAt: {
+				type: 'string',
+				optional: false, nullable: false,
+				format: 'date-time',
+			},
+			updatedAt: {
+				type: 'string',
+				optional: false, nullable: true,
+				format: 'date-time',
+			},
+			name: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			description: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			url: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+			roleIdsThatCanBeUsedThisDecoration: {
+				type: 'array',
+				optional: false, nullable: false,
+				items: {
+					type: 'string',
+					optional: false, nullable: false,
+					format: 'id',
+				},
+			},
+		},
+	},
 } as const;
 
 export const paramDef = {
@@ -32,14 +76,25 @@ export const paramDef = {
 export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
 	constructor(
 		private avatarDecorationService: AvatarDecorationService,
+		private idService: IdService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			await this.avatarDecorationService.create({
+			const created = await this.avatarDecorationService.create({
 				name: ps.name,
 				description: ps.description,
 				url: ps.url,
 				roleIdsThatCanBeUsedThisDecoration: ps.roleIdsThatCanBeUsedThisDecoration,
 			}, me);
+
+			return {
+				id: created.id,
+				createdAt: this.idService.parse(created.id).date.toISOString(),
+				updatedAt: null,
+				name: created.name,
+				description: created.description,
+				url: created.url,
+				roleIdsThatCanBeUsedThisDecoration: created.roleIdsThatCanBeUsedThisDecoration,
+			};
 		});
 	}
 }
diff --git a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts
index aee90023e1..d785f085ac 100644
--- a/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts
+++ b/packages/backend/src/server/api/endpoints/admin/avatar-decorations/list.ts
@@ -4,10 +4,7 @@
  */
 
 import { Inject, Injectable } from '@nestjs/common';
-import type { AnnouncementsRepository, AnnouncementReadsRepository } from '@/models/_.js';
-import type { MiAnnouncement } from '@/models/Announcement.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import { QueryService } from '@/core/QueryService.js';
 import { DI } from '@/di-symbols.js';
 import { IdService } from '@/core/IdService.js';
 import { AvatarDecorationService } from '@/core/AvatarDecorationService.js';
diff --git a/packages/frontend/src/pages/avatar-decoration-edit-dialog.vue b/packages/frontend/src/pages/avatar-decoration-edit-dialog.vue
new file mode 100644
index 0000000000..a834f1c5fd
--- /dev/null
+++ b/packages/frontend/src/pages/avatar-decoration-edit-dialog.vue
@@ -0,0 +1,220 @@
+<!--
+SPDX-FileCopyrightText: syuilo and misskey-project
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<MkWindow
+	ref="windowEl"
+	:initialWidth="400"
+	:initialHeight="500"
+	:canResize="true"
+	@close="windowEl?.close()"
+	@closed="emit('closed')"
+>
+	<template v-if="avatarDecoration" #header>{{ avatarDecoration.name }}</template>
+	<template v-else #header>New decoration</template>
+
+	<div style="display: flex; flex-direction: column; min-height: 100%;">
+		<MkSpacer :marginMin="20" :marginMax="28" style="flex-grow: 1;">
+			<div class="_gaps_m">
+				<div :class="$style.preview">
+					<div :class="[$style.previewItem, $style.light]">
+						<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="url != '' ? [{ url }] : []" forceShowDecoration/>
+					</div>
+					<div :class="[$style.previewItem, $style.dark]">
+						<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="url != '' ? [{ url }] : []" forceShowDecoration/>
+					</div>
+				</div>
+				<MkInput v-model="name">
+					<template #label>{{ i18n.ts.name }}</template>
+				</MkInput>
+				<MkInput v-model="url">
+					<template #label>{{ i18n.ts.imageUrl }}</template>
+				</MkInput>
+				<MkTextarea v-model="description">
+					<template #label>{{ i18n.ts.description }}</template>
+				</MkTextarea>
+				<MkFolder>
+					<template #label>{{ i18n.ts.availableRoles }}</template>
+					<template #suffix>{{ rolesThatCanBeUsedThisDecoration.length === 0 ? i18n.ts.all : rolesThatCanBeUsedThisDecoration.length }}</template>
+
+					<div class="_gaps">
+						<MkButton rounded @click="addRole"><i class="ti ti-plus"></i> {{ i18n.ts.add }}</MkButton>
+
+						<div v-for="role in rolesThatCanBeUsedThisDecoration" :key="role.id" :class="$style.roleItem">
+							<MkRolePreview :class="$style.role" :role="role" :forModeration="true" :detailed="false" style="pointer-events: none;"/>
+							<button v-if="role.target === 'manual'" class="_button" :class="$style.roleUnassign" @click="removeRole(role, $event)"><i class="ti ti-x"></i></button>
+							<button v-else class="_button" :class="$style.roleUnassign" disabled><i class="ti ti-ban"></i></button>
+						</div>
+					</div>
+				</MkFolder>
+				<MkButton v-if="avatarDecoration" danger @click="del()"><i class="ti ti-trash"></i> {{ i18n.ts.delete }}</MkButton>
+			</div>
+		</MkSpacer>
+		<div :class="$style.footer">
+			<MkButton primary rounded style="margin: 0 auto;" @click="done"><i class="ti ti-check"></i> {{ props.avatarDecoration ? i18n.ts.update : i18n.ts.create }}</MkButton>
+		</div>
+	</div>
+</MkWindow>
+</template>
+
+<script lang="ts" setup>
+import { computed, watch, ref } from 'vue';
+import * as Misskey from 'misskey-js';
+import MkWindow from '@/components/MkWindow.vue';
+import MkButton from '@/components/MkButton.vue';
+import MkInput from '@/components/MkInput.vue';
+import MkInfo from '@/components/MkInfo.vue';
+import MkFolder from '@/components/MkFolder.vue';
+import * as os from '@/os.js';
+import { misskeyApi } from '@/scripts/misskey-api.js';
+import { i18n } from '@/i18n.js';
+import MkSwitch from '@/components/MkSwitch.vue';
+import MkRolePreview from '@/components/MkRolePreview.vue';
+import MkTextarea from '@/components/MkTextarea.vue';
+import { signinRequired } from '@/account.js';
+
+const $i = signinRequired();
+
+const props = defineProps<{
+	avatarDecoration?: any,
+}>();
+
+const emit = defineEmits<{
+	(ev: 'done', v: { deleted?: boolean; updated?: any; created?: any }): void,
+	(ev: 'closed'): void
+}>();
+
+const windowEl = ref<InstanceType<typeof MkWindow> | null>(null);
+const url = ref<string>(props.avatarDecoration ? props.avatarDecoration.url : '');
+const name = ref<string>(props.avatarDecoration ? props.avatarDecoration.name : '');
+const description = ref<string>(props.avatarDecoration ? props.avatarDecoration.description : '');
+const roleIdsThatCanBeUsedThisDecoration = ref(props.avatarDecoration ? props.avatarDecoration.roleIdsThatCanBeUsedThisDecoration : []);
+const rolesThatCanBeUsedThisDecoration = ref<Misskey.entities.Role[]>([]);
+
+watch(roleIdsThatCanBeUsedThisDecoration, async () => {
+	rolesThatCanBeUsedThisDecoration.value = (await Promise.all(roleIdsThatCanBeUsedThisDecoration.value.map((id) => misskeyApi('admin/roles/show', { roleId: id }).catch(() => null)))).filter(x => x != null);
+}, { immediate: true });
+
+async function addRole() {
+	const roles = await misskeyApi('admin/roles/list');
+	const currentRoleIds = rolesThatCanBeUsedThisDecoration.value.map(x => x.id);
+
+	const { canceled, result: role } = await os.select({
+		items: roles.filter(r => r.isPublic).filter(r => !currentRoleIds.includes(r.id)).map(r => ({ text: r.name, value: r })),
+	});
+	if (canceled || role == null) return;
+
+	rolesThatCanBeUsedThisDecoration.value.push(role);
+}
+
+async function removeRole(role, ev) {
+	rolesThatCanBeUsedThisDecoration.value = rolesThatCanBeUsedThisDecoration.value.filter(x => x.id !== role.id);
+}
+
+async function done() {
+	const params = {
+		url: url.value,
+		name: name.value,
+		description: description.value,
+		roleIdsThatCanBeUsedThisDecoration: rolesThatCanBeUsedThisDecoration.value.map(x => x.id),
+	};
+
+	if (props.avatarDecoration) {
+		await os.apiWithDialog('admin/avatar-decorations/update', {
+			id: props.avatarDecoration.id,
+			...params,
+		});
+
+		emit('done', {
+			updated: {
+				id: props.avatarDecoration.id,
+				...params,
+			},
+		});
+
+		windowEl.value?.close();
+	} else {
+		const created = await os.apiWithDialog('admin/avatar-decorations/create', params);
+
+		emit('done', {
+			created: created,
+		});
+
+		windowEl.value?.close();
+	}
+}
+
+async function del() {
+	const { canceled } = await os.confirm({
+		type: 'warning',
+		text: i18n.tsx.removeAreYouSure({ x: name.value }),
+	});
+	if (canceled) return;
+
+	misskeyApi('admin/avatar-decorations/delete', {
+		id: props.avatarDecoration.id,
+	}).then(() => {
+		emit('done', {
+			deleted: true,
+		});
+		windowEl.value?.close();
+	});
+}
+</script>
+
+<style lang="scss" module>
+.preview {
+	display: grid;
+	place-items: center;
+	grid-template-columns: 1fr 1fr;
+	grid-template-rows: 1fr;
+	gap: var(--MI-margin);
+}
+
+.previewItem {
+	width: 100%;
+	height: 100%;
+	min-height: 160px;
+	display: flex;
+	align-items: center;
+	justify-content: center;
+	border-radius: var(--MI-radius);
+
+	&.light {
+		background: #eee;
+	}
+
+	&.dark {
+		background: #222;
+	}
+}
+
+.roleItem {
+	display: flex;
+}
+
+.role {
+	flex: 1;
+}
+
+.roleUnassign {
+	width: 32px;
+	height: 32px;
+	margin-left: 8px;
+	align-self: center;
+}
+
+.footer {
+	position: sticky;
+	z-index: 10000;
+	bottom: 0;
+	left: 0;
+	padding: 12px;
+	border-top: solid 0.5px var(--MI_THEME-divider);
+	background: var(--MI_THEME-acrylicBg);
+	-webkit-backdrop-filter: var(--MI-blur, blur(15px));
+	backdrop-filter: var(--MI-blur, blur(15px));
+}
+</style>
diff --git a/packages/frontend/src/pages/avatar-decorations.vue b/packages/frontend/src/pages/avatar-decorations.vue
index b97e7c0eea..a5cafb1678 100644
--- a/packages/frontend/src/pages/avatar-decorations.vue
+++ b/packages/frontend/src/pages/avatar-decorations.vue
@@ -5,92 +5,38 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <template>
 <MkStickyContainer>
-	<template #header><MkPageHeader v-model:tab="tab" :actions="headerActions" :tabs="headerTabs"/></template>
+	<template #header><MkPageHeader :actions="headerActions" :tabs="headerTabs"/></template>
 	<MkSpacer :contentMax="900">
 		<div class="_gaps">
-			<MkFolder v-for="avatarDecoration in avatarDecorations" :key="avatarDecoration.id ?? avatarDecoration._id" :defaultOpen="avatarDecoration.id == null">
-				<template #label>{{ avatarDecoration.name }}</template>
-				<template #caption>{{ avatarDecoration.description }}</template>
-
-				<div :class="$style.editorRoot">
-					<div :class="$style.editorWrapper">
-						<div :class="$style.preview">
-							<div :class="[$style.previewItem, $style.light]">
-								<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="[avatarDecoration]" forceShowDecoration/>
-							</div>
-							<div :class="[$style.previewItem, $style.dark]">
-								<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="[avatarDecoration]" forceShowDecoration/>
-							</div>
-						</div>
-						<div class="_gaps_m">
-							<MkInput v-model="avatarDecoration.name">
-								<template #label>{{ i18n.ts.name }}</template>
-							</MkInput>
-							<MkTextarea v-model="avatarDecoration.description">
-								<template #label>{{ i18n.ts.description }}</template>
-							</MkTextarea>
-							<MkInput v-model="avatarDecoration.url">
-								<template #label>{{ i18n.ts.imageUrl }}</template>
-							</MkInput>
-							<div class="_buttons">
-								<MkButton inline primary @click="save(avatarDecoration)"><i class="ti ti-device-floppy"></i> {{ i18n.ts.save }}</MkButton>
-								<MkButton v-if="avatarDecoration.id != null" inline danger @click="del(avatarDecoration)"><i class="ti ti-trash"></i> {{ i18n.ts.delete }}</MkButton>
-							</div>
-						</div>
-					</div>
+			<div :class="$style.decorations">
+				<div
+					v-for="avatarDecoration in avatarDecorations"
+					:key="avatarDecoration.id"
+					v-panel
+					:class="$style.decoration"
+					@click="edit(avatarDecoration)"
+				>
+					<div :class="$style.decorationName"><MkCondensedLine :minScale="0.5">{{ avatarDecoration.name }}</MkCondensedLine></div>
+					<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="[{ url: avatarDecoration.url }]" forceShowDecoration/>
 				</div>
-			</MkFolder>
+			</div>
 		</div>
 	</MkSpacer>
 </MkStickyContainer>
 </template>
 
 <script lang="ts" setup>
-import { ref, computed } from 'vue';
+import { ref, computed, defineAsyncComponent } from 'vue';
 import * as Misskey from 'misskey-js';
-import MkButton from '@/components/MkButton.vue';
-import MkInput from '@/components/MkInput.vue';
-import MkTextarea from '@/components/MkTextarea.vue';
 import { signinRequired } from '@/account.js';
 import * as os from '@/os.js';
 import { misskeyApi } from '@/scripts/misskey-api.js';
 import { i18n } from '@/i18n.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
-import MkFolder from '@/components/MkFolder.vue';
-
-const avatarDecorations = ref<Misskey.entities.AdminAvatarDecorationsListResponse>([]);
 
 const $i = signinRequired();
 
-function add() {
-	avatarDecorations.value.unshift({
-		_id: Math.random().toString(36),
-		id: null,
-		name: '',
-		description: '',
-		url: '',
-	});
-}
-
-function del(avatarDecoration) {
-	os.confirm({
-		type: 'warning',
-		text: i18n.tsx.deleteAreYouSure({ x: avatarDecoration.name }),
-	}).then(({ canceled }) => {
-		if (canceled) return;
-		avatarDecorations.value = avatarDecorations.value.filter(x => x !== avatarDecoration);
-		misskeyApi('admin/avatar-decorations/delete', avatarDecoration);
-	});
-}
-
-async function save(avatarDecoration) {
-	if (avatarDecoration.id == null) {
-		await os.apiWithDialog('admin/avatar-decorations/create', avatarDecoration);
-		load();
-	} else {
-		os.apiWithDialog('admin/avatar-decorations/update', avatarDecoration);
-	}
-}
+const avatarDecorations = ref<Misskey.entities.AdminAvatarDecorationsListResponse>([]);
 
 function load() {
 	misskeyApi('admin/avatar-decorations/list').then(_avatarDecorations => {
@@ -100,6 +46,37 @@ function load() {
 
 load();
 
+async function add(ev: MouseEvent) {
+	const { dispose } = os.popup(defineAsyncComponent(() => import('./avatar-decoration-edit-dialog.vue')), {
+	}, {
+		done: result => {
+			if (result.created) {
+				avatarDecorations.value.unshift(result.created);
+			}
+		},
+		closed: () => dispose(),
+	});
+}
+
+function edit(avatarDecoration) {
+	const { dispose } = os.popup(defineAsyncComponent(() => import('./avatar-decoration-edit-dialog.vue')), {
+		avatarDecoration: avatarDecoration,
+	}, {
+		done: result => {
+			if (result.updated) {
+				const index = avatarDecorations.value.findIndex(x => x.id === avatarDecoration.id);
+				avatarDecorations.value[index] = {
+					...avatarDecorations.value[index],
+					...result.updated,
+				};
+			} else if (result.deleted) {
+				avatarDecorations.value = avatarDecorations.value.filter(x => x.id !== avatarDecoration.id);
+			}
+		},
+		closed: () => dispose(),
+	});
+}
+
 const headerActions = computed(() => [{
 	asFullButton: true,
 	icon: 'ti ti-plus',
@@ -116,53 +93,26 @@ definePageMetadata(() => ({
 </script>
 
 <style lang="scss" module>
-.editorRoot {
-	container: editor / inline-size;
-}
-
-.editorWrapper {
+.decorations {
 	display: grid;
-	grid-template-columns: 1fr;
-	grid-template-rows: auto auto;
-	gap: var(--MI-margin);
+	grid-template-columns: repeat(auto-fill, minmax(140px, 1fr));
+	grid-gap: 12px;
 }
 
-.preview {
-	display: grid;
-	place-items: center;
-	grid-template-columns: 1fr 1fr;
-	grid-template-rows: 1fr;
-	gap: var(--MI-margin);
-}
-
-.previewItem {
-	width: 100%;
-	height: 100%;
-	min-height: 160px;
-	display: flex;
-	align-items: center;
-	justify-content: center;
-	border-radius: var(--MI-radius);
-
-	&.light {
-		background: #eee;
-	}
-
-	&.dark {
-		background: #222;
-	}
+.decoration {
+	cursor: pointer;
+	padding: 16px 16px 28px 16px;
+	border-radius: 8px;
+	text-align: center;
+	font-size: 90%;
+	overflow: clip;
+	contain: content;
 }
 
-@container editor (min-width: 600px) {
-	.editorWrapper {
-		grid-template-columns: 200px 1fr;
-		grid-template-rows: 1fr;
-		gap: calc(var(--MI-margin) * 2);
-	}
-
-	.preview {
-		grid-template-columns: 1fr;
-		grid-template-rows: 1fr 1fr;
-	}
+.decorationName {
+	position: relative;
+	z-index: 10;
+	font-weight: bold;
+	margin-bottom: 20px;
 }
 </style>
diff --git a/packages/frontend/src/pages/settings/avatar-decoration.decoration.vue b/packages/frontend/src/pages/settings/avatar-decoration.decoration.vue
index f72a0b9383..3c9914b4e2 100644
--- a/packages/frontend/src/pages/settings/avatar-decoration.decoration.vue
+++ b/packages/frontend/src/pages/settings/avatar-decoration.decoration.vue
@@ -10,12 +10,12 @@ SPDX-License-Identifier: AGPL-3.0-only
 >
 	<div :class="$style.name"><MkCondensedLine :minScale="0.5">{{ decoration.name }}</MkCondensedLine></div>
 	<MkAvatar style="width: 60px; height: 60px;" :user="$i" :decorations="[{ url: decoration.url, angle, flipH, offsetX, offsetY }]" forceShowDecoration/>
-	<i v-if="decoration.roleIdsThatCanBeUsedThisDecoration.length > 0 && !$i.roles.some(r => decoration.roleIdsThatCanBeUsedThisDecoration.includes(r.id))" :class="$style.lock" class="ti ti-lock"></i>
+	<i v-if="locked" :class="$style.lock" class="ti ti-lock"></i>
 </div>
 </template>
 
 <script lang="ts" setup>
-import { } from 'vue';
+import { computed } from 'vue';
 import { signinRequired } from '@/account.js';
 
 const $i = signinRequired();
@@ -37,6 +37,8 @@ const props = defineProps<{
 const emit = defineEmits<{
 	(ev: 'click'): void;
 }>();
+
+const locked = computed(() => props.decoration.roleIdsThatCanBeUsedThisDecoration.length > 0 && !$i.roles.some(r => props.decoration.roleIdsThatCanBeUsedThisDecoration.includes(r.id)));
 </script>
 
 <style lang="scss" module>
@@ -67,5 +69,6 @@ const emit = defineEmits<{
 	position: absolute;
 	bottom: 12px;
 	right: 12px;
+	color: var(--MI_THEME-warn);
 }
 </style>
diff --git a/packages/frontend/src/pages/settings/avatar-decoration.dialog.vue b/packages/frontend/src/pages/settings/avatar-decoration.dialog.vue
index 853e536ea3..aa899ac649 100644
--- a/packages/frontend/src/pages/settings/avatar-decoration.dialog.vue
+++ b/packages/frontend/src/pages/settings/avatar-decoration.dialog.vue
@@ -38,7 +38,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 		<div :class="$style.footer" class="_buttonsCenter">
 			<MkButton v-if="usingIndex != null" primary rounded @click="update"><i class="ti ti-check"></i> {{ i18n.ts.update }}</MkButton>
 			<MkButton v-if="usingIndex != null" rounded @click="detach"><i class="ti ti-x"></i> {{ i18n.ts.detach }}</MkButton>
-			<MkButton v-else :disabled="exceeded" primary rounded @click="attach"><i class="ti ti-check"></i> {{ i18n.ts.attach }}</MkButton>
+			<MkButton v-else :disabled="exceeded || locked" primary rounded @click="attach"><i class="ti ti-check"></i> {{ i18n.ts.attach }}</MkButton>
 		</div>
 	</div>
 </MkModalWindow>
@@ -61,6 +61,7 @@ const props = defineProps<{
 		id: string;
 		url: string;
 		name: string;
+		roleIdsThatCanBeUsedThisDecoration: string[];
 	};
 }>();
 
@@ -83,6 +84,7 @@ const emit = defineEmits<{
 
 const dialog = shallowRef<InstanceType<typeof MkModalWindow>>();
 const exceeded = computed(() => ($i.policies.avatarDecorationLimit - $i.avatarDecorations.length) <= 0);
+const locked = computed(() => props.decoration.roleIdsThatCanBeUsedThisDecoration.length > 0 && !$i.roles.some(r => props.decoration.roleIdsThatCanBeUsedThisDecoration.includes(r.id)));
 const angle = ref((props.usingIndex != null ? $i.avatarDecorations[props.usingIndex].angle : null) ?? 0);
 const flipH = ref((props.usingIndex != null ? $i.avatarDecorations[props.usingIndex].flipH : null) ?? false);
 const offsetX = ref((props.usingIndex != null ? $i.avatarDecorations[props.usingIndex].offsetX : null) ?? 0);
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 61de8b8c7e..061b533b72 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -121,6 +121,9 @@ type AdminAnnouncementsUpdateRequest = operations['admin___announcements___updat
 // @public (undocumented)
 type AdminAvatarDecorationsCreateRequest = operations['admin___avatar-decorations___create']['requestBody']['content']['application/json'];
 
+// @public (undocumented)
+type AdminAvatarDecorationsCreateResponse = operations['admin___avatar-decorations___create']['responses']['200']['content']['application/json'];
+
 // @public (undocumented)
 type AdminAvatarDecorationsDeleteRequest = operations['admin___avatar-decorations___delete']['requestBody']['content']['application/json'];
 
@@ -1253,6 +1256,7 @@ declare namespace entities {
         AdminAnnouncementsListResponse,
         AdminAnnouncementsUpdateRequest,
         AdminAvatarDecorationsCreateRequest,
+        AdminAvatarDecorationsCreateResponse,
         AdminAvatarDecorationsDeleteRequest,
         AdminAvatarDecorationsListRequest,
         AdminAvatarDecorationsListResponse,
diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts
index d0367d8496..5e6bc0a99c 100644
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@@ -31,6 +31,7 @@ import type {
 	AdminAnnouncementsListResponse,
 	AdminAnnouncementsUpdateRequest,
 	AdminAvatarDecorationsCreateRequest,
+	AdminAvatarDecorationsCreateResponse,
 	AdminAvatarDecorationsDeleteRequest,
 	AdminAvatarDecorationsListRequest,
 	AdminAvatarDecorationsListResponse,
@@ -597,7 +598,7 @@ export type Endpoints = {
 	'admin/announcements/delete': { req: AdminAnnouncementsDeleteRequest; res: EmptyResponse };
 	'admin/announcements/list': { req: AdminAnnouncementsListRequest; res: AdminAnnouncementsListResponse };
 	'admin/announcements/update': { req: AdminAnnouncementsUpdateRequest; res: EmptyResponse };
-	'admin/avatar-decorations/create': { req: AdminAvatarDecorationsCreateRequest; res: EmptyResponse };
+	'admin/avatar-decorations/create': { req: AdminAvatarDecorationsCreateRequest; res: AdminAvatarDecorationsCreateResponse };
 	'admin/avatar-decorations/delete': { req: AdminAvatarDecorationsDeleteRequest; res: EmptyResponse };
 	'admin/avatar-decorations/list': { req: AdminAvatarDecorationsListRequest; res: AdminAvatarDecorationsListResponse };
 	'admin/avatar-decorations/update': { req: AdminAvatarDecorationsUpdateRequest; res: EmptyResponse };
diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts
index ced87c4c7e..f3ddf64481 100644
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@@ -34,6 +34,7 @@ export type AdminAnnouncementsListRequest = operations['admin___announcements___
 export type AdminAnnouncementsListResponse = operations['admin___announcements___list']['responses']['200']['content']['application/json'];
 export type AdminAnnouncementsUpdateRequest = operations['admin___announcements___update']['requestBody']['content']['application/json'];
 export type AdminAvatarDecorationsCreateRequest = operations['admin___avatar-decorations___create']['requestBody']['content']['application/json'];
+export type AdminAvatarDecorationsCreateResponse = operations['admin___avatar-decorations___create']['responses']['200']['content']['application/json'];
 export type AdminAvatarDecorationsDeleteRequest = operations['admin___avatar-decorations___delete']['requestBody']['content']['application/json'];
 export type AdminAvatarDecorationsListRequest = operations['admin___avatar-decorations___list']['requestBody']['content']['application/json'];
 export type AdminAvatarDecorationsListResponse = operations['admin___avatar-decorations___list']['responses']['200']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 560960f018..a5333d4f93 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -6324,9 +6324,22 @@ export type operations = {
       };
     };
     responses: {
-      /** @description OK (without any results) */
-      204: {
-        content: never;
+      /** @description OK (with results) */
+      200: {
+        content: {
+          'application/json': {
+            /** Format: id */
+            id: string;
+            /** Format: date-time */
+            createdAt: string;
+            /** Format: date-time */
+            updatedAt: string | null;
+            name: string;
+            description: string;
+            url: string;
+            roleIdsThatCanBeUsedThisDecoration: string[];
+          };
+        };
       };
       /** @description Client error */
       400: {
-- 
cgit v1.2.3-freya


From 8477909af208b7e0f3ce9357350be6b0a0fc783d Mon Sep 17 00:00:00 2001
From: Kio! <im@kio.moe>
Date: Sun, 3 Nov 2024 19:50:25 +0000
Subject: Update report-abuse.ts

---
 packages/backend/src/server/api/endpoints/users/report-abuse.ts | 4 ----
 1 file changed, 4 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/users/report-abuse.ts b/packages/backend/src/server/api/endpoints/users/report-abuse.ts
index 5ff6de37d2..38ded8ee1e 100644
--- a/packages/backend/src/server/api/endpoints/users/report-abuse.ts
+++ b/packages/backend/src/server/api/endpoints/users/report-abuse.ts
@@ -66,10 +66,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new ApiError(meta.errors.cannotReportYourself);
 			}
 
-			if (await this.roleService.isAdministrator(targetUser)) {
-				throw new ApiError(meta.errors.cannotReportAdmin);
-			}
-
 			await this.abuseReportService.report([{
 				targetUserId: targetUser.id,
 				targetUserHost: targetUser.host,
-- 
cgit v1.2.3-freya


From b1c82213a320dd7c83f8b2e742406646ef18ff1c Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Wed, 6 Nov 2024 22:01:21 +0900
Subject: fix(backend):
 FTT無効時にユーザーリストタイムラインが使用できない問題を修正 (#14878)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: return getfromdb when FanoutTimeline is not enabled

* Update Changelog

* fix

---------

Co-authored-by: Lhc_fl <lhcfl@outlook.com>
---
 CHANGELOG.md                                                          | 2 ++
 packages/backend/src/server/api/endpoints/notes/user-list-timeline.ts | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0309f338f1..1740d0171e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,8 @@
   (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/706)
 - Fix: 連合への配信時に、acctの大小文字が区別されてしまい正しくメンションが処理されないことがある問題を修正  
   (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/711)
+- Fix: FTT無効時にユーザーリストタイムラインが使用できない問題を修正  
+  (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/709)
 
 ### Misskey.js
 - Fix: Stream初期化時、別途WebSocketを指定する場合の型定義を修正
diff --git a/packages/backend/src/server/api/endpoints/notes/user-list-timeline.ts b/packages/backend/src/server/api/endpoints/notes/user-list-timeline.ts
index 6c7185c9eb..87f9b322a6 100644
--- a/packages/backend/src/server/api/endpoints/notes/user-list-timeline.ts
+++ b/packages/backend/src/server/api/endpoints/notes/user-list-timeline.ts
@@ -112,7 +112,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 				this.activeUsersChart.read(me);
 
-				await this.noteEntityService.packMany(timeline, me);
+				return await this.noteEntityService.packMany(timeline, me);
 			}
 
 			const timeline = await this.fanoutTimelineEndpointService.timeline({
-- 
cgit v1.2.3-freya


From bca690f256721815fb1c918c1f66a2172f4fcf40 Mon Sep 17 00:00:00 2001
From: 4ster1sk <146138447+4ster1sk@users.noreply.github.com>
Date: Thu, 7 Nov 2024 15:10:10 +0900
Subject: fix(backend): フォロワーへのメッセージの絵文字をemojisに含めるように
 (#14904)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/backend/src/server/api/endpoints/i/update.ts | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 2183beac7c..d91e2fef4b 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -465,6 +465,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const newName = updates.name === undefined ? user.name : updates.name;
 			const newDescription = profileUpdates.description === undefined ? profile.description : profileUpdates.description;
 			const newFields = profileUpdates.fields === undefined ? profile.fields : profileUpdates.fields;
+			const newFollowedMessage = profileUpdates.description === undefined ? profile.followedMessage : profileUpdates.followedMessage;
 
 			if (newName != null) {
 				let hasProhibitedWords = false;
@@ -494,6 +495,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				]);
 			}
 
+			if (newFollowedMessage != null) {
+				const tokens = mfm.parse(newFollowedMessage);
+				emojis = emojis.concat(extractCustomEmojisFromMfm(tokens));
+			}
+
 			updates.emojis = emojis;
 			updates.tags = tags;
 
-- 
cgit v1.2.3-freya


From 794cb9ffe205b1e2ca838978f80d2d6a35f17f77 Mon Sep 17 00:00:00 2001
From: 4ster1sk <146138447+4ster1sk@users.noreply.github.com>
Date: Thu, 7 Nov 2024 17:16:51 +0900
Subject: fix(backend): followedMessageではなくdescriptionになっていたのを修正
 (#14908)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 packages/backend/src/server/api/endpoints/i/update.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index d91e2fef4b..d3eeb75b27 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -465,7 +465,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			const newName = updates.name === undefined ? user.name : updates.name;
 			const newDescription = profileUpdates.description === undefined ? profile.description : profileUpdates.description;
 			const newFields = profileUpdates.fields === undefined ? profile.fields : profileUpdates.fields;
-			const newFollowedMessage = profileUpdates.description === undefined ? profile.followedMessage : profileUpdates.followedMessage;
+			const newFollowedMessage = profileUpdates.followedMessage === undefined ? profile.followedMessage : profileUpdates.followedMessage;
 
 			if (newName != null) {
 				let hasProhibitedWords = false;
-- 
cgit v1.2.3-freya


From ec875d9c40d517a788a450f3b68bd589adcde5ba Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 8 Nov 2024 16:09:02 +0000
Subject: fix merge mistakes in `admin/accounts/create.ts`

---
 packages/backend/src/server/api/endpoints/admin/accounts/create.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
index d5d2e909a2..53b1c4c4ec 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/create.ts
@@ -3,8 +3,9 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
+import type { UsersRepository } from '@/models/_.js';
 import { MiAccessToken, MiUser } from '@/models/_.js';
 import { SignupService } from '@/core/SignupService.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
@@ -15,7 +16,6 @@ import type { Config } from '@/config.js';
 import { ApiError } from '@/server/api/error.js';
 import { Packed } from '@/misc/json-schema.js';
 import { RoleService } from '@/core/RoleService.js';
-import { ApiError } from '@/server/api/error.js';
 
 export const meta = {
 	tags: ['admin'],
-- 
cgit v1.2.3-freya


From 0a15ffba55054bc4446339948198049ce7a54974 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 8 Nov 2024 17:53:34 +0000
Subject: remove duplicate import

---
 packages/backend/src/server/api/SigninApiService.ts | 1 -
 1 file changed, 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 1e7a2e80ef..2945384e14 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -30,7 +30,6 @@ import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
 import { isSystemAccount } from '@/misc/is-system-account.js';
-import type { MiMeta } from '@/models/_.js';
 
 @Injectable()
 export class SigninApiService {
-- 
cgit v1.2.3-freya


From 03559156b923ce5e337c998868f4fe12acfb7f14 Mon Sep 17 00:00:00 2001
From: Caramel <caramel@sylveon.social>
Date: Sat, 9 Nov 2024 00:32:03 +0100
Subject: Improve performance of notes/following API

---
 .../src/server/api/endpoints/notes/following.ts        | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/notes/following.ts b/packages/backend/src/server/api/endpoints/notes/following.ts
index b6604b9798..f8e9e5c4a1 100644
--- a/packages/backend/src/server/api/endpoints/notes/following.ts
+++ b/packages/backend/src/server/api/endpoints/notes/following.ts
@@ -103,6 +103,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 							sub.andWhere('latest.is_quote = false');
 						}
 
+						// Select the appropriate collection of users
+						if (ps.list === 'followers') {
+							addFollower(sub);
+						} else if (ps.list === 'following') {
+							addFollowee(sub);
+						} else {
+							addMutual(sub);
+						}
+
 						return sub;
 					},
 					'latest',
@@ -118,15 +127,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				.leftJoinAndSelect('note.channel', 'channel')
 			;
 
-			// Select the appropriate collection of users
-			if (ps.list === 'followers') {
-				addFollower(query);
-			} else if (ps.list === 'following') {
-				addFollowee(query);
-			} else {
-				addMutual(query);
-			}
-
 			// Limit to files, if requested
 			if (ps.filesOnly) {
 				query.andWhere('note."fileIds" != \'{}\'');
-- 
cgit v1.2.3-freya


From c0d168260482caa974e3fc9e084b121fc32e8ec4 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Fri, 15 Nov 2024 17:30:54 +0900
Subject: feat: 送信したフォローリクエストを確認できるように (#14856)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* FEAT: Allow users to view pending follow requests they sent

This commit implements the `following/requests/sent` interface firstly
implemented on Firefish, and provides a UI interface to view the pending
follow requests users sent.

* ux: should not show follow requests tab when have no pending sent follow req

* fix default followreq tab

* fix default followreq tab

* restore missing hasPendingReceivedFollowRequest in navbar

* refactor

* use tabler icons

* tweak design

* Revert "ux: should not show follow requests tab when have no pending sent follow req"

This reverts commit e580b92c37f27c2849c6d27e22ca4c47086081bb.

* Update Changelog

* Update Changelog

* change tab titles

---------

Co-authored-by: Lhc_fl <lhcfl@outlook.com>
Co-authored-by: Hazelnoot <acomputerdog@gmail.com>
---
 CHANGELOG.md                                       |   2 +
 locales/index.d.ts                                 |  10 ++
 locales/ja-JP.yml                                  |   4 +
 packages/backend/src/server/api/EndpointsModule.ts |   3 +
 packages/backend/src/server/api/endpoints.ts       |   2 +
 .../api/endpoints/following/requests/sent.ts       |  77 +++++++++++++++
 .../frontend/src/components/MkFollowButton.vue     |  10 +-
 packages/frontend/src/navbar.ts                    |   1 -
 packages/frontend/src/pages/follow-requests.vue    | 105 ++++++++++++++-------
 packages/misskey-js/etc/misskey-js.api.md          |   8 ++
 packages/misskey-js/src/autogen/apiClientJSDoc.ts  |  11 +++
 packages/misskey-js/src/autogen/endpoint.ts        |   3 +
 packages/misskey-js/src/autogen/entities.ts        |   2 +
 packages/misskey-js/src/autogen/types.ts           |  72 ++++++++++++++
 14 files changed, 272 insertions(+), 38 deletions(-)
 create mode 100644 packages/backend/src/server/api/endpoints/following/requests/sent.ts

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index fcbfed5900..232d52d7e1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -24,6 +24,8 @@
 - Enhance: カタルーニャ語 (ca-ES) に対応
 - Enhance: 個別お知らせページではMetaタグを出力するように
 - Enhance: ノート詳細画面にロールのバッジを表示
+- Enhance: 過去に送信したフォローリクエストを確認できるように  
+  (Based on https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/663)
 - Fix: 通知の範囲指定の設定項目が必要ない通知設定でも範囲指定の設定がでている問題を修正
 - Fix: Turnstileが失敗・期限切れした際にも成功扱いとなってしまう問題を修正  
   (Cherry-picked from https://github.com/MisskeyIO/misskey/pull/768)
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 440f24ac84..18fbfd15f0 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -10579,6 +10579,16 @@ export interface Locale extends ILocale {
          */
         "description3": ParameterizedString<"link">;
     };
+    "_followRequest": {
+        /**
+         * 受け取った申請
+         */
+        "recieved": string;
+        /**
+         * 送った申請
+         */
+        "sent": string;
+    };
 }
 declare const locales: {
     [lang: string]: Locale;
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index 5d8e1a5e72..439ae708c5 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -2819,3 +2819,7 @@ _selfXssPrevention:
   description1: "ここに何かを貼り付けると、悪意のあるユーザーにアカウントを乗っ取られたり、個人情報を盗まれたりする可能性があります。"
   description2: "貼り付けようとしているものが何なのかを正確に理解していない場合は、%c今すぐ作業を中止してこのウィンドウを閉じてください。"
   description3: "詳しくはこちらをご確認ください。 {link}"
+
+_followRequest:
+  recieved: "受け取った申請"
+  sent: "送った申請"
diff --git a/packages/backend/src/server/api/EndpointsModule.ts b/packages/backend/src/server/api/EndpointsModule.ts
index 3557fa40a5..5bb194313d 100644
--- a/packages/backend/src/server/api/EndpointsModule.ts
+++ b/packages/backend/src/server/api/EndpointsModule.ts
@@ -187,6 +187,7 @@ import * as ep___following_invalidate from './endpoints/following/invalidate.js'
 import * as ep___following_requests_accept from './endpoints/following/requests/accept.js';
 import * as ep___following_requests_cancel from './endpoints/following/requests/cancel.js';
 import * as ep___following_requests_list from './endpoints/following/requests/list.js';
+import * as ep___following_requests_sent from './endpoints/following/requests/sent.js';
 import * as ep___following_requests_reject from './endpoints/following/requests/reject.js';
 import * as ep___gallery_featured from './endpoints/gallery/featured.js';
 import * as ep___gallery_popular from './endpoints/gallery/popular.js';
@@ -574,6 +575,7 @@ const $following_invalidate: Provider = { provide: 'ep:following/invalidate', us
 const $following_requests_accept: Provider = { provide: 'ep:following/requests/accept', useClass: ep___following_requests_accept.default };
 const $following_requests_cancel: Provider = { provide: 'ep:following/requests/cancel', useClass: ep___following_requests_cancel.default };
 const $following_requests_list: Provider = { provide: 'ep:following/requests/list', useClass: ep___following_requests_list.default };
+const $following_requests_sent: Provider = { provide: 'ep:following/requests/sent', useClass: ep___following_requests_sent.default };
 const $following_requests_reject: Provider = { provide: 'ep:following/requests/reject', useClass: ep___following_requests_reject.default };
 const $gallery_featured: Provider = { provide: 'ep:gallery/featured', useClass: ep___gallery_featured.default };
 const $gallery_popular: Provider = { provide: 'ep:gallery/popular', useClass: ep___gallery_popular.default };
@@ -965,6 +967,7 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$following_requests_accept,
 		$following_requests_cancel,
 		$following_requests_list,
+		$following_requests_sent,
 		$following_requests_reject,
 		$gallery_featured,
 		$gallery_popular,
diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
index 49b07d6ced..15809b2678 100644
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@@ -193,6 +193,7 @@ import * as ep___following_invalidate from './endpoints/following/invalidate.js'
 import * as ep___following_requests_accept from './endpoints/following/requests/accept.js';
 import * as ep___following_requests_cancel from './endpoints/following/requests/cancel.js';
 import * as ep___following_requests_list from './endpoints/following/requests/list.js';
+import * as ep___following_requests_sent from './endpoints/following/requests/sent.js';
 import * as ep___following_requests_reject from './endpoints/following/requests/reject.js';
 import * as ep___gallery_featured from './endpoints/gallery/featured.js';
 import * as ep___gallery_popular from './endpoints/gallery/popular.js';
@@ -578,6 +579,7 @@ const eps = [
 	['following/requests/accept', ep___following_requests_accept],
 	['following/requests/cancel', ep___following_requests_cancel],
 	['following/requests/list', ep___following_requests_list],
+	['following/requests/sent', ep___following_requests_sent],
 	['following/requests/reject', ep___following_requests_reject],
 	['gallery/featured', ep___gallery_featured],
 	['gallery/popular', ep___gallery_popular],
diff --git a/packages/backend/src/server/api/endpoints/following/requests/sent.ts b/packages/backend/src/server/api/endpoints/following/requests/sent.ts
new file mode 100644
index 0000000000..6325f01bb8
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/following/requests/sent.ts
@@ -0,0 +1,77 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable } from '@nestjs/common';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { QueryService } from '@/core/QueryService.js';
+import type { FollowRequestsRepository } from '@/models/_.js';
+import { FollowRequestEntityService } from '@/core/entities/FollowRequestEntityService.js';
+import { DI } from '@/di-symbols.js';
+
+export const meta = {
+	tags: ['following', 'account'],
+
+	requireCredential: true,
+
+	kind: 'read:following',
+
+	res: {
+		type: 'array',
+		optional: false, nullable: false,
+		items: {
+			type: 'object',
+			optional: false, nullable: false,
+			properties: {
+				id: {
+					type: 'string',
+					optional: false, nullable: false,
+					format: 'id',
+				},
+				follower: {
+					type: 'object',
+					optional: false, nullable: false,
+					ref: 'UserLite',
+				},
+				followee: {
+					type: 'object',
+					optional: false, nullable: false,
+					ref: 'UserLite',
+				},
+			},
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		sinceId: { type: 'string', format: 'misskey:id' },
+		untilId: { type: 'string', format: 'misskey:id' },
+		limit: { type: 'integer', minimum: 1, maximum: 100, default: 10 },
+	},
+	required: [],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.followRequestsRepository)
+		private followRequestsRepository: FollowRequestsRepository,
+
+		private followRequestEntityService: FollowRequestEntityService,
+		private queryService: QueryService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const query = this.queryService.makePaginationQuery(this.followRequestsRepository.createQueryBuilder('request'), ps.sinceId, ps.untilId)
+				.andWhere('request.followerId = :meId', { meId: me.id });
+
+			const requests = await query
+				.limit(ps.limit)
+				.getMany();
+
+			return await this.followRequestEntityService.packMany(requests, me);
+		});
+	}
+}
diff --git a/packages/frontend/src/components/MkFollowButton.vue b/packages/frontend/src/components/MkFollowButton.vue
index cc07175907..c1dc67f776 100644
--- a/packages/frontend/src/components/MkFollowButton.vue
+++ b/packages/frontend/src/components/MkFollowButton.vue
@@ -91,7 +91,10 @@ async function onClick() {
 				text: i18n.tsx.unfollowConfirm({ name: props.user.name || props.user.username }),
 			});
 
-			if (canceled) return;
+			if (canceled) {
+				wait.value = false;
+				return;
+			}
 
 			await misskeyApi('following/delete', {
 				userId: props.user.id,
@@ -125,7 +128,10 @@ async function onClick() {
 				});
 				hasPendingFollowRequestFromYou.value = true;
 
-				if ($i == null) return;
+				if ($i == null) {
+					wait.value = false;
+					return;
+				}
 
 				claimAchievement('following1');
 
diff --git a/packages/frontend/src/navbar.ts b/packages/frontend/src/navbar.ts
index ac730f8021..096d404a57 100644
--- a/packages/frontend/src/navbar.ts
+++ b/packages/frontend/src/navbar.ts
@@ -40,7 +40,6 @@ export const navbarItemDef = reactive({
 	followRequests: {
 		title: i18n.ts.followRequests,
 		icon: 'ti ti-user-plus',
-		show: computed(() => $i != null && $i.isLocked),
 		indicated: computed(() => $i != null && $i.hasPendingReceivedFollowRequest),
 		to: '/my/follow-requests',
 	},
diff --git a/packages/frontend/src/pages/follow-requests.vue b/packages/frontend/src/pages/follow-requests.vue
index a840d0d0b3..8688863c2c 100644
--- a/packages/frontend/src/pages/follow-requests.vue
+++ b/packages/frontend/src/pages/follow-requests.vue
@@ -5,69 +5,104 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <template>
 <MkStickyContainer>
-	<template #header><MkPageHeader/></template>
+	<template #header><MkPageHeader v-model:tab="tab" :actions="headerActions" :tabs="headerTabs"/></template>
 	<MkSpacer :contentMax="800">
-		<MkPagination ref="paginationComponent" :pagination="pagination">
-			<template #empty>
-				<div class="_fullinfo">
-					<img :src="infoImageUrl" class="_ghost"/>
-					<div>{{ i18n.ts.noFollowRequests }}</div>
-				</div>
-			</template>
-			<template #default="{items}">
-				<div class="mk-follow-requests">
-					<div v-for="req in items" :key="req.id" class="user _panel">
-						<MkAvatar class="avatar" :user="req.follower" indicator link preview/>
-						<div class="body">
-							<div class="name">
-								<MkA v-user-preview="req.follower.id" class="name" :to="userPage(req.follower)"><MkUserName :user="req.follower"/></MkA>
-								<p class="acct">@{{ acct(req.follower) }}</p>
-							</div>
-							<div class="commands">
-								<MkButton class="command" rounded primary @click="accept(req.follower)"><i class="ti ti-check"/> {{ i18n.ts.accept }}</MkButton>
-								<MkButton class="command" rounded danger @click="reject(req.follower)"><i class="ti ti-x"/> {{ i18n.ts.reject }}</MkButton>
+		<MkHorizontalSwipe v-model:tab="tab" :tabs="headerTabs">
+			<div :key="tab" class="_gaps">
+				<MkPagination ref="paginationComponent" :pagination="pagination">
+					<template #empty>
+						<div class="_fullinfo">
+							<img :src="infoImageUrl" class="_ghost"/>
+							<div>{{ i18n.ts.noFollowRequests }}</div>
+						</div>
+					</template>
+					<template #default="{items}">
+						<div class="mk-follow-requests">
+							<div v-for="req in items" :key="req.id" class="user _panel">
+								<MkAvatar class="avatar" :user="displayUser(req)" indicator link preview/>
+								<div class="body">
+									<div class="name">
+										<MkA v-user-preview="displayUser(req).id" class="name" :to="userPage(displayUser(req))"><MkUserName :user="displayUser(req)"/></MkA>
+										<p class="acct">@{{ acct(displayUser(req)) }}</p>
+									</div>
+									<div v-if="tab === 'list'" class="commands">
+										<MkButton class="command" rounded primary @click="accept(displayUser(req))"><i class="ti ti-check"/> {{ i18n.ts.accept }}</MkButton>
+										<MkButton class="command" rounded danger @click="reject(displayUser(req))"><i class="ti ti-x"/> {{ i18n.ts.reject }}</MkButton>
+									</div>
+									<div v-else class="commands">
+										<MkButton class="command" rounded danger @click="cancel(displayUser(req))"><i class="ti ti-x"/> {{ i18n.ts.cancel }}</MkButton>
+									</div>
+								</div>
 							</div>
 						</div>
-					</div>
-				</div>
-			</template>
-		</MkPagination>
+					</template>
+				</MkPagination>
+			</div>
+		</MkHorizontalSwipe>
 	</MkSpacer>
 </MkStickyContainer>
 </template>
 
 <script lang="ts" setup>
-import { shallowRef, computed } from 'vue';
-import MkPagination from '@/components/MkPagination.vue';
+import * as Misskey from 'misskey-js';
+import { shallowRef, computed, ref } from 'vue';
+import MkPagination, { type Paging } from '@/components/MkPagination.vue';
 import MkButton from '@/components/MkButton.vue';
 import { userPage, acct } from '@/filters/user.js';
-import { misskeyApi } from '@/scripts/misskey-api.js';
+import * as os from '@/os.js';
 import { i18n } from '@/i18n.js';
 import { definePageMetadata } from '@/scripts/page-metadata.js';
 import { infoImageUrl } from '@/instance.js';
+import { $i } from '@/account.js';
+import MkHorizontalSwipe from '@/components/MkHorizontalSwipe.vue';
 
 const paginationComponent = shallowRef<InstanceType<typeof MkPagination>>();
 
-const pagination = {
-	endpoint: 'following/requests/list' as const,
+const pagination = computed<Paging>(() => tab.value === 'list' ? {
+	endpoint: 'following/requests/list',
+	limit: 10,
+} : {
+	endpoint: 'following/requests/sent',
 	limit: 10,
-};
+});
 
-function accept(user) {
-	misskeyApi('following/requests/accept', { userId: user.id }).then(() => {
+function accept(user: Misskey.entities.UserLite) {
+	os.apiWithDialog('following/requests/accept', { userId: user.id }).then(() => {
 		paginationComponent.value?.reload();
 	});
 }
 
-function reject(user) {
-	misskeyApi('following/requests/reject', { userId: user.id }).then(() => {
+function reject(user: Misskey.entities.UserLite) {
+	os.apiWithDialog('following/requests/reject', { userId: user.id }).then(() => {
 		paginationComponent.value?.reload();
 	});
 }
 
+function cancel(user: Misskey.entities.UserLite) {
+	os.apiWithDialog('following/requests/cancel', { userId: user.id }).then(() => {
+		paginationComponent.value?.reload();
+	});
+}
+
+function displayUser(req) {
+	return tab.value === 'list' ? req.follower : req.followee;
+}
+
 const headerActions = computed(() => []);
 
-const headerTabs = computed(() => []);
+const headerTabs = computed(() => [
+	{
+		key: 'list',
+		title: i18n.ts._followRequest.recieved,
+		icon: 'ti ti-mail',
+	}, {
+		key: 'sent',
+		title: i18n.ts._followRequest.sent,
+		icon: 'ti ti-send',
+	},
+]);
+
+const tab = ref($i?.isLocked ? 'list' : 'sent');
 
 definePageMetadata(() => ({
 	title: i18n.ts.followRequests,
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 061b533b72..01a3dbbb30 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -1504,6 +1504,8 @@ declare namespace entities {
         FollowingRequestsCancelResponse,
         FollowingRequestsListRequest,
         FollowingRequestsListResponse,
+        FollowingRequestsSentRequest,
+        FollowingRequestsSentResponse,
         FollowingRequestsRejectRequest,
         GalleryFeaturedRequest,
         GalleryFeaturedResponse,
@@ -2018,6 +2020,12 @@ type FollowingRequestsListResponse = operations['following___requests___list']['
 // @public (undocumented)
 type FollowingRequestsRejectRequest = operations['following___requests___reject']['requestBody']['content']['application/json'];
 
+// @public (undocumented)
+type FollowingRequestsSentRequest = operations['following___requests___sent']['requestBody']['content']['application/json'];
+
+// @public (undocumented)
+type FollowingRequestsSentResponse = operations['following___requests___sent']['responses']['200']['content']['application/json'];
+
 // @public (undocumented)
 type FollowingUpdateAllRequest = operations['following___update-all']['requestBody']['content']['application/json'];
 
diff --git a/packages/misskey-js/src/autogen/apiClientJSDoc.ts b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
index e2c7cbba52..1837f3db4f 100644
--- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts
+++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
@@ -2008,6 +2008,17 @@ declare module '../api.js' {
       credential?: string | null,
     ): Promise<SwitchCaseResponseType<E, P>>;
 
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *read:following*
+     */
+    request<E extends 'following/requests/sent', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
     /**
      * No description provided.
      * 
diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts
index 5e6bc0a99c..cb1f4dbe96 100644
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@@ -279,6 +279,8 @@ import type {
 	FollowingRequestsCancelResponse,
 	FollowingRequestsListRequest,
 	FollowingRequestsListResponse,
+	FollowingRequestsSentRequest,
+	FollowingRequestsSentResponse,
 	FollowingRequestsRejectRequest,
 	GalleryFeaturedRequest,
 	GalleryFeaturedResponse,
@@ -761,6 +763,7 @@ export type Endpoints = {
 	'following/requests/accept': { req: FollowingRequestsAcceptRequest; res: EmptyResponse };
 	'following/requests/cancel': { req: FollowingRequestsCancelRequest; res: FollowingRequestsCancelResponse };
 	'following/requests/list': { req: FollowingRequestsListRequest; res: FollowingRequestsListResponse };
+	'following/requests/sent': { req: FollowingRequestsSentRequest; res: FollowingRequestsSentResponse };
 	'following/requests/reject': { req: FollowingRequestsRejectRequest; res: EmptyResponse };
 	'gallery/featured': { req: GalleryFeaturedRequest; res: GalleryFeaturedResponse };
 	'gallery/popular': { req: EmptyRequest; res: GalleryPopularResponse };
diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts
index f3ddf64481..a8f474c25c 100644
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@@ -282,6 +282,8 @@ export type FollowingRequestsCancelRequest = operations['following___requests___
 export type FollowingRequestsCancelResponse = operations['following___requests___cancel']['responses']['200']['content']['application/json'];
 export type FollowingRequestsListRequest = operations['following___requests___list']['requestBody']['content']['application/json'];
 export type FollowingRequestsListResponse = operations['following___requests___list']['responses']['200']['content']['application/json'];
+export type FollowingRequestsSentRequest = operations['following___requests___sent']['requestBody']['content']['application/json'];
+export type FollowingRequestsSentResponse = operations['following___requests___sent']['responses']['200']['content']['application/json'];
 export type FollowingRequestsRejectRequest = operations['following___requests___reject']['requestBody']['content']['application/json'];
 export type GalleryFeaturedRequest = operations['gallery___featured']['requestBody']['content']['application/json'];
 export type GalleryFeaturedResponse = operations['gallery___featured']['responses']['200']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index a5333d4f93..280abba727 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -1753,6 +1753,15 @@ export type paths = {
      */
     post: operations['following___requests___list'];
   };
+  '/following/requests/sent': {
+    /**
+     * following/requests/sent
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *read:following*
+     */
+    post: operations['following___requests___sent'];
+  };
   '/following/requests/reject': {
     /**
      * following/requests/reject
@@ -16040,6 +16049,69 @@ export type operations = {
       };
     };
   };
+  /**
+   * following/requests/sent
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *read:following*
+   */
+  following___requests___sent: {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** Format: misskey:id */
+          sinceId?: string;
+          /** Format: misskey:id */
+          untilId?: string;
+          /** @default 10 */
+          limit?: number;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (with results) */
+      200: {
+        content: {
+          'application/json': {
+              /** Format: id */
+              id: string;
+              follower: components['schemas']['UserLite'];
+              followee: components['schemas']['UserLite'];
+            }[];
+        };
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
   /**
    * following/requests/reject
    * @description No description provided.
-- 
cgit v1.2.3-freya


From eaad96aae30d0e1ab1ae05b5c0fef908cd002d79 Mon Sep 17 00:00:00 2001
From: piuvas <piuvas@proton.me>
Date: Fri, 15 Nov 2024 13:40:53 -0300
Subject: edit query

---
 packages/backend/src/server/api/endpoints/emojis.ts | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/emojis.ts b/packages/backend/src/server/api/endpoints/emojis.ts
index 46ef4eca1b..8054de3d95 100644
--- a/packages/backend/src/server/api/endpoints/emojis.ts
+++ b/packages/backend/src/server/api/endpoints/emojis.ts
@@ -50,16 +50,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		private emojiEntityService: EmojiEntityService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
-			const emojis = await this.emojisRepository.find({
-				where: {
-					host: IsNull(),
-				},
-				order: {
-					category: 'ASC',
-					name: 'ASC',
-				},
-			});
-
+			const emojis = await this.emojisRepository.createQueryBuilder()
+				.where('host IS NULL')
+				.orderBy('LOWER(category)', 'ASC')
+				.orderBy('LOWER(name)', 'ASC')
+				.getMany()
 			return {
 				emojis: await this.emojiEntityService.packSimpleMany(emojis),
 			};
-- 
cgit v1.2.3-freya


From e800c0f85ad968dc1505463cc5e4cf0c8ea862fb Mon Sep 17 00:00:00 2001
From: "饺子w (Yumechi)" <35571479+eternal-flame-AD@users.noreply.github.com>
Date: Mon, 18 Nov 2024 19:29:42 -0600
Subject: fix(backend):
 お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正  (#14990)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(backend): アナウンスメントを作成ときに画像URLを後悔できないのを修正

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>

* Update CHANGELOG.md

Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>

---------

Signed-off-by: eternal-flame-AD <yume@yumechi.jp>
Co-authored-by: おさむのひと <46447427+samunohito@users.noreply.github.com>
---
 CHANGELOG.md                                                         | 1 +
 packages/backend/src/core/AnnouncementService.ts                     | 2 +-
 .../backend/src/server/api/endpoints/admin/announcements/create.ts   | 5 +++--
 3 files changed, 5 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9bafcebfa5..fe132a2098 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@
 ### General
 - Feat: コンテンツの表示にログインを必須にできるように
 - Feat: 過去のノートを非公開化/フォロワーのみ表示可能にできるように
+- Fix: お知らせ作成時に画像URL入力欄を空欄に変更できないのを修正 ( #14976 )
 - Enhance: 依存関係の更新
 - Enhance: l10nの更新
 
diff --git a/packages/backend/src/core/AnnouncementService.ts b/packages/backend/src/core/AnnouncementService.ts
index d4fcf19439..a9f6731977 100644
--- a/packages/backend/src/core/AnnouncementService.ts
+++ b/packages/backend/src/core/AnnouncementService.ts
@@ -72,7 +72,7 @@ export class AnnouncementService {
 			updatedAt: null,
 			title: values.title,
 			text: values.text,
-			imageUrl: values.imageUrl,
+			imageUrl: values.imageUrl || null,
 			icon: values.icon,
 			display: values.display,
 			forExistingUsers: values.forExistingUsers,
diff --git a/packages/backend/src/server/api/endpoints/admin/announcements/create.ts b/packages/backend/src/server/api/endpoints/admin/announcements/create.ts
index 2dae1df87d..b8bfda73a4 100644
--- a/packages/backend/src/server/api/endpoints/admin/announcements/create.ts
+++ b/packages/backend/src/server/api/endpoints/admin/announcements/create.ts
@@ -55,7 +55,7 @@ export const paramDef = {
 	properties: {
 		title: { type: 'string', minLength: 1 },
 		text: { type: 'string', minLength: 1 },
-		imageUrl: { type: 'string', nullable: true, minLength: 1 },
+		imageUrl: { type: 'string', nullable: true, minLength: 0 },
 		icon: { type: 'string', enum: ['info', 'warning', 'error', 'success'], default: 'info' },
 		display: { type: 'string', enum: ['normal', 'banner', 'dialog'], default: 'normal' },
 		forExistingUsers: { type: 'boolean', default: false },
@@ -76,7 +76,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				updatedAt: null,
 				title: ps.title,
 				text: ps.text,
-				imageUrl: ps.imageUrl,
+				/* eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing -- 空の文字列の場合、nullを渡すようにするため */
+				imageUrl: ps.imageUrl || null,
 				icon: ps.icon,
 				display: ps.display,
 				forExistingUsers: ps.forExistingUsers,
-- 
cgit v1.2.3-freya


From 763c708253161d67358a8e36c27af3b02d133298 Mon Sep 17 00:00:00 2001
From: "zawa-ch." <satellite.2e1834097@gmail.com>
Date: Tue, 19 Nov 2024 21:12:40 +0900
Subject: Fix(backend):
 アカウント削除のモデレーションログが動作していないのを修正 (#14996) (#14997)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* アカウント削除のモデレーションログが動作していないのを修正

* update CHANGELOG
---
 CHANGELOG.md                                                       | 1 +
 packages/backend/src/server/api/endpoints/admin/accounts/delete.ts | 2 +-
 packages/backend/src/server/api/endpoints/admin/delete-account.ts  | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 058e41c486..befe237b09 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -64,6 +64,7 @@
 - Fix: FTT無効時にユーザーリストタイムラインが使用できない問題を修正  
   (Cherry-picked from https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/709)
 - Fix: User Webhookテスト機能のMock Payloadを修正  
+- Fix: アカウント削除のモデレーションログが動作していないのを修正 (#14996)  
 
 ### Misskey.js
 - Fix: Stream初期化時、別途WebSocketを指定する場合の型定義を修正
diff --git a/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts b/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts
index 01dea703a3..ece1984cff 100644
--- a/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts
+++ b/packages/backend/src/server/api/endpoints/admin/accounts/delete.ts
@@ -46,7 +46,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new Error('cannot delete a root account');
 			}
 
-			await this.deleteAccoountService.deleteAccount(user);
+			await this.deleteAccoountService.deleteAccount(user, me);
 		});
 	}
 }
diff --git a/packages/backend/src/server/api/endpoints/admin/delete-account.ts b/packages/backend/src/server/api/endpoints/admin/delete-account.ts
index b6f0f22d60..9065a71f6a 100644
--- a/packages/backend/src/server/api/endpoints/admin/delete-account.ts
+++ b/packages/backend/src/server/api/endpoints/admin/delete-account.ts
@@ -33,13 +33,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 		private deleteAccountService: DeleteAccountService,
 	) {
-		super(meta, paramDef, async (ps) => {
+		super(meta, paramDef, async (ps, me) => {
 			const user = await this.usersRepository.findOneByOrFail({ id: ps.userId });
 			if (user.isDeleted) {
 				return;
 			}
 
-			await this.deleteAccountService.deleteAccount(user);
+			await this.deleteAccountService.deleteAccount(user, me);
 		});
 	}
 }
-- 
cgit v1.2.3-freya


From fb54546573f267701bd82175dc26a431518fb6c8 Mon Sep 17 00:00:00 2001
From: Julia Johannesen <julia@insertdomain.name>
Date: Wed, 20 Nov 2024 01:17:24 -0500
Subject: Fix linter error in emojis endpoint

---
 packages/backend/src/server/api/endpoints/emojis.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/emojis.ts b/packages/backend/src/server/api/endpoints/emojis.ts
index 8054de3d95..4dd3a2ed50 100644
--- a/packages/backend/src/server/api/endpoints/emojis.ts
+++ b/packages/backend/src/server/api/endpoints/emojis.ts
@@ -54,7 +54,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				.where('host IS NULL')
 				.orderBy('LOWER(category)', 'ASC')
 				.orderBy('LOWER(name)', 'ASC')
-				.getMany()
+				.getMany();
 			return {
 				emojis: await this.emojiEntityService.packSimpleMany(emojis),
 			};
-- 
cgit v1.2.3-freya


From 5f675201f261d5db6a58d3099a190372bb2f09f0 Mon Sep 17 00:00:00 2001
From: Julia <julia@insertdomain.name>
Date: Wed, 20 Nov 2024 18:20:09 -0500
Subject: Merge commit from fork

* enhance: Add a few validation fixes from Sharkey

See the original MR on the GitLab instance:
https://activitypub.software/TransFem-org/Sharkey/-/merge_requests/484

Co-Authored-By: Dakkar <dakkar@thenautilus.net>

* fix: primitive 2: acceptance of cross-origin alternate

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 3: validation of non-final url

* fix: primitive 4: missing same-origin identifier validation of collection-wrapped activities

* fix: primitives 5 & 8: reject activities with non
string identifiers

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 6: reject anonymous objects that were fetched by their id

* fix: primitives 9, 10 & 11: http signature validation
doesn't enforce required headers or specify auth header name

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 14: improper validation of outbox, followers, following & shared inbox collections

* fix: code style for primitive 14

* fix: primitive 15: improper same-origin validation for
note uri and url

Co-Authored-By: Laura Hausmann <laura@hausmann.dev>

* fix: primitive 16: improper same-origin validation for user uri and url

* fix: primitive 17: note same-origin identifier validation can be bypassed by wrapping the id in an array

* fix: code style for primitive 17

* fix: check attribution against actor in notes

While this isn't strictly required to fix the exploits at hand, this
mirrors the fix in `ApQuestionService` for GHSA-5h8r-gq97-xv69, as a
preemptive countermeasure.

* fix: primitive 18: `ap/get` bypasses access checks

One might argue that we could make this one actually preform access
checks against the returned activity object, but I feel like that's a
lot more work than just restricting it to administrators, since, to me
at least, it seems more like a debugging tool than anything else.

* fix: primitive 19 & 20: respect blocks and hide more

Ideally, the user property should also be hidden (as leaving it in leaks
information slightly), but given the schema of the note endpoint, I
don't think that would be possible without introducing some kind of
"ghost" user, who is attributed for posts by users who have you blocked.

* fix: primitives 21, 22, and 23: reuse resolver

This also increases the default `recursionLimit` for `Resolver`, as it
theoretically will go higher that it previously would and could possibly
fail on non-malicious collection activities.

* fix: primitives 25-33: proper local instance checks

* revert: fix: primitive 19 & 20

This reverts commit 465a9fe6591de90f78bd3d084e3c01e65dc3cf3c.

---------

Co-authored-by: Dakkar <dakkar@thenautilus.net>
Co-authored-by: Laura Hausmann <laura@hausmann.dev>
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
---
 packages/backend/src/core/HttpRequestService.ts    |  8 +-
 .../backend/src/core/RemoteUserResolveService.ts   |  4 +-
 packages/backend/src/core/UtilityService.ts        | 14 +++-
 .../src/core/activitypub/ApDbResolverService.ts    |  6 +-
 .../backend/src/core/activitypub/ApInboxService.ts | 93 +++++++++++++---------
 .../src/core/activitypub/ApRequestService.ts       | 12 ++-
 .../src/core/activitypub/ApResolverService.ts      | 19 ++++-
 .../src/core/activitypub/misc/check-against-url.ts | 19 +++++
 .../src/core/activitypub/models/ApNoteService.ts   | 42 +++++++---
 .../src/core/activitypub/models/ApPersonService.ts | 72 ++++++++++++-----
 .../core/activitypub/models/ApQuestionService.ts   |  4 +-
 .../src/queue/processors/InboxProcessorService.ts  |  2 +
 .../backend/src/server/ActivityPubServerService.ts |  2 +-
 .../backend/src/server/api/endpoints/ap/get.ts     |  1 +
 .../backend/src/server/api/endpoints/ap/show.ts    |  5 ++
 15 files changed, 227 insertions(+), 76 deletions(-)
 create mode 100644 packages/backend/src/core/activitypub/misc/check-against-url.ts

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/HttpRequestService.ts b/packages/backend/src/core/HttpRequestService.ts
index 7f3cac7c58..08e9f46b2d 100644
--- a/packages/backend/src/core/HttpRequestService.ts
+++ b/packages/backend/src/core/HttpRequestService.ts
@@ -15,6 +15,7 @@ import type { Config } from '@/config.js';
 import { StatusError } from '@/misc/status-error.js';
 import { bindThis } from '@/decorators.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
+import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 import type { IObject } from '@/core/activitypub/type.js';
 import type { Response } from 'node-fetch';
 import type { URL } from 'node:url';
@@ -125,7 +126,12 @@ export class HttpRequestService {
 			validators: [validateContentTypeSetAsActivityPub],
 		});
 
-		return await res.json() as IObject;
+		const finalUrl = res.url; // redirects may have been involved
+		const activity = await res.json() as IObject;
+
+		assertActivityMatchesUrls(activity, [finalUrl]);
+
+		return activity;
 	}
 
 	@bindThis
diff --git a/packages/backend/src/core/RemoteUserResolveService.ts b/packages/backend/src/core/RemoteUserResolveService.ts
index f5a55eb8bc..678da0cfa6 100644
--- a/packages/backend/src/core/RemoteUserResolveService.ts
+++ b/packages/backend/src/core/RemoteUserResolveService.ts
@@ -54,9 +54,9 @@ export class RemoteUserResolveService {
 			}) as MiLocalUser;
 		}
 
-		host = this.utilityService.toPuny(host);
+		host = this.utilityService.punyHost(host);
 
-		if (this.config.host === host) {
+		if (host === this.utilityService.toPuny(this.config.host)) {
 			this.logger.info(`return local user: ${usernameLower}`);
 			return await this.usersRepository.findOneBy({ usernameLower, host: IsNull() }).then(u => {
 				if (u == null) {
diff --git a/packages/backend/src/core/UtilityService.ts b/packages/backend/src/core/UtilityService.ts
index 86082ccdcd..9a2ba72ed3 100644
--- a/packages/backend/src/core/UtilityService.ts
+++ b/packages/backend/src/core/UtilityService.ts
@@ -34,6 +34,11 @@ export class UtilityService {
 		return this.toPuny(this.config.host) === this.toPuny(host);
 	}
 
+	@bindThis
+	public isUriLocal(uri: string): boolean {
+		return this.punyHost(uri) === this.toPuny(this.config.host);
+	}
+
 	@bindThis
 	public isBlockedHost(blockedHosts: string[], host: string | null): boolean {
 		if (host == null) return false;
@@ -96,7 +101,7 @@ export class UtilityService {
 	@bindThis
 	public extractDbHost(uri: string): string {
 		const url = new URL(uri);
-		return this.toPuny(url.hostname);
+		return this.toPuny(url.host);
 	}
 
 	@bindThis
@@ -110,6 +115,13 @@ export class UtilityService {
 		return toASCII(host.toLowerCase());
 	}
 
+	@bindThis
+	public punyHost(url: string): string {
+		const urlObj = new URL(url);
+		const host = `${this.toPuny(urlObj.hostname)}${urlObj.port.length > 0 ? ':' + urlObj.port : ''}`;
+		return host;
+	}
+
 	@bindThis
 	public isFederationAllowedHost(host: string): boolean {
 		if (this.meta.federation === 'none') return false;
diff --git a/packages/backend/src/core/activitypub/ApDbResolverService.ts b/packages/backend/src/core/activitypub/ApDbResolverService.ts
index 4192e8659a..5c16744a77 100644
--- a/packages/backend/src/core/activitypub/ApDbResolverService.ts
+++ b/packages/backend/src/core/activitypub/ApDbResolverService.ts
@@ -10,6 +10,7 @@ import type { Config } from '@/config.js';
 import { MemoryKVCache } from '@/misc/cache.js';
 import type { MiUserPublickey } from '@/models/UserPublickey.js';
 import { CacheService } from '@/core/CacheService.js';
+import { UtilityService } from '@/core/UtilityService.js';
 import type { MiNote } from '@/models/Note.js';
 import { bindThis } from '@/decorators.js';
 import { MiLocalUser, MiRemoteUser } from '@/models/User.js';
@@ -53,6 +54,7 @@ export class ApDbResolverService implements OnApplicationShutdown {
 
 		private cacheService: CacheService,
 		private apPersonService: ApPersonService,
+		private utilityService: UtilityService,
 	) {
 		this.publicKeyCache = new MemoryKVCache<MiUserPublickey | null>(1000 * 60 * 60 * 12); // 12h
 		this.publicKeyByUserIdCache = new MemoryKVCache<MiUserPublickey | null>(1000 * 60 * 60 * 12); // 12h
@@ -63,7 +65,9 @@ export class ApDbResolverService implements OnApplicationShutdown {
 		const separator = '/';
 
 		const uri = new URL(getApId(value));
-		if (uri.origin !== this.config.url) return { local: false, uri: uri.href };
+		if (this.utilityService.toPuny(uri.host) !== this.utilityService.toPuny(this.config.host)) {
+			return { local: false, uri: uri.href };
+		}
 
 		const [, type, id, ...rest] = uri.pathname.split(separator);
 		return {
diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index 376c9c0151..8e8ec223cb 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -89,15 +89,26 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	public async performActivity(actor: MiRemoteUser, activity: IObject): Promise<string | void> {
+	public async performActivity(actor: MiRemoteUser, activity: IObject, resolver?: Resolver): Promise<string | void> {
 		let result = undefined as string | void;
 		if (isCollectionOrOrderedCollection(activity)) {
 			const results = [] as [string, string | void][];
-			const resolver = this.apResolverService.createResolver();
-			for (const item of toArray(isCollection(activity) ? activity.items : activity.orderedItems)) {
+			// eslint-disable-next-line no-param-reassign
+			resolver ??= this.apResolverService.createResolver();
+
+			const items = toArray(isCollection(activity) ? activity.items : activity.orderedItems);
+			if (items.length >= resolver.getRecursionLimit()) {
+				throw new Error(`skipping activity: collection would surpass recursion limit: ${this.utilityService.extractDbHost(actor.uri)}`);
+			}
+
+			for (const item of items) {
 				const act = await resolver.resolve(item);
+				if (act.id == null || this.utilityService.extractDbHost(act.id) !== this.utilityService.extractDbHost(actor.uri)) {
+					this.logger.debug('skipping activity: activity id is null or mismatching');
+					continue;
+				}
 				try {
-					results.push([getApId(item), await this.performOneActivity(actor, act)]);
+					results.push([getApId(item), await this.performOneActivity(actor, act, resolver)]);
 				} catch (err) {
 					if (err instanceof Error || typeof err === 'string') {
 						this.logger.error(err);
@@ -112,7 +123,7 @@ export class ApInboxService {
 				result = results.map(([id, reason]) => `${id}: ${reason}`).join('\n');
 			}
 		} else {
-			result = await this.performOneActivity(actor, activity);
+			result = await this.performOneActivity(actor, activity, resolver);
 		}
 
 		// ついでにリモートユーザーの情報が古かったら更新しておく
@@ -127,37 +138,37 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	public async performOneActivity(actor: MiRemoteUser, activity: IObject): Promise<string | void> {
+	public async performOneActivity(actor: MiRemoteUser, activity: IObject, resolver?: Resolver): Promise<string | void> {
 		if (actor.isSuspended) return;
 
 		if (isCreate(activity)) {
-			return await this.create(actor, activity);
+			return await this.create(actor, activity, resolver);
 		} else if (isDelete(activity)) {
 			return await this.delete(actor, activity);
 		} else if (isUpdate(activity)) {
-			return await this.update(actor, activity);
+			return await this.update(actor, activity, resolver);
 		} else if (isFollow(activity)) {
 			return await this.follow(actor, activity);
 		} else if (isAccept(activity)) {
-			return await this.accept(actor, activity);
+			return await this.accept(actor, activity, resolver);
 		} else if (isReject(activity)) {
-			return await this.reject(actor, activity);
+			return await this.reject(actor, activity, resolver);
 		} else if (isAdd(activity)) {
-			return await this.add(actor, activity);
+			return await this.add(actor, activity, resolver);
 		} else if (isRemove(activity)) {
-			return await this.remove(actor, activity);
+			return await this.remove(actor, activity, resolver);
 		} else if (isAnnounce(activity)) {
-			return await this.announce(actor, activity);
+			return await this.announce(actor, activity, resolver);
 		} else if (isLike(activity)) {
 			return await this.like(actor, activity);
 		} else if (isUndo(activity)) {
-			return await this.undo(actor, activity);
+			return await this.undo(actor, activity, resolver);
 		} else if (isBlock(activity)) {
 			return await this.block(actor, activity);
 		} else if (isFlag(activity)) {
 			return await this.flag(actor, activity);
 		} else if (isMove(activity)) {
-			return await this.move(actor, activity);
+			return await this.move(actor, activity, resolver);
 		} else {
 			return `unrecognized activity type: ${activity.type}`;
 		}
@@ -199,12 +210,13 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async accept(actor: MiRemoteUser, activity: IAccept): Promise<string> {
+	private async accept(actor: MiRemoteUser, activity: IAccept, resolver?: Resolver): Promise<string> {
 		const uri = activity.id ?? activity;
 
 		this.logger.info(`Accept: ${uri}`);
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(activity.object).catch(err => {
 			this.logger.error(`Resolution failed: ${err}`);
@@ -241,7 +253,7 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async add(actor: MiRemoteUser, activity: IAdd): Promise<string | void> {
+	private async add(actor: MiRemoteUser, activity: IAdd, resolver?: Resolver): Promise<string | void> {
 		if (actor.uri !== activity.actor) {
 			return 'invalid actor';
 		}
@@ -251,7 +263,7 @@ export class ApInboxService {
 		}
 
 		if (activity.target === actor.featured) {
-			const note = await this.apNoteService.resolveNote(activity.object);
+			const note = await this.apNoteService.resolveNote(activity.object, { resolver });
 			if (note == null) return 'note not found';
 			await this.notePiningService.addPinned(actor, note.id);
 			return;
@@ -261,12 +273,13 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async announce(actor: MiRemoteUser, activity: IAnnounce): Promise<string | void> {
+	private async announce(actor: MiRemoteUser, activity: IAnnounce, resolver?: Resolver): Promise<string | void> {
 		const uri = getApId(activity);
 
 		this.logger.info(`Announce: ${uri}`);
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		if (!activity.object) return 'skip: activity has no object property';
 		const targetUri = getApId(activity.object);
@@ -283,7 +296,7 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async announceNote(actor: MiRemoteUser, activity: IAnnounce, target: IPost): Promise<string | void> {
+	private async announceNote(actor: MiRemoteUser, activity: IAnnounce, target: IPost, resolver?: Resolver): Promise<string | void> {
 		const uri = getApId(activity);
 
 		if (actor.isSuspended) {
@@ -305,7 +318,7 @@ export class ApInboxService {
 			// Announce対象をresolve
 			let renote;
 			try {
-				renote = await this.apNoteService.resolveNote(target);
+				renote = await this.apNoteService.resolveNote(target, { resolver });
 				if (renote == null) return 'announce target is null';
 			} catch (err) {
 				// 対象が4xxならスキップ
@@ -324,7 +337,7 @@ export class ApInboxService {
 
 			this.logger.info(`Creating the (Re)Note: ${uri}`);
 
-			const activityAudience = await this.apAudienceService.parseAudience(actor, activity.to, activity.cc);
+			const activityAudience = await this.apAudienceService.parseAudience(actor, activity.to, activity.cc, resolver);
 			const createdAt = activity.published ? new Date(activity.published) : null;
 
 			if (createdAt && createdAt < this.idService.parse(renote.id).date) {
@@ -362,7 +375,7 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async create(actor: MiRemoteUser, activity: ICreate): Promise<string | void> {
+	private async create(actor: MiRemoteUser, activity: ICreate, resolver?: Resolver): Promise<string | void> {
 		const uri = getApId(activity);
 
 		this.logger.info(`Create: ${uri}`);
@@ -387,7 +400,8 @@ export class ApInboxService {
 			activity.object.attributedTo = activity.actor;
 		}
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(activity.object).catch(e => {
 			this.logger.error(`Resolution failed: ${e}`);
@@ -414,6 +428,8 @@ export class ApInboxService {
 				if (this.utilityService.extractDbHost(actor.uri) !== this.utilityService.extractDbHost(note.id)) {
 					return 'skip: host in actor.uri !== note.id';
 				}
+			} else {
+				return 'skip: note.id is not a string';
 			}
 		}
 
@@ -423,7 +439,7 @@ export class ApInboxService {
 			const exist = await this.apNoteService.fetchNote(note);
 			if (exist) return 'skip: note exists';
 
-			await this.apNoteService.createNote(note, resolver, silent);
+			await this.apNoteService.createNote(note, actor, resolver, silent);
 			return 'ok';
 		} catch (err) {
 			if (err instanceof StatusError && !err.isRetryable) {
@@ -555,12 +571,13 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async reject(actor: MiRemoteUser, activity: IReject): Promise<string> {
+	private async reject(actor: MiRemoteUser, activity: IReject, resolver?: Resolver): Promise<string> {
 		const uri = activity.id ?? activity;
 
 		this.logger.info(`Reject: ${uri}`);
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(activity.object).catch(e => {
 			this.logger.error(`Resolution failed: ${e}`);
@@ -597,7 +614,7 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async remove(actor: MiRemoteUser, activity: IRemove): Promise<string | void> {
+	private async remove(actor: MiRemoteUser, activity: IRemove, resolver?: Resolver): Promise<string | void> {
 		if (actor.uri !== activity.actor) {
 			return 'invalid actor';
 		}
@@ -607,7 +624,7 @@ export class ApInboxService {
 		}
 
 		if (activity.target === actor.featured) {
-			const note = await this.apNoteService.resolveNote(activity.object);
+			const note = await this.apNoteService.resolveNote(activity.object, { resolver });
 			if (note == null) return 'note not found';
 			await this.notePiningService.removePinned(actor, note.id);
 			return;
@@ -617,7 +634,7 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async undo(actor: MiRemoteUser, activity: IUndo): Promise<string> {
+	private async undo(actor: MiRemoteUser, activity: IUndo, resolver?: Resolver): Promise<string> {
 		if (actor.uri !== activity.actor) {
 			return 'invalid actor';
 		}
@@ -626,7 +643,8 @@ export class ApInboxService {
 
 		this.logger.info(`Undo: ${uri}`);
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(activity.object).catch(e => {
 			this.logger.error(`Resolution failed: ${e}`);
@@ -750,14 +768,15 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async update(actor: MiRemoteUser, activity: IUpdate): Promise<string> {
+	private async update(actor: MiRemoteUser, activity: IUpdate, resolver?: Resolver): Promise<string> {
 		if (actor.uri !== activity.actor) {
 			return 'skip: invalid actor';
 		}
 
 		this.logger.debug('Update');
 
-		const resolver = this.apResolverService.createResolver();
+		// eslint-disable-next-line no-param-reassign
+		resolver ??= this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(activity.object).catch(e => {
 			this.logger.error(`Resolution failed: ${e}`);
@@ -776,11 +795,11 @@ export class ApInboxService {
 	}
 
 	@bindThis
-	private async move(actor: MiRemoteUser, activity: IMove): Promise<string> {
+	private async move(actor: MiRemoteUser, activity: IMove, resolver?: Resolver): Promise<string> {
 		// fetch the new and old accounts
 		const targetUri = getApHrefNullable(activity.target);
 		if (!targetUri) return 'skip: invalid activity target';
 
-		return await this.apPersonService.updatePerson(actor.uri) ?? 'skip: nothing to do';
+		return await this.apPersonService.updatePerson(actor.uri, resolver) ?? 'skip: nothing to do';
 	}
 }
diff --git a/packages/backend/src/core/activitypub/ApRequestService.ts b/packages/backend/src/core/activitypub/ApRequestService.ts
index c7d19adfd5..8c3b7295e4 100644
--- a/packages/backend/src/core/activitypub/ApRequestService.ts
+++ b/packages/backend/src/core/activitypub/ApRequestService.ts
@@ -11,11 +11,14 @@ import { DI } from '@/di-symbols.js';
 import type { Config } from '@/config.js';
 import type { MiUser } from '@/models/User.js';
 import { UserKeypairService } from '@/core/UserKeypairService.js';
+import { UtilityService } from '@/core/UtilityService.js';
 import { HttpRequestService } from '@/core/HttpRequestService.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
 import type Logger from '@/logger.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
+import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
+import type { IObject } from './type.js';
 
 type Request = {
 	url: string;
@@ -145,6 +148,7 @@ export class ApRequestService {
 		private userKeypairService: UserKeypairService,
 		private httpRequestService: HttpRequestService,
 		private loggerService: LoggerService,
+		private utilityService: UtilityService,
 	) {
 		// eslint-disable-next-line @typescript-eslint/no-unnecessary-condition
 		this.logger = this.loggerService?.getLogger('ap-request'); // なぜか TypeError: Cannot read properties of undefined (reading 'getLogger') と言われる
@@ -238,7 +242,7 @@ export class ApRequestService {
 				const alternate = document.querySelector('head > link[rel="alternate"][type="application/activity+json"]');
 				if (alternate) {
 					const href = alternate.getAttribute('href');
-					if (href) {
+					if (href && this.utilityService.punyHost(url) === this.utilityService.punyHost(href)) {
 						return await this.signedGet(href, user, false);
 					}
 				}
@@ -251,7 +255,11 @@ export class ApRequestService {
 		//#endregion
 
 		validateContentTypeSetAsActivityPub(res);
+		const finalUrl = res.url; // redirects may have been involved
+		const activity = await res.json() as IObject;
 
-		return await res.json();
+		assertActivityMatchesUrls(activity, [finalUrl]);
+
+		return activity;
 	}
 }
diff --git a/packages/backend/src/core/activitypub/ApResolverService.ts b/packages/backend/src/core/activitypub/ApResolverService.ts
index ca35608d9b..b0b35274ea 100644
--- a/packages/backend/src/core/activitypub/ApResolverService.ts
+++ b/packages/backend/src/core/activitypub/ApResolverService.ts
@@ -41,7 +41,7 @@ export class Resolver {
 		private apRendererService: ApRendererService,
 		private apDbResolverService: ApDbResolverService,
 		private loggerService: LoggerService,
-		private recursionLimit = 100,
+		private recursionLimit = 256,
 	) {
 		this.history = new Set();
 		this.logger = this.loggerService.getLogger('ap-resolve');
@@ -52,6 +52,11 @@ export class Resolver {
 		return Array.from(this.history);
 	}
 
+	@bindThis
+	public getRecursionLimit(): number {
+		return this.recursionLimit;
+	}
+
 	@bindThis
 	public async resolveCollection(value: string | IObject): Promise<ICollection | IOrderedCollection> {
 		const collection = typeof value === 'string'
@@ -113,6 +118,18 @@ export class Resolver {
 			throw new Error('invalid response');
 		}
 
+		// HttpRequestService / ApRequestService have already checked that
+		// `object.id` or `object.url` matches the URL used to fetch the
+		// object after redirects; here we double-check that no redirects
+		// bounced between hosts
+		if (object.id == null) {
+			throw new Error('invalid AP object: missing id');
+		}
+
+		if (this.utilityService.punyHost(object.id) !== this.utilityService.punyHost(value)) {
+			throw new Error(`invalid AP object ${value}: id ${object.id} has different host`);
+		}
+
 		return object;
 	}
 
diff --git a/packages/backend/src/core/activitypub/misc/check-against-url.ts b/packages/backend/src/core/activitypub/misc/check-against-url.ts
new file mode 100644
index 0000000000..78ba891a2e
--- /dev/null
+++ b/packages/backend/src/core/activitypub/misc/check-against-url.ts
@@ -0,0 +1,19 @@
+/*
+ * SPDX-FileCopyrightText: dakkar and sharkey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import type { IObject } from '../type.js';
+
+export function assertActivityMatchesUrls(activity: IObject, urls: string[]) {
+	const idOk = activity.id !== undefined && urls.includes(activity.id);
+
+	// technically `activity.url` could be an `ApObject = IObject |
+	// string | (IObject | string)[]`, but if it's a complicated thing
+	// and the `activity.id` doesn't match, I think we're fine
+	// rejecting the activity
+	const urlOk = typeof(activity.url) === 'string' && urls.includes(activity.url);
+
+	if (!idOk && !urlOk) {
+		throw new Error(`bad Activity: neither id(${activity?.id}) nor url(${activity?.url}) match location(${urls})`);
+	}
+}
diff --git a/packages/backend/src/core/activitypub/models/ApNoteService.ts b/packages/backend/src/core/activitypub/models/ApNoteService.ts
index 2d333b3634..eb2e771a38 100644
--- a/packages/backend/src/core/activitypub/models/ApNoteService.ts
+++ b/packages/backend/src/core/activitypub/models/ApNoteService.ts
@@ -77,7 +77,7 @@ export class ApNoteService {
 	}
 
 	@bindThis
-	public validateNote(object: IObject, uri: string): Error | null {
+	public validateNote(object: IObject, uri: string, actor?: MiRemoteUser): Error | null {
 		const expectHost = this.utilityService.extractDbHost(uri);
 		const apType = getApType(object);
 
@@ -98,6 +98,14 @@ export class ApNoteService {
 			return new IdentifiableError('d450b8a9-48e4-4dab-ae36-f4db763fda7c', 'invalid Note: published timestamp is malformed');
 		}
 
+		if (actor) {
+			const attribution = (object.attributedTo) ? getOneApId(object.attributedTo) : actor.uri;
+
+			if (attribution !== actor.uri) {
+				return new IdentifiableError('d450b8a9-48e4-4dab-ae36-f4db763fda7c', `invalid Note: attribution does not match the actor that send it. attribution: ${attribution}, actor: ${actor.uri}`);
+			}
+		}
+
 		return null;
 	}
 
@@ -115,14 +123,14 @@ export class ApNoteService {
 	 * Noteを作成します。
 	 */
 	@bindThis
-	public async createNote(value: string | IObject, resolver?: Resolver, silent = false): Promise<MiNote | null> {
+	public async createNote(value: string | IObject, actor?: MiRemoteUser, resolver?: Resolver, silent = false): Promise<MiNote | null> {
 		// eslint-disable-next-line no-param-reassign
 		if (resolver == null) resolver = this.apResolverService.createResolver();
 
 		const object = await resolver.resolve(value);
 
 		const entryUri = getApId(value);
-		const err = this.validateNote(object, entryUri);
+		const err = this.validateNote(object, entryUri, actor);
 		if (err) {
 			this.logger.error(err.message, {
 				resolver: { history: resolver.getHistory() },
@@ -136,14 +144,24 @@ export class ApNoteService {
 
 		this.logger.debug(`Note fetched: ${JSON.stringify(note, null, 2)}`);
 
-		if (note.id && !checkHttps(note.id)) {
+		if (note.id == null) {
+			throw new Error('Refusing to create note without id');
+		}
+
+		if (!checkHttps(note.id)) {
 			throw new Error('unexpected schema of note.id: ' + note.id);
 		}
 
 		const url = getOneApHrefNullable(note.url);
 
-		if (url && !checkHttps(url)) {
-			throw new Error('unexpected schema of note url: ' + url);
+		if (url != null) {
+			if (!checkHttps(url)) {
+				throw new Error('unexpected schema of note url: ' + url);
+			}
+
+			if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(note.id)) {
+				throw new Error(`note url & uri host mismatch: note url: ${url}, note uri: ${note.id}`);
+			}
 		}
 
 		this.logger.info(`Creating the Note: ${note.id}`);
@@ -156,8 +174,9 @@ export class ApNoteService {
 		const uri = getOneApId(note.attributedTo);
 
 		// ローカルで投稿者を検索し、もし凍結されていたらスキップ
-		const cachedActor = await this.apPersonService.fetchPerson(uri) as MiRemoteUser;
-		if (cachedActor && cachedActor.isSuspended) {
+		// eslint-disable-next-line no-param-reassign
+		actor ??= await this.apPersonService.fetchPerson(uri) as MiRemoteUser | undefined;
+		if (actor && actor.isSuspended) {
 			throw new IdentifiableError('85ab9bd7-3a41-4530-959d-f07073900109', 'actor has been suspended');
 		}
 
@@ -189,7 +208,8 @@ export class ApNoteService {
 		}
 		//#endregion
 
-		const actor = cachedActor ?? await this.apPersonService.resolvePerson(uri, resolver) as MiRemoteUser;
+		// eslint-disable-next-line no-param-reassign
+		actor ??= await this.apPersonService.resolvePerson(uri, resolver) as MiRemoteUser;
 
 		// 解決した投稿者が凍結されていたらスキップ
 		if (actor.isSuspended) {
@@ -348,7 +368,7 @@ export class ApNoteService {
 			if (exist) return exist;
 			//#endregion
 
-			if (uri.startsWith(this.config.url)) {
+			if (this.utilityService.isUriLocal(uri)) {
 				throw new StatusError('cannot resolve local note', 400, 'cannot resolve local note');
 			}
 
@@ -356,7 +376,7 @@ export class ApNoteService {
 			// ここでuriの代わりに添付されてきたNote Objectが指定されていると、サーバーフェッチを経ずにノートが生成されるが
 			// 添付されてきたNote Objectは偽装されている可能性があるため、常にuriを指定してサーバーフェッチを行う。
 			const createFrom = options.sentFrom?.origin === new URL(uri).origin ? value : uri;
-			return await this.createNote(createFrom, options.resolver, true);
+			return await this.createNote(createFrom, undefined, options.resolver, true);
 		} finally {
 			unlock();
 		}
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index 8c4e40c561..026ddb6ece 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -129,12 +129,6 @@ export class ApPersonService implements OnModuleInit {
 		this.logger = this.apLoggerService.logger;
 	}
 
-	private punyHost(url: string): string {
-		const urlObj = new URL(url);
-		const host = `${this.utilityService.toPuny(urlObj.hostname)}${urlObj.port.length > 0 ? ':' + urlObj.port : ''}`;
-		return host;
-	}
-
 	/**
 	 * Validate and convert to actor object
 	 * @param x Fetched object
@@ -142,7 +136,7 @@ export class ApPersonService implements OnModuleInit {
 	 */
 	@bindThis
 	private validateActor(x: IObject, uri: string): IActor {
-		const expectHost = this.punyHost(uri);
+		const expectHost = this.utilityService.punyHost(uri);
 
 		if (!isActor(x)) {
 			throw new Error(`invalid Actor type '${x.type}'`);
@@ -156,6 +150,29 @@ export class ApPersonService implements OnModuleInit {
 			throw new Error('invalid Actor: wrong inbox');
 		}
 
+		if (this.utilityService.punyHost(x.inbox) !== expectHost) {
+			throw new Error('invalid Actor: inbox has different host');
+		}
+
+		const sharedInboxObject = x.sharedInbox ?? (x.endpoints ? x.endpoints.sharedInbox : undefined);
+		if (sharedInboxObject != null) {
+			const sharedInbox = getApId(sharedInboxObject);
+			if (!(typeof sharedInbox === 'string' && sharedInbox.length > 0 && this.utilityService.punyHost(sharedInbox) === expectHost)) {
+				throw new Error('invalid Actor: wrong shared inbox');
+			}
+		}
+
+		for (const collection of ['outbox', 'followers', 'following'] as (keyof IActor)[]) {
+			const collectionUri = getApId((x as IActor)[collection]);
+			if (typeof collectionUri === 'string' && collectionUri.length > 0) {
+				if (this.utilityService.punyHost(collectionUri) !== expectHost) {
+					throw new Error(`invalid Actor: ${collection} has different host`);
+				}
+			} else if (collectionUri != null) {
+				throw new Error(`invalid Actor: wrong ${collection}`);
+			}
+		}
+
 		if (!(typeof x.preferredUsername === 'string' && x.preferredUsername.length > 0 && x.preferredUsername.length <= 128 && /^\w([\w-.]*\w)?$/.test(x.preferredUsername))) {
 			throw new Error('invalid Actor: wrong username');
 		}
@@ -179,7 +196,7 @@ export class ApPersonService implements OnModuleInit {
 			x.summary = truncate(x.summary, summaryLength);
 		}
 
-		const idHost = this.punyHost(x.id);
+		const idHost = this.utilityService.punyHost(x.id);
 		if (idHost !== expectHost) {
 			throw new Error('invalid Actor: id has different host');
 		}
@@ -189,7 +206,7 @@ export class ApPersonService implements OnModuleInit {
 				throw new Error('invalid Actor: publicKey.id is not a string');
 			}
 
-			const publicKeyIdHost = this.punyHost(x.publicKey.id);
+			const publicKeyIdHost = this.utilityService.punyHost(x.publicKey.id);
 			if (publicKeyIdHost !== expectHost) {
 				throw new Error('invalid Actor: publicKey.id has different host');
 			}
@@ -280,7 +297,8 @@ export class ApPersonService implements OnModuleInit {
 	public async createPerson(uri: string, resolver?: Resolver): Promise<MiRemoteUser> {
 		if (typeof uri !== 'string') throw new Error('uri is not string');
 
-		if (uri.startsWith(this.config.url)) {
+		const host = this.utilityService.punyHost(uri);
+		if (host === this.utilityService.toPuny(this.config.host)) {
 			throw new StatusError('cannot resolve local user', 400, 'cannot resolve local user');
 		}
 
@@ -294,8 +312,6 @@ export class ApPersonService implements OnModuleInit {
 
 		this.logger.info(`Creating the Person: ${person.id}`);
 
-		const host = this.punyHost(object.id);
-
 		const fields = this.analyzeAttachments(person.attachment ?? []);
 
 		const tags = extractApHashtags(person.tag).map(normalizeForSearch).splice(0, 32);
@@ -321,8 +337,18 @@ export class ApPersonService implements OnModuleInit {
 
 		const url = getOneApHrefNullable(person.url);
 
-		if (url && !checkHttps(url)) {
-			throw new Error('unexpected schema of person url: ' + url);
+		if (person.id == null) {
+			throw new Error('Refusing to create person without id');
+		}
+
+		if (url != null) {
+			if (!checkHttps(url)) {
+				throw new Error('unexpected schema of person url: ' + url);
+			}
+
+			if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) {
+				throw new Error(`person url <> uri host mismatch: ${url} <> ${person.id}`);
+			}
 		}
 
 		// Create user
@@ -465,7 +491,7 @@ export class ApPersonService implements OnModuleInit {
 		if (typeof uri !== 'string') throw new Error('uri is not string');
 
 		// URIがこのサーバーを指しているならスキップ
-		if (uri.startsWith(`${this.config.url}/`)) return;
+		if (this.utilityService.isUriLocal(uri)) return;
 
 		//#region このサーバーに既に登録されているか
 		const exist = await this.fetchPerson(uri) as MiRemoteUser | null;
@@ -514,8 +540,18 @@ export class ApPersonService implements OnModuleInit {
 
 		const url = getOneApHrefNullable(person.url);
 
-		if (url && !checkHttps(url)) {
-			throw new Error('unexpected schema of person url: ' + url);
+		if (person.id == null) {
+			throw new Error('Refusing to update person without id');
+		}
+
+		if (url != null) {
+			if (!checkHttps(url)) {
+				throw new Error('unexpected schema of person url: ' + url);
+			}
+
+			if (this.utilityService.punyHost(url) !== this.utilityService.punyHost(person.id)) {
+				throw new Error(`person url <> uri host mismatch: ${url} <> ${person.id}`);
+			}
 		}
 
 		const updates = {
@@ -728,7 +764,7 @@ export class ApPersonService implements OnModuleInit {
 			await this.updatePerson(src.movedToUri, undefined, undefined, [...movePreventUris, src.uri]);
 			dst = await this.fetchPerson(src.movedToUri) ?? dst;
 		} else {
-			if (src.movedToUri.startsWith(`${this.config.url}/`)) {
+			if (this.utilityService.isUriLocal(src.movedToUri)) {
 				// ローカルユーザーっぽいのにfetchPersonで見つからないということはmovedToUriが間違っている
 				return 'failed: movedTo is local but not found';
 			}
diff --git a/packages/backend/src/core/activitypub/models/ApQuestionService.ts b/packages/backend/src/core/activitypub/models/ApQuestionService.ts
index 73004d10b0..1655a307c4 100644
--- a/packages/backend/src/core/activitypub/models/ApQuestionService.ts
+++ b/packages/backend/src/core/activitypub/models/ApQuestionService.ts
@@ -10,6 +10,7 @@ import type { Config } from '@/config.js';
 import type { IPoll } from '@/models/Poll.js';
 import type Logger from '@/logger.js';
 import { bindThis } from '@/decorators.js';
+import { UtilityService } from '@/core/UtilityService.js';
 import { isQuestion } from '../type.js';
 import { ApLoggerService } from '../ApLoggerService.js';
 import { ApResolverService } from '../ApResolverService.js';
@@ -32,6 +33,7 @@ export class ApQuestionService {
 
 		private apResolverService: ApResolverService,
 		private apLoggerService: ApLoggerService,
+		private utilityService: UtilityService,
 	) {
 		this.logger = this.apLoggerService.logger;
 	}
@@ -70,7 +72,7 @@ export class ApQuestionService {
 		if (uri == null) throw new Error('uri is null');
 
 		// URIがこのサーバーを指しているならスキップ
-		if (uri.startsWith(this.config.url + '/')) throw new Error('uri points local');
+		if (this.utilityService.isUriLocal(uri)) throw new Error('uri points local');
 
 		//#region このサーバーに既に登録されているか
 		const note = await this.notesRepository.findOneBy({ uri });
diff --git a/packages/backend/src/queue/processors/InboxProcessorService.ts b/packages/backend/src/queue/processors/InboxProcessorService.ts
index 95d764e4d8..004fe1382d 100644
--- a/packages/backend/src/queue/processors/InboxProcessorService.ts
+++ b/packages/backend/src/queue/processors/InboxProcessorService.ts
@@ -190,6 +190,8 @@ export class InboxProcessorService implements OnApplicationShutdown {
 			if (signerHost !== activityIdHost) {
 				throw new Bull.UnrecoverableError(`skip: signerHost(${signerHost}) !== activity.id host(${activityIdHost}`);
 			}
+		} else {
+			throw new Bull.UnrecoverableError('skip: activity id is not a string');
 		}
 
 		this.apRequestChart.inbox();
diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index ba2342b630..f34f6583d3 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -105,7 +105,7 @@ export class ActivityPubServerService {
 		let signature;
 
 		try {
-			signature = httpSignature.parseRequest(request.raw, { 'headers': [] });
+			signature = httpSignature.parseRequest(request.raw, { 'headers': ['(request-target)', 'host', 'date'], authorizationHeaderName: 'signature' });
 		} catch (e) {
 			reply.code(401);
 			return;
diff --git a/packages/backend/src/server/api/endpoints/ap/get.ts b/packages/backend/src/server/api/endpoints/ap/get.ts
index d8c55de7ec..14286bc23e 100644
--- a/packages/backend/src/server/api/endpoints/ap/get.ts
+++ b/packages/backend/src/server/api/endpoints/ap/get.ts
@@ -11,6 +11,7 @@ import { ApResolverService } from '@/core/activitypub/ApResolverService.js';
 export const meta = {
 	tags: ['federation'],
 
+	requireAdmin: true,
 	requireCredential: true,
 	kind: 'read:federation',
 
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index c52608cefb..aca8258c08 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -118,6 +118,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		]));
 		if (local != null) return local;
 
+		const host = this.utilityService.extractDbHost(uri);
+
+		// local object, not found in db? fail
+		if (this.utilityService.isSelfHost(host)) return null;
+
 		// リモートから一旦オブジェクトフェッチ
 		const resolver = this.apResolverService.createResolver();
 		const object = await resolver.resolve(uri) as any;
-- 
cgit v1.2.3-freya


From 0f59adc436f80c495b4404807b0bd645da2b1db8 Mon Sep 17 00:00:00 2001
From: syuilo <4439005+syuilo@users.noreply.github.com>
Date: Thu, 21 Nov 2024 09:25:18 +0900
Subject: fix ap/show

---
 packages/backend/src/server/api/endpoints/ap/show.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index aca8258c08..5c1d8dce9f 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -140,7 +140,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		return await this.mergePack(
 			me,
 			isActor(object) ? await this.apPersonService.createPerson(getApId(object)) : null,
-			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, true) : null,
+			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, resolver) : null,
 		);
 	}
 
-- 
cgit v1.2.3-freya


From 53e827b18c46f786268278645206404ff2d95f72 Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Thu, 21 Nov 2024 10:30:30 +0900
Subject: fix(backend): fix security patches (#15008)

---
 packages/backend/src/core/activitypub/ApInboxService.ts | 2 +-
 packages/backend/src/server/api/endpoints/ap/show.ts    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index 72f5eeda14..9838e3bd30 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -130,7 +130,7 @@ export class ApInboxService {
 		if (actor.uri) {
 			if (actor.lastFetchedAt == null || Date.now() - actor.lastFetchedAt.getTime() > 1000 * 60 * 60 * 24) {
 				setImmediate(() => {
-					this.apPersonService.updatePerson(actor.uri);
+					this.apPersonService.updatePerson(actor.uri, resolver);
 				});
 			}
 		}
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index 5c1d8dce9f..bf99834c17 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -139,8 +139,8 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 		return await this.mergePack(
 			me,
-			isActor(object) ? await this.apPersonService.createPerson(getApId(object)) : null,
-			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, resolver) : null,
+			isActor(object) ? await this.apPersonService.createPerson(getApId(object), resolver) : null,
+			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, resolver, true) : null,
 		);
 	}
 
-- 
cgit v1.2.3-freya


From c1f19fad1e7e1717898b37bbb4e863e0f26b306b Mon Sep 17 00:00:00 2001
From: かっこかり <67428053+kakkokari-gtyih@users.noreply.github.com>
Date: Thu, 21 Nov 2024 14:36:24 +0900
Subject: fix(backend): fix apResolver (#15010)

* fix(backend): fix apResolver

* fix

* add comments

* tweak comment
---
 packages/backend/src/core/activitypub/ApInboxService.ts | 3 ++-
 packages/backend/src/server/api/endpoints/ap/show.ts    | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/activitypub/ApInboxService.ts b/packages/backend/src/core/activitypub/ApInboxService.ts
index 9838e3bd30..ee3f691c51 100644
--- a/packages/backend/src/core/activitypub/ApInboxService.ts
+++ b/packages/backend/src/core/activitypub/ApInboxService.ts
@@ -130,7 +130,8 @@ export class ApInboxService {
 		if (actor.uri) {
 			if (actor.lastFetchedAt == null || Date.now() - actor.lastFetchedAt.getTime() > 1000 * 60 * 60 * 24) {
 				setImmediate(() => {
-					this.apPersonService.updatePerson(actor.uri, resolver);
+					// 同一ユーザーの情報を再度処理するので、使用済みのresolverを再利用してはいけない
+					this.apPersonService.updatePerson(actor.uri);
 				});
 			}
 		}
diff --git a/packages/backend/src/server/api/endpoints/ap/show.ts b/packages/backend/src/server/api/endpoints/ap/show.ts
index bf99834c17..24d5a7b0f1 100644
--- a/packages/backend/src/server/api/endpoints/ap/show.ts
+++ b/packages/backend/src/server/api/endpoints/ap/show.ts
@@ -137,10 +137,11 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (local != null) return local;
 		}
 
+		// 同一ユーザーの情報を再度処理するので、使用済みのresolverを再利用してはいけない
 		return await this.mergePack(
 			me,
-			isActor(object) ? await this.apPersonService.createPerson(getApId(object), resolver) : null,
-			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, resolver, true) : null,
+			isActor(object) ? await this.apPersonService.createPerson(getApId(object)) : null,
+			isPost(object) ? await this.apNoteService.createNote(getApId(object), undefined, undefined, true) : null,
 		);
 	}
 
-- 
cgit v1.2.3-freya


From 56563d8dc478c3e7ccbe9f17d6bd549ad0ce480b Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 22 Nov 2024 13:09:58 +0000
Subject: fix lints

---
 packages/backend/src/core/UserWebhookService.ts               | 2 +-
 packages/backend/src/core/WebhookTestService.ts               | 4 ++++
 packages/backend/src/core/activitypub/ApRequestService.ts     | 1 -
 packages/backend/src/core/activitypub/models/ApNoteService.ts | 1 -
 packages/backend/src/server/ActivityPubServerService.ts       | 2 +-
 packages/backend/src/server/api/endpoints/notes/show.ts       | 3 ++-
 6 files changed, 8 insertions(+), 5 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/UserWebhookService.ts b/packages/backend/src/core/UserWebhookService.ts
index 7117a3d7fa..911efdf768 100644
--- a/packages/backend/src/core/UserWebhookService.ts
+++ b/packages/backend/src/core/UserWebhookService.ts
@@ -14,7 +14,7 @@ import type { OnApplicationShutdown } from '@nestjs/common';
 import type { Packed } from '@/misc/json-schema.js';
 
 export type UserWebhookPayload<T extends WebhookEventTypes> =
-	T extends 'note' | 'reply' | 'renote' |'mention' ? {
+	T extends 'note' | 'reply' | 'renote' |'mention' | 'edited' ? {
 		note: Packed<'Note'>,
 	} :
 	T extends 'follow' | 'unfollow' ? {
diff --git a/packages/backend/src/core/WebhookTestService.ts b/packages/backend/src/core/WebhookTestService.ts
index 746f289311..1530d91532 100644
--- a/packages/backend/src/core/WebhookTestService.ts
+++ b/packages/backend/src/core/WebhookTestService.ts
@@ -389,6 +389,10 @@ export class WebhookTestService {
 				send('mention', { note: toPackedNote(dummyMention1) });
 				break;
 			}
+			case 'edited': {
+				send('edited', { note: toPackedNote(dummyNote1) });
+				break;
+			}
 			case 'follow': {
 				send('follow', { user: toPackedUserDetailedNotMe(dummyUser1) });
 				break;
diff --git a/packages/backend/src/core/activitypub/ApRequestService.ts b/packages/backend/src/core/activitypub/ApRequestService.ts
index a5f96dfac1..8fb4981ed4 100644
--- a/packages/backend/src/core/activitypub/ApRequestService.ts
+++ b/packages/backend/src/core/activitypub/ApRequestService.ts
@@ -16,7 +16,6 @@ import { HttpRequestService } from '@/core/HttpRequestService.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
 import type Logger from '@/logger.js';
-import type { IObject } from './type.js';
 import { validateContentTypeSetAsActivityPub } from '@/core/activitypub/misc/validator.js';
 import { assertActivityMatchesUrls } from '@/core/activitypub/misc/check-against-url.js';
 import type { IObject } from './type.js';
diff --git a/packages/backend/src/core/activitypub/models/ApNoteService.ts b/packages/backend/src/core/activitypub/models/ApNoteService.ts
index 48538a7c26..51dd357cc5 100644
--- a/packages/backend/src/core/activitypub/models/ApNoteService.ts
+++ b/packages/backend/src/core/activitypub/models/ApNoteService.ts
@@ -421,7 +421,6 @@ export class ApNoteService {
 
 		const url = getOneApHrefNullable(note.url);
 
-
 		if (url != null) {
 			if (!checkHttps(url)) {
 				throw new Error('unexpected schema of note url: ' + url);
diff --git a/packages/backend/src/server/ActivityPubServerService.ts b/packages/backend/src/server/ActivityPubServerService.ts
index efbc8721b3..815bf278c7 100644
--- a/packages/backend/src/server/ActivityPubServerService.ts
+++ b/packages/backend/src/server/ActivityPubServerService.ts
@@ -814,7 +814,7 @@ export class ActivityPubServerService {
 		});
 
 		fastify.get<{ Params: { acct: string; } }>('/@:acct', { constraints: { apOrHtml: 'ap' } }, async (request, reply) => {
-			if (await this.shouldRefuseGetRequest(request, reply, request.params.user)) return;
+			if (await this.shouldRefuseGetRequest(request, reply, request.params.acct)) return;
 
 			vary(reply.raw, 'Accept');
 
diff --git a/packages/backend/src/server/api/endpoints/notes/show.ts b/packages/backend/src/server/api/endpoints/notes/show.ts
index c189a708f2..a5bc3719cd 100644
--- a/packages/backend/src/server/api/endpoints/notes/show.ts
+++ b/packages/backend/src/server/api/endpoints/notes/show.ts
@@ -8,6 +8,7 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
 import { NoteEntityService } from '@/core/entities/NoteEntityService.js';
 import { DI } from '@/di-symbols.js';
 import type { NotesRepository } from '@/models/_.js';
+import { QueryService } from '@/core/QueryService.js';
 import { ApiError } from '../../error.js';
 
 export const meta = {
@@ -55,7 +56,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		super(meta, paramDef, async (ps, me) => {
 			const query = await this.notesRepository.createQueryBuilder('note')
 				.where('note.id = :noteId', { noteId: ps.noteId })
-				.innerJoinAndSelect('user');
+				.innerJoinAndSelect('note.user', 'user');
 
 			this.queryService.generateVisibilityQuery(query, me);
 			if (me) {
-- 
cgit v1.2.3-freya


From dbab122a996d732986166d5e3d602698becac558 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Fri, 22 Nov 2024 15:26:55 -0500
Subject: fix typo "to many requests"

---
 .../backend/src/server/api/openapi/gen-spec.ts     |   2 +-
 packages/misskey-js/src/autogen/types.ts           | 132 ++++++++++-----------
 2 files changed, 67 insertions(+), 67 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/openapi/gen-spec.ts b/packages/backend/src/server/api/openapi/gen-spec.ts
index fb5954fee0..82ee0f47d7 100644
--- a/packages/backend/src/server/api/openapi/gen-spec.ts
+++ b/packages/backend/src/server/api/openapi/gen-spec.ts
@@ -183,7 +183,7 @@ export function genOpenapiSpec(config: Config, includeSelfRef = false) {
 				},
 				...(endpoint.meta.limit ? {
 					'429': {
-						description: 'To many requests',
+						description: 'Too many requests',
 						content: {
 							'application/json': {
 								schema: {
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index e275e4b475..d64d604b10 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -10976,7 +10976,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -11495,7 +11495,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -11562,7 +11562,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -11956,7 +11956,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -12016,7 +12016,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -12139,7 +12139,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -13741,7 +13741,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -14576,7 +14576,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -14923,7 +14923,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -15050,7 +15050,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -15545,7 +15545,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16028,7 +16028,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16088,7 +16088,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16151,7 +16151,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16210,7 +16210,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16270,7 +16270,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -16777,7 +16777,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17052,7 +17052,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17613,7 +17613,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17760,7 +17760,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17827,7 +17827,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17940,7 +17940,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -17999,7 +17999,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18244,7 +18244,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18303,7 +18303,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18354,7 +18354,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18405,7 +18405,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18466,7 +18466,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18517,7 +18517,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18568,7 +18568,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18619,7 +18619,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18670,7 +18670,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18721,7 +18721,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -18772,7 +18772,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19009,7 +19009,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19069,7 +19069,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19129,7 +19129,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19188,7 +19188,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19247,7 +19247,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19306,7 +19306,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19374,7 +19374,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19442,7 +19442,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -19770,7 +19770,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -20493,7 +20493,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -20734,7 +20734,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -20794,7 +20794,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -21164,7 +21164,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -21643,7 +21643,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -21811,7 +21811,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -22310,7 +22310,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -22368,7 +22368,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -22426,7 +22426,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -23285,7 +23285,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -23778,7 +23778,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24026,7 +24026,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24200,7 +24200,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24313,7 +24313,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24451,7 +24451,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24585,7 +24585,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24917,7 +24917,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -24984,7 +24984,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -25304,7 +25304,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -25854,7 +25854,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -27133,7 +27133,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -28431,7 +28431,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
@@ -28599,7 +28599,7 @@ export type operations = {
           'application/json': components['schemas']['Error'];
         };
       };
-      /** @description To many requests */
+      /** @description Too many requests */
       429: {
         content: {
           'application/json': components['schemas']['Error'];
-- 
cgit v1.2.3-freya


From c4334bff81de41564442ccd6c833a557e3d1cb57 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Sat, 23 Nov 2024 12:37:15 +0000
Subject: honour blocks and "signing required" for note versions

---
 .../src/server/api/endpoints/notes/versions.ts      | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/notes/versions.ts b/packages/backend/src/server/api/endpoints/notes/versions.ts
index 2b774ae2b0..96715ce6b2 100644
--- a/packages/backend/src/server/api/endpoints/notes/versions.ts
+++ b/packages/backend/src/server/api/endpoints/notes/versions.ts
@@ -27,6 +27,12 @@ export const meta = {
 			code: 'NO_SUCH_NOTE',
 			id: '24fcbfc6-2e37-42b6-8388-c29b3861a08d',
 		},
+
+		signinRequired: {
+			message: 'Signin required.',
+			code: 'SIGNIN_REQUIRED',
+			id: '8e75455b-738c-471d-9f80-62693f33372e',
+		},
 	},
 } as const;
 
@@ -43,23 +49,30 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	constructor(
 		@Inject(DI.notesRepository)
 		private notesRepository: NotesRepository,
-		
+
 		private getterService: GetterService,
 		private queryService: QueryService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
 			const query = await this.notesRepository.createQueryBuilder('note')
-				.select('note.id')
-				.where('note.id = :noteId', { noteId: ps.noteId });
+				.where('note.id = :noteId', { noteId: ps.noteId })
+				.innerJoinAndSelect('note.user', 'user');
 
 			this.queryService.generateVisibilityQuery(query, me);
-			
+			if (me) {
+				this.queryService.generateBlockedUserQuery(query, me);
+			}
+
 			const note = await query.getOne();
 
 			if (note === null) {
 				throw new ApiError(meta.errors.noSuchNote);
 			}
 
+			if (note.user!.requireSigninToViewContents && me == null) {
+				throw new ApiError(meta.errors.signinRequired);
+			}
+
 			const edits = await this.getterService.getEdits(ps.noteId).catch(err => {
 				if (err.id === '9725d0ce-ba28-4dde-95a7-2cbb2c15de24') throw new ApiError(meta.errors.noSuchNote);
 				throw err;
-- 
cgit v1.2.3-freya


From fc277839b66bd919e2c0ca0c2e2840cd3484afb0 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Wed, 27 Nov 2024 09:57:24 +0000
Subject: only "publish to followers" when things really change - fixes #733

---
 .../src/core/activitypub/ApRendererService.ts      |  1 +
 .../backend/src/server/api/endpoints/i/update.ts   | 52 +++++++++++++++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts
index 42ee5bc58a..e34872c714 100644
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@@ -469,6 +469,7 @@ export class ApRendererService {
 		};
 	}
 
+	// if you change this, also change `server/api/endpoints/i/update.ts`
 	@bindThis
 	public async renderPerson(user: MiLocalUser) {
 		const id = this.userEntityService.genLocalUserUri(user.id);
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 8994c3fff6..f0e8dfc832 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -539,7 +539,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			}
 
 			// フォロワーにUpdateを配信
-			this.accountUpdateService.publishToFollowers(user.id);
+			if (this.userNeedsPublishing(user, updates) || this.profileNeedsPublishing(profile, updatedProfile)) {
+				this.accountUpdateService.publishToFollowers(user.id);
+			}
 
 			const urls = updatedProfile.fields.filter(x => x.value.startsWith('https://'));
 			for (const url of urls) {
@@ -581,4 +583,52 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			// なにもしない
 		}
 	}
+
+	// these two methods need to be kept in sync with
+	// `ApRendererService.renderPerson`
+	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
+		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs'] as (keyof MiUser)[]) {
+			if (newUser.hasOwnProperty(field) && oldUser[field] !== newUser[field]) {
+				return true;
+			}
+		}
+		for (const arrayField of ['emojis', 'tags'] as (keyof MiUser)[]) {
+			if (newUser.hasOwnProperty(arrayField) !== oldUser.hasOwnProperty(arrayField)) {
+				return true;
+			}
+
+			const oldArray = oldUser[arrayField] ?? [];
+			const newArray = newUser[arrayField] ?? [];
+			if (!Array.isArray(oldArray) || !Array.isArray(newArray)) {
+				return true;
+			}
+			if (oldArray.join("\0") !== newArray.join("\0")) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private profileNeedsPublishing(oldProfile: MiUserProfile, newProfile: Partial<MiUserProfile>): boolean {
+		for (const field of ['description', 'followedMessage', 'birthday', 'location', 'listenbrainz'] as (keyof MiUserProfile)[]) {
+			if (newProfile.hasOwnProperty(field) && oldProfile[field] !== newProfile[field]) {
+				return true;
+			}
+		}
+		for (const arrayField of ['fields'] as (keyof MiUserProfile)[]) {
+			if (newProfile.hasOwnProperty(arrayField) !== oldProfile.hasOwnProperty(arrayField)) {
+				return true;
+			}
+
+			const oldArray = oldProfile[arrayField] ?? [];
+			const newArray = newProfile[arrayField] ?? [];
+			if (!Array.isArray(oldArray) || !Array.isArray(newArray)) {
+				return true;
+			}
+			if (oldArray.join("\0") !== newArray.join("\0")) {
+				return true;
+			}
+		}
+		return false;
+	}
 }
-- 
cgit v1.2.3-freya


From 3ea85b14a3f55d7f04b0d5c309572a83f2dea562 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Wed, 27 Nov 2024 21:01:12 +0000
Subject: silence linter

those objects always have the normal prototype, and can't have
`hasOwnProperty` redefined, let me call it normally

(otherwise I'd have to write
`Object.prototype.hasOwnProperty.call(newUser, field)` and that's
ugly)
---
 packages/backend/src/server/api/endpoints/i/update.ts | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index f0e8dfc832..0965f4bcf4 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -588,11 +588,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
 		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs'] as (keyof MiUser)[]) {
+			/* eslint-disable-next-line no-prototype-builtins */
 			if (newUser.hasOwnProperty(field) && oldUser[field] !== newUser[field]) {
 				return true;
 			}
 		}
 		for (const arrayField of ['emojis', 'tags'] as (keyof MiUser)[]) {
+			/* eslint-disable-next-line no-prototype-builtins */
 			if (newUser.hasOwnProperty(arrayField) !== oldUser.hasOwnProperty(arrayField)) {
 				return true;
 			}
@@ -611,11 +613,13 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 	private profileNeedsPublishing(oldProfile: MiUserProfile, newProfile: Partial<MiUserProfile>): boolean {
 		for (const field of ['description', 'followedMessage', 'birthday', 'location', 'listenbrainz'] as (keyof MiUserProfile)[]) {
+			/* eslint-disable-next-line no-prototype-builtins */
 			if (newProfile.hasOwnProperty(field) && oldProfile[field] !== newProfile[field]) {
 				return true;
 			}
 		}
 		for (const arrayField of ['fields'] as (keyof MiUserProfile)[]) {
+			/* eslint-disable-next-line no-prototype-builtins */
 			if (newProfile.hasOwnProperty(arrayField) !== oldProfile.hasOwnProperty(arrayField)) {
 				return true;
 			}
-- 
cgit v1.2.3-freya


From 9309872cff349060ef82cf368c81f50a0932367b Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Wed, 27 Nov 2024 21:25:54 +0000
Subject: simpler check for "property present"

---
 packages/backend/src/server/api/endpoints/i/update.ts | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 0965f4bcf4..8e61b8f784 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -588,14 +588,12 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
 		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs'] as (keyof MiUser)[]) {
-			/* eslint-disable-next-line no-prototype-builtins */
-			if (newUser.hasOwnProperty(field) && oldUser[field] !== newUser[field]) {
+			if ((field in newUser) && oldUser[field] !== newUser[field]) {
 				return true;
 			}
 		}
 		for (const arrayField of ['emojis', 'tags'] as (keyof MiUser)[]) {
-			/* eslint-disable-next-line no-prototype-builtins */
-			if (newUser.hasOwnProperty(arrayField) !== oldUser.hasOwnProperty(arrayField)) {
+			if ((arrayField in newUser) !== (arrayField in oldUser)) {
 				return true;
 			}
 
@@ -613,14 +611,12 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 	private profileNeedsPublishing(oldProfile: MiUserProfile, newProfile: Partial<MiUserProfile>): boolean {
 		for (const field of ['description', 'followedMessage', 'birthday', 'location', 'listenbrainz'] as (keyof MiUserProfile)[]) {
-			/* eslint-disable-next-line no-prototype-builtins */
-			if (newProfile.hasOwnProperty(field) && oldProfile[field] !== newProfile[field]) {
+			if ((field in newProfile) && oldProfile[field] !== newProfile[field]) {
 				return true;
 			}
 		}
 		for (const arrayField of ['fields'] as (keyof MiUserProfile)[]) {
-			/* eslint-disable-next-line no-prototype-builtins */
-			if (newProfile.hasOwnProperty(arrayField) !== oldProfile.hasOwnProperty(arrayField)) {
+			if ((arrayField in newProfile) !== (arrayField in oldProfile)) {
 				return true;
 			}
 
-- 
cgit v1.2.3-freya


From ffc2737478c6f9efd5de9fbaf526b13164727f87 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 7 Dec 2024 10:22:45 -0500
Subject: implement SkRateLimiterService with Leaky Bucket rate limiting

---
 packages/backend/eslint.config.js                  |   7 +
 packages/backend/src/core/CoreModule.ts            |   6 +
 packages/backend/src/core/EnvService.ts            |  20 +
 packages/backend/src/core/TimeService.ts           |  27 +
 packages/backend/src/server/ServerModule.ts        |   6 +-
 packages/backend/src/server/api/ApiCallService.ts  |  64 +-
 .../backend/src/server/api/RateLimiterService.ts   |  16 +-
 .../backend/src/server/api/SkRateLimiterService.ts | 279 ++++++++
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 703 +++++++++++++++++++++
 9 files changed, 1102 insertions(+), 26 deletions(-)
 create mode 100644 packages/backend/src/core/EnvService.ts
 create mode 100644 packages/backend/src/core/TimeService.ts
 create mode 100644 packages/backend/src/server/api/SkRateLimiterService.ts
 create mode 100644 packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/eslint.config.js b/packages/backend/eslint.config.js
index 452045bc3e..7ee9953478 100644
--- a/packages/backend/eslint.config.js
+++ b/packages/backend/eslint.config.js
@@ -42,6 +42,13 @@ export default [
 				name: '__filename',
 				message: 'Not in ESModule. Use `import.meta.url` instead.',
 			}],
+			// https://typescript-eslint.io/rules/prefer-nullish-coalescing/
+			'@typescript-eslint/prefer-nullish-coalescing': ['warn', {
+				ignorePrimitives: {
+					// Without this, the rule breaks for nullable booleans
+					boolean: true,
+				},
+			}],
 		},
 	},
 	{
diff --git a/packages/backend/src/core/CoreModule.ts b/packages/backend/src/core/CoreModule.ts
index c083068392..b18db7f366 100644
--- a/packages/backend/src/core/CoreModule.ts
+++ b/packages/backend/src/core/CoreModule.ts
@@ -14,6 +14,8 @@ import { AbuseReportNotificationService } from '@/core/AbuseReportNotificationSe
 import { SystemWebhookService } from '@/core/SystemWebhookService.js';
 import { UserSearchService } from '@/core/UserSearchService.js';
 import { WebhookTestService } from '@/core/WebhookTestService.js';
+import { TimeService } from '@/core/TimeService.js';
+import { EnvService } from '@/core/EnvService.js';
 import { AccountMoveService } from './AccountMoveService.js';
 import { AccountUpdateService } from './AccountUpdateService.js';
 import { AnnouncementService } from './AnnouncementService.js';
@@ -381,6 +383,8 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
+		TimeService,
+		EnvService,
 
 		ChartLoggerService,
 		FederationChart,
@@ -680,6 +684,8 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
+		TimeService,
+		EnvService,
 
 		FederationChart,
 		NotesChart,
diff --git a/packages/backend/src/core/EnvService.ts b/packages/backend/src/core/EnvService.ts
new file mode 100644
index 0000000000..8cc3b95735
--- /dev/null
+++ b/packages/backend/src/core/EnvService.ts
@@ -0,0 +1,20 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Injectable } from '@nestjs/common';
+
+/**
+ * Provides access to the process environment variables.
+ * This exists for testing purposes, so that a test can mock the environment without corrupting state for other tests.
+ */
+@Injectable()
+export class EnvService {
+	/**
+	 * Passthrough to process.env
+	 */
+	public get env() {
+		return process.env;
+	}
+}
diff --git a/packages/backend/src/core/TimeService.ts b/packages/backend/src/core/TimeService.ts
new file mode 100644
index 0000000000..59c3d4c12b
--- /dev/null
+++ b/packages/backend/src/core/TimeService.ts
@@ -0,0 +1,27 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Injectable } from '@nestjs/common';
+
+/**
+ * Provides abstractions to access the current time.
+ * Exists for unit testing purposes, so that tests can "simulate" any given time for consistency.
+ */
+@Injectable()
+export class TimeService {
+	/**
+	 * Returns Date.now()
+	 */
+	public get now() {
+		return Date.now();
+	}
+
+	/**
+	 * Returns a new Date instance.
+	 */
+	public get date() {
+		return new Date();
+	}
+}
diff --git a/packages/backend/src/server/ServerModule.ts b/packages/backend/src/server/ServerModule.ts
index 216e6b4fb8..890447a47f 100644
--- a/packages/backend/src/server/ServerModule.ts
+++ b/packages/backend/src/server/ServerModule.ts
@@ -6,6 +6,7 @@
 import { Module } from '@nestjs/common';
 import { EndpointsModule } from '@/server/api/EndpointsModule.js';
 import { CoreModule } from '@/core/CoreModule.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { ApiCallService } from './api/ApiCallService.js';
 import { FileServerService } from './FileServerService.js';
 import { HealthServerService } from './HealthServerService.js';
@@ -73,7 +74,10 @@ import { SigninWithPasskeyApiService } from './api/SigninWithPasskeyApiService.j
 		ApiLoggerService,
 		ApiServerService,
 		AuthenticateService,
-		RateLimiterService,
+		{
+			provide: RateLimiterService,
+			useClass: SkRateLimiterService,
+		},
 		SigninApiService,
 		SigninWithPasskeyApiService,
 		SigninService,
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 6f51825494..14367e02bb 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -8,6 +8,7 @@ import * as fs from 'node:fs';
 import * as stream from 'node:stream/promises';
 import { Inject, Injectable } from '@nestjs/common';
 import * as Sentry from '@sentry/node';
+import { LimiterInfo } from 'ratelimiter';
 import { DI } from '@/di-symbols.js';
 import { getIpHash } from '@/misc/get-ip-hash.js';
 import type { MiLocalUser, MiUser } from '@/models/User.js';
@@ -18,6 +19,7 @@ import { createTemp } from '@/misc/create-temp.js';
 import { bindThis } from '@/decorators.js';
 import { RoleService } from '@/core/RoleService.js';
 import type { Config } from '@/config.js';
+import { isLimitInfo } from '@/server/api/SkRateLimiterService.js';
 import { ApiError } from './error.js';
 import { RateLimiterService } from './RateLimiterService.js';
 import { ApiLoggerService } from './ApiLoggerService.js';
@@ -68,12 +70,17 @@ export class ApiCallService implements OnApplicationShutdown {
 		} else if (err.code === 'RATE_LIMIT_EXCEEDED') {
 			const info: unknown = err.info;
 			const unixEpochInSeconds = Date.now();
-			if (typeof(info) === 'object' && info && 'resetMs' in info && typeof(info.resetMs) === 'number') {
+			if (isLimitInfo(info)) {
+				// Number of seconds to wait before trying again. Left for backwards compatibility.
+				reply.header('Retry-After', info.resetSec.toString());
+				// Number of milliseconds to wait before trying again.
+				reply.header('X-RateLimit-Reset', info.resetMs.toString());
+			} else if (typeof(info) === 'object' && info && 'resetMs' in info && typeof(info.resetMs) === 'number') {
 				const cooldownInSeconds = Math.ceil((info.resetMs - unixEpochInSeconds) / 1000);
 				// もしかするとマイナスになる可能性がなくはないのでマイナスだったら0にしておく
 				reply.header('Retry-After', Math.max(cooldownInSeconds, 0).toString(10));
 			} else {
-				this.logger.warn(`rate limit information has unexpected type ${typeof(err.info?.reset)}`);
+				this.logger.warn(`rate limit information has unexpected type: ${JSON.stringify(info)}`);
 			}
 		} else if (err.kind === 'client') {
 			reply.header('WWW-Authenticate', `Bearer realm="Misskey", error="invalid_request", error_description="${err.message}"`);
@@ -168,7 +175,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			return;
 		}
 		this.authenticateService.authenticate(token).then(([user, app]) => {
-			this.call(endpoint, user, app, body, null, request).then((res) => {
+			this.call(endpoint, user, app, body, null, request, reply).then((res) => {
 				if (request.method === 'GET' && endpoint.meta.cacheSec && !token && !user) {
 					reply.header('Cache-Control', `public, max-age=${endpoint.meta.cacheSec}`);
 				}
@@ -229,7 +236,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			this.call(endpoint, user, app, fields, {
 				name: multipartData.filename,
 				path: path,
-			}, request).then((res) => {
+			}, request, reply).then((res) => {
 				this.send(reply, res);
 			}).catch((err: ApiError) => {
 				this.#sendApiError(reply, err);
@@ -304,6 +311,7 @@ export class ApiCallService implements OnApplicationShutdown {
 			path: string;
 		} | null,
 		request: FastifyRequest<{ Body: Record<string, unknown> | undefined, Querystring: Record<string, unknown> }>,
+		reply: FastifyReply,
 	) {
 		const isSecure = user != null && token == null;
 
@@ -339,19 +347,41 @@ export class ApiCallService implements OnApplicationShutdown {
 
 			if (factor > 0) {
 				// Rate limit
-				await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor).catch(err => {
-					if ('info' in err) {
-						// errはLimiter.LimiterInfoであることが期待される
-						throw new ApiError({
-							message: 'Rate limit exceeded. Please try again later.',
-							code: 'RATE_LIMIT_EXCEEDED',
-							id: 'd5826d14-3982-4d2e-8011-b9e9f02499ef',
-							httpStatusCode: 429,
-						}, err.info);
-					} else {
-						throw new TypeError('information must be a rate-limiter information.');
-					}
-				});
+				const info = await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor)
+					.then(info => {
+						// We always want these headers, because clients need them for pacing.
+						// Conditional check in case we somehow revert to the old limiter, which does not return info.
+						if (info) {
+							// Number of seconds until the limit has fully reset.
+							reply.header('X-RateLimit-Clear', info.fullResetSec.toString());
+							// Number of calls that can be made before being limited.
+							reply.header('X-RateLimit-Remaining', info.remaining.toString());
+
+							// Only forward the info object if it's blocked, otherwise we'll reject *all* requests
+							if (info.blocked) {
+								return info;
+							}
+						}
+
+						return undefined;
+					})
+					.catch(err => {
+						// The old limiter throws info instead of returning it.
+						if ('info' in err) {
+							return err.info as LimiterInfo;
+						} else {
+							throw err;
+						}
+					});
+
+				if (info) {
+					throw new ApiError({
+						message: 'Rate limit exceeded. Please try again later.',
+						code: 'RATE_LIMIT_EXCEEDED',
+						id: 'd5826d14-3982-4d2e-8011-b9e9f02499ef',
+						httpStatusCode: 429,
+					}, info);
+				}
 			}
 		}
 
diff --git a/packages/backend/src/server/api/RateLimiterService.ts b/packages/backend/src/server/api/RateLimiterService.ts
index e9afb9d05a..33db016a7c 100644
--- a/packages/backend/src/server/api/RateLimiterService.ts
+++ b/packages/backend/src/server/api/RateLimiterService.ts
@@ -10,28 +10,28 @@ import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
+import type { LimitInfo } from '@/server/api/SkRateLimiterService.js';
+import { EnvService } from '@/core/EnvService.js';
 import type { IEndpointMeta } from './endpoints.js';
 
 @Injectable()
 export class RateLimiterService {
-	private logger: Logger;
-	private disabled = false;
+	protected readonly logger: Logger;
+	protected readonly disabled: boolean;
 
 	constructor(
 		@Inject(DI.redis)
-		private redisClient: Redis.Redis,
+		protected readonly redisClient: Redis.Redis,
 
 		private loggerService: LoggerService,
+		envService: EnvService,
 	) {
 		this.logger = this.loggerService.getLogger('limiter');
-
-		if (process.env.NODE_ENV !== 'production') {
-			this.disabled = true;
-		}
+		this.disabled = envService.env.NODE_ENV !== 'production';
 	}
 
 	@bindThis
-	public limit(limitation: IEndpointMeta['limit'] & { key: NonNullable<string> }, actor: string, factor = 1) {
+	public limit(limitation: IEndpointMeta['limit'] & { key: NonNullable<string> }, actor: string, factor = 1): Promise<LimitInfo | void> {
 		return new Promise<void>((ok, reject) => {
 			if (this.disabled) ok();
 
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
new file mode 100644
index 0000000000..c44accdb09
--- /dev/null
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -0,0 +1,279 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Injectable } from '@nestjs/common';
+import Redis from 'ioredis';
+import type { IEndpointMeta } from '@/server/api/endpoints.js';
+import { LoggerService } from '@/core/LoggerService.js';
+import { TimeService } from '@/core/TimeService.js';
+import { EnvService } from '@/core/EnvService.js';
+import { RateLimiterService } from './RateLimiterService.js';
+
+/**
+ * Metadata about the current status of a rate limiter
+ */
+export interface LimitInfo {
+	/**
+	 * True if the limit has been reached, and the call should be blocked.
+	 */
+	blocked: boolean;
+
+	/**
+	 * Number of calls that can be made before the limit is triggered.
+	 */
+	remaining: number;
+
+	/**
+	 * Time in seconds until the next call can be made, or zero if the next call can be made immediately.
+	 * Rounded up to the nearest second.
+	 */
+	resetSec: number;
+
+	/**
+	 * Time in milliseconds until the next call can be made, or zero if the next call can be made immediately.
+	 * Rounded up to the nearest milliseconds.
+	 */
+	resetMs: number;
+
+	/**
+	 * Time in seconds until the limit has fully reset.
+	 * Rounded up to the nearest second.
+	 */
+	fullResetSec: number;
+
+	/**
+	 * Time in milliseconds until the limit has fully reset.
+	 * Rounded up to the nearest millisecond.
+	 */
+	fullResetMs: number;
+}
+
+export function isLimitInfo(info: unknown): info is LimitInfo {
+	if (info == null) return false;
+	if (typeof(info) !== 'object') return false;
+	if (!('blocked' in info) || typeof(info.blocked) !== 'boolean') return false;
+	if (!('remaining' in info) || typeof(info.remaining) !== 'number') return false;
+	if (!('resetSec' in info) || typeof(info.resetSec) !== 'number') return false;
+	if (!('resetMs' in info) || typeof(info.resetMs) !== 'number') return false;
+	if (!('fullResetSec' in info) || typeof(info.fullResetSec) !== 'number') return false;
+	if (!('fullResetMs' in info) || typeof(info.fullResetMs) !== 'number') return false;
+	return true;
+}
+
+/**
+ * Rate limit based on "leaky bucket" logic.
+ * The bucket count increases with each call, and decreases gradually at a given rate.
+ * The subject is blocked until the bucket count drops below the limit.
+ */
+export interface RateLimit {
+	/**
+	 * Unique key identifying the particular resource (or resource group) being limited.
+	 */
+	key: string;
+
+	/**
+	 * Constant value identifying the type of rate limit.
+	 */
+	type: 'bucket';
+
+	/**
+	 * Size of the bucket, in number of requests.
+	 * The subject will be blocked when the number of calls exceeds this size.
+	 */
+	size: number;
+
+	/**
+	 * How often the bucket should "drip" and reduce the counter, measured in milliseconds.
+	 * Defaults to 1000 (1 second).
+	 */
+	dripRate?: number;
+
+	/**
+	 * Amount to reduce the counter on each drip.
+	 * Defaults to 1.
+	 */
+	dripSize?: number;
+}
+
+export type SupportedRateLimit = RateLimit | LegacyRateLimit;
+export type LegacyRateLimit = IEndpointMeta['limit'] & { key: NonNullable<string>, type: undefined | 'legacy' };
+
+export function isLegacyRateLimit(limit: SupportedRateLimit): limit is LegacyRateLimit {
+	return limit.type === undefined || limit.type === 'legacy';
+}
+
+export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit & { minInterval: number } {
+	return !!limit.minInterval;
+}
+
+@Injectable()
+export class SkRateLimiterService extends RateLimiterService {
+	constructor(
+		private readonly timeService: TimeService,
+		redisClient: Redis.Redis,
+		loggerService: LoggerService,
+		envService: EnvService,
+	) {
+		super(redisClient, loggerService, envService);
+	}
+
+	public async limit(limit: SupportedRateLimit, actor: string, factor = 1): Promise<LimitInfo> {
+		if (this.disabled) {
+			return {
+				blocked: false,
+				remaining: Number.MAX_SAFE_INTEGER,
+				resetSec: 0,
+				resetMs: 0,
+				fullResetSec: 0,
+				fullResetMs: 0,
+			};
+		}
+
+		if (isLegacyRateLimit(limit)) {
+			return await this.limitLegacy(limit, actor, factor);
+		} else {
+			return await this.limitBucket(limit, actor, factor);
+		}
+	}
+
+	private async limitLegacy(limit: LegacyRateLimit, actor: string, factor: number): Promise<LimitInfo> {
+		const promises: Promise<LimitInfo | null>[] = [];
+
+		// The "min" limit - if present - is handled directly.
+		if (hasMinLimit(limit)) {
+			promises.push(
+				this.limitMin(limit, actor, factor),
+			);
+		}
+
+		// Convert the "max" limit into a leaky bucket with 1 drip / second rate.
+		if (limit.max && limit.duration) {
+			promises.push(
+				this.limitBucket({
+					type: 'bucket',
+					key: limit.key,
+					size: limit.max,
+					dripRate: Math.round(limit.duration / limit.max),
+				}, actor, factor),
+			);
+		}
+
+		const [lim1, lim2] = await Promise.all(promises);
+		return {
+			blocked: (lim1?.blocked || lim2?.blocked) ?? false,
+			remaining: Math.min(lim1?.remaining ?? 1, lim2?.remaining ?? 1),
+			resetSec: Math.max(lim1?.resetSec ?? 0, lim2?.resetSec ?? 0),
+			resetMs: Math.max(lim1?.resetMs ?? 0, lim2?.resetMs ?? 0),
+			fullResetSec: Math.max(lim1?.fullResetSec ?? 0, lim2?.fullResetSec ?? 0),
+			fullResetMs: Math.max(lim1?.fullResetMs ?? 0, lim2?.fullResetMs ?? 0),
+		};
+	}
+
+	private async limitMin(limit: LegacyRateLimit & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
+		const counter = await this.getLimitCounter(limit, actor, 'min');
+		const maxCalls = Math.max(Math.ceil(factor), 1);
+
+		// Update expiration
+		if (counter.c >= maxCalls) {
+			const isCleared = this.timeService.now - counter.t >= limit.minInterval;
+			if (isCleared) {
+				counter.c = 0;
+			}
+		}
+
+		const blocked = counter.c >= maxCalls;
+		if (!blocked) {
+			counter.c++;
+			counter.t = this.timeService.now;
+		}
+
+		// Calculate limit status
+		const remaining = Math.max(maxCalls - counter.c, 0);
+		const fullResetMs = Math.max(Math.ceil(limit.minInterval - (this.timeService.now - counter.t)), 0);
+		const fullResetSec = Math.ceil(fullResetMs / 1000);
+		const resetMs = remaining < 1 ? fullResetMs : 0;
+		const resetSec = remaining < 1 ? fullResetSec : 0;
+		const limitInfo: LimitInfo = { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs,
+		};
+
+		// Update the limit counter, but not if blocked
+		if (!blocked) {
+			// Don't await, or we will slow down the API.
+			this.setLimitCounter(limit, actor, counter, resetMs, 'min')
+				.catch(err => this.logger.error(`Failed to update limit ${limit.key}:min for ${actor}:`, err));
+		}
+
+		return limitInfo;
+	}
+
+	private async limitBucket(limit: RateLimit, actor: string, factor: number): Promise<LimitInfo> {
+		const counter = await this.getLimitCounter(limit, actor);
+		const dripRate = (limit.dripRate ?? 1000);
+		const dripSize = (limit.dripSize ?? 1);
+		const bucketSize = (limit.size * factor);
+
+		// Update drips
+		if (counter.c > 0) {
+			const dripsSinceLastTick = Math.floor((this.timeService.now - counter.t) / dripRate) * dripSize;
+			counter.c = Math.max(counter.c - dripsSinceLastTick, 0);
+		}
+
+		const blocked = counter.c >= bucketSize;
+		if (!blocked) {
+			counter.c++;
+			counter.t = this.timeService.now;
+		}
+
+		// Calculate limit status
+		const remaining = Math.max(bucketSize - counter.c, 0);
+		const resetMs = remaining > 0 ? 0 : Math.max(dripRate - (this.timeService.now - counter.t), 0);
+		const resetSec = Math.ceil(resetMs / 1000);
+		const fullResetMs = Math.ceil(counter.c / dripSize) * dripRate;
+		const fullResetSec = Math.ceil(fullResetMs / 1000);
+		const limitInfo: LimitInfo = { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs };
+
+		// Update the limit counter, but not if blocked
+		if (!blocked) {
+			// Don't await, or we will slow down the API.
+			this.setLimitCounter(limit, actor, counter, fullResetMs)
+				.catch(err => this.logger.error(`Failed to update limit ${limit.key} for ${actor}:`, err));
+		}
+
+		return limitInfo;
+	}
+
+	private async getLimitCounter(limit: SupportedRateLimit, actor: string, subject?: string): Promise<LimitCounter> {
+		const key = createLimitKey(limit, actor, subject);
+
+		const value = await this.redisClient.get(key);
+		if (value == null) {
+			return { t: 0, c: 0 };
+		}
+
+		return JSON.parse(value);
+	}
+
+	private async setLimitCounter(limit: SupportedRateLimit, actor: string, counter: LimitCounter, expirationMs: number, subject?: string): Promise<void> {
+		const key = createLimitKey(limit, actor, subject);
+		const value = JSON.stringify(counter);
+		await this.redisClient.set(key, value, 'PX', expirationMs);
+	}
+}
+
+function createLimitKey(limit: SupportedRateLimit, actor: string, subject?: string): string {
+	if (subject) {
+		return `rl_${actor}_${limit.key}_${subject}`;
+	} else {
+		return `rl_${actor}_${limit.key}`;
+	}
+}
+
+export interface LimitCounter {
+	/** Timestamp */
+	t: number;
+
+	/** Counter */
+	c: number;
+}
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
new file mode 100644
index 0000000000..8554aa39ef
--- /dev/null
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -0,0 +1,703 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { KEYWORD } from 'color-convert/conversions.js';
+import type Redis from 'ioredis';
+import { LegacyRateLimit, LimitCounter, RateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { LoggerService } from '@/core/LoggerService.js';
+
+/* eslint-disable @typescript-eslint/no-non-null-assertion */
+/* eslint-disable @typescript-eslint/no-unnecessary-condition */
+
+describe(SkRateLimiterService, () => {
+	let mockTimeService: { now: number, date: Date } = null!;
+	let mockRedisGet: ((key: string) => string | null) | undefined = undefined;
+	let mockRedisSet: ((args: unknown[]) => void) | undefined = undefined;
+	let mockEnvironment: Record<string, string | undefined> = null!;
+	let serviceUnderTest: () => SkRateLimiterService = null!;
+
+	let loggedMessages: { level: string, data: unknown[] }[] = [];
+
+	beforeEach(() => {
+		mockTimeService = {
+			now: 0,
+			get date() {
+				return new Date(mockTimeService.now);
+			},
+		};
+
+		mockRedisGet = undefined;
+		mockRedisSet = undefined;
+		const mockRedisClient = {
+			get(key: string) {
+				if (mockRedisGet) return Promise.resolve(mockRedisGet(key));
+				else return Promise.resolve(null);
+			},
+			set(...args: unknown[]): Promise<void> {
+				if (mockRedisSet) mockRedisSet(args);
+				return Promise.resolve();
+			},
+		} as unknown as Redis.Redis;
+
+		mockEnvironment = Object.create(process.env);
+		mockEnvironment.NODE_ENV = 'production';
+		const mockEnvService = {
+			env: mockEnvironment,
+		};
+
+		loggedMessages = [];
+		const mockLogService = {
+			getLogger() {
+				return {
+					createSubLogger(context: string, color?: KEYWORD) {
+						return mockLogService.getLogger(context, color);
+					},
+					error(...data: unknown[]) {
+						loggedMessages.push({ level: 'error', data });
+					},
+					warn(...data: unknown[]) {
+						loggedMessages.push({ level: 'warn', data });
+					},
+					succ(...data: unknown[]) {
+						loggedMessages.push({ level: 'succ', data });
+					},
+					debug(...data: unknown[]) {
+						loggedMessages.push({ level: 'debug', data });
+					},
+					info(...data: unknown[]) {
+						loggedMessages.push({ level: 'info', data });
+					},
+				};
+			},
+		} as unknown as LoggerService;
+
+		let service: SkRateLimiterService | undefined = undefined;
+		serviceUnderTest = () => {
+			return service ??= new SkRateLimiterService(mockTimeService, mockRedisClient, mockLogService, mockEnvService);
+		};
+	});
+
+	function expectNoUnhandledErrors() {
+		const unhandledErrors = loggedMessages.filter(m => m.level === 'error');
+		if (unhandledErrors.length > 0) {
+			throw new Error(`Test failed: got unhandled errors ${unhandledErrors.join('\n')}`);
+		}
+	}
+
+	describe('limit', () => {
+		const actor = 'actor';
+		const key = 'test';
+
+		let counter: LimitCounter | undefined = undefined;
+		let minCounter: LimitCounter | undefined = undefined;
+
+		beforeEach(() => {
+			counter = undefined;
+			minCounter = undefined;
+
+			mockRedisGet = (key: string) => {
+				if (key === 'rl_actor_test' && counter) {
+					return JSON.stringify(counter);
+				}
+
+				if (key === 'rl_actor_test_min' && minCounter) {
+					return JSON.stringify(minCounter);
+				}
+
+				return null;
+			};
+
+			mockRedisSet = (args: unknown[]) => {
+				const [key, value] = args;
+
+				if (key === 'rl_actor_test') {
+					if (value == null) counter = undefined;
+					else if (typeof(value) === 'string') counter = JSON.parse(value);
+					else throw new Error('invalid redis call');
+				}
+
+				if (key === 'rl_actor_test_min') {
+					if (value == null) minCounter = undefined;
+					else if (typeof(value) === 'string') minCounter = JSON.parse(value);
+					else throw new Error('invalid redis call');
+				}
+			};
+		});
+
+		it('should bypass in non-production', async () => {
+			mockEnvironment.NODE_ENV = 'test';
+
+			const info = await serviceUnderTest().limit({ key: 'l', type: undefined, max: 0 }, 'actor');
+
+			expect(info.blocked).toBeFalsy();
+			expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
+			expect(info.resetSec).toBe(0);
+			expect(info.resetMs).toBe(0);
+			expect(info.fullResetSec).toBe(0);
+			expect(info.fullResetMs).toBe(0);
+		});
+
+		describe('with bucket limit', () => {
+			let limit: RateLimit = null!;
+
+			beforeEach(() => {
+				limit = {
+					type: 'bucket',
+					key: 'test',
+					size: 1,
+				};
+			});
+
+			it('should allow when limit is not reached', async () => {
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should not error when allowed', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expectNoUnhandledErrors();
+			});
+
+			it('should return correct info when allowed', async () => {
+				limit.size = 2;
+				counter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(2);
+				expect(info.fullResetMs).toBe(2000);
+			});
+
+			it('should increment counter when called', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter).not.toBeUndefined();
+				expect(counter?.c).toBe(1);
+			});
+
+			it('should set timestamp when called', async () => {
+				mockTimeService.now = 1000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter).not.toBeUndefined();
+				expect(counter?.t).toBe(1000);
+			});
+
+			it('should decrement counter when dripRate has passed', async () => {
+				counter = { c: 2, t: 0 };
+				mockTimeService.now = 2000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter).not.toBeUndefined();
+				expect(counter?.c).toBe(1); // 2 (starting) - 2 (2x1 drip) + 1 (call) = 1
+			});
+
+			it('should decrement counter by dripSize', async () => {
+				counter = { c: 2, t: 0 };
+				limit.dripSize = 2;
+				mockTimeService.now = 1000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter).not.toBeUndefined();
+				expect(counter?.c).toBe(1); // 2 (starting) - 2 (1x2 drip) + 1 (call) = 1
+			});
+
+			it('should maintain counter between calls over time', async () => {
+				limit.size = 5;
+
+				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+				mockTimeService.now += 1000; // 1 - 1 = 0
+				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+				await serviceUnderTest().limit(limit, actor); // 1 + 1 = 2
+				await serviceUnderTest().limit(limit, actor); // 2 + 1 = 3
+				mockTimeService.now += 1000; // 3 - 1 = 2
+				mockTimeService.now += 1000; // 2 - 1 = 1
+				await serviceUnderTest().limit(limit, actor); // 1 + 1 = 2
+
+				expect(counter?.c).toBe(2);
+				expect(counter?.t).toBe(3000);
+			});
+
+			it('should log error and continue when update fails', async () => {
+				mockRedisSet = () => {
+					throw new Error('test error');
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+
+				const matchingError = loggedMessages
+					.find(m => m.level === 'error' && m.data
+						.some(d => typeof(d) === 'string' && d.includes('Failed to update limit')));
+				expect(matchingError).toBeTruthy();
+			});
+
+			it('should block when bucket is filled', async () => {
+				counter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should calculate correct info when blocked', async () => {
+				counter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(1);
+				expect(info.fullResetMs).toBe(1000);
+			});
+
+			it('should allow when bucket is filled but should drip', async () => {
+				counter = { c: 1, t: 0 };
+				mockTimeService.now = 1000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should scale limit by factor', async () => {
+				counter = { c: 1, t: 0 };
+
+				const i1 = await serviceUnderTest().limit(limit, actor, 2); // 1 + 1 = 2
+				const i2 = await serviceUnderTest().limit(limit, actor, 2); // 2 + 1 = 3
+
+				expect(i1.blocked).toBeFalsy();
+				expect(i2.blocked).toBeTruthy();
+			});
+
+			it('should set key expiration', async () => {
+				mockRedisSet = args => {
+					expect(args[2]).toBe('PX');
+					expect(args[3]).toBe(1000);
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+			});
+
+			it('should not increment when already blocked', async () => {
+				counter = { c: 1, t: 0 };
+				mockTimeService.now += 100;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter?.c).toBe(1);
+				expect(counter?.t).toBe(0);
+			});
+		});
+
+		describe('with min interval', () => {
+			let limit: MutableLegacyRateLimit = null!;
+
+			beforeEach(() => {
+				limit = {
+					type: undefined,
+					key,
+					minInterval: 1000,
+				};
+			});
+
+			it('should allow when limit is not reached', async () => {
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should not error when allowed', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expectNoUnhandledErrors();
+			});
+
+			it('should calculate correct info when allowed', async () => {
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(1);
+				expect(info.fullResetMs).toBe(1000);
+			});
+
+			it('should increment counter when called', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(minCounter).not.toBeUndefined();
+				expect(minCounter?.c).toBe(1);
+			});
+
+			it('should set timestamp when called', async () => {
+				mockTimeService.now = 1000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(minCounter).not.toBeUndefined();
+				expect(minCounter?.t).toBe(1000);
+			});
+
+			it('should decrement counter when minInterval has passed', async () => {
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now = 1000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(minCounter).not.toBeUndefined();
+				expect(minCounter?.c).toBe(1); // 1 (starting) - 1 (interval) + 1 (call) = 1
+			});
+
+			it('should reset counter entirely', async () => {
+				minCounter = { c: 2, t: 0 };
+				mockTimeService.now = 1000;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(minCounter).not.toBeUndefined();
+				expect(minCounter?.c).toBe(1); // 2 (starting) - 2 (interval) + 1 (call) = 1
+			});
+
+			it('should maintain counter between calls over time', async () => {
+				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+				mockTimeService.now += 1000; // 1 - 1 = 0
+				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+				await serviceUnderTest().limit(limit, actor); // blocked
+				await serviceUnderTest().limit(limit, actor); // blocked
+				mockTimeService.now += 1000; // 1 - 1 = 0
+				mockTimeService.now += 1000; // 0 - 1 = 0
+				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+
+				expect(minCounter?.c).toBe(1);
+				expect(minCounter?.t).toBe(3000);
+			});
+
+			it('should log error and continue when update fails', async () => {
+				mockRedisSet = () => {
+					throw new Error('test error');
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+
+				const matchingError = loggedMessages
+					.find(m => m.level === 'error' && m.data
+						.some(d => typeof(d) === 'string' && d.includes('Failed to update limit')));
+				expect(matchingError).toBeTruthy();
+			});
+
+			it('should block when interval exceeded', async () => {
+				minCounter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should calculate correct info when blocked', async () => {
+				minCounter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(1);
+				expect(info.fullResetMs).toBe(1000);
+			});
+
+			it('should allow when bucket is filled but interval has passed', async () => {
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now = 1000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should scale limit by factor', async () => {
+				minCounter = { c: 1, t: 0 };
+
+				const i1 = await serviceUnderTest().limit(limit, actor, 2); // 1 + 1 = 2
+				const i2 = await serviceUnderTest().limit(limit, actor, 2); // 2 + 1 = 3
+
+				expect(i1.blocked).toBeFalsy();
+				expect(i2.blocked).toBeTruthy();
+			});
+
+			it('should set key expiration', async () => {
+				mockRedisSet = args => {
+					expect(args[2]).toBe('PX');
+					expect(args[3]).toBe(1000);
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+			});
+
+			it('should not increment when already blocked', async () => {
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now += 100;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(minCounter?.c).toBe(1);
+				expect(minCounter?.t).toBe(0);
+			});
+		});
+
+		describe('with legacy limit', () => {
+			let limit: MutableLegacyRateLimit = null!;
+
+			beforeEach(() => {
+				limit = {
+					type: undefined,
+					key,
+					max: 1,
+					duration: 1000,
+				};
+			});
+
+			it('should allow when limit is not reached', async () => {
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should not error when allowed', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expectNoUnhandledErrors();
+			});
+
+			it('should infer dripRate from duration', async () => {
+				limit.max = 10;
+				limit.duration = 10000;
+				counter = { c: 10, t: 0 };
+
+				const i1 = await serviceUnderTest().limit(limit, actor);
+				mockTimeService.now += 1000;
+				const i2 = await serviceUnderTest().limit(limit, actor);
+				mockTimeService.now += 2000;
+				const i3 = await serviceUnderTest().limit(limit, actor);
+				const i4 = await serviceUnderTest().limit(limit, actor);
+				const i5 = await serviceUnderTest().limit(limit, actor);
+				mockTimeService.now += 2000;
+				const i6 = await serviceUnderTest().limit(limit, actor);
+
+				expect(i1.blocked).toBeTruthy();
+				expect(i2.blocked).toBeFalsy();
+				expect(i3.blocked).toBeFalsy();
+				expect(i4.blocked).toBeFalsy();
+				expect(i5.blocked).toBeTruthy();
+				expect(i6.blocked).toBeFalsy();
+			});
+
+			it('should calculate correct info when allowed', async () => {
+				limit.max = 10;
+				limit.duration = 10000;
+				counter = { c: 10, t: 0 };
+				mockTimeService.now += 2000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(1);
+				expect(info.resetSec).toBe(0);
+				expect(info.resetMs).toBe(0);
+				expect(info.fullResetSec).toBe(9);
+				expect(info.fullResetMs).toBe(9000);
+			});
+
+			it('should calculate correct info when blocked', async () => {
+				limit.max = 10;
+				limit.duration = 10000;
+				counter = { c: 10, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(10);
+				expect(info.fullResetMs).toBe(10000);
+			});
+
+			it('should allow when bucket is filled but interval has passed', async () => {
+				counter = { c: 10, t: 0 };
+				mockTimeService.now = 1000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should scale limit by factor', async () => {
+				counter = { c: 10, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor, 2); // 10 + 1 = 11
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should set key expiration', async () => {
+				mockRedisSet = args => {
+					expect(args[2]).toBe('PX');
+					expect(args[3]).toBe(1000);
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+			});
+
+			it('should not increment when already blocked', async () => {
+				counter = { c: 1, t: 0 };
+				mockTimeService.now += 100;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter?.c).toBe(1);
+				expect(counter?.t).toBe(0);
+			});
+		});
+
+		describe('with legacy limit and min interval', () => {
+			let limit: MutableLegacyRateLimit = null!;
+
+			beforeEach(() => {
+				limit = {
+					type: undefined,
+					key,
+					max: 5,
+					duration: 5000,
+					minInterval: 1000,
+				};
+			});
+
+			it('should allow when limit is not reached', async () => {
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should not error when allowed', async () => {
+				await serviceUnderTest().limit(limit, actor);
+
+				expectNoUnhandledErrors();
+			});
+
+			it('should block when limit exceeded', async () => {
+				counter = { c: 5, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should block when minInterval exceeded', async () => {
+				minCounter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should calculate correct info when allowed', async () => {
+				counter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(2);
+				expect(info.fullResetMs).toBe(2000);
+			});
+
+			it('should calculate correct info when blocked by limit', async () => {
+				counter = { c: 5, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(5);
+				expect(info.fullResetMs).toBe(5000);
+			});
+
+			it('should calculate correct info when blocked by minInterval', async () => {
+				minCounter = { c: 1, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.remaining).toBe(0);
+				expect(info.resetSec).toBe(1);
+				expect(info.resetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(1);
+				expect(info.fullResetMs).toBe(1000);
+			});
+
+			it('should allow when counter is filled but interval has passed', async () => {
+				counter = { c: 5, t: 0 };
+				mockTimeService.now = 1000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should allow when minCounter is filled but interval has passed', async () => {
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now = 1000;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+			});
+
+			it('should scale limit by factor', async () => {
+				minCounter = { c: 5, t: 0 };
+
+				const info = await serviceUnderTest().limit(limit, actor, 2);
+
+				expect(info.blocked).toBeTruthy();
+			});
+
+			it('should set key expiration', async () => {
+				mockRedisSet = args => {
+					expect(args[2]).toBe('PX');
+					expect(args[3]).toBe(1000);
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+			});
+
+			it('should not increment when already blocked', async () => {
+				counter = { c: 5, t: 0 };
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now += 100;
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(counter?.c).toBe(5);
+				expect(counter?.t).toBe(0);
+				expect(minCounter?.c).toBe(1);
+				expect(minCounter?.t).toBe(0);
+			});
+		});
+	});
+});
+
+// The same thing, but mutable
+interface MutableLegacyRateLimit extends LegacyRateLimit {
+	key: string;
+	duration?: number;
+	max?: number;
+	minInterval?: number;
+}
-- 
cgit v1.2.3-freya


From 7698db88e519ccc9a96f16eeafa0a4b7200cc7d0 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 7 Dec 2024 11:05:26 -0500
Subject: fix DI in SkRateLimiterService

---
 packages/backend/src/server/api/SkRateLimiterService.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index c44accdb09..5d865a3c07 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -3,12 +3,13 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable } from '@nestjs/common';
 import Redis from 'ioredis';
 import type { IEndpointMeta } from '@/server/api/endpoints.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
+import { DI } from '@/di-symbols.js';
 import { RateLimiterService } from './RateLimiterService.js';
 
 /**
@@ -111,9 +112,16 @@ export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit &
 @Injectable()
 export class SkRateLimiterService extends RateLimiterService {
 	constructor(
+		@Inject(TimeService)
 		private readonly timeService: TimeService,
+
+		@Inject(DI.redis)
 		redisClient: Redis.Redis,
+
+		@Inject(LoggerService)
 		loggerService: LoggerService,
+
+		@Inject(EnvService)
 		envService: EnvService,
 	) {
 		super(redisClient, loggerService, envService);
-- 
cgit v1.2.3-freya


From 8239ce42827cf17eb4bb0d32dc5011ae3b758df2 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 7 Dec 2024 12:14:42 -0500
Subject: fix incorrect X-RateLimit-Remaining header

---
 packages/backend/src/server/api/SkRateLimiterService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 5d865a3c07..3e4b125e79 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -171,7 +171,7 @@ export class SkRateLimiterService extends RateLimiterService {
 		const [lim1, lim2] = await Promise.all(promises);
 		return {
 			blocked: (lim1?.blocked || lim2?.blocked) ?? false,
-			remaining: Math.min(lim1?.remaining ?? 1, lim2?.remaining ?? 1),
+			remaining: Math.min(lim1?.remaining ?? Number.MAX_SAFE_INTEGER, lim2?.remaining ?? Number.MAX_SAFE_INTEGER),
 			resetSec: Math.max(lim1?.resetSec ?? 0, lim2?.resetSec ?? 0),
 			resetMs: Math.max(lim1?.resetMs ?? 0, lim2?.resetMs ?? 0),
 			fullResetSec: Math.max(lim1?.fullResetSec ?? 0, lim2?.fullResetSec ?? 0),
-- 
cgit v1.2.3-freya


From 32635ecc25d328314988db3c3f91e3d1c7d9d6c2 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 7 Dec 2024 12:15:38 -0500
Subject: fix rate limit storage in redis

---
 .../backend/src/server/api/SkRateLimiterService.ts | 21 +++++-------
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 38 ++++++++++++----------
 2 files changed, 29 insertions(+), 30 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 3e4b125e79..763de0029b 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -209,7 +209,7 @@ export class SkRateLimiterService extends RateLimiterService {
 		// Update the limit counter, but not if blocked
 		if (!blocked) {
 			// Don't await, or we will slow down the API.
-			this.setLimitCounter(limit, actor, counter, resetMs, 'min')
+			this.setLimitCounter(limit, actor, counter, fullResetSec, 'min')
 				.catch(err => this.logger.error(`Failed to update limit ${limit.key}:min for ${actor}:`, err));
 		}
 
@@ -217,7 +217,7 @@ export class SkRateLimiterService extends RateLimiterService {
 	}
 
 	private async limitBucket(limit: RateLimit, actor: string, factor: number): Promise<LimitInfo> {
-		const counter = await this.getLimitCounter(limit, actor);
+		const counter = await this.getLimitCounter(limit, actor, 'bucket');
 		const dripRate = (limit.dripRate ?? 1000);
 		const dripSize = (limit.dripSize ?? 1);
 		const bucketSize = (limit.size * factor);
@@ -245,14 +245,14 @@ export class SkRateLimiterService extends RateLimiterService {
 		// Update the limit counter, but not if blocked
 		if (!blocked) {
 			// Don't await, or we will slow down the API.
-			this.setLimitCounter(limit, actor, counter, fullResetMs)
+			this.setLimitCounter(limit, actor, counter, fullResetSec, 'bucket')
 				.catch(err => this.logger.error(`Failed to update limit ${limit.key} for ${actor}:`, err));
 		}
 
 		return limitInfo;
 	}
 
-	private async getLimitCounter(limit: SupportedRateLimit, actor: string, subject?: string): Promise<LimitCounter> {
+	private async getLimitCounter(limit: SupportedRateLimit, actor: string, subject: string): Promise<LimitCounter> {
 		const key = createLimitKey(limit, actor, subject);
 
 		const value = await this.redisClient.get(key);
@@ -263,19 +263,16 @@ export class SkRateLimiterService extends RateLimiterService {
 		return JSON.parse(value);
 	}
 
-	private async setLimitCounter(limit: SupportedRateLimit, actor: string, counter: LimitCounter, expirationMs: number, subject?: string): Promise<void> {
+	private async setLimitCounter(limit: SupportedRateLimit, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
 		const key = createLimitKey(limit, actor, subject);
 		const value = JSON.stringify(counter);
-		await this.redisClient.set(key, value, 'PX', expirationMs);
+		const expirationSec = Math.max(expiration, 1);
+		await this.redisClient.set(key, value, 'EX', expirationSec);
 	}
 }
 
-function createLimitKey(limit: SupportedRateLimit, actor: string, subject?: string): string {
-	if (subject) {
-		return `rl_${actor}_${limit.key}_${subject}`;
-	} else {
-		return `rl_${actor}_${limit.key}`;
-	}
+function createLimitKey(limit: SupportedRateLimit, actor: string, subject: string): string {
+	return `rl_${actor}_${limit.key}_${subject}`;
 }
 
 export interface LimitCounter {
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 8554aa39ef..711894095d 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -4,6 +4,7 @@
  */
 
 import { KEYWORD } from 'color-convert/conversions.js';
+import { jest } from '@jest/globals';
 import type Redis from 'ioredis';
 import { LegacyRateLimit, LimitCounter, RateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { LoggerService } from '@/core/LoggerService.js';
@@ -98,7 +99,7 @@ describe(SkRateLimiterService, () => {
 			minCounter = undefined;
 
 			mockRedisGet = (key: string) => {
-				if (key === 'rl_actor_test' && counter) {
+				if (key === 'rl_actor_test_bucket' && counter) {
 					return JSON.stringify(counter);
 				}
 
@@ -112,7 +113,7 @@ describe(SkRateLimiterService, () => {
 			mockRedisSet = (args: unknown[]) => {
 				const [key, value] = args;
 
-				if (key === 'rl_actor_test') {
+				if (key === 'rl_actor_test_bucket') {
 					if (value == null) counter = undefined;
 					else if (typeof(value) === 'string') counter = JSON.parse(value);
 					else throw new Error('invalid redis call');
@@ -280,12 +281,12 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should set key expiration', async () => {
-				mockRedisSet = args => {
-					expect(args[2]).toBe('PX');
-					expect(args[3]).toBe(1000);
-				};
+				const mock = jest.fn(mockRedisSet);
+				mockRedisSet = mock;
 
 				await serviceUnderTest().limit(limit, actor);
+
+				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -434,12 +435,12 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should set key expiration', async () => {
-				mockRedisSet = args => {
-					expect(args[2]).toBe('PX');
-					expect(args[3]).toBe(1000);
-				};
+				const mock = jest.fn(mockRedisSet);
+				mockRedisSet = mock;
 
 				await serviceUnderTest().limit(limit, actor);
+
+				expect(mock).toHaveBeenCalledWith(['rl_actor_test_min', '{"t":0,"c":1}', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -547,12 +548,12 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should set key expiration', async () => {
-				mockRedisSet = args => {
-					expect(args[2]).toBe('PX');
-					expect(args[3]).toBe(1000);
-				};
+				const mock = jest.fn(mockRedisSet);
+				mockRedisSet = mock;
 
 				await serviceUnderTest().limit(limit, actor);
+
+				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -670,12 +671,13 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should set key expiration', async () => {
-				mockRedisSet = args => {
-					expect(args[2]).toBe('PX');
-					expect(args[3]).toBe(1000);
-				};
+				const mock = jest.fn(mockRedisSet);
+				mockRedisSet = mock;
 
 				await serviceUnderTest().limit(limit, actor);
+
+				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
+				expect(mock).toHaveBeenCalledWith(['rl_actor_test_min', '{"t":0,"c":1}', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-- 
cgit v1.2.3-freya


From f6b256620b9637ffe4bd29a07cfba1a7880c9bb1 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sat, 7 Dec 2024 13:13:19 -0500
Subject: separate SkRateLimiterService from RateLimiterService and update all
 usages

---
 packages/backend/src/misc/rate-limit-utils.ts      | 21 +++++++++
 packages/backend/src/server/FileServerService.ts   | 45 ++++++++----------
 packages/backend/src/server/ServerModule.ts        |  7 ++-
 packages/backend/src/server/api/ApiCallService.ts  | 55 ++++------------------
 .../backend/src/server/api/RateLimiterService.ts   |  1 +
 .../backend/src/server/api/SigninApiService.ts     | 17 ++++---
 .../src/server/api/SigninWithPasskeyApiService.ts  | 17 ++++---
 .../backend/src/server/api/SkRateLimiterService.ts | 28 ++++-------
 .../src/server/api/StreamingApiServerService.ts    | 20 ++++----
 .../test/unit/SigninWithPasskeyApiService.ts       | 15 ++++--
 10 files changed, 102 insertions(+), 124 deletions(-)
 create mode 100644 packages/backend/src/misc/rate-limit-utils.ts

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/misc/rate-limit-utils.ts b/packages/backend/src/misc/rate-limit-utils.ts
new file mode 100644
index 0000000000..0f38755502
--- /dev/null
+++ b/packages/backend/src/misc/rate-limit-utils.ts
@@ -0,0 +1,21 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { FastifyReply } from 'fastify';
+import { LimitInfo } from '@/server/api/SkRateLimiterService.js';
+
+export function sendRateLimitHeaders(reply: FastifyReply, info: LimitInfo): void {
+	// Number of seconds until the limit has fully reset.
+	reply.header('X-RateLimit-Clear', info.fullResetSec.toString());
+	// Number of calls that can be made before being limited.
+	reply.header('X-RateLimit-Remaining', info.remaining.toString());
+
+	if (info.blocked) {
+		// Number of seconds to wait before trying again. Left for backwards compatibility.
+		reply.header('Retry-After', info.resetSec.toString());
+		// Number of milliseconds to wait before trying again.
+		reply.header('X-RateLimit-Reset', info.resetMs.toString());
+	}
+}
diff --git a/packages/backend/src/server/FileServerService.ts b/packages/backend/src/server/FileServerService.ts
index ca1a6ebe2e..9903113f43 100644
--- a/packages/backend/src/server/FileServerService.ts
+++ b/packages/backend/src/server/FileServerService.ts
@@ -28,13 +28,12 @@ import { bindThis } from '@/decorators.js';
 import { isMimeImage } from '@/misc/is-mime-image.js';
 import { correctFilename } from '@/misc/correct-filename.js';
 import { handleRequestRedirectToOmitSearch } from '@/misc/fastify-hook-handlers.js';
-import { RateLimiterService } from '@/server/api/RateLimiterService.js';
 import { getIpHash } from '@/misc/get-ip-hash.js';
 import { AuthenticateService } from '@/server/api/AuthenticateService.js';
-import type { IEndpointMeta } from '@/server/api/endpoints.js';
 import { RoleService } from '@/core/RoleService.js';
+import { RateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions } from 'fastify';
-import type Limiter from 'ratelimiter';
 
 const _filename = fileURLToPath(import.meta.url);
 const _dirname = dirname(_filename);
@@ -59,7 +58,7 @@ export class FileServerService {
 		private internalStorageService: InternalStorageService,
 		private loggerService: LoggerService,
 		private authenticateService: AuthenticateService,
-		private rateLimiterService: RateLimiterService,
+		private rateLimiterService: SkRateLimiterService,
 		private roleService: RoleService,
 	) {
 		this.logger = this.loggerService.getLogger('server', 'gray');
@@ -634,42 +633,37 @@ export class FileServerService {
 	}
 
 	private async checkResourceLimit(reply: FastifyReply, actor: string, group: string, resource: string, factor = 1): Promise<boolean> {
-		const limit = {
+		const limit: RateLimit = {
 			// Group by resource
 			key: `${group}${resource}`,
+			type: 'bucket',
 
-			// Maximum of 10 requests / 10 minutes
-			max: 10,
-			duration: 1000 * 60 * 10,
+			// Maximum of 10 requests, average rate of 1 per minute
+			size: 10,
+			dripRate: 1000 * 60,
 		};
 
 		return await this.checkLimit(reply, actor, limit, factor);
 	}
 
 	private async checkSharedLimit(reply: FastifyReply, actor: string, group: string, factor = 1): Promise<boolean> {
-		const limit = {
+		const limit: RateLimit = {
 			key: group,
+			type: 'bucket',
 
-			// Maximum of 3600 requests per hour, which is an average of 1 per second.
-			max: 3600,
-			duration: 1000 * 60 * 60,
+			// Maximum of 3600 requests, average rate of 1 per second.
+			size: 3600,
 		};
 
 		return await this.checkLimit(reply, actor, limit, factor);
 	}
 
-	private async checkLimit(reply: FastifyReply, actor: string, limit: IEndpointMeta['limit'] & { key: NonNullable<string> }, factor = 1): Promise<boolean> {
-		try {
-			await this.rateLimiterService.limit(limit, actor, factor);
-			return true;
-		} catch (err) {
-			// errはLimiter.LimiterInfoであることが期待される
-			if (hasRateLimitInfo(err)) {
-				const cooldownInSeconds = Math.ceil((err.info.resetMs - Date.now()) / 1000);
-				// もしかするとマイナスになる可能性がなくはないのでマイナスだったら0にしておく
-				reply.header('Retry-After', Math.max(cooldownInSeconds, 0).toString(10));
-			}
+	private async checkLimit(reply: FastifyReply, actor: string, limit: RateLimit, factor = 1): Promise<boolean> {
+		const info = await this.rateLimiterService.limit(limit, actor, factor);
+
+		sendRateLimitHeaders(reply, info);
 
+		if (info.blocked) {
 			reply.code(429);
 			reply.send({
 				message: 'Rate limit exceeded. Please try again later.',
@@ -679,9 +673,8 @@ export class FileServerService {
 
 			return false;
 		}
+
+		return true;
 	}
 }
 
-function hasRateLimitInfo(err: unknown): err is { info: Limiter.LimiterInfo } {
-	return err != null && typeof(err) === 'object' && 'info' in err;
-}
diff --git a/packages/backend/src/server/ServerModule.ts b/packages/backend/src/server/ServerModule.ts
index 890447a47f..c1d7c088f1 100644
--- a/packages/backend/src/server/ServerModule.ts
+++ b/packages/backend/src/server/ServerModule.ts
@@ -74,10 +74,9 @@ import { SigninWithPasskeyApiService } from './api/SigninWithPasskeyApiService.j
 		ApiLoggerService,
 		ApiServerService,
 		AuthenticateService,
-		{
-			provide: RateLimiterService,
-			useClass: SkRateLimiterService,
-		},
+		SkRateLimiterService,
+		// No longer used, but kept for backwards compatibility
+		RateLimiterService,
 		SigninApiService,
 		SigninWithPasskeyApiService,
 		SigninService,
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 14367e02bb..38d33c761d 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -8,7 +8,6 @@ import * as fs from 'node:fs';
 import * as stream from 'node:stream/promises';
 import { Inject, Injectable } from '@nestjs/common';
 import * as Sentry from '@sentry/node';
-import { LimiterInfo } from 'ratelimiter';
 import { DI } from '@/di-symbols.js';
 import { getIpHash } from '@/misc/get-ip-hash.js';
 import type { MiLocalUser, MiUser } from '@/models/User.js';
@@ -19,9 +18,9 @@ import { createTemp } from '@/misc/create-temp.js';
 import { bindThis } from '@/decorators.js';
 import { RoleService } from '@/core/RoleService.js';
 import type { Config } from '@/config.js';
-import { isLimitInfo } from '@/server/api/SkRateLimiterService.js';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
+import { LegacyRateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { ApiError } from './error.js';
-import { RateLimiterService } from './RateLimiterService.js';
 import { ApiLoggerService } from './ApiLoggerService.js';
 import { AuthenticateService, AuthenticationError } from './AuthenticateService.js';
 import type { FastifyRequest, FastifyReply } from 'fastify';
@@ -51,7 +50,7 @@ export class ApiCallService implements OnApplicationShutdown {
 		private userIpsRepository: UserIpsRepository,
 
 		private authenticateService: AuthenticateService,
-		private rateLimiterService: RateLimiterService,
+		private rateLimiterService: SkRateLimiterService,
 		private roleService: RoleService,
 		private apiLoggerService: ApiLoggerService,
 	) {
@@ -67,21 +66,6 @@ export class ApiCallService implements OnApplicationShutdown {
 		let statusCode = err.httpStatusCode;
 		if (err.httpStatusCode === 401) {
 			reply.header('WWW-Authenticate', 'Bearer realm="Misskey"');
-		} else if (err.code === 'RATE_LIMIT_EXCEEDED') {
-			const info: unknown = err.info;
-			const unixEpochInSeconds = Date.now();
-			if (isLimitInfo(info)) {
-				// Number of seconds to wait before trying again. Left for backwards compatibility.
-				reply.header('Retry-After', info.resetSec.toString());
-				// Number of milliseconds to wait before trying again.
-				reply.header('X-RateLimit-Reset', info.resetMs.toString());
-			} else if (typeof(info) === 'object' && info && 'resetMs' in info && typeof(info.resetMs) === 'number') {
-				const cooldownInSeconds = Math.ceil((info.resetMs - unixEpochInSeconds) / 1000);
-				// もしかするとマイナスになる可能性がなくはないのでマイナスだったら0にしておく
-				reply.header('Retry-After', Math.max(cooldownInSeconds, 0).toString(10));
-			} else {
-				this.logger.warn(`rate limit information has unexpected type: ${JSON.stringify(info)}`);
-			}
 		} else if (err.kind === 'client') {
 			reply.header('WWW-Authenticate', `Bearer realm="Misskey", error="invalid_request", error_description="${err.message}"`);
 			statusCode = statusCode ?? 400;
@@ -347,40 +331,17 @@ export class ApiCallService implements OnApplicationShutdown {
 
 			if (factor > 0) {
 				// Rate limit
-				const info = await this.rateLimiterService.limit(limit as IEndpointMeta['limit'] & { key: NonNullable<string> }, limitActor, factor)
-					.then(info => {
-						// We always want these headers, because clients need them for pacing.
-						// Conditional check in case we somehow revert to the old limiter, which does not return info.
-						if (info) {
-							// Number of seconds until the limit has fully reset.
-							reply.header('X-RateLimit-Clear', info.fullResetSec.toString());
-							// Number of calls that can be made before being limited.
-							reply.header('X-RateLimit-Remaining', info.remaining.toString());
-
-							// Only forward the info object if it's blocked, otherwise we'll reject *all* requests
-							if (info.blocked) {
-								return info;
-							}
-						}
-
-						return undefined;
-					})
-					.catch(err => {
-						// The old limiter throws info instead of returning it.
-						if ('info' in err) {
-							return err.info as LimiterInfo;
-						} else {
-							throw err;
-						}
-					});
+				const info = await this.rateLimiterService.limit(limit as LegacyRateLimit, limitActor, factor);
 
-				if (info) {
+				sendRateLimitHeaders(reply, info);
+
+				if (info.blocked) {
 					throw new ApiError({
 						message: 'Rate limit exceeded. Please try again later.',
 						code: 'RATE_LIMIT_EXCEEDED',
 						id: 'd5826d14-3982-4d2e-8011-b9e9f02499ef',
 						httpStatusCode: 429,
-					}, info);
+					});
 				}
 			}
 		}
diff --git a/packages/backend/src/server/api/RateLimiterService.ts b/packages/backend/src/server/api/RateLimiterService.ts
index 33db016a7c..6037f9bf92 100644
--- a/packages/backend/src/server/api/RateLimiterService.ts
+++ b/packages/backend/src/server/api/RateLimiterService.ts
@@ -14,6 +14,7 @@ import type { LimitInfo } from '@/server/api/SkRateLimiterService.js';
 import { EnvService } from '@/core/EnvService.js';
 import type { IEndpointMeta } from './endpoints.js';
 
+/** @deprecated Use SkRateLimiterService instead */
 @Injectable()
 export class RateLimiterService {
 	protected readonly logger: Logger;
diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index 64af7da7a6..1a4ce0a54c 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -21,12 +21,13 @@ import { IdService } from '@/core/IdService.js';
 import { bindThis } from '@/decorators.js';
 import { WebAuthnService } from '@/core/WebAuthnService.js';
 import { UserAuthService } from '@/core/UserAuthService.js';
-import { RateLimiterService } from './RateLimiterService.js';
+import { isSystemAccount } from '@/misc/is-system-account.js';
+import type { MiMeta } from '@/models/_.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
-import { isSystemAccount } from '@/misc/is-system-account.js';
-import type { MiMeta } from '@/models/_.js';
 
 @Injectable()
 export class SigninApiService {
@@ -47,7 +48,7 @@ export class SigninApiService {
 		private signinsRepository: SigninsRepository,
 
 		private idService: IdService,
-		private rateLimiterService: RateLimiterService,
+		private rateLimiterService: SkRateLimiterService,
 		private signinService: SigninService,
 		private userAuthService: UserAuthService,
 		private webAuthnService: WebAuthnService,
@@ -79,10 +80,12 @@ export class SigninApiService {
 			return { error };
 		}
 
-		try {
 		// not more than 1 attempt per second and not more than 10 attempts per hour
-			await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
-		} catch (err) {
+		const rateLimit = await this.rateLimiterService.limit({ key: 'signin', duration: 60 * 60 * 1000, max: 10, minInterval: 1000 }, getIpHash(request.ip));
+
+		sendRateLimitHeaders(reply, rateLimit);
+
+		if (rateLimit.blocked) {
 			reply.code(429);
 			return {
 				error: {
diff --git a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
index 9ba23c54e2..ad08dad79c 100644
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@@ -21,10 +21,11 @@ import { WebAuthnService } from '@/core/WebAuthnService.js';
 import Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import type { IdentifiableError } from '@/misc/identifiable-error.js';
-import { RateLimiterService } from './RateLimiterService.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 
 @Injectable()
 export class SigninWithPasskeyApiService {
@@ -43,7 +44,7 @@ export class SigninWithPasskeyApiService {
 		private signinsRepository: SigninsRepository,
 
 		private idService: IdService,
-		private rateLimiterService: RateLimiterService,
+		private rateLimiterService: SkRateLimiterService,
 		private signinService: SigninService,
 		private webAuthnService: WebAuthnService,
 		private loggerService: LoggerService,
@@ -84,11 +85,13 @@ export class SigninWithPasskeyApiService {
 			return error(status ?? 500, failure ?? { id: '4e30e80c-e338-45a0-8c8f-44455efa3b76' });
 		};
 
-		try {
-			// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
-			// NOTE: 1 Sign-in require 2 API calls
-			await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
-		} catch (err) {
+		// Not more than 1 API call per 250ms and not more than 100 attempts per 30min
+		// NOTE: 1 Sign-in require 2 API calls
+		const rateLimit = await this.rateLimiterService.limit({ key: 'signin-with-passkey', duration: 60 * 30 * 1000, max: 200, minInterval: 250 }, getIpHash(request.ip));
+
+		sendRateLimitHeaders(reply, rateLimit);
+
+		if (rateLimit.blocked) {
 			reply.code(429);
 			return {
 				error: {
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 763de0029b..943348c41d 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -10,7 +10,7 @@ import { LoggerService } from '@/core/LoggerService.js';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
 import { DI } from '@/di-symbols.js';
-import { RateLimiterService } from './RateLimiterService.js';
+import type Logger from '@/logger.js';
 
 /**
  * Metadata about the current status of a rate limiter
@@ -51,18 +51,6 @@ export interface LimitInfo {
 	fullResetMs: number;
 }
 
-export function isLimitInfo(info: unknown): info is LimitInfo {
-	if (info == null) return false;
-	if (typeof(info) !== 'object') return false;
-	if (!('blocked' in info) || typeof(info.blocked) !== 'boolean') return false;
-	if (!('remaining' in info) || typeof(info.remaining) !== 'number') return false;
-	if (!('resetSec' in info) || typeof(info.resetSec) !== 'number') return false;
-	if (!('resetMs' in info) || typeof(info.resetMs) !== 'number') return false;
-	if (!('fullResetSec' in info) || typeof(info.fullResetSec) !== 'number') return false;
-	if (!('fullResetMs' in info) || typeof(info.fullResetMs) !== 'number') return false;
-	return true;
-}
-
 /**
  * Rate limit based on "leaky bucket" logic.
  * The bucket count increases with each call, and decreases gradually at a given rate.
@@ -99,10 +87,10 @@ export interface RateLimit {
 }
 
 export type SupportedRateLimit = RateLimit | LegacyRateLimit;
-export type LegacyRateLimit = IEndpointMeta['limit'] & { key: NonNullable<string>, type: undefined | 'legacy' };
+export type LegacyRateLimit = IEndpointMeta['limit'] & { key: NonNullable<string>, type?: undefined };
 
 export function isLegacyRateLimit(limit: SupportedRateLimit): limit is LegacyRateLimit {
-	return limit.type === undefined || limit.type === 'legacy';
+	return limit.type === undefined;
 }
 
 export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit & { minInterval: number } {
@@ -110,13 +98,16 @@ export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit &
 }
 
 @Injectable()
-export class SkRateLimiterService extends RateLimiterService {
+export class SkRateLimiterService {
+	private readonly logger: Logger;
+	private readonly disabled: boolean;
+
 	constructor(
 		@Inject(TimeService)
 		private readonly timeService: TimeService,
 
 		@Inject(DI.redis)
-		redisClient: Redis.Redis,
+		private readonly redisClient: Redis.Redis,
 
 		@Inject(LoggerService)
 		loggerService: LoggerService,
@@ -124,7 +115,8 @@ export class SkRateLimiterService extends RateLimiterService {
 		@Inject(EnvService)
 		envService: EnvService,
 	) {
-		super(redisClient, loggerService, envService);
+		this.logger = loggerService.getLogger('limiter');
+		this.disabled = envService.env.NODE_ENV !== 'production';
 	}
 
 	public async limit(limit: SupportedRateLimit, actor: string, factor = 1): Promise<LimitInfo> {
diff --git a/packages/backend/src/server/api/StreamingApiServerService.ts b/packages/backend/src/server/api/StreamingApiServerService.ts
index 9b8464f705..e3fd1312ae 100644
--- a/packages/backend/src/server/api/StreamingApiServerService.ts
+++ b/packages/backend/src/server/api/StreamingApiServerService.ts
@@ -7,6 +7,8 @@ import { EventEmitter } from 'events';
 import { Inject, Injectable } from '@nestjs/common';
 import * as Redis from 'ioredis';
 import * as WebSocket from 'ws';
+import proxyAddr from 'proxy-addr';
+import ms from 'ms';
 import { DI } from '@/di-symbols.js';
 import type { UsersRepository, MiAccessToken } from '@/models/_.js';
 import { NoteReadService } from '@/core/NoteReadService.js';
@@ -16,18 +18,15 @@ import { CacheService } from '@/core/CacheService.js';
 import { MiLocalUser } from '@/models/User.js';
 import { UserService } from '@/core/UserService.js';
 import { ChannelFollowingService } from '@/core/ChannelFollowingService.js';
+import { RoleService } from '@/core/RoleService.js';
+import { getIpHash } from '@/misc/get-ip-hash.js';
+import { LoggerService } from '@/core/LoggerService.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { AuthenticateService, AuthenticationError } from './AuthenticateService.js';
 import MainStreamConnection from './stream/Connection.js';
 import { ChannelsService } from './stream/ChannelsService.js';
-import { RateLimiterService } from './RateLimiterService.js';
-import { RoleService } from '@/core/RoleService.js';
-import { getIpHash } from '@/misc/get-ip-hash.js';
-import proxyAddr from 'proxy-addr';
-import ms from 'ms';
 import type * as http from 'node:http';
 import type { IEndpointMeta } from './endpoints.js';
-import { LoggerService } from '@/core/LoggerService.js';
-import type Logger from '@/logger.js';
 
 @Injectable()
 export class StreamingApiServerService {
@@ -49,7 +48,7 @@ export class StreamingApiServerService {
 		private notificationService: NotificationService,
 		private usersService: UserService,
 		private channelFollowingService: ChannelFollowingService,
-		private rateLimiterService: RateLimiterService,
+		private rateLimiterService: SkRateLimiterService,
 		private roleService: RoleService,
 		private loggerService: LoggerService,
 	) {
@@ -73,9 +72,8 @@ export class StreamingApiServerService {
 		if (factor <= 0) return false;
 
 		// Rate limit
-		return await this.rateLimiterService.limit(limit, limitActor, factor)
-			.then(() => { return false; })
-			.catch(err => { return true; });
+		const rateLimit = await this.rateLimiterService.limit(limit, limitActor, factor);
+		return rateLimit.blocked;
 	}
 
 	@bindThis
diff --git a/packages/backend/test/unit/SigninWithPasskeyApiService.ts b/packages/backend/test/unit/SigninWithPasskeyApiService.ts
index 4d73ba5af1..f0630f2d2b 100644
--- a/packages/backend/test/unit/SigninWithPasskeyApiService.ts
+++ b/packages/backend/test/unit/SigninWithPasskeyApiService.ts
@@ -17,16 +17,23 @@ import { GlobalModule } from '@/GlobalModule.js';
 import { DI } from '@/di-symbols.js';
 import { CoreModule } from '@/core/CoreModule.js';
 import { SigninWithPasskeyApiService } from '@/server/api/SigninWithPasskeyApiService.js';
-import { RateLimiterService } from '@/server/api/RateLimiterService.js';
 import { WebAuthnService } from '@/core/WebAuthnService.js';
 import { SigninService } from '@/server/api/SigninService.js';
 import { IdentifiableError } from '@/misc/identifiable-error.js';
+import { LimitInfo, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 
 const moduleMocker = new ModuleMocker(global);
 
 class FakeLimiter {
-	public async limit() {
-		return;
+	public async limit(): Promise<LimitInfo> {
+		return {
+			blocked: false,
+			remaining: Number.MAX_SAFE_INTEGER,
+			resetMs: 0,
+			resetSec: 0,
+			fullResetMs: 0,
+			fullResetSec: 0,
+		};
 	}
 }
 
@@ -90,7 +97,7 @@ describe('SigninWithPasskeyApiService', () => {
 			imports: [GlobalModule, CoreModule],
 			providers: [
 				SigninWithPasskeyApiService,
-				{ provide: RateLimiterService, useClass: FakeLimiter },
+				{ provide: SkRateLimiterService, useClass: FakeLimiter },
 				{ provide: SigninService, useClass: FakeSigninService },
 			],
 		}).useMocker((token) => {
-- 
cgit v1.2.3-freya


From fc5399a67d64df4098b8cc4a6b13e2834b424e0d Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 07:47:52 -0500
Subject: revert un-needed changes to RateLimiterService

---
 packages/backend/src/server/api/RateLimiterService.ts | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/RateLimiterService.ts b/packages/backend/src/server/api/RateLimiterService.ts
index 6037f9bf92..305dcc1d6d 100644
--- a/packages/backend/src/server/api/RateLimiterService.ts
+++ b/packages/backend/src/server/api/RateLimiterService.ts
@@ -10,29 +10,29 @@ import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
-import type { LimitInfo } from '@/server/api/SkRateLimiterService.js';
-import { EnvService } from '@/core/EnvService.js';
 import type { IEndpointMeta } from './endpoints.js';
 
 /** @deprecated Use SkRateLimiterService instead */
 @Injectable()
 export class RateLimiterService {
-	protected readonly logger: Logger;
-	protected readonly disabled: boolean;
+	private logger: Logger;
+	private disabled = false;
 
 	constructor(
 		@Inject(DI.redis)
-		protected readonly redisClient: Redis.Redis,
+		private redisClient: Redis.Redis,
 
 		private loggerService: LoggerService,
-		envService: EnvService,
 	) {
 		this.logger = this.loggerService.getLogger('limiter');
-		this.disabled = envService.env.NODE_ENV !== 'production';
+
+		if (process.env.NODE_ENV !== 'production') {
+			this.disabled = true;
+		}
 	}
 
 	@bindThis
-	public limit(limitation: IEndpointMeta['limit'] & { key: NonNullable<string> }, actor: string, factor = 1): Promise<LimitInfo | void> {
+	public limit(limitation: IEndpointMeta['limit'] & { key: NonNullable<string> }, actor: string, factor = 1) {
 		return new Promise<void>((ok, reject) => {
 			if (this.disabled) ok();
 
-- 
cgit v1.2.3-freya


From afb026ebea58704835c84835f9f566aba6529c50 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 07:49:06 -0500
Subject: fix import order in SigninWithPasskeyApiService

---
 packages/backend/src/server/api/SigninWithPasskeyApiService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
index ad08dad79c..e94d2b6b68 100644
--- a/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
+++ b/packages/backend/src/server/api/SigninWithPasskeyApiService.ts
@@ -22,10 +22,10 @@ import Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import type { IdentifiableError } from '@/misc/identifiable-error.js';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import { SigninService } from './SigninService.js';
 import type { AuthenticationResponseJSON } from '@simplewebauthn/types';
 import type { FastifyReply, FastifyRequest } from 'fastify';
-import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 
 @Injectable()
 export class SigninWithPasskeyApiService {
-- 
cgit v1.2.3-freya


From 2781f53d6b60fdb45ddc4344aefd3b39fb7a8bfd Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 08:32:05 -0500
Subject: support fractional rate limit scaling

---
 .../backend/src/server/api/SkRateLimiterService.ts | 22 +++++++++-------------
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 17 +++++++++--------
 2 files changed, 18 insertions(+), 21 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 943348c41d..fb100be286 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -173,35 +173,31 @@ export class SkRateLimiterService {
 
 	private async limitMin(limit: LegacyRateLimit & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
 		const counter = await this.getLimitCounter(limit, actor, 'min');
-		const maxCalls = Math.max(Math.ceil(factor), 1);
+		const minInterval = Math.max(Math.ceil(limit.minInterval / factor), 0);
 
 		// Update expiration
-		if (counter.c >= maxCalls) {
-			const isCleared = this.timeService.now - counter.t >= limit.minInterval;
+		if (counter.c > 0) {
+			const isCleared = this.timeService.now - counter.t >= minInterval;
 			if (isCleared) {
 				counter.c = 0;
 			}
 		}
 
-		const blocked = counter.c >= maxCalls;
+		const blocked = counter.c > 0;
 		if (!blocked) {
 			counter.c++;
 			counter.t = this.timeService.now;
 		}
 
 		// Calculate limit status
-		const remaining = Math.max(maxCalls - counter.c, 0);
-		const fullResetMs = Math.max(Math.ceil(limit.minInterval - (this.timeService.now - counter.t)), 0);
-		const fullResetSec = Math.ceil(fullResetMs / 1000);
-		const resetMs = remaining < 1 ? fullResetMs : 0;
-		const resetSec = remaining < 1 ? fullResetSec : 0;
-		const limitInfo: LimitInfo = { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs,
-		};
+		const resetMs = Math.max(Math.ceil(minInterval - (this.timeService.now - counter.t)), 0);
+		const resetSec = Math.ceil(resetMs / 1000);
+		const limitInfo: LimitInfo = { blocked, remaining: 0, resetSec, resetMs, fullResetSec: resetSec, fullResetMs: resetMs };
 
 		// Update the limit counter, but not if blocked
 		if (!blocked) {
 			// Don't await, or we will slow down the API.
-			this.setLimitCounter(limit, actor, counter, fullResetSec, 'min')
+			this.setLimitCounter(limit, actor, counter, resetSec, 'min')
 				.catch(err => this.logger.error(`Failed to update limit ${limit.key}:min for ${actor}:`, err));
 		}
 
@@ -210,9 +206,9 @@ export class SkRateLimiterService {
 
 	private async limitBucket(limit: RateLimit, actor: string, factor: number): Promise<LimitInfo> {
 		const counter = await this.getLimitCounter(limit, actor, 'bucket');
+		const bucketSize = Math.max(Math.ceil(limit.size * factor), 1);
 		const dripRate = (limit.dripRate ?? 1000);
 		const dripSize = (limit.dripSize ?? 1);
-		const bucketSize = (limit.size * factor);
 
 		// Update drips
 		if (counter.c > 0) {
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 711894095d..07bcfb6309 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -424,14 +424,13 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should scale limit by factor', async () => {
+			it('should scale interval by factor', async () => {
 				minCounter = { c: 1, t: 0 };
+				mockTimeService.now += 500;
 
-				const i1 = await serviceUnderTest().limit(limit, actor, 2); // 1 + 1 = 2
-				const i2 = await serviceUnderTest().limit(limit, actor, 2); // 2 + 1 = 3
+				const info = await serviceUnderTest().limit(limit, actor, 2);
 
-				expect(i1.blocked).toBeFalsy();
-				expect(i2.blocked).toBeTruthy();
+				expect(info.blocked).toBeFalsy();
 			});
 
 			it('should set key expiration', async () => {
@@ -662,12 +661,14 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should scale limit by factor', async () => {
-				minCounter = { c: 5, t: 0 };
+			it('should scale limit and interval by factor', async () => {
+				counter = { c: 5, t: 0 };
+				minCounter = { c: 1, t: 0 };
+				mockTimeService.now += 500;
 
 				const info = await serviceUnderTest().limit(limit, actor, 2);
 
-				expect(info.blocked).toBeTruthy();
+				expect(info.blocked).toBeFalsy();
 			});
 
 			it('should set key expiration', async () => {
-- 
cgit v1.2.3-freya


From a7a1edc92ea2c40ddaacf804c268e31f383816c5 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 09:22:38 -0500
Subject: fix NaN from extremely high rate limits

---
 packages/backend/src/server/api/SkRateLimiterService.ts    |  2 +-
 .../test/unit/server/api/SkRateLimiterServiceTests.ts      | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index fb100be286..7726edfb31 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -155,7 +155,7 @@ export class SkRateLimiterService {
 					type: 'bucket',
 					key: limit.key,
 					size: limit.max,
-					dripRate: Math.round(limit.duration / limit.max),
+					dripRate: Math.max(Math.round(limit.duration / limit.max), 1),
 				}, actor, factor),
 			);
 		}
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 07bcfb6309..7e0c01f849 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -564,6 +564,20 @@ describe(SkRateLimiterService, () => {
 				expect(counter?.c).toBe(1);
 				expect(counter?.t).toBe(0);
 			});
+
+			it('should not allow dripRate to be lower than 0', async () => {
+				// real-world case; taken from StreamingApiServerService
+				limit.max = 4096;
+				limit.duration = 2000;
+				counter = { c: 4096, t: 0 };
+
+				const i1 = await serviceUnderTest().limit(limit, actor);
+				mockTimeService.now = 1;
+				const i2 = await serviceUnderTest().limit(limit, actor);
+
+				expect(i1.blocked).toBeTruthy();
+				expect(i2.blocked).toBeFalsy();
+			});
 		});
 
 		describe('with legacy limit and min interval', () => {
-- 
cgit v1.2.3-freya


From 8b091f77ca776c9c7c5279c2f9fa3c41f2958dc3 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 09:46:49 -0500
Subject: check for invalid rate limit inputs

---
 .../backend/src/server/api/SkRateLimiterService.ts |  17 ++-
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 141 +++++++++++++++++++++
 2 files changed, 155 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 7726edfb31..b3c09d01c2 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -131,6 +131,10 @@ export class SkRateLimiterService {
 			};
 		}
 
+		if (factor <= 0) {
+			throw new Error(`Rate limit factor is zero or negative: ${factor}`);
+		}
+
 		if (isLegacyRateLimit(limit)) {
 			return await this.limitLegacy(limit, actor, factor);
 		} else {
@@ -149,7 +153,7 @@ export class SkRateLimiterService {
 		}
 
 		// Convert the "max" limit into a leaky bucket with 1 drip / second rate.
-		if (limit.max && limit.duration) {
+		if (limit.max != null && limit.duration != null) {
 			promises.push(
 				this.limitBucket({
 					type: 'bucket',
@@ -172,6 +176,9 @@ export class SkRateLimiterService {
 	}
 
 	private async limitMin(limit: LegacyRateLimit & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
+		if (limit.minInterval === 0) return null;
+		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
+
 		const counter = await this.getLimitCounter(limit, actor, 'min');
 		const minInterval = Math.max(Math.ceil(limit.minInterval / factor), 0);
 
@@ -205,10 +212,14 @@ export class SkRateLimiterService {
 	}
 
 	private async limitBucket(limit: RateLimit, actor: string, factor: number): Promise<LimitInfo> {
+		if (limit.size < 1) throw new Error(`Invalid rate limit ${limit.key}: size is less than 1 (${limit.size})`);
+		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
+		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
+
 		const counter = await this.getLimitCounter(limit, actor, 'bucket');
 		const bucketSize = Math.max(Math.ceil(limit.size * factor), 1);
-		const dripRate = (limit.dripRate ?? 1000);
-		const dripSize = (limit.dripSize ?? 1);
+		const dripRate = Math.ceil(limit.dripRate ?? 1000);
+		const dripSize = Math.ceil(limit.dripSize ?? 1);
 
 		// Update drips
 		if (counter.c > 0) {
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 7e0c01f849..2297c2bc03 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -298,6 +298,90 @@ describe(SkRateLimiterService, () => {
 				expect(counter?.c).toBe(1);
 				expect(counter?.t).toBe(0);
 			});
+
+			it('should throw if factor is zero', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, 0);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should throw if factor is negative', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, -1);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should throw if size is zero', async () => {
+				limit.size = 0;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/size is less than 1/);
+			});
+
+			it('should throw if size is negative', async () => {
+				limit.size = -1;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/size is less than 1/);
+			});
+
+			it('should throw if size is fraction', async () => {
+				limit.size = 0.5;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/size is less than 1/);
+			});
+
+			it('should throw if dripRate is zero', async () => {
+				limit.dripRate = 0;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripRate is less than 1/);
+			});
+
+			it('should throw if dripRate is negative', async () => {
+				limit.dripRate = -1;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripRate is less than 1/);
+			});
+
+			it('should throw if dripRate is fraction', async () => {
+				limit.dripRate = 0.5;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripRate is less than 1/);
+			});
+
+			it('should throw if dripSize is zero', async () => {
+				limit.dripSize = 0;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripSize is less than 1/);
+			});
+
+			it('should throw if dripSize is negative', async () => {
+				limit.dripSize = -1;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripSize is less than 1/);
+			});
+
+			it('should throw if dripSize is fraction', async () => {
+				limit.dripSize = 0.5;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/dripSize is less than 1/);
+			});
 		});
 
 		describe('with min interval', () => {
@@ -451,6 +535,35 @@ describe(SkRateLimiterService, () => {
 				expect(minCounter?.c).toBe(1);
 				expect(minCounter?.t).toBe(0);
 			});
+
+			it('should throw if factor is zero', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, 0);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should throw if factor is negative', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, -1);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should skip if minInterval is zero', async () => {
+				limit.minInterval = 0;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+				expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
+			});
+
+			it('should throw if minInterval is negative', async () => {
+				limit.minInterval = -1;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/minInterval is negative/);
+			});
 		});
 
 		describe('with legacy limit', () => {
@@ -578,6 +691,34 @@ describe(SkRateLimiterService, () => {
 				expect(i1.blocked).toBeTruthy();
 				expect(i2.blocked).toBeFalsy();
 			});
+
+			it('should throw if factor is zero', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, 0);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should throw if factor is negative', async () => {
+				const promise = serviceUnderTest().limit(limit, actor, -1);
+
+				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+			});
+
+			it('should throw if max is zero', async () => {
+				limit.max = 0;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/size is less than 1/);
+			});
+
+			it('should throw if max is negative', async () => {
+				limit.max = -1;
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/size is less than 1/);
+			});
 		});
 
 		describe('with legacy limit and min interval', () => {
-- 
cgit v1.2.3-freya


From 7c002ce56ef86f8a375275a78c0bda38d540c131 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 11:33:57 -0500
Subject: move all Rate Limit type defs to rate-limit-utils.ts

---
 packages/backend/src/misc/rate-limit-utils.ts      | 120 ++++++++++++++++++++-
 packages/backend/src/server/FileServerService.ts   |   4 +-
 packages/backend/src/server/api/ApiCallService.ts  |  19 ++--
 .../backend/src/server/api/SkRateLimiterService.ts |  99 ++---------------
 packages/backend/src/server/api/endpoints.ts       |  26 +----
 .../test/unit/SigninWithPasskeyApiService.ts       |   3 +-
 .../unit/server/api/SkRateLimiterServiceTests.ts   |   5 +-
 7 files changed, 144 insertions(+), 132 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/misc/rate-limit-utils.ts b/packages/backend/src/misc/rate-limit-utils.ts
index 0f38755502..00c0701ad6 100644
--- a/packages/backend/src/misc/rate-limit-utils.ts
+++ b/packages/backend/src/misc/rate-limit-utils.ts
@@ -4,7 +4,125 @@
  */
 
 import { FastifyReply } from 'fastify';
-import { LimitInfo } from '@/server/api/SkRateLimiterService.js';
+
+export type RateLimit = BucketRateLimit | LegacyRateLimit;
+
+/**
+ * Rate limit based on "leaky bucket" logic.
+ * The bucket count increases with each call, and decreases gradually at a given rate.
+ * The subject is blocked until the bucket count drops below the limit.
+ */
+export interface BucketRateLimit {
+	/**
+	 * Unique key identifying the particular resource (or resource group) being limited.
+	 */
+	key: string;
+
+	/**
+	 * Constant value identifying the type of rate limit.
+	 */
+	type: 'bucket';
+
+	/**
+	 * Size of the bucket, in number of requests.
+	 * The subject will be blocked when the number of calls exceeds this size.
+	 */
+	size: number;
+
+	/**
+	 * How often the bucket should "drip" and reduce the counter, measured in milliseconds.
+	 * Defaults to 1000 (1 second).
+	 */
+	dripRate?: number;
+
+	/**
+	 * Amount to reduce the counter on each drip.
+	 * Defaults to 1.
+	 */
+	dripSize?: number;
+}
+
+/**
+ * Legacy rate limit based on a "request window" with a maximum number of requests within a given time box.
+ * These will be translated into a bucket with linear drip rate.
+ */
+export interface LegacyRateLimit {
+	/**
+	 * Unique key identifying the particular resource (or resource group) being limited.
+	 */
+	key: string;
+
+	/**
+	 * Constant value identifying the type of rate limit.
+	 * Must be excluded or explicitly set to undefined
+	 */
+	type?: undefined;
+
+	/**
+	 * Duration of the request window, in milliseconds.
+	 * If present, then "max" must also be included.
+	 */
+	duration?: number;
+
+	/**
+	 * Maximum number of requests allowed in the request window.
+	 * If present, then "duration" must also be included.
+	 */
+	max?: number;
+
+	/**
+	 * Optional minimum interval between consecutive requests.
+	 * Will apply in addition to the primary rate limit.
+	 */
+	minInterval?: number;
+}
+
+/**
+ * Metadata about the current status of a rate limiter
+ */
+export interface LimitInfo {
+	/**
+	 * True if the limit has been reached, and the call should be blocked.
+	 */
+	blocked: boolean;
+
+	/**
+	 * Number of calls that can be made before the limit is triggered.
+	 */
+	remaining: number;
+
+	/**
+	 * Time in seconds until the next call can be made, or zero if the next call can be made immediately.
+	 * Rounded up to the nearest second.
+	 */
+	resetSec: number;
+
+	/**
+	 * Time in milliseconds until the next call can be made, or zero if the next call can be made immediately.
+	 * Rounded up to the nearest milliseconds.
+	 */
+	resetMs: number;
+
+	/**
+	 * Time in seconds until the limit has fully reset.
+	 * Rounded up to the nearest second.
+	 */
+	fullResetSec: number;
+
+	/**
+	 * Time in milliseconds until the limit has fully reset.
+	 * Rounded up to the nearest millisecond.
+	 */
+	fullResetMs: number;
+}
+
+export function isLegacyRateLimit(limit: RateLimit): limit is LegacyRateLimit {
+	return limit.type === undefined;
+}
+
+export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit & { minInterval: number } {
+	return !!limit.minInterval;
+}
 
 export function sendRateLimitHeaders(reply: FastifyReply, info: LimitInfo): void {
 	// Number of seconds until the limit has fully reset.
diff --git a/packages/backend/src/server/FileServerService.ts b/packages/backend/src/server/FileServerService.ts
index 9903113f43..3a03cd8c00 100644
--- a/packages/backend/src/server/FileServerService.ts
+++ b/packages/backend/src/server/FileServerService.ts
@@ -31,8 +31,8 @@ import { handleRequestRedirectToOmitSearch } from '@/misc/fastify-hook-handlers.
 import { getIpHash } from '@/misc/get-ip-hash.js';
 import { AuthenticateService } from '@/server/api/AuthenticateService.js';
 import { RoleService } from '@/core/RoleService.js';
-import { RateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
-import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { RateLimit, sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions } from 'fastify';
 
 const _filename = fileURLToPath(import.meta.url);
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 38d33c761d..6ad4bc8cb5 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -18,8 +18,8 @@ import { createTemp } from '@/misc/create-temp.js';
 import { bindThis } from '@/decorators.js';
 import { RoleService } from '@/core/RoleService.js';
 import type { Config } from '@/config.js';
-import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
-import { LegacyRateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { RateLimit, sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { ApiError } from './error.js';
 import { ApiLoggerService } from './ApiLoggerService.js';
 import { AuthenticateService, AuthenticationError } from './AuthenticateService.js';
@@ -304,7 +304,7 @@ export class ApiCallService implements OnApplicationShutdown {
 		}
 
 		// For endpoints without a limit, the default is 10 calls per second
-		const endpointLimit: IEndpointMeta['limit'] = ep.meta.limit ?? {
+		const endpointLimit = ep.meta.limit ?? {
 			duration: 1000,
 			max: 10,
 		};
@@ -320,18 +320,17 @@ export class ApiCallService implements OnApplicationShutdown {
 				limitActor = getIpHash(request.ip);
 			}
 
-			const limit = Object.assign({}, endpointLimit);
-
-			if (limit.key == null) {
-				(limit as any).key = ep.name;
-			}
-
 			// TODO: 毎リクエスト計算するのもあれだしキャッシュしたい
 			const factor = user ? (await this.roleService.getUserPolicies(user.id)).rateLimitFactor : 1;
 
 			if (factor > 0) {
+				const limit = {
+					key: ep.name,
+					...endpointLimit,
+				} as RateLimit;
+
 				// Rate limit
-				const info = await this.rateLimiterService.limit(limit as LegacyRateLimit, limitActor, factor);
+				const info = await this.rateLimiterService.limit(limit, limitActor, factor);
 
 				sendRateLimitHeaders(reply, info);
 
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index b3c09d01c2..027d05310b 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -5,97 +5,12 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import Redis from 'ioredis';
-import type { IEndpointMeta } from '@/server/api/endpoints.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
 import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
-
-/**
- * Metadata about the current status of a rate limiter
- */
-export interface LimitInfo {
-	/**
-	 * True if the limit has been reached, and the call should be blocked.
-	 */
-	blocked: boolean;
-
-	/**
-	 * Number of calls that can be made before the limit is triggered.
-	 */
-	remaining: number;
-
-	/**
-	 * Time in seconds until the next call can be made, or zero if the next call can be made immediately.
-	 * Rounded up to the nearest second.
-	 */
-	resetSec: number;
-
-	/**
-	 * Time in milliseconds until the next call can be made, or zero if the next call can be made immediately.
-	 * Rounded up to the nearest milliseconds.
-	 */
-	resetMs: number;
-
-	/**
-	 * Time in seconds until the limit has fully reset.
-	 * Rounded up to the nearest second.
-	 */
-	fullResetSec: number;
-
-	/**
-	 * Time in milliseconds until the limit has fully reset.
-	 * Rounded up to the nearest millisecond.
-	 */
-	fullResetMs: number;
-}
-
-/**
- * Rate limit based on "leaky bucket" logic.
- * The bucket count increases with each call, and decreases gradually at a given rate.
- * The subject is blocked until the bucket count drops below the limit.
- */
-export interface RateLimit {
-	/**
-	 * Unique key identifying the particular resource (or resource group) being limited.
-	 */
-	key: string;
-
-	/**
-	 * Constant value identifying the type of rate limit.
-	 */
-	type: 'bucket';
-
-	/**
-	 * Size of the bucket, in number of requests.
-	 * The subject will be blocked when the number of calls exceeds this size.
-	 */
-	size: number;
-
-	/**
-	 * How often the bucket should "drip" and reduce the counter, measured in milliseconds.
-	 * Defaults to 1000 (1 second).
-	 */
-	dripRate?: number;
-
-	/**
-	 * Amount to reduce the counter on each drip.
-	 * Defaults to 1.
-	 */
-	dripSize?: number;
-}
-
-export type SupportedRateLimit = RateLimit | LegacyRateLimit;
-export type LegacyRateLimit = IEndpointMeta['limit'] & { key: NonNullable<string>, type?: undefined };
-
-export function isLegacyRateLimit(limit: SupportedRateLimit): limit is LegacyRateLimit {
-	return limit.type === undefined;
-}
-
-export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit & { minInterval: number } {
-	return !!limit.minInterval;
-}
+import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit } from '@/misc/rate-limit-utils.js';
 
 @Injectable()
 export class SkRateLimiterService {
@@ -116,10 +31,10 @@ export class SkRateLimiterService {
 		envService: EnvService,
 	) {
 		this.logger = loggerService.getLogger('limiter');
-		this.disabled = envService.env.NODE_ENV !== 'production';
+		this.disabled = envService.env.NODE_ENV !== 'production'; // TODO disable in TEST *only*
 	}
 
-	public async limit(limit: SupportedRateLimit, actor: string, factor = 1): Promise<LimitInfo> {
+	public async limit(limit: RateLimit, actor: string, factor = 1): Promise<LimitInfo> {
 		if (this.disabled) {
 			return {
 				blocked: false,
@@ -211,7 +126,7 @@ export class SkRateLimiterService {
 		return limitInfo;
 	}
 
-	private async limitBucket(limit: RateLimit, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitBucket(limit: BucketRateLimit, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.size < 1) throw new Error(`Invalid rate limit ${limit.key}: size is less than 1 (${limit.size})`);
 		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
@@ -251,7 +166,7 @@ export class SkRateLimiterService {
 		return limitInfo;
 	}
 
-	private async getLimitCounter(limit: SupportedRateLimit, actor: string, subject: string): Promise<LimitCounter> {
+	private async getLimitCounter(limit: RateLimit, actor: string, subject: string): Promise<LimitCounter> {
 		const key = createLimitKey(limit, actor, subject);
 
 		const value = await this.redisClient.get(key);
@@ -262,7 +177,7 @@ export class SkRateLimiterService {
 		return JSON.parse(value);
 	}
 
-	private async setLimitCounter(limit: SupportedRateLimit, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
+	private async setLimitCounter(limit: RateLimit, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
 		const key = createLimitKey(limit, actor, subject);
 		const value = JSON.stringify(counter);
 		const expirationSec = Math.max(expiration, 1);
@@ -270,7 +185,7 @@ export class SkRateLimiterService {
 	}
 }
 
-function createLimitKey(limit: SupportedRateLimit, actor: string, subject: string): string {
+function createLimitKey(limit: RateLimit, actor: string, subject: string): string {
 	return `rl_${actor}_${limit.key}_${subject}`;
 }
 
diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
index 14e002929a..a4193a64ec 100644
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@@ -5,6 +5,7 @@
 
 import { permissions } from 'misskey-js';
 import type { KeyOf, Schema } from '@/misc/json-schema.js';
+import type { RateLimit } from '@/misc/rate-limit-utils.js';
 
 import * as ep___admin_abuseReport_notificationRecipient_list
 	from '@/server/api/endpoints/admin/abuse-report/notification-recipient/list.js';
@@ -855,30 +856,7 @@ interface IEndpointMetaBase {
 	 * エンドポイントのリミテーションに関するやつ
 	 * 省略した場合はリミテーションは無いものとして解釈されます。
 	 */
-	readonly limit?: {
-
-		/**
-		 * 複数のエンドポイントでリミットを共有したい場合に指定するキー
-		 */
-		readonly key?: string;
-
-		/**
-		 * リミットを適用する期間(ms)
-		 * このプロパティを設定する場合、max プロパティも設定する必要があります。
-		 */
-		readonly duration?: number;
-
-		/**
-		 * durationで指定した期間内にいくつまでリクエストできるのか
-		 * このプロパティを設定する場合、duration プロパティも設定する必要があります。
-		 */
-		readonly max?: number;
-
-		/**
-		 * 最低でもどれくらいの間隔を開けてリクエストしなければならないか(ms)
-		 */
-		readonly minInterval?: number;
-	};
+	readonly limit?: Readonly<RateLimit | Omit<RateLimit, 'key'>>;
 
 	/**
 	 * ファイルの添付を必要とするか否か
diff --git a/packages/backend/test/unit/SigninWithPasskeyApiService.ts b/packages/backend/test/unit/SigninWithPasskeyApiService.ts
index f0630f2d2b..7df991c15c 100644
--- a/packages/backend/test/unit/SigninWithPasskeyApiService.ts
+++ b/packages/backend/test/unit/SigninWithPasskeyApiService.ts
@@ -20,7 +20,8 @@ import { SigninWithPasskeyApiService } from '@/server/api/SigninWithPasskeyApiSe
 import { WebAuthnService } from '@/core/WebAuthnService.js';
 import { SigninService } from '@/server/api/SigninService.js';
 import { IdentifiableError } from '@/misc/identifiable-error.js';
-import { LimitInfo, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { LimitInfo } from '@/misc/rate-limit-utils.js';
 
 const moduleMocker = new ModuleMocker(global);
 
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 2297c2bc03..215b83b53f 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -6,8 +6,9 @@
 import { KEYWORD } from 'color-convert/conversions.js';
 import { jest } from '@jest/globals';
 import type Redis from 'ioredis';
-import { LegacyRateLimit, LimitCounter, RateLimit, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
+import { LimitCounter, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { LoggerService } from '@/core/LoggerService.js';
+import { BucketRateLimit, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
 
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 /* eslint-disable @typescript-eslint/no-unnecessary-condition */
@@ -141,7 +142,7 @@ describe(SkRateLimiterService, () => {
 		});
 
 		describe('with bucket limit', () => {
-			let limit: RateLimit = null!;
+			let limit: BucketRateLimit = null!;
 
 			beforeEach(() => {
 				limit = {
-- 
cgit v1.2.3-freya


From 6fa0f2230eeb64760f6d1a05f039fa575a781e04 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 11:56:48 -0500
Subject: increase rate limit for `/api/endpoint` based on real-world testing

---
 packages/backend/src/server/api/endpoints/endpoint.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/endpoint.ts b/packages/backend/src/server/api/endpoints/endpoint.ts
index 7629cd7a67..a1dbb26431 100644
--- a/packages/backend/src/server/api/endpoints/endpoint.ts
+++ b/packages/backend/src/server/api/endpoints/endpoint.ts
@@ -29,10 +29,13 @@ export const meta = {
 		},
 	},
 
-	// 5 calls per second
+	// 1000 max @ 1/10ms drip = 10/sec average.
+	// Large bucket is ok because this is a fairly lightweight endpoint.
 	limit: {
-		duration: 1000,
-		max: 5,
+		type: 'bucket',
+
+		size: 1000,
+		dripRate: 10,
 	},
 } as const;
 
-- 
cgit v1.2.3-freya


From 91c9b67cb08094fc00eab685c0f24b2668a9d8fc Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 11:58:57 -0500
Subject: bypass rate limits when factor is 0

---
 .../backend/src/server/api/SkRateLimiterService.ts  |  4 ++--
 .../unit/server/api/SkRateLimiterServiceTests.ts    | 21 ++++++++++++---------
 2 files changed, 14 insertions(+), 11 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 027d05310b..d9abbfd406 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -35,7 +35,7 @@ export class SkRateLimiterService {
 	}
 
 	public async limit(limit: RateLimit, actor: string, factor = 1): Promise<LimitInfo> {
-		if (this.disabled) {
+		if (this.disabled || factor === 0) {
 			return {
 				blocked: false,
 				remaining: Number.MAX_SAFE_INTEGER,
@@ -46,7 +46,7 @@ export class SkRateLimiterService {
 			};
 		}
 
-		if (factor <= 0) {
+		if (factor < 0) {
 			throw new Error(`Rate limit factor is zero or negative: ${factor}`);
 		}
 
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 215b83b53f..c7fac85706 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -300,10 +300,11 @@ describe(SkRateLimiterService, () => {
 				expect(counter?.t).toBe(0);
 			});
 
-			it('should throw if factor is zero', async () => {
-				const promise = serviceUnderTest().limit(limit, actor, 0);
+			it('should skip if factor is zero', async () => {
+				const info = await serviceUnderTest().limit(limit, actor, 0);
 
-				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+				expect(info.blocked).toBeFalsy();
+				expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
 			});
 
 			it('should throw if factor is negative', async () => {
@@ -537,10 +538,11 @@ describe(SkRateLimiterService, () => {
 				expect(minCounter?.t).toBe(0);
 			});
 
-			it('should throw if factor is zero', async () => {
-				const promise = serviceUnderTest().limit(limit, actor, 0);
+			it('should skip if factor is zero', async () => {
+				const info = await serviceUnderTest().limit(limit, actor, 0);
 
-				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+				expect(info.blocked).toBeFalsy();
+				expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
 			});
 
 			it('should throw if factor is negative', async () => {
@@ -693,10 +695,11 @@ describe(SkRateLimiterService, () => {
 				expect(i2.blocked).toBeFalsy();
 			});
 
-			it('should throw if factor is zero', async () => {
-				const promise = serviceUnderTest().limit(limit, actor, 0);
+			it('should skip if factor is zero', async () => {
+				const info = await serviceUnderTest().limit(limit, actor, 0);
 
-				await expect(promise).rejects.toThrow(/factor is zero or negative/);
+				expect(info.blocked).toBeFalsy();
+				expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
 			});
 
 			it('should throw if factor is negative', async () => {
-- 
cgit v1.2.3-freya


From fc4599ec07bb8def91fedf5afa9bb469bb54362a Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 12:02:58 -0500
Subject: fix rate limit scaling (it's no longer inverted)

---
 packages/backend/src/server/api/SkRateLimiterService.ts        |  4 ++--
 .../backend/test/unit/server/api/SkRateLimiterServiceTests.ts  | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index d9abbfd406..1aee8aa799 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -95,7 +95,7 @@ export class SkRateLimiterService {
 		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
 		const counter = await this.getLimitCounter(limit, actor, 'min');
-		const minInterval = Math.max(Math.ceil(limit.minInterval / factor), 0);
+		const minInterval = Math.max(Math.ceil(limit.minInterval * factor), 0);
 
 		// Update expiration
 		if (counter.c > 0) {
@@ -132,7 +132,7 @@ export class SkRateLimiterService {
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
 
 		const counter = await this.getLimitCounter(limit, actor, 'bucket');
-		const bucketSize = Math.max(Math.ceil(limit.size * factor), 1);
+		const bucketSize = Math.max(Math.ceil(limit.size / factor), 1);
 		const dripRate = Math.ceil(limit.dripRate ?? 1000);
 		const dripSize = Math.ceil(limit.dripSize ?? 1);
 
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index c7fac85706..910a3e5582 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -274,8 +274,8 @@ describe(SkRateLimiterService, () => {
 			it('should scale limit by factor', async () => {
 				counter = { c: 1, t: 0 };
 
-				const i1 = await serviceUnderTest().limit(limit, actor, 2); // 1 + 1 = 2
-				const i2 = await serviceUnderTest().limit(limit, actor, 2); // 2 + 1 = 3
+				const i1 = await serviceUnderTest().limit(limit, actor, 0.5); // 1 + 1 = 2
+				const i2 = await serviceUnderTest().limit(limit, actor, 0.5); // 2 + 1 = 3
 
 				expect(i1.blocked).toBeFalsy();
 				expect(i2.blocked).toBeTruthy();
@@ -514,7 +514,7 @@ describe(SkRateLimiterService, () => {
 				minCounter = { c: 1, t: 0 };
 				mockTimeService.now += 500;
 
-				const info = await serviceUnderTest().limit(limit, actor, 2);
+				const info = await serviceUnderTest().limit(limit, actor, 0.5);
 
 				expect(info.blocked).toBeFalsy();
 			});
@@ -657,7 +657,7 @@ describe(SkRateLimiterService, () => {
 			it('should scale limit by factor', async () => {
 				counter = { c: 10, t: 0 };
 
-				const info = await serviceUnderTest().limit(limit, actor, 2); // 10 + 1 = 11
+				const info = await serviceUnderTest().limit(limit, actor, 0.5); // 10 + 1 = 11
 
 				expect(info.blocked).toBeTruthy();
 			});
@@ -825,7 +825,7 @@ describe(SkRateLimiterService, () => {
 				minCounter = { c: 1, t: 0 };
 				mockTimeService.now += 500;
 
-				const info = await serviceUnderTest().limit(limit, actor, 2);
+				const info = await serviceUnderTest().limit(limit, actor, 0.5);
 
 				expect(info.blocked).toBeFalsy();
 			});
-- 
cgit v1.2.3-freya


From 2946f85592022f5aaa490d3f40d6e3068957d33f Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Sun, 8 Dec 2024 13:07:55 -0500
Subject: fix type errors from new rate limit definitions

---
 packages/backend/src/misc/rate-limit-utils.ts          |  5 +++--
 packages/backend/src/server/FileServerService.ts       |  8 ++++----
 packages/backend/src/server/api/ApiCallService.ts      |  4 ++--
 packages/backend/src/server/api/RateLimiterService.ts  |  3 ++-
 .../backend/src/server/api/SkRateLimiterService.ts     | 16 ++++++++--------
 packages/backend/src/server/api/endpoints.ts           |  2 +-
 .../test/unit/server/api/SkRateLimiterServiceTests.ts  | 18 +++++-------------
 7 files changed, 25 insertions(+), 31 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/misc/rate-limit-utils.ts b/packages/backend/src/misc/rate-limit-utils.ts
index 6336f29cb7..9909bb97fa 100644
--- a/packages/backend/src/misc/rate-limit-utils.ts
+++ b/packages/backend/src/misc/rate-limit-utils.ts
@@ -6,6 +6,7 @@
 import { FastifyReply } from 'fastify';
 
 export type RateLimit = BucketRateLimit | LegacyRateLimit;
+export type Keyed<T> = T & { key: string };
 
 /**
  * Rate limit based on "leaky bucket" logic.
@@ -16,7 +17,7 @@ export interface BucketRateLimit {
 	/**
 	 * Unique key identifying the particular resource (or resource group) being limited.
 	 */
-	key: string;
+	key?: string;
 
 	/**
 	 * Constant value identifying the type of rate limit.
@@ -50,7 +51,7 @@ export interface LegacyRateLimit {
 	/**
 	 * Unique key identifying the particular resource (or resource group) being limited.
 	 */
-	key: string;
+	key?: string;
 
 	/**
 	 * Constant value identifying the type of rate limit.
diff --git a/packages/backend/src/server/FileServerService.ts b/packages/backend/src/server/FileServerService.ts
index 3a03cd8c00..5293d529ad 100644
--- a/packages/backend/src/server/FileServerService.ts
+++ b/packages/backend/src/server/FileServerService.ts
@@ -32,7 +32,7 @@ import { getIpHash } from '@/misc/get-ip-hash.js';
 import { AuthenticateService } from '@/server/api/AuthenticateService.js';
 import { RoleService } from '@/core/RoleService.js';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
-import { RateLimit, sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
+import { Keyed, RateLimit, sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import type { FastifyInstance, FastifyRequest, FastifyReply, FastifyPluginOptions } from 'fastify';
 
 const _filename = fileURLToPath(import.meta.url);
@@ -633,7 +633,7 @@ export class FileServerService {
 	}
 
 	private async checkResourceLimit(reply: FastifyReply, actor: string, group: string, resource: string, factor = 1): Promise<boolean> {
-		const limit: RateLimit = {
+		const limit: Keyed<RateLimit> = {
 			// Group by resource
 			key: `${group}${resource}`,
 			type: 'bucket',
@@ -647,7 +647,7 @@ export class FileServerService {
 	}
 
 	private async checkSharedLimit(reply: FastifyReply, actor: string, group: string, factor = 1): Promise<boolean> {
-		const limit: RateLimit = {
+		const limit: Keyed<RateLimit> = {
 			key: group,
 			type: 'bucket',
 
@@ -658,7 +658,7 @@ export class FileServerService {
 		return await this.checkLimit(reply, actor, limit, factor);
 	}
 
-	private async checkLimit(reply: FastifyReply, actor: string, limit: RateLimit, factor = 1): Promise<boolean> {
+	private async checkLimit(reply: FastifyReply, actor: string, limit: Keyed<RateLimit>, factor = 1): Promise<boolean> {
 		const info = await this.rateLimiterService.limit(limit, actor, factor);
 
 		sendRateLimitHeaders(reply, info);
diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 6ad4bc8cb5..c6c33f7303 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -18,7 +18,7 @@ import { createTemp } from '@/misc/create-temp.js';
 import { bindThis } from '@/decorators.js';
 import { RoleService } from '@/core/RoleService.js';
 import type { Config } from '@/config.js';
-import { RateLimit, sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
+import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { ApiError } from './error.js';
 import { ApiLoggerService } from './ApiLoggerService.js';
@@ -327,7 +327,7 @@ export class ApiCallService implements OnApplicationShutdown {
 				const limit = {
 					key: ep.name,
 					...endpointLimit,
-				} as RateLimit;
+				};
 
 				// Rate limit
 				const info = await this.rateLimiterService.limit(limit, limitActor, factor);
diff --git a/packages/backend/src/server/api/RateLimiterService.ts b/packages/backend/src/server/api/RateLimiterService.ts
index 305dcc1d6d..879529090f 100644
--- a/packages/backend/src/server/api/RateLimiterService.ts
+++ b/packages/backend/src/server/api/RateLimiterService.ts
@@ -10,6 +10,7 @@ import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
 import { LoggerService } from '@/core/LoggerService.js';
 import { bindThis } from '@/decorators.js';
+import { LegacyRateLimit } from '@/misc/rate-limit-utils.js';
 import type { IEndpointMeta } from './endpoints.js';
 
 /** @deprecated Use SkRateLimiterService instead */
@@ -32,7 +33,7 @@ export class RateLimiterService {
 	}
 
 	@bindThis
-	public limit(limitation: IEndpointMeta['limit'] & { key: NonNullable<string> }, actor: string, factor = 1) {
+	public limit(limitation: LegacyRateLimit & { key: NonNullable<string> }, actor: string, factor = 1) {
 		return new Promise<void>((ok, reject) => {
 			if (this.disabled) ok();
 
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 1aee8aa799..6415ee905c 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -10,7 +10,7 @@ import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
 import { DI } from '@/di-symbols.js';
 import type Logger from '@/logger.js';
-import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit } from '@/misc/rate-limit-utils.js';
+import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit, Keyed } from '@/misc/rate-limit-utils.js';
 
 @Injectable()
 export class SkRateLimiterService {
@@ -34,7 +34,7 @@ export class SkRateLimiterService {
 		this.disabled = envService.env.NODE_ENV !== 'production'; // TODO disable in TEST *only*
 	}
 
-	public async limit(limit: RateLimit, actor: string, factor = 1): Promise<LimitInfo> {
+	public async limit(limit: Keyed<RateLimit>, actor: string, factor = 1): Promise<LimitInfo> {
 		if (this.disabled || factor === 0) {
 			return {
 				blocked: false,
@@ -57,7 +57,7 @@ export class SkRateLimiterService {
 		}
 	}
 
-	private async limitLegacy(limit: LegacyRateLimit, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitLegacy(limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		const promises: Promise<LimitInfo | null>[] = [];
 
 		// The "min" limit - if present - is handled directly.
@@ -90,7 +90,7 @@ export class SkRateLimiterService {
 		};
 	}
 
-	private async limitMin(limit: LegacyRateLimit & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
+	private async limitMin(limit: Keyed<LegacyRateLimit> & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
 		if (limit.minInterval === 0) return null;
 		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
@@ -126,7 +126,7 @@ export class SkRateLimiterService {
 		return limitInfo;
 	}
 
-	private async limitBucket(limit: BucketRateLimit, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitBucket(limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.size < 1) throw new Error(`Invalid rate limit ${limit.key}: size is less than 1 (${limit.size})`);
 		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
@@ -166,7 +166,7 @@ export class SkRateLimiterService {
 		return limitInfo;
 	}
 
-	private async getLimitCounter(limit: RateLimit, actor: string, subject: string): Promise<LimitCounter> {
+	private async getLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string): Promise<LimitCounter> {
 		const key = createLimitKey(limit, actor, subject);
 
 		const value = await this.redisClient.get(key);
@@ -177,7 +177,7 @@ export class SkRateLimiterService {
 		return JSON.parse(value);
 	}
 
-	private async setLimitCounter(limit: RateLimit, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
+	private async setLimitCounter(limit: Keyed<RateLimit>, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
 		const key = createLimitKey(limit, actor, subject);
 		const value = JSON.stringify(counter);
 		const expirationSec = Math.max(expiration, 1);
@@ -185,7 +185,7 @@ export class SkRateLimiterService {
 	}
 }
 
-function createLimitKey(limit: RateLimit, actor: string, subject: string): string {
+function createLimitKey(limit: Keyed<RateLimit>, actor: string, subject: string): string {
 	return `rl_${actor}_${limit.key}_${subject}`;
 }
 
diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
index a4193a64ec..7eb18fbfe2 100644
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@@ -856,7 +856,7 @@ interface IEndpointMetaBase {
 	 * エンドポイントのリミテーションに関するやつ
 	 * 省略した場合はリミテーションは無いものとして解釈されます。
 	 */
-	readonly limit?: Readonly<RateLimit | Omit<RateLimit, 'key'>>;
+	readonly limit?: Readonly<RateLimit>;
 
 	/**
 	 * ファイルの添付を必要とするか否か
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 910a3e5582..dbf7795fc6 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -8,7 +8,7 @@ import { jest } from '@jest/globals';
 import type Redis from 'ioredis';
 import { LimitCounter, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { LoggerService } from '@/core/LoggerService.js';
-import { BucketRateLimit, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
+import { BucketRateLimit, Keyed, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
 
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 /* eslint-disable @typescript-eslint/no-unnecessary-condition */
@@ -142,7 +142,7 @@ describe(SkRateLimiterService, () => {
 		});
 
 		describe('with bucket limit', () => {
-			let limit: BucketRateLimit = null!;
+			let limit: Keyed<BucketRateLimit> = null!;
 
 			beforeEach(() => {
 				limit = {
@@ -387,7 +387,7 @@ describe(SkRateLimiterService, () => {
 		});
 
 		describe('with min interval', () => {
-			let limit: MutableLegacyRateLimit = null!;
+			let limit: Keyed<LegacyRateLimit> = null!;
 
 			beforeEach(() => {
 				limit = {
@@ -570,7 +570,7 @@ describe(SkRateLimiterService, () => {
 		});
 
 		describe('with legacy limit', () => {
-			let limit: MutableLegacyRateLimit = null!;
+			let limit: Keyed<LegacyRateLimit> = null!;
 
 			beforeEach(() => {
 				limit = {
@@ -726,7 +726,7 @@ describe(SkRateLimiterService, () => {
 		});
 
 		describe('with legacy limit and min interval', () => {
-			let limit: MutableLegacyRateLimit = null!;
+			let limit: Keyed<LegacyRateLimit> = null!;
 
 			beforeEach(() => {
 				limit = {
@@ -855,11 +855,3 @@ describe(SkRateLimiterService, () => {
 		});
 	});
 });
-
-// The same thing, but mutable
-interface MutableLegacyRateLimit extends LegacyRateLimit {
-	key: string;
-	duration?: number;
-	max?: number;
-	minInterval?: number;
-}
-- 
cgit v1.2.3-freya


From 2528508cff9d8c90abd33e46b15220a49a00e2e2 Mon Sep 17 00:00:00 2001
From: NoriDev <m1nthing2322@gmail.com>
Date: Thu, 31 Oct 2024 13:52:01 +0900
Subject: feat: 노트 게시를 예약할 수 있음 (yojo-art/cherrypick#483,
 [Type4ny-Project/Type4ny@271c872c](https://github.com/Type4ny-Project/Type4ny/commit/271c872c97f215ef5d8e0be62251dd422a52e5b1))
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 locales/en-US.yml                                  |   2 +
 locales/index.d.ts                                 |   8 +
 locales/ja-JP.yml                                  |   2 +
 locales/ko-KR.yml                                  |   2 +
 .../migration/1699437894737-scheduleNote.js        |  17 +
 packages/backend/src/core/QueueModule.ts           |  12 +
 packages/backend/src/core/QueueService.ts          |   2 +
 packages/backend/src/core/RoleService.ts           |   3 +
 packages/backend/src/di-symbols.ts                 |   1 +
 packages/backend/src/models/NoteSchedule.ts        |  60 ++++
 packages/backend/src/models/RepositoryModule.ts    |   9 +
 packages/backend/src/models/_.ts                   |   3 +
 packages/backend/src/models/json-schema/role.ts    |   4 +
 packages/backend/src/postgres.ts                   |   2 +
 packages/backend/src/queue/QueueProcessorModule.ts |   2 +
 .../backend/src/queue/QueueProcessorService.ts     |  14 +
 packages/backend/src/queue/const.ts                |   1 +
 .../processors/ScheduleNotePostProcessorService.ts |  94 +++++
 packages/backend/src/queue/types.ts                |   4 +
 packages/backend/src/server/api/EndpointsModule.ts |  12 +
 packages/backend/src/server/api/endpoints.ts       |   6 +
 .../src/server/api/endpoints/admin/queue/stats.ts  |   3 +-
 .../server/api/endpoints/notes/schedule/create.ts  | 393 +++++++++++++++++++++
 .../server/api/endpoints/notes/schedule/delete.ts  |  67 ++++
 .../server/api/endpoints/notes/schedule/list.ts    | 128 +++++++
 .../backend/src/server/web/ClientServerService.ts  |   3 +
 packages/frontend-shared/js/const.ts               |   1 +
 packages/frontend/src/components/MkNoteHeader.vue  |   5 +-
 packages/frontend/src/components/MkNoteSimple.vue  |  55 ++-
 packages/frontend/src/components/MkPostForm.vue    |  59 +++-
 .../frontend/src/components/MkScheduleEditor.vue   |  69 ++++
 .../src/components/MkSchedulePostListDialog.vue    |  60 ++++
 packages/frontend/src/os.ts                        |   1 +
 packages/frontend/src/pages/admin/roles.editor.vue |  19 +
 packages/frontend/src/pages/admin/roles.vue        |   7 +
 packages/misskey-js/etc/misskey-js.api.md          |  16 +
 packages/misskey-js/src/autogen/apiClientJSDoc.ts  |  33 ++
 packages/misskey-js/src/autogen/endpoint.ts        |   7 +
 packages/misskey-js/src/autogen/entities.ts        |   4 +
 packages/misskey-js/src/autogen/types.ts           | 269 ++++++++++++++
 packages/misskey-js/src/consts.ts                  |   2 +
 41 files changed, 1455 insertions(+), 6 deletions(-)
 create mode 100644 packages/backend/migration/1699437894737-scheduleNote.js
 create mode 100644 packages/backend/src/models/NoteSchedule.ts
 create mode 100644 packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
 create mode 100644 packages/backend/src/server/api/endpoints/notes/schedule/create.ts
 create mode 100644 packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
 create mode 100644 packages/backend/src/server/api/endpoints/notes/schedule/list.ts
 create mode 100644 packages/frontend/src/components/MkScheduleEditor.vue
 create mode 100644 packages/frontend/src/components/MkSchedulePostListDialog.vue

(limited to 'packages/backend/src/server/api')

diff --git a/locales/en-US.yml b/locales/en-US.yml
index 6ea7fb4f8d..38e9b03acb 100644
--- a/locales/en-US.yml
+++ b/locales/en-US.yml
@@ -2073,6 +2073,8 @@ _permissions:
   "read:mutes": "View your list of muted users"
   "write:mutes": "Edit your list of muted users"
   "write:notes": "Compose or delete notes"
+  "read:notes-schedule": "View your list of scheduled notes"
+  "write:notes-schedule": "Compose or delete scheduled notes"
   "read:notifications": "View your notifications"
   "write:notifications": "Manage your notifications"
   "read:reactions": "View your reactions"
diff --git a/locales/index.d.ts b/locales/index.d.ts
index 5caebcfa02..92c09ffe12 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -8140,6 +8140,14 @@ export interface Locale extends ILocale {
          * ノートを作成・削除する
          */
         "write:notes": string;
+        /**
+         * 予約投稿を見る
+         */
+        "read:notes-schedule": string;
+        /**
+         * 予約投稿を作成・削除する
+         */
+        "write:notes-schedule": string;
         /**
          * 通知を見る
          */
diff --git a/locales/ja-JP.yml b/locales/ja-JP.yml
index c448d4d50a..0d2229ac20 100644
--- a/locales/ja-JP.yml
+++ b/locales/ja-JP.yml
@@ -2121,6 +2121,8 @@ _permissions:
   "read:mutes": "ミュートを見る"
   "write:mutes": "ミュートを操作する"
   "write:notes": "ノートを作成・削除する"
+  "read:notes-schedule": "予約投稿を見る"
+  "write:notes-schedule": "予約投稿を作成・削除する"
   "read:notifications": "通知を見る"
   "write:notifications": "通知を操作する"
   "read:reactions": "リアクションを見る"
diff --git a/locales/ko-KR.yml b/locales/ko-KR.yml
index 414202adab..351d5a23ce 100644
--- a/locales/ko-KR.yml
+++ b/locales/ko-KR.yml
@@ -2080,6 +2080,8 @@ _permissions:
   "read:mutes": "뮤트 여부를 확인합니다"
   "write:mutes": "뮤트를 하거나 해제합니다"
   "write:notes": "노트를 작성하거나 삭제합니다"
+  "read:notes-schedule": "게시를 예약한 노트를 봅니다"
+  "write:notes-schedule": "노트 게시를 예약하거나 삭제합니다"
   "read:notifications": "알림을 확인합니다"
   "write:notifications": "알림을 모두 읽음 처리합니다"
   "read:reactions": "리액션을 확인합니다"
diff --git a/packages/backend/migration/1699437894737-scheduleNote.js b/packages/backend/migration/1699437894737-scheduleNote.js
new file mode 100644
index 0000000000..28dc290f25
--- /dev/null
+++ b/packages/backend/migration/1699437894737-scheduleNote.js
@@ -0,0 +1,17 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and misskey-project
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export class ScheduleNote1699437894737 {
+    name = 'ScheduleNote1699437894737'
+
+    async up(queryRunner) {
+        await queryRunner.query(`CREATE TABLE "note_schedule" ("id" character varying(32) NOT NULL, "note" jsonb NOT NULL, "userId" character varying(260) NOT NULL, "scheduledAt" TIMESTAMP WITH TIME ZONE NOT NULL, CONSTRAINT "PK_3a1ae2db41988f4994268218436" PRIMARY KEY ("id"))`);
+        await queryRunner.query(`CREATE INDEX "IDX_e798958c40009bf0cdef4f28b5" ON "note_schedule" ("userId") `);
+		}
+
+    async down(queryRunner) {
+        await queryRunner.query(`DROP TABLE "note_schedule"`);
+    }
+}
diff --git a/packages/backend/src/core/QueueModule.ts b/packages/backend/src/core/QueueModule.ts
index b10b8e5899..6dd48927c1 100644
--- a/packages/backend/src/core/QueueModule.ts
+++ b/packages/backend/src/core/QueueModule.ts
@@ -16,6 +16,7 @@ import {
 	RelationshipJobData,
 	UserWebhookDeliverJobData,
 	SystemWebhookDeliverJobData,
+	ScheduleNotePostJobData,
 } from '../queue/types.js';
 import type { Provider } from '@nestjs/common';
 
@@ -28,6 +29,7 @@ export type RelationshipQueue = Bull.Queue<RelationshipJobData>;
 export type ObjectStorageQueue = Bull.Queue;
 export type UserWebhookDeliverQueue = Bull.Queue<UserWebhookDeliverJobData>;
 export type SystemWebhookDeliverQueue = Bull.Queue<SystemWebhookDeliverJobData>;
+export type ScheduleNotePostQueue = Bull.Queue<ScheduleNotePostJobData>;
 
 const $system: Provider = {
 	provide: 'queue:system',
@@ -83,6 +85,12 @@ const $systemWebhookDeliver: Provider = {
 	inject: [DI.config],
 };
 
+const $scheduleNotePost: Provider = {
+	provide: 'queue:scheduleNotePost',
+	useFactory: (config: Config) => new Bull.Queue(QUEUE.SCHEDULE_NOTE_POST, baseQueueOptions(config, QUEUE.SCHEDULE_NOTE_POST)),
+	inject: [DI.config],
+};
+
 @Module({
 	imports: [
 	],
@@ -96,6 +104,7 @@ const $systemWebhookDeliver: Provider = {
 		$objectStorage,
 		$userWebhookDeliver,
 		$systemWebhookDeliver,
+		$scheduleNotePost,
 	],
 	exports: [
 		$system,
@@ -107,6 +116,7 @@ const $systemWebhookDeliver: Provider = {
 		$objectStorage,
 		$userWebhookDeliver,
 		$systemWebhookDeliver,
+		$scheduleNotePost,
 	],
 })
 export class QueueModule implements OnApplicationShutdown {
@@ -120,6 +130,7 @@ export class QueueModule implements OnApplicationShutdown {
 		@Inject('queue:objectStorage') public objectStorageQueue: ObjectStorageQueue,
 		@Inject('queue:userWebhookDeliver') public userWebhookDeliverQueue: UserWebhookDeliverQueue,
 		@Inject('queue:systemWebhookDeliver') public systemWebhookDeliverQueue: SystemWebhookDeliverQueue,
+		@Inject('queue:scheduleNotePost') public scheduleNotePostQueue: ScheduleNotePostQueue,
 	) {}
 
 	public async dispose(): Promise<void> {
@@ -136,6 +147,7 @@ export class QueueModule implements OnApplicationShutdown {
 			this.objectStorageQueue.close(),
 			this.userWebhookDeliverQueue.close(),
 			this.systemWebhookDeliverQueue.close(),
+			this.scheduleNotePostQueue.close(),
 		]);
 	}
 
diff --git a/packages/backend/src/core/QueueService.ts b/packages/backend/src/core/QueueService.ts
index dc13aa21bf..d9d282a168 100644
--- a/packages/backend/src/core/QueueService.ts
+++ b/packages/backend/src/core/QueueService.ts
@@ -32,6 +32,7 @@ import type {
 	SystemQueue,
 	UserWebhookDeliverQueue,
 	SystemWebhookDeliverQueue,
+	ScheduleNotePostQueue,
 } from './QueueModule.js';
 import type httpSignature from '@peertube/http-signature';
 import type * as Bull from 'bullmq';
@@ -52,6 +53,7 @@ export class QueueService {
 		@Inject('queue:objectStorage') public objectStorageQueue: ObjectStorageQueue,
 		@Inject('queue:userWebhookDeliver') public userWebhookDeliverQueue: UserWebhookDeliverQueue,
 		@Inject('queue:systemWebhookDeliver') public systemWebhookDeliverQueue: SystemWebhookDeliverQueue,
+		@Inject('queue:scheduleNotePost') public ScheduleNotePostQueue: ScheduleNotePostQueue,
 	) {
 		this.systemQueue.add('tickCharts', {
 		}, {
diff --git a/packages/backend/src/core/RoleService.ts b/packages/backend/src/core/RoleService.ts
index 64f7539031..5651b04ac2 100644
--- a/packages/backend/src/core/RoleService.ts
+++ b/packages/backend/src/core/RoleService.ts
@@ -36,6 +36,7 @@ export type RolePolicies = {
 	ltlAvailable: boolean;
 	btlAvailable: boolean;
 	canPublicNote: boolean;
+	scheduleNoteMax: number;
 	mentionLimit: number;
 	canInvite: boolean;
 	inviteLimit: number;
@@ -72,6 +73,7 @@ export const DEFAULT_POLICIES: RolePolicies = {
 	ltlAvailable: true,
 	btlAvailable: false,
 	canPublicNote: true,
+	scheduleNoteMax: 5,
 	mentionLimit: 20,
 	canInvite: false,
 	inviteLimit: 0,
@@ -377,6 +379,7 @@ export class RoleService implements OnApplicationShutdown, OnModuleInit {
 			btlAvailable: calc('btlAvailable', vs => vs.some(v => v === true)),
 			ltlAvailable: calc('ltlAvailable', vs => vs.some(v => v === true)),
 			canPublicNote: calc('canPublicNote', vs => vs.some(v => v === true)),
+			scheduleNoteMax: calc('scheduleNoteMax', vs => Math.max(...vs)),
 			mentionLimit: calc('mentionLimit', vs => Math.max(...vs)),
 			canInvite: calc('canInvite', vs => vs.some(v => v === true)),
 			inviteLimit: calc('inviteLimit', vs => Math.max(...vs)),
diff --git a/packages/backend/src/di-symbols.ts b/packages/backend/src/di-symbols.ts
index 5ea500ac77..296cc4815b 100644
--- a/packages/backend/src/di-symbols.ts
+++ b/packages/backend/src/di-symbols.ts
@@ -86,5 +86,6 @@ export const DI = {
 	noteEditRepository: Symbol('noteEditRepository'),
 	bubbleGameRecordsRepository: Symbol('bubbleGameRecordsRepository'),
 	reversiGamesRepository: Symbol('reversiGamesRepository'),
+	noteScheduleRepository: Symbol('noteScheduleRepository'),
 	//#endregion
 };
diff --git a/packages/backend/src/models/NoteSchedule.ts b/packages/backend/src/models/NoteSchedule.ts
new file mode 100644
index 0000000000..97ffe32ffa
--- /dev/null
+++ b/packages/backend/src/models/NoteSchedule.ts
@@ -0,0 +1,60 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Entity, Index, Column, PrimaryColumn } from 'typeorm';
+import { MiNote } from '@/models/Note.js';
+import { id } from './util/id.js';
+import { MiUser } from './User.js';
+import { MiChannel } from './Channel.js';
+import type { MiDriveFile } from './DriveFile.js';
+
+type MinimumUser = {
+	id: MiUser['id'];
+	host: MiUser['host'];
+	username: MiUser['username'];
+	uri: MiUser['uri'];
+};
+
+export type MiScheduleNoteType={
+	/** Date.toISOString() */
+	createdAt: string;
+	visibility: 'public' | 'home' | 'followers' | 'specified';
+	visibleUsers: MinimumUser[];
+	channel?: MiChannel['id'];
+	poll: {
+		multiple: boolean;
+		choices: string[];
+		/** Date.toISOString() */
+		expiresAt: string | null
+	} | undefined;
+	renote?: MiNote['id'];
+	localOnly: boolean;
+	cw?: string | null;
+	reactionAcceptance: 'likeOnly' | 'likeOnlyForRemote' | 'nonSensitiveOnly' | 'nonSensitiveOnlyForLocalLikeOnlyForRemote' | null;
+	files: MiDriveFile['id'][];
+	text?: string | null;
+	reply?: MiNote['id'];
+	apMentions?: MinimumUser[] | null;
+	apHashtags?: string[] | null;
+	apEmojis?: string[] | null;
+}
+
+@Entity('note_schedule')
+export class MiNoteSchedule {
+	@PrimaryColumn(id())
+	public id: string;
+
+	@Column('jsonb')
+	public note: MiScheduleNoteType;
+
+	@Index()
+	@Column('varchar', {
+		length: 260,
+	})
+	public userId: MiUser['id'];
+
+	@Column('timestamp with time zone')
+	public scheduledAt: Date;
+}
diff --git a/packages/backend/src/models/RepositoryModule.ts b/packages/backend/src/models/RepositoryModule.ts
index eb45b9a631..3a1158a42a 100644
--- a/packages/backend/src/models/RepositoryModule.ts
+++ b/packages/backend/src/models/RepositoryModule.ts
@@ -43,6 +43,7 @@ import {
 	MiNote,
 	MiNoteFavorite,
 	MiNoteReaction,
+	MiNoteSchedule,
 	MiNoteThreadMuting,
 	MiNoteUnread,
 	MiPage,
@@ -509,6 +510,12 @@ const $reversiGamesRepository: Provider = {
 	inject: [DI.db],
 };
 
+const $noteScheduleRepository: Provider = {
+	provide: DI.noteScheduleRepository,
+	useFactory: (db: DataSource) => db.getRepository(MiNoteSchedule).extend(miRepository as MiRepository<MiNoteSchedule>),
+	inject: [DI.db],
+};
+
 @Module({
 	imports: [],
 	providers: [
@@ -583,6 +590,7 @@ const $reversiGamesRepository: Provider = {
 		$noteEditRepository,
 		$bubbleGameRecordsRepository,
 		$reversiGamesRepository,
+		$noteScheduleRepository,
 	],
 	exports: [
 		$usersRepository,
@@ -656,6 +664,7 @@ const $reversiGamesRepository: Provider = {
 		$noteEditRepository,
 		$bubbleGameRecordsRepository,
 		$reversiGamesRepository,
+		$noteScheduleRepository,
 	],
 })
 export class RepositoryModule {
diff --git a/packages/backend/src/models/_.ts b/packages/backend/src/models/_.ts
index ac2dd62aa2..9a4ebfc90f 100644
--- a/packages/backend/src/models/_.ts
+++ b/packages/backend/src/models/_.ts
@@ -81,6 +81,7 @@ import { MiUserListFavorite } from '@/models/UserListFavorite.js';
 import { NoteEdit } from '@/models/NoteEdit.js';
 import { MiBubbleGameRecord } from '@/models/BubbleGameRecord.js';
 import { MiReversiGame } from '@/models/ReversiGame.js';
+import { MiNoteSchedule } from '@/models/NoteSchedule.js';
 import type { QueryDeepPartialEntity } from 'typeorm/query-builder/QueryPartialEntity.js';
 
 export interface MiRepository<T extends ObjectLiteral> {
@@ -160,6 +161,7 @@ export {
 	MiNote,
 	MiNoteFavorite,
 	MiNoteReaction,
+	MiNoteSchedule,
 	MiNoteThreadMuting,
 	MiNoteUnread,
 	MiPage,
@@ -271,3 +273,4 @@ export type UserMemoRepository = Repository<MiUserMemo> & MiRepository<MiUserMem
 export type BubbleGameRecordsRepository = Repository<MiBubbleGameRecord> & MiRepository<MiBubbleGameRecord>;
 export type ReversiGamesRepository = Repository<MiReversiGame> & MiRepository<MiReversiGame>;
 export type NoteEditRepository = Repository<NoteEdit> & MiRepository<NoteEdit>;
+export type NoteScheduleRepository = Repository<MiNoteSchedule>;
diff --git a/packages/backend/src/models/json-schema/role.ts b/packages/backend/src/models/json-schema/role.ts
index 19ea6263c9..ef0bb9f141 100644
--- a/packages/backend/src/models/json-schema/role.ts
+++ b/packages/backend/src/models/json-schema/role.ts
@@ -296,6 +296,10 @@ export const packedRolePoliciesSchema = {
 			type: 'boolean',
 			optional: false, nullable: false,
 		},
+		scheduleNoteMax: {
+			type: 'integer',
+			optional: false, nullable: false,
+		},
 	},
 } as const;
 
diff --git a/packages/backend/src/postgres.ts b/packages/backend/src/postgres.ts
index 2d66e6e445..c964c3ffee 100644
--- a/packages/backend/src/postgres.ts
+++ b/packages/backend/src/postgres.ts
@@ -79,6 +79,7 @@ import { MiUserMemo } from '@/models/UserMemo.js';
 import { NoteEdit } from '@/models/NoteEdit.js';
 import { MiBubbleGameRecord } from '@/models/BubbleGameRecord.js';
 import { MiReversiGame } from '@/models/ReversiGame.js';
+import { MiNoteSchedule } from '@/models/NoteSchedule.js';
 
 import { Config } from '@/config.js';
 import MisskeyLogger from '@/logger.js';
@@ -158,6 +159,7 @@ export const entities = [
 	MiNote,
 	MiNoteFavorite,
 	MiNoteReaction,
+	MiNoteSchedule,
 	MiNoteThreadMuting,
 	MiNoteUnread,
 	MiPage,
diff --git a/packages/backend/src/queue/QueueProcessorModule.ts b/packages/backend/src/queue/QueueProcessorModule.ts
index 7c6675b15d..dd588e0115 100644
--- a/packages/backend/src/queue/QueueProcessorModule.ts
+++ b/packages/backend/src/queue/QueueProcessorModule.ts
@@ -42,6 +42,7 @@ import { TickChartsProcessorService } from './processors/TickChartsProcessorServ
 import { AggregateRetentionProcessorService } from './processors/AggregateRetentionProcessorService.js';
 import { ExportFavoritesProcessorService } from './processors/ExportFavoritesProcessorService.js';
 import { RelationshipProcessorService } from './processors/RelationshipProcessorService.js';
+import { ScheduleNotePostProcessorService } from './processors/ScheduleNotePostProcessorService.js';
 
 @Module({
 	imports: [
@@ -85,6 +86,7 @@ import { RelationshipProcessorService } from './processors/RelationshipProcessor
 		InboxProcessorService,
 		AggregateRetentionProcessorService,
 		QueueProcessorService,
+		ScheduleNotePostProcessorService,
 	],
 	exports: [
 		QueueProcessorService,
diff --git a/packages/backend/src/queue/QueueProcessorService.ts b/packages/backend/src/queue/QueueProcessorService.ts
index f130314e74..4cc5446062 100644
--- a/packages/backend/src/queue/QueueProcessorService.ts
+++ b/packages/backend/src/queue/QueueProcessorService.ts
@@ -44,6 +44,7 @@ import { CheckExpiredMutingsProcessorService } from './processors/CheckExpiredMu
 import { BakeBufferedReactionsProcessorService } from './processors/BakeBufferedReactionsProcessorService.js';
 import { CleanProcessorService } from './processors/CleanProcessorService.js';
 import { AggregateRetentionProcessorService } from './processors/AggregateRetentionProcessorService.js';
+import { ScheduleNotePostProcessorService } from './processors/ScheduleNotePostProcessorService.js';
 import { QueueLoggerService } from './QueueLoggerService.js';
 import { QUEUE, baseQueueOptions } from './const.js';
 import { ImportNotesProcessorService } from './processors/ImportNotesProcessorService.js';
@@ -86,6 +87,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 	private relationshipQueueWorker: Bull.Worker;
 	private objectStorageQueueWorker: Bull.Worker;
 	private endedPollNotificationQueueWorker: Bull.Worker;
+	private schedulerNotePostQueueWorker: Bull.Worker;
 
 	constructor(
 		@Inject(DI.config)
@@ -126,6 +128,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 		private checkExpiredMutingsProcessorService: CheckExpiredMutingsProcessorService,
 		private bakeBufferedReactionsProcessorService: BakeBufferedReactionsProcessorService,
 		private cleanProcessorService: CleanProcessorService,
+		private scheduleNotePostProcessorService: ScheduleNotePostProcessorService,
 	) {
 		this.logger = this.queueLoggerService.logger;
 
@@ -530,6 +533,15 @@ export class QueueProcessorService implements OnApplicationShutdown {
 			});
 		}
 		//#endregion
+
+		//#region schedule note post
+		{
+			this.schedulerNotePostQueueWorker = new Bull.Worker(QUEUE.SCHEDULE_NOTE_POST, (job) => this.scheduleNotePostProcessorService.process(job), {
+				...baseQueueOptions(this.config, QUEUE.SCHEDULE_NOTE_POST),
+				autorun: false,
+			});
+		}
+		//#endregion
 	}
 
 	@bindThis
@@ -544,6 +556,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 			this.relationshipQueueWorker.run(),
 			this.objectStorageQueueWorker.run(),
 			this.endedPollNotificationQueueWorker.run(),
+			this.schedulerNotePostQueueWorker.run(),
 		]);
 	}
 
@@ -559,6 +572,7 @@ export class QueueProcessorService implements OnApplicationShutdown {
 			this.relationshipQueueWorker.close(),
 			this.objectStorageQueueWorker.close(),
 			this.endedPollNotificationQueueWorker.close(),
+			this.schedulerNotePostQueueWorker.close(),
 		]);
 	}
 
diff --git a/packages/backend/src/queue/const.ts b/packages/backend/src/queue/const.ts
index 67f689b618..fdf012f149 100644
--- a/packages/backend/src/queue/const.ts
+++ b/packages/backend/src/queue/const.ts
@@ -16,6 +16,7 @@ export const QUEUE = {
 	OBJECT_STORAGE: 'objectStorage',
 	USER_WEBHOOK_DELIVER: 'userWebhookDeliver',
 	SYSTEM_WEBHOOK_DELIVER: 'systemWebhookDeliver',
+	SCHEDULE_NOTE_POST: 'scheduleNotePost',
 };
 
 export function baseQueueOptions(config: Config, queueName: typeof QUEUE[keyof typeof QUEUE]): Bull.QueueOptions {
diff --git a/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
new file mode 100644
index 0000000000..62d527953d
--- /dev/null
+++ b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
@@ -0,0 +1,94 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable } from '@nestjs/common';
+import type Logger from '@/logger.js';
+import { bindThis } from '@/decorators.js';
+import { NoteCreateService } from '@/core/NoteCreateService.js';
+import type { ChannelsRepository, DriveFilesRepository, MiDriveFile, NoteScheduleRepository, NotesRepository, UsersRepository } from '@/models/_.js';
+import { DI } from '@/di-symbols.js';
+import { QueueLoggerService } from '../QueueLoggerService.js';
+import type * as Bull from 'bullmq';
+import type { ScheduleNotePostJobData } from '../types.js';
+
+@Injectable()
+export class ScheduleNotePostProcessorService {
+	private logger: Logger;
+
+	constructor(
+		@Inject(DI.noteScheduleRepository)
+		private noteScheduleRepository: NoteScheduleRepository,
+
+		@Inject(DI.usersRepository)
+		private usersRepository: UsersRepository,
+		@Inject(DI.driveFilesRepository)
+		private driveFilesRepository: DriveFilesRepository,
+		@Inject(DI.notesRepository)
+		private notesRepository: NotesRepository,
+		@Inject(DI.channelsRepository)
+		private channelsRepository: ChannelsRepository,
+
+		private noteCreateService: NoteCreateService,
+		private queueLoggerService: QueueLoggerService,
+	) {
+		this.logger = this.queueLoggerService.logger.createSubLogger('schedule-note-post');
+	}
+
+    @bindThis
+	public async process(job: Bull.Job<ScheduleNotePostJobData>): Promise<void> {
+		this.noteScheduleRepository.findOneBy({ id: job.data.scheduleNoteId }).then(async (data) => {
+			if (!data) {
+				this.logger.warn(`Schedule note ${job.data.scheduleNoteId} not found`);
+			} else {
+				const me = await this.usersRepository.findOneBy({ id: data.userId });
+				const note = data.note;
+
+				//idの形式でキューに積んであったのをDBから取り寄せる
+				const reply = note.reply ? await this.notesRepository.findOneBy({ id: note.reply }) : undefined;
+				const renote = note.reply ? await this.notesRepository.findOneBy({ id: note.renote }) : undefined;
+				const channel = note.channel ? await this.channelsRepository.findOneBy({ id: note.channel, isArchived: false }) : undefined;
+				let files: MiDriveFile[] = [];
+				const fileIds = note.files ?? null;
+				if (fileIds != null && fileIds.length > 0 && me) {
+					files = await this.driveFilesRepository.createQueryBuilder('file')
+						.where('file.userId = :userId AND file.id IN (:...fileIds)', {
+							userId: me.id,
+							fileIds,
+						})
+						.orderBy('array_position(ARRAY[:...fileIds], "id"::text)')
+						.setParameters({ fileIds })
+						.getMany();
+				}
+				if (
+					!data.userId ||
+					!me ||
+					(note.reply && !reply) ||
+					(note.renote && !renote) ||
+					(note.channel && !channel) ||
+					(note.files.length !== files.length)
+				) {
+					//キューに積んだときは有った物が消滅してたら予約投稿をキャンセルする
+					this.logger.warn('cancel schedule note');
+					await this.noteScheduleRepository.remove(data);
+					return;
+				}
+				await this.noteCreateService.create(me, {
+					...note,
+					createdAt: new Date(note.createdAt), //typeORMのjsonbで何故かstringにされるから戻す
+					files,
+					poll: note.poll ? {
+						choices: note.poll.choices,
+						multiple: note.poll.multiple,
+						expiresAt: note.poll.expiresAt ? new Date(note.poll.expiresAt) : null,
+					} : undefined,
+					reply,
+					renote,
+					channel,
+				});
+				await this.noteScheduleRepository.remove(data);
+			}
+		});
+	}
+}
diff --git a/packages/backend/src/queue/types.ts b/packages/backend/src/queue/types.ts
index c0d246ebbc..9433392df5 100644
--- a/packages/backend/src/queue/types.ts
+++ b/packages/backend/src/queue/types.ts
@@ -155,3 +155,7 @@ export type UserWebhookDeliverJobData = {
 export type ThinUser = {
 	id: MiUser['id'];
 };
+
+export type ScheduleNotePostJobData = {
+	scheduleNoteId: MiNote['id'];
+}
diff --git a/packages/backend/src/server/api/EndpointsModule.ts b/packages/backend/src/server/api/EndpointsModule.ts
index 5bdd7cf650..c478bebdaf 100644
--- a/packages/backend/src/server/api/EndpointsModule.ts
+++ b/packages/backend/src/server/api/EndpointsModule.ts
@@ -311,6 +311,9 @@ import * as ep___notes_renotes from './endpoints/notes/renotes.js';
 import * as ep___notes_replies from './endpoints/notes/replies.js';
 import * as ep___notes_edit from './endpoints/notes/edit.js';
 import * as ep___notes_versions from './endpoints/notes/versions.js';
+import * as ep___notes_schedule_create from './endpoints/notes/schedule/create.js';
+import * as ep___notes_schedule_delete from './endpoints/notes/schedule/delete.js';
+import * as ep___notes_schedule_list from './endpoints/notes/schedule/list.js';
 import * as ep___notes_searchByTag from './endpoints/notes/search-by-tag.js';
 import * as ep___notes_search from './endpoints/notes/search.js';
 import * as ep___notes_show from './endpoints/notes/show.js';
@@ -711,6 +714,9 @@ const $notes_reactions_delete: Provider = { provide: 'ep:notes/reactions/delete'
 const $notes_like: Provider = { provide: 'ep:notes/like', useClass: ep___notes_like.default };
 const $notes_renotes: Provider = { provide: 'ep:notes/renotes', useClass: ep___notes_renotes.default };
 const $notes_replies: Provider = { provide: 'ep:notes/replies', useClass: ep___notes_replies.default };
+const $notes_schedule_create: Provider = { provide: 'ep:notes/schedule/create', useClass: ep___notes_schedule_create.default };
+const $notes_schedule_delete: Provider = { provide: 'ep:notes/schedule/delete', useClass: ep___notes_schedule_delete.default };
+const $notes_schedule_list: Provider = { provide: 'ep:notes/schedule/list', useClass: ep___notes_schedule_list.default };
 const $notes_searchByTag: Provider = { provide: 'ep:notes/search-by-tag', useClass: ep___notes_searchByTag.default };
 const $notes_search: Provider = { provide: 'ep:notes/search', useClass: ep___notes_search.default };
 const $notes_show: Provider = { provide: 'ep:notes/show', useClass: ep___notes_show.default };
@@ -1117,6 +1123,9 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$notes_like,
 		$notes_renotes,
 		$notes_replies,
+		$notes_schedule_create,
+		$notes_schedule_delete,
+		$notes_schedule_list,
 		$notes_searchByTag,
 		$notes_search,
 		$notes_show,
@@ -1516,6 +1525,9 @@ const $reversi_verify: Provider = { provide: 'ep:reversi/verify', useClass: ep__
 		$notes_like,
 		$notes_renotes,
 		$notes_replies,
+		$notes_schedule_create,
+		$notes_schedule_delete,
+		$notes_schedule_list,
 		$notes_searchByTag,
 		$notes_search,
 		$notes_show,
diff --git a/packages/backend/src/server/api/endpoints.ts b/packages/backend/src/server/api/endpoints.ts
index 7eb18fbfe2..269afbf14b 100644
--- a/packages/backend/src/server/api/endpoints.ts
+++ b/packages/backend/src/server/api/endpoints.ts
@@ -316,6 +316,9 @@ import * as ep___notes_reactions_delete from './endpoints/notes/reactions/delete
 import * as ep___notes_like from './endpoints/notes/like.js';
 import * as ep___notes_renotes from './endpoints/notes/renotes.js';
 import * as ep___notes_replies from './endpoints/notes/replies.js';
+import * as ep___notes_schedule_create from './endpoints/notes/schedule/create.js';
+import * as ep___notes_schedule_delete from './endpoints/notes/schedule/delete.js';
+import * as ep___notes_schedule_list from './endpoints/notes/schedule/list.js';
 import * as ep___notes_searchByTag from './endpoints/notes/search-by-tag.js';
 import * as ep___notes_search from './endpoints/notes/search.js';
 import * as ep___notes_show from './endpoints/notes/show.js';
@@ -716,6 +719,9 @@ const eps = [
 	['notes/like', ep___notes_like],
 	['notes/renotes', ep___notes_renotes],
 	['notes/replies', ep___notes_replies],
+	['notes/schedule/create', ep___notes_schedule_create],
+	['notes/schedule/delete', ep___notes_schedule_delete],
+	['notes/schedule/list', ep___notes_schedule_list],
 	['notes/search-by-tag', ep___notes_searchByTag],
 	['notes/search', ep___notes_search],
 	['notes/show', ep___notes_show],
diff --git a/packages/backend/src/server/api/endpoints/admin/queue/stats.ts b/packages/backend/src/server/api/endpoints/admin/queue/stats.ts
index d7f9e4eaa3..e2bd38aac6 100644
--- a/packages/backend/src/server/api/endpoints/admin/queue/stats.ts
+++ b/packages/backend/src/server/api/endpoints/admin/queue/stats.ts
@@ -5,7 +5,7 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import { Endpoint } from '@/server/api/endpoint-base.js';
-import type { DbQueue, DeliverQueue, EndedPollNotificationQueue, InboxQueue, ObjectStorageQueue, SystemQueue, UserWebhookDeliverQueue, SystemWebhookDeliverQueue } from '@/core/QueueModule.js';
+import type { DbQueue, DeliverQueue, EndedPollNotificationQueue, InboxQueue, ObjectStorageQueue, SystemQueue, UserWebhookDeliverQueue, SystemWebhookDeliverQueue, ScheduleNotePostQueue } from '@/core/QueueModule.js';
 
 export const meta = {
 	tags: ['admin'],
@@ -55,6 +55,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		@Inject('queue:objectStorage') public objectStorageQueue: ObjectStorageQueue,
 		@Inject('queue:userWebhookDeliver') public userWebhookDeliverQueue: UserWebhookDeliverQueue,
 		@Inject('queue:systemWebhookDeliver') public systemWebhookDeliverQueue: SystemWebhookDeliverQueue,
+		@Inject('queue:scheduleNotePost') public scheduleNotePostQueue: ScheduleNotePostQueue,
 	) {
 		super(meta, paramDef, async (ps, me) => {
 			const deliverJobCounts = await this.deliverQueue.getJobCounts();
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
new file mode 100644
index 0000000000..ecdfa4bf2e
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
@@ -0,0 +1,393 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import ms from 'ms';
+import { In } from 'typeorm';
+import { Inject, Injectable } from '@nestjs/common';
+import { isPureRenote } from 'cherrypick-js/note.js';
+import type { MiUser } from '@/models/User.js';
+import type {
+	UsersRepository,
+	NotesRepository,
+	BlockingsRepository,
+	DriveFilesRepository,
+	ChannelsRepository,
+	NoteScheduleRepository,
+} from '@/models/_.js';
+import type { MiDriveFile } from '@/models/DriveFile.js';
+import type { MiNote } from '@/models/Note.js';
+import type { MiChannel } from '@/models/Channel.js';
+import { MAX_NOTE_TEXT_LENGTH } from '@/const.js';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { DI } from '@/di-symbols.js';
+import { QueueService } from '@/core/QueueService.js';
+import { IdService } from '@/core/IdService.js';
+import { MiScheduleNoteType } from '@/models/NoteSchedule.js';
+import { RoleService } from '@/core/RoleService.js';
+import { ApiError } from '../../../error.js';
+
+export const meta = {
+	tags: ['notes'],
+
+	requireCredential: true,
+
+	prohibitMoved: true,
+
+	limit: {
+		duration: ms('1hour'),
+		max: 300,
+	},
+
+	kind: 'write:notes-schedule',
+
+	errors: {
+		scheduleNoteMax: {
+			message: 'Schedule note max.',
+			code: 'SCHEDULE_NOTE_MAX',
+			id: '168707c3-e7da-4031-989e-f42aa3a274b2',
+		},
+		noSuchRenoteTarget: {
+			message: 'No such renote target.',
+			code: 'NO_SUCH_RENOTE_TARGET',
+			id: 'b5c90186-4ab0-49c8-9bba-a1f76c282ba4',
+		},
+
+		cannotReRenote: {
+			message: 'You can not Renote a pure Renote.',
+			code: 'CANNOT_RENOTE_TO_A_PURE_RENOTE',
+			id: 'fd4cc33e-2a37-48dd-99cc-9b806eb2031a',
+		},
+
+		cannotRenoteDueToVisibility: {
+			message: 'You can not Renote due to target visibility.',
+			code: 'CANNOT_RENOTE_DUE_TO_VISIBILITY',
+			id: 'be9529e9-fe72-4de0-ae43-0b363c4938af',
+		},
+
+		noSuchReplyTarget: {
+			message: 'No such reply target.',
+			code: 'NO_SUCH_REPLY_TARGET',
+			id: '749ee0f6-d3da-459a-bf02-282e2da4292c',
+		},
+
+		cannotReplyToPureRenote: {
+			message: 'You can not reply to a pure Renote.',
+			code: 'CANNOT_REPLY_TO_A_PURE_RENOTE',
+			id: '3ac74a84-8fd5-4bb0-870f-01804f82ce15',
+		},
+
+		cannotCreateAlreadyExpiredPoll: {
+			message: 'Poll is already expired.',
+			code: 'CANNOT_CREATE_ALREADY_EXPIRED_POLL',
+			id: '04da457d-b083-4055-9082-955525eda5a5',
+		},
+
+		cannotCreateAlreadyExpiredSchedule: {
+			message: 'Schedule is already expired.',
+			code: 'CANNOT_CREATE_ALREADY_EXPIRED_SCHEDULE',
+			id: '8a9bfb90-fc7e-4878-a3e8-d97faaf5fb07',
+		},
+
+		noSuchChannel: {
+			message: 'No such channel.',
+			code: 'NO_SUCH_CHANNEL',
+			id: 'b1653923-5453-4edc-b786-7c4f39bb0bbb',
+		},
+		noSuchSchedule: {
+			message: 'No such schedule.',
+			code: 'NO_SUCH_SCHEDULE',
+			id: '44dee229-8da1-4a61-856d-e3a4bbc12032',
+		},
+		youHaveBeenBlocked: {
+			message: 'You have been blocked by this user.',
+			code: 'YOU_HAVE_BEEN_BLOCKED',
+			id: 'b390d7e1-8a5e-46ed-b625-06271cafd3d3',
+		},
+
+		noSuchFile: {
+			message: 'Some files are not found.',
+			code: 'NO_SUCH_FILE',
+			id: 'b6992544-63e7-67f0-fa7f-32444b1b5306',
+		},
+
+		cannotRenoteOutsideOfChannel: {
+			message: 'Cannot renote outside of channel.',
+			code: 'CANNOT_RENOTE_OUTSIDE_OF_CHANNEL',
+			id: '33510210-8452-094c-6227-4a6c05d99f00',
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		visibility: { type: 'string', enum: ['public', 'home', 'followers', 'specified'], default: 'public' },
+		visibleUserIds: { type: 'array', uniqueItems: true, items: {
+			type: 'string', format: 'misskey:id',
+		} },
+		cw: { type: 'string', nullable: true, minLength: 1, maxLength: 100 },
+		reactionAcceptance: { type: 'string', nullable: true, enum: [null, 'likeOnly', 'likeOnlyForRemote', 'nonSensitiveOnly', 'nonSensitiveOnlyForLocalLikeOnlyForRemote'], default: null },
+		disableRightClick: { type: 'boolean', default: false },
+		noExtractMentions: { type: 'boolean', default: false },
+		noExtractHashtags: { type: 'boolean', default: false },
+		noExtractEmojis: { type: 'boolean', default: false },
+		replyId: { type: 'string', format: 'misskey:id', nullable: true },
+		renoteId: { type: 'string', format: 'misskey:id', nullable: true },
+
+		// anyOf内にバリデーションを書いても最初の一つしかチェックされない
+		// See https://github.com/misskey-dev/misskey/pull/10082
+		text: {
+			type: 'string',
+			minLength: 1,
+			maxLength: MAX_NOTE_TEXT_LENGTH,
+			nullable: true,
+		},
+		fileIds: {
+			type: 'array',
+			uniqueItems: true,
+			minItems: 1,
+			maxItems: 16,
+			items: { type: 'string', format: 'misskey:id' },
+		},
+		mediaIds: {
+			type: 'array',
+			uniqueItems: true,
+			minItems: 1,
+			maxItems: 16,
+			items: { type: 'string', format: 'misskey:id' },
+		},
+		poll: {
+			type: 'object',
+			nullable: true,
+			properties: {
+				choices: {
+					type: 'array',
+					uniqueItems: true,
+					minItems: 2,
+					maxItems: 10,
+					items: { type: 'string', minLength: 1, maxLength: 50 },
+				},
+				multiple: { type: 'boolean' },
+				expiresAt: { type: 'integer', nullable: true },
+				expiredAfter: { type: 'integer', nullable: true, minimum: 1 },
+			},
+			required: ['choices'],
+		},
+		event: {
+			type: 'object',
+			nullable: true,
+			properties: {
+				title: { type: 'string', minLength: 1, maxLength: 128, nullable: false },
+				start: { type: 'integer', nullable: false },
+				end: { type: 'integer', nullable: true },
+				metadata: { type: 'object' },
+			},
+		},
+		scheduleNote: {
+			type: 'object',
+			nullable: false,
+			properties: {
+				scheduledAt: { type: 'integer', nullable: false },
+			},
+		},
+	},
+	// (re)note with text, files and poll are optional
+	anyOf: [
+		{ required: ['text'] },
+		{ required: ['renoteId'] },
+		{ required: ['fileIds'] },
+		{ required: ['mediaIds'] },
+		{ required: ['poll'] },
+	],
+	required: ['scheduleNote'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.usersRepository)
+		private usersRepository: UsersRepository,
+
+		@Inject(DI.notesRepository)
+		private notesRepository: NotesRepository,
+
+		@Inject(DI.noteScheduleRepository)
+		private noteScheduleRepository: NoteScheduleRepository,
+
+		@Inject(DI.blockingsRepository)
+		private blockingsRepository: BlockingsRepository,
+
+		@Inject(DI.driveFilesRepository)
+		private driveFilesRepository: DriveFilesRepository,
+
+		@Inject(DI.channelsRepository)
+		private channelsRepository: ChannelsRepository,
+
+		private queueService: QueueService,
+		private roleService: RoleService,
+    private idService: IdService,
+	) {
+		super({
+			...meta,
+		}, paramDef, async (ps, me) => {
+			const scheduleNoteCount = await this.noteScheduleRepository.countBy({ userId: me.id });
+			const scheduleNoteMax = (await this.roleService.getUserPolicies(me.id)).scheduleNoteMax;
+			if (scheduleNoteCount >= scheduleNoteMax) {
+				throw new ApiError(meta.errors.scheduleNoteMax);
+			}
+			let visibleUsers: MiUser[] = [];
+			if (ps.visibleUserIds) {
+				visibleUsers = await this.usersRepository.findBy({
+					id: In(ps.visibleUserIds),
+				});
+			}
+
+			let files: MiDriveFile[] = [];
+			const fileIds = ps.fileIds ?? ps.mediaIds ?? null;
+			if (fileIds != null) {
+				files = await this.driveFilesRepository.createQueryBuilder('file')
+					.where('file.userId = :userId AND file.id IN (:...fileIds)', {
+						userId: me.id,
+						fileIds,
+					})
+					.orderBy('array_position(ARRAY[:...fileIds], "id"::text)')
+					.setParameters({ fileIds })
+					.getMany();
+
+				if (files.length !== fileIds.length) {
+					throw new ApiError(meta.errors.noSuchFile);
+				}
+			}
+
+			let renote: MiNote | null = null;
+			if (ps.renoteId != null) {
+				// Fetch renote to note
+				renote = await this.notesRepository.findOneBy({ id: ps.renoteId });
+
+				if (renote == null) {
+					throw new ApiError(meta.errors.noSuchRenoteTarget);
+				} else if (isPureRenote(renote)) {
+					throw new ApiError(meta.errors.cannotReRenote);
+				}
+
+				// Check blocking
+				if (renote.userId !== me.id) {
+					const blockExist = await this.blockingsRepository.exist({
+						where: {
+							blockerId: renote.userId,
+							blockeeId: me.id,
+						},
+					});
+					if (blockExist) {
+						throw new ApiError(meta.errors.youHaveBeenBlocked);
+					}
+				}
+
+				if (renote.visibility === 'followers' && renote.userId !== me.id) {
+					// 他人のfollowers noteはreject
+					throw new ApiError(meta.errors.cannotRenoteDueToVisibility);
+				} else if (renote.visibility === 'specified') {
+					// specified / direct noteはreject
+					throw new ApiError(meta.errors.cannotRenoteDueToVisibility);
+				}
+			}
+
+			let reply: MiNote | null = null;
+			if (ps.replyId != null) {
+				// Fetch reply
+				reply = await this.notesRepository.findOneBy({ id: ps.replyId });
+
+				if (reply == null) {
+					throw new ApiError(meta.errors.noSuchReplyTarget);
+				} else if (isPureRenote(reply)) {
+					throw new ApiError(meta.errors.cannotReplyToPureRenote);
+				}
+
+				// Check blocking
+				if (reply.userId !== me.id) {
+					const blockExist = await this.blockingsRepository.exist({
+						where: {
+							blockerId: reply.userId,
+							blockeeId: me.id,
+						},
+					});
+					if (blockExist) {
+						throw new ApiError(meta.errors.youHaveBeenBlocked);
+					}
+				}
+			}
+
+			if (ps.poll) {
+				let scheduleNote_scheduledAt = Date.now();
+				if (typeof ps.scheduleNote.scheduledAt === 'number') {
+					scheduleNote_scheduledAt = ps.scheduleNote.scheduledAt;
+				}
+				if (typeof ps.poll.expiresAt === 'number') {
+					if (ps.poll.expiresAt < scheduleNote_scheduledAt) {
+						throw new ApiError(meta.errors.cannotCreateAlreadyExpiredPoll);
+					}
+				} else if (typeof ps.poll.expiredAfter === 'number') {
+					ps.poll.expiresAt = scheduleNote_scheduledAt + ps.poll.expiredAfter;
+				}
+			}
+			if (typeof ps.scheduleNote.scheduledAt === 'number') {
+				if (ps.scheduleNote.scheduledAt < Date.now()) {
+					throw new ApiError(meta.errors.cannotCreateAlreadyExpiredSchedule);
+				}
+			} else {
+				throw new ApiError(meta.errors.cannotCreateAlreadyExpiredSchedule);
+			}
+			const note:MiScheduleNoteType = {
+				createdAt: new Date(ps.scheduleNote.scheduledAt!).toISOString(),
+				files: files.map(f => f.id),
+				poll: ps.poll ? {
+					choices: ps.poll.choices,
+					multiple: ps.poll.multiple ?? false,
+					expiresAt: ps.poll.expiresAt ? new Date(ps.poll.expiresAt).toISOString() : null,
+				} : undefined,
+				text: ps.text ?? undefined,
+				reply: reply?.id,
+				renote: renote?.id,
+				cw: ps.cw,
+				localOnly: false,
+				reactionAcceptance: ps.reactionAcceptance,
+				visibility: ps.visibility,
+				visibleUsers,
+				apMentions: ps.noExtractMentions ? [] : undefined,
+				apHashtags: ps.noExtractHashtags ? [] : undefined,
+				apEmojis: ps.noExtractEmojis ? [] : undefined,
+				event: ps.event ? {
+					start: new Date(ps.event.start!).toISOString(),
+					end: ps.event.end ? new Date(ps.event.end).toISOString() : null,
+					title: ps.event.title!,
+					metadata: ps.event.metadata ?? {},
+				} : undefined,
+				disableRightClick: ps.disableRightClick,
+			};
+
+			if (ps.scheduleNote.scheduledAt) {
+				me.token = null;
+				const noteId = this.idService.gen(new Date().getTime());
+				await this.noteScheduleRepository.insert({
+					id: noteId,
+					note: note,
+					userId: me.id,
+					scheduledAt: new Date(ps.scheduleNote.scheduledAt),
+				});
+
+				const delay = new Date(ps.scheduleNote.scheduledAt).getTime() - Date.now();
+				await this.queueService.ScheduleNotePostQueue.add(String(delay), {
+					scheduleNoteId: noteId,
+				}, {
+					delay,
+					removeOnComplete: true,
+					jobId: noteId,
+				});
+			}
+
+			return '';
+		});
+	}
+}
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts b/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
new file mode 100644
index 0000000000..df406f99f0
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
@@ -0,0 +1,67 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import ms from 'ms';
+import { Inject, Injectable } from '@nestjs/common';
+import type { NoteScheduleRepository } from '@/models/_.js';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { DI } from '@/di-symbols.js';
+import { ApiError } from '@/server/api/error.js';
+import { QueueService } from '@/core/QueueService.js';
+
+export const meta = {
+	tags: ['notes'],
+
+	requireCredential: true,
+	kind: 'write:notes-schedule',
+
+	limit: {
+		duration: ms('1hour'),
+		max: 300,
+	},
+
+	errors: {
+		noSuchNote: {
+			message: 'No such note.',
+			code: 'NO_SUCH_NOTE',
+			id: 'a58056ba-8ba1-4323-8ebf-e0b585bc244f',
+		},
+		permissionDenied: {
+			message: 'Permission denied.',
+			code: 'PERMISSION_DENIED',
+			id: 'c0da2fed-8f61-4c47-a41d-431992607b5c',
+			httpStatusCode: 403,
+		},
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		noteId: { type: 'string', format: 'misskey:id' },
+	},
+	required: ['noteId'],
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.noteScheduleRepository)
+		private noteScheduleRepository: NoteScheduleRepository,
+		private queueService: QueueService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const note = await this.noteScheduleRepository.findOneBy({ id: ps.noteId });
+			if (note === null) {
+				throw new ApiError(meta.errors.noSuchNote);
+			}
+			if (note.userId !== me.id) {
+				throw new ApiError(meta.errors.permissionDenied);
+			}
+			await this.noteScheduleRepository.delete({ id: ps.noteId });
+			await this.queueService.ScheduleNotePostQueue.remove(ps.noteId);
+		});
+	}
+}
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/list.ts b/packages/backend/src/server/api/endpoints/notes/schedule/list.ts
new file mode 100644
index 0000000000..88da4f4043
--- /dev/null
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/list.ts
@@ -0,0 +1,128 @@
+/*
+ * SPDX-FileCopyrightText: syuilo and other misskey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import ms from 'ms';
+import { Inject, Injectable } from '@nestjs/common';
+import { Endpoint } from '@/server/api/endpoint-base.js';
+import { DI } from '@/di-symbols.js';
+import type { MiNote, MiNoteSchedule, NoteScheduleRepository } from '@/models/_.js';
+import { UserEntityService } from '@/core/entities/UserEntityService.js';
+import { QueryService } from '@/core/QueryService.js';
+import { Packed } from '@/misc/json-schema.js';
+import { noteVisibilities } from '@/types.js';
+
+export const meta = {
+	tags: ['notes'],
+
+	requireCredential: true,
+	kind: 'read:notes-schedule',
+	res: {
+		type: 'array',
+		optional: false, nullable: false,
+		items: {
+			type: 'object',
+			optional: false, nullable: false,
+			properties: {
+				id: { type: 'string', format: 'misskey:id', optional: false, nullable: false },
+				note: {
+					type: 'object',
+					optional: false, nullable: false,
+					properties: {
+						createdAt: { type: 'string', optional: false, nullable: false },
+						text: { type: 'string', optional: true, nullable: false },
+						cw: { type: 'string', optional: true, nullable: true },
+						fileIds: { type: 'array', optional: false, nullable: false, items: { type: 'string', format: 'misskey:id', optional: false, nullable: false } },
+						visibility: { type: 'string', enum: ['public', 'home', 'followers', 'specified'], optional: false, nullable: false },
+						visibleUsers: {
+							type: 'array', optional: false, nullable: false, items: {
+								type: 'object',
+								optional: false, nullable: false,
+								ref: 'UserLite',
+							},
+						},
+						user: {
+							type: 'object',
+							optional: false, nullable: false,
+							ref: 'User',
+						},
+						reactionAcceptance: { type: 'string', nullable: true, enum: [null, 'likeOnly', 'likeOnlyForRemote', 'nonSensitiveOnly', 'nonSensitiveOnlyForLocalLikeOnlyForRemote'], default: null },
+						isSchedule: { type: 'boolean', optional: false, nullable: false },
+					},
+				},
+				userId: { type: 'string', optional: false, nullable: false },
+				scheduledAt: { type: 'string', optional: false, nullable: false },
+			},
+		},
+	},
+	limit: {
+		duration: ms('1hour'),
+		max: 300,
+	},
+
+	errors: {
+	},
+} as const;
+
+export const paramDef = {
+	type: 'object',
+	properties: {
+		sinceId: { type: 'string', format: 'misskey:id' },
+		untilId: { type: 'string', format: 'misskey:id' },
+		limit: { type: 'integer', minimum: 1, maximum: 100, default: 10 },
+	},
+} as const;
+
+@Injectable()
+export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-disable-line import/no-default-export
+	constructor(
+		@Inject(DI.noteScheduleRepository)
+		private noteScheduleRepository: NoteScheduleRepository,
+
+		private userEntityService: UserEntityService,
+		private queryService: QueryService,
+	) {
+		super(meta, paramDef, async (ps, me) => {
+			const query = this.queryService.makePaginationQuery(this.noteScheduleRepository.createQueryBuilder('note'), ps.sinceId, ps.untilId)
+				.andWhere('note.userId = :userId', { userId: me.id });
+			const scheduleNotes = await query.limit(ps.limit).getMany();
+			const user = await this.userEntityService.pack(me, me);
+			const scheduleNotesPack: {
+				id: string;
+				note: {
+					text?: string;
+					cw?: string|null;
+					fileIds: string[];
+					visibility: typeof noteVisibilities[number];
+					visibleUsers: Packed<'UserLite'>[];
+					reactionAcceptance: MiNote['reactionAcceptance'];
+					user: Packed<'User'>;
+					createdAt: string;
+					isSchedule: boolean;
+				};
+				userId: string;
+				scheduledAt: string;
+			}[] = await Promise.all(scheduleNotes.map(async (item: MiNoteSchedule) => {
+				return {
+					...item,
+					scheduledAt: item.scheduledAt.toISOString(),
+					note: {
+						...item.note,
+						text: item.note.text ?? '',
+						user: user,
+						visibility: item.note.visibility ?? 'public',
+						reactionAcceptance: item.note.reactionAcceptance ?? null,
+						visibleUsers: item.note.visibleUsers ? await userEntityService.packMany(item.note.visibleUsers.map(u => u.id), me) : [],
+						fileIds: item.note.files ? item.note.files : [],
+						createdAt: item.scheduledAt.toISOString(),
+						isSchedule: true,
+						id: item.id,
+					},
+				};
+			}));
+
+			return scheduleNotesPack;
+		});
+	}
+}
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index fbb8321730..aca98c4d37 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -33,6 +33,7 @@ import type {
 	SystemQueue,
 	UserWebhookDeliverQueue,
 	SystemWebhookDeliverQueue,
+	ScheduleNotePostQueue,
 } from '@/core/QueueModule.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
 import { NoteEntityService } from '@/core/entities/NoteEntityService.js';
@@ -124,6 +125,7 @@ export class ClientServerService {
 		@Inject('queue:objectStorage') public objectStorageQueue: ObjectStorageQueue,
 		@Inject('queue:userWebhookDeliver') public userWebhookDeliverQueue: UserWebhookDeliverQueue,
 		@Inject('queue:systemWebhookDeliver') public systemWebhookDeliverQueue: SystemWebhookDeliverQueue,
+		@Inject('queue:scheduleNotePost') public scheduleNotePostQueue: ScheduleNotePostQueue,
 	) {
 		//this.createServer = this.createServer.bind(this);
 	}
@@ -254,6 +256,7 @@ export class ClientServerService {
 				this.objectStorageQueue,
 				this.userWebhookDeliverQueue,
 				this.systemWebhookDeliverQueue,
+				this.scheduleNotePostQueue,
 			].map(q => new BullMQAdapter(q)),
 			serverAdapter: bullBoardServerAdapter,
 		});
diff --git a/packages/frontend-shared/js/const.ts b/packages/frontend-shared/js/const.ts
index 42cbf081e8..882f19c7fd 100644
--- a/packages/frontend-shared/js/const.ts
+++ b/packages/frontend-shared/js/const.ts
@@ -140,6 +140,7 @@ export const ROLE_POLICIES = [
 	'btlAvailable',
 	'canPublicNote',
 	'canImportNotes',
+	'scheduleNoteMax',
 	'mentionLimit',
 	'canInvite',
 	'inviteLimit',
diff --git a/packages/frontend/src/components/MkNoteHeader.vue b/packages/frontend/src/components/MkNoteHeader.vue
index cd6fdf576c..2c69048ec5 100644
--- a/packages/frontend/src/components/MkNoteHeader.vue
+++ b/packages/frontend/src/components/MkNoteHeader.vue
@@ -50,7 +50,10 @@ import { popupMenu } from '@/os.js';
 import { defaultStore } from '@/store.js';
 
 const props = defineProps<{
-	note: Misskey.entities.Note;
+	note: Misskey.entities.Note & {
+		isSchedule?: boolean
+	};
+	scheduled?: boolean;
 }>();
 
 const menuVersionsButton = shallowRef<HTMLElement>();
diff --git a/packages/frontend/src/components/MkNoteSimple.vue b/packages/frontend/src/components/MkNoteSimple.vue
index 542e3e79ea..7d2bbb31d3 100644
--- a/packages/frontend/src/components/MkNoteSimple.vue
+++ b/packages/frontend/src/components/MkNoteSimple.vue
@@ -4,7 +4,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 -->
 
 <template>
-<div :class="$style.root">
+<div v-show="!isDeleted" :class="$style.root" :tabindex="!isDeleted ? '-1' : undefined">
 	<MkAvatar :class="$style.avatar" :user="note.user" link preview/>
 	<div :class="$style.main">
 		<MkNoteHeader :class="$style.header" :note="note" :mini="true"/>
@@ -15,6 +15,10 @@ SPDX-License-Identifier: AGPL-3.0-only
 			</p>
 			<div v-show="note.cw == null || showContent">
 				<MkSubNoteContent :hideFiles="hideFiles" :class="$style.text" :note="note" :expandAllCws="props.expandAllCws"/>
+				<div v-if="note.isSchedule" style="margin-top: 10px;">
+					<MkButton :class="$style.button" inline @click.stop.prevent="editScheduleNote()"><i class="ti ti-eraser"></i> {{ i18n.ts.deleteAndEdit }}</MkButton>
+					<MkButton :class="$style.button" inline danger @click.stop.prevent="deleteScheduleNote()"><i class="ti ti-trash"></i> {{ i18n.ts.delete }}</MkButton>
+				</div>
 			</div>
 		</div>
 	</div>
@@ -24,18 +28,60 @@ SPDX-License-Identifier: AGPL-3.0-only
 <script lang="ts" setup>
 import { ref, watch } from 'vue';
 import * as Misskey from 'misskey-js';
+import * as os from '@/os.js';
 import MkNoteHeader from '@/components/MkNoteHeader.vue';
 import MkSubNoteContent from '@/components/MkSubNoteContent.vue';
 import MkCwButton from '@/components/MkCwButton.vue';
 import { defaultStore } from '@/store.js';
 
 const props = defineProps<{
-	note: Misskey.entities.Note;
+	note: Misskey.entities.Note & {
+		isSchedule? : boolean,
+		scheduledNoteId?: string
+	};
 	expandAllCws?: boolean;
 	hideFiles?: boolean;
 }>();
 
 let showContent = ref(defaultStore.state.uncollapseCW);
+const isDeleted = ref(false);
+
+const emit = defineEmits<{
+	(ev: 'editScheduleNote'): void;
+}>();
+
+async function deleteScheduleNote() {
+	const { canceled } = await os.confirm({
+		type: 'warning',
+		text: i18n.ts.deleteConfirm,
+		okText: i18n.ts.delete,
+		cancelText: i18n.ts.cancel,
+	});
+	if (canceled) return;
+	await os.apiWithDialog('notes/schedule/delete', { noteId: props.note.id })
+		.then(() => {
+			isDeleted.value = true;
+		});
+}
+
+async function editScheduleNote() {
+	try {
+		await misskeyApi('notes/schedule/delete', { noteId: props.note.id })
+			.then(() => {
+				isDeleted.value = true;
+			});
+	} catch (err) {
+		console.error(err);
+	}
+
+	await os.post({
+		initialNote: props.note,
+		renote: props.note.renote,
+		reply: props.note.reply,
+		channel: props.note.channel,
+	});
+	emit('editScheduleNote');
+}
 
 watch(() => props.expandAllCws, (expandAllCws) => {
 	if (expandAllCws !== showContent.value) showContent.value = expandAllCws;
@@ -50,6 +96,11 @@ watch(() => props.expandAllCws, (expandAllCws) => {
 	font-size: 0.95em;
 }
 
+.button{
+	margin-right: var(--margin);
+	margin-bottom: var(--margin);
+}
+
 .avatar {
 	flex-shrink: 0;
 	display: block;
diff --git a/packages/frontend/src/components/MkPostForm.vue b/packages/frontend/src/components/MkPostForm.vue
index 4a29b27ac4..443e9e7ee9 100644
--- a/packages/frontend/src/components/MkPostForm.vue
+++ b/packages/frontend/src/components/MkPostForm.vue
@@ -77,6 +77,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 	<input v-show="withHashtags" ref="hashtagsInputEl" v-model="hashtags" :class="$style.hashtags" :placeholder="i18n.ts.hashtags" list="hashtags">
 	<XPostFormAttaches v-model="files" @detach="detachFile" @changeSensitive="updateFileSensitive" @changeName="updateFileName" @replaceFile="replaceFile"/>
 	<MkPollEditor v-if="poll" v-model="poll" @destroyed="poll = null"/>
+	<MkScheduleEditor v-if="scheduleNote" v-model="scheduleNote" @destroyed="scheduleNote = null"/>
 	<MkNotePreview v-if="showPreview" :class="$style.preview" :text="text" :files="files" :poll="poll ?? undefined" :useCw="useCw" :cw="cw" :user="postAccount ?? $i"/>
 	<div v-if="showingOptions" style="padding: 8px 16px;">
 	</div>
@@ -90,6 +91,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<button v-if="postFormActions.length > 0" v-tooltip="i18n.ts.plugins" class="_button" :class="$style.footerButton" @click="showActions"><i class="ti ti-plug"></i></button>
 			<button v-tooltip="i18n.ts.emoji" :class="['_button', $style.footerButton]" @click="insertEmoji"><i class="ti ti-mood-happy"></i></button>
 			<button v-if="showAddMfmFunction" v-tooltip="i18n.ts.addMfmFunction" :class="['_button', $style.footerButton]" @click="insertMfmFunction"><i class="ti ti-palette"></i></button>
+			<button v-tooltip="i18n.ts.otherSettings" :class="['_button', $style.footerButton]" @click="showOtherMenu"><i class="ti ti-dots"></i></button>
 		</div>
 		<div :class="$style.footerRight">
 			<button v-tooltip="i18n.ts.previewNoteText" class="_button" :class="[$style.footerButton, { [$style.previewButtonActive]: showPreview }]" @click="showPreview = !showPreview"><i class="ti ti-eye"></i></button>
@@ -110,6 +112,7 @@ import * as Misskey from 'misskey-js';
 import insertTextAtCursor from 'insert-text-at-cursor';
 import { toASCII } from 'punycode/';
 import { host, url } from '@@/js/config.js';
+import type { MenuItem } from '@/types/menu.js';
 import MkNoteSimple from '@/components/MkNoteSimple.vue';
 import MkNotePreview from '@/components/MkNotePreview.vue';
 import XPostFormAttaches from '@/components/MkPostFormAttaches.vue';
@@ -133,6 +136,7 @@ import { miLocalStorage } from '@/local-storage.js';
 import { claimAchievement } from '@/scripts/achievements.js';
 import { emojiPicker } from '@/scripts/emoji-picker.js';
 import { mfmFunctionPicker } from '@/scripts/mfm-function-picker.js';
+import MkScheduleEditor from '@/components/MkScheduleEditor.vue';
 
 const $i = signinRequired();
 
@@ -150,7 +154,9 @@ const props = withDefaults(defineProps<{
 	initialFiles?: Misskey.entities.DriveFile[];
 	initialLocalOnly?: boolean;
 	initialVisibleUsers?: Misskey.entities.UserDetailed[];
-	initialNote?: Misskey.entities.Note;
+	initialNote?: Misskey.entities.Note & {
+		isSchedule?: boolean,
+	};
 	instant?: boolean;
 	fixed?: boolean;
 	autofocus?: boolean;
@@ -206,6 +212,9 @@ const recentHashtags = ref(JSON.parse(miLocalStorage.getItem('hashtags') ?? '[]'
 const imeText = ref('');
 const showingOptions = ref(false);
 const textAreaReadOnly = ref(false);
+const scheduleNote = ref<{
+	scheduledAt: number | null;
+} | null>(null);
 
 const draftKey = computed((): string => {
 	let key = props.channel ? `channel:${props.channel.id}` : '';
@@ -378,6 +387,7 @@ function watchForDraft() {
 	watch(localOnly, () => saveDraft());
 	watch(quoteId, () => saveDraft());
 	watch(reactionAcceptance, () => saveDraft());
+	watch(scheduleNote, () => saveDraft());
 }
 
 function MFMWindow() {
@@ -586,6 +596,7 @@ function clear() {
 	files.value = [];
 	poll.value = null;
 	quoteId.value = null;
+	scheduleNote.value = null;
 }
 
 function onKeydown(ev: KeyboardEvent) {
@@ -736,6 +747,7 @@ function saveDraft() {
 			visibleUserIds: visibility.value === 'specified' ? visibleUsers.value.map(x => x.id) : undefined,
 			quoteId: quoteId.value,
 			reactionAcceptance: reactionAcceptance.value,
+			scheduleNote: scheduleNote.value,
 		},
 	};
 
@@ -843,6 +855,7 @@ async function post(ev?: MouseEvent) {
 		visibleUserIds: visibility.value === 'specified' ? visibleUsers.value.map(u => u.id) : undefined,
 		reactionAcceptance: reactionAcceptance.value,
 		editId: props.editId ? props.editId : undefined,
+		scheduleNote: scheduleNote.value ?? undefined,
 	};
 
 	if (withHashtags.value && hashtags.value && hashtags.value.trim() !== '') {
@@ -879,7 +892,7 @@ async function post(ev?: MouseEvent) {
 	}
 
 	posting.value = true;
-	misskeyApi(postData.editId ? 'notes/edit' : 'notes/create', postData, token).then(() => {
+	misskeyApi(postData.editId ? 'notes/edit' : (postData.scheduleNote ? 'notes/schedule/create' : 'notes/create'), postData, token).then(() => {
 		if (props.freezeAfterPosted) {
 			posted.value = true;
 		} else {
@@ -901,6 +914,8 @@ async function post(ev?: MouseEvent) {
 				claimAchievement('notes1');
 			}
 
+			poll.value = null;
+
 			const text = postData.text ?? '';
 			const lowerCase = text.toLowerCase();
 			if ((lowerCase.includes('love') || lowerCase.includes('❤')) && lowerCase.includes('sharkey')) {
@@ -1030,6 +1045,41 @@ function openAccountMenu(ev: MouseEvent) {
 	}, ev);
 }
 
+function toggleScheduleNote() {
+	if (scheduleNote.value) scheduleNote.value = null;
+	else {
+		scheduleNote.value = {
+			scheduledAt: null,
+		};
+	}
+}
+
+function showOtherMenu(ev: MouseEvent) {
+	const menuItems: MenuItem[] = [];
+
+	if ($i.policies.scheduleNoteMax > 0) {
+		menuItems.push({
+			type: 'button',
+			text: i18n.ts.schedulePost,
+			icon: 'ti ti-calendar-time',
+			action: toggleScheduleNote,
+		}, {
+			type: 'button',
+			text: i18n.ts.schedulePostList,
+			icon: 'ti ti-calendar-event',
+			action: () => {
+				const { dispose } = os.popup(defineAsyncComponent(() => import('@/components/MkSchedulePostListDialog.vue')), {}, {
+					closed: () => {
+						dispose();
+					},
+				});
+			},
+		});
+	}
+
+	os.popupMenu(menuItems, ev.currentTarget ?? ev.target);
+}
+
 onMounted(() => {
 	if (props.autofocus) {
 		focus();
@@ -1099,6 +1149,11 @@ onMounted(() => {
 			}
 			quoteId.value = init.renote ? init.renote.id : null;
 			reactionAcceptance.value = init.reactionAcceptance;
+			if (init.isSchedule) {
+				scheduleNote.value = {
+					scheduledAt: new Date(init.createdAt).getTime(),
+				};
+			}
 		}
 
 		nextTick(() => watchForDraft());
diff --git a/packages/frontend/src/components/MkScheduleEditor.vue b/packages/frontend/src/components/MkScheduleEditor.vue
new file mode 100644
index 0000000000..8f18f620ae
--- /dev/null
+++ b/packages/frontend/src/components/MkScheduleEditor.vue
@@ -0,0 +1,69 @@
+<!--
+SPDX-FileCopyrightText: syuilo and other misskey contributors
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<div style="padding: 8px 16px;">
+	<section>
+		<MkInput v-model="atDate" small type="date" class="input">
+			<template #label>{{ i18n.ts._poll.deadlineDate }}</template>
+		</MkInput>
+		<MkInput v-model="atTime" small type="time" class="input">
+			<template #label>{{ i18n.ts._poll.deadlineTime }}</template>
+		</MkInput>
+	</section>
+</div>
+</template>
+
+<script lang="ts" setup>
+import { onMounted, ref, watch } from 'vue';
+import MkInput from '@/components/MkInput.vue';
+import { formatDateTimeString } from '@/scripts/format-time-string.js';
+import { addTime } from '@/scripts/time.js';
+import { i18n } from '@/i18n.js';
+
+const props = defineProps<{
+  modelValue: {
+		scheduledAt: number | null;
+  };
+}>();
+
+const emit = defineEmits<{
+  (ev: 'update:modelValue', v: {
+		scheduledAt: number | null;
+  }): void;
+}>();
+
+const atDate = ref(formatDateTimeString(addTime(new Date(), 1, 'day'), 'yyyy-MM-dd'));
+const atTime = ref('00:00');
+
+if (props.modelValue.scheduledAt) {
+	const date = new Date(props.modelValue.scheduledAt);
+	atDate.value = formatDateTimeString(date, 'yyyy-MM-dd');
+	atTime.value = formatDateTimeString(date, 'HH:mm');
+}
+
+function get() {
+	const calcAt = () => {
+		return new Date(`${ atDate.value } ${ atTime.value }`).getTime();
+	};
+
+	return {
+		...(
+			{ scheduledAt: calcAt() }
+		),
+	};
+}
+
+watch([
+	atDate,
+	atTime,
+], () => emit('update:modelValue', get()), {
+	deep: true,
+});
+
+onMounted(() => {
+	emit('update:modelValue', get());
+});
+</script>
diff --git a/packages/frontend/src/components/MkSchedulePostListDialog.vue b/packages/frontend/src/components/MkSchedulePostListDialog.vue
new file mode 100644
index 0000000000..cf793c7110
--- /dev/null
+++ b/packages/frontend/src/components/MkSchedulePostListDialog.vue
@@ -0,0 +1,60 @@
+<!--
+SPDX-FileCopyrightText: syuilo and other misskey contributors
+SPDX-License-Identifier: AGPL-3.0-only
+-->
+
+<template>
+<MkModalWindow
+	ref="dialogEl"
+	:withOkButton="false"
+	@click="cancel()"
+	@close="cancel()"
+>
+	<template #header>{{ i18n.ts.schedulePostList }}</template>
+	<MkSpacer :marginMin="14" :marginMax="16">
+		<MkPagination ref="paginationEl" :pagination="pagination">
+			<template #empty>
+				<div class="_fullinfo">
+					<img :src="infoImageUrl" class="_ghost"/>
+					<div>{{ i18n.ts.nothing }}</div>
+				</div>
+			</template>
+
+			<template #default="{ items }">
+				<div class="_gaps">
+					<MkNoteSimple v-for="item in items" :key="item.id" :scheduled="true" :note="item.note" @editScheduleNote="listUpdate"/>
+				</div>
+			</template>
+		</MkPagination>
+	</MkSpacer>
+</MkModalWindow>
+</template>
+
+<script lang="ts" setup>
+import { ref } from 'vue';
+import type { Paging } from '@/components/MkPagination.vue';
+import MkModalWindow from '@/components/MkModalWindow.vue';
+import MkPagination from '@/components/MkPagination.vue';
+import MkNoteSimple from '@/components/MkNoteSimple.vue';
+import { i18n } from '@/i18n.js';
+import { infoImageUrl } from '@/instance.js';
+
+const emit = defineEmits<{
+	(ev: 'cancel'): void;
+}>();
+
+const dialogEl = ref();
+const cancel = () => {
+	emit('cancel');
+	dialogEl.value.close();
+};
+const paginationEl = ref();
+const pagination: Paging = {
+	endpoint: 'notes/schedule/list',
+	limit: 10,
+};
+
+function listUpdate() {
+	paginationEl.value.reload();
+}
+</script>
diff --git a/packages/frontend/src/os.ts b/packages/frontend/src/os.ts
index e73aa77a3c..deb629d534 100644
--- a/packages/frontend/src/os.ts
+++ b/packages/frontend/src/os.ts
@@ -733,3 +733,4 @@ export function checkExistence(fileData: ArrayBuffer): Promise<any> {
 		});
 	});
 }*/
+
diff --git a/packages/frontend/src/pages/admin/roles.editor.vue b/packages/frontend/src/pages/admin/roles.editor.vue
index 1763db2323..5d896db98c 100644
--- a/packages/frontend/src/pages/admin/roles.editor.vue
+++ b/packages/frontend/src/pages/admin/roles.editor.vue
@@ -200,6 +200,25 @@ SPDX-License-Identifier: AGPL-3.0-only
 				</div>
 			</MkFolder>
 
+			<MkFolder v-if="matchQuery([i18n.ts._role._options.scheduleNoteMax, 'scheduleNoteMax'])">
+				<template #label>{{ i18n.ts._role._options.scheduleNoteMax }}</template>
+				<template #suffix>
+					<span v-if="role.policies.scheduleNoteMax.useDefault" :class="$style.useDefaultLabel">{{ i18n.ts._role.useBaseValue }}</span>
+					<span v-else>{{ role.policies.scheduleNoteMax.value }}</span>
+					<span :class="$style.priorityIndicator"><i :class="getPriorityIcon(role.policies.scheduleNoteMax)"></i></span>
+				</template>
+				<div class="_gaps">
+					<MkSwitch v-model="role.policies.scheduleNoteMax.useDefault" :readonly="readonly">
+						<template #label>{{ i18n.ts._role.useBaseValue }}</template>
+					</MkSwitch>
+					<MkInput v-model="role.policies.scheduleNoteMax.value" :disabled="role.policies.scheduleNoteMax.useDefault" type="number" :readonly="readonly">
+					</MkInput>
+					<MkRange v-model="role.policies.scheduleNoteMax.priority" :min="0" :max="2" :step="1" easing :textConverter="(v) => v === 0 ? i18n.ts._role._priority.low : v === 1 ? i18n.ts._role._priority.middle : v === 2 ? i18n.ts._role._priority.high : ''">
+						<template #label>{{ i18n.ts._role.priority }}</template>
+					</MkRange>
+				</div>
+			</MkFolder>
+
 			<MkFolder v-if="matchQuery([i18n.ts._role._options.mentionMax, 'mentionLimit'])">
 				<template #label>{{ i18n.ts._role._options.mentionMax }}</template>
 				<template #suffix>
diff --git a/packages/frontend/src/pages/admin/roles.vue b/packages/frontend/src/pages/admin/roles.vue
index 00a25446ab..036f18fe0d 100644
--- a/packages/frontend/src/pages/admin/roles.vue
+++ b/packages/frontend/src/pages/admin/roles.vue
@@ -70,6 +70,13 @@ SPDX-License-Identifier: AGPL-3.0-only
 							</MkSwitch>
 						</MkFolder>
 
+						<MkFolder v-if="matchQuery([i18n.ts._role._options.scheduleNoteMax, 'scheduleNoteMax'])">
+							<template #label>{{ i18n.ts._role._options.scheduleNoteMax }}</template>
+							<template #suffix>{{ policies.scheduleNoteMax }}</template>
+							<MkInput v-model="policies.scheduleNoteMax" type="number">
+							</MkInput>
+						</MkFolder>
+
 						<MkFolder v-if="matchQuery([i18n.ts._role._options.mentionMax, 'mentionLimit'])">
 							<template #label>{{ i18n.ts._role._options.mentionMax }}</template>
 							<template #suffix>{{ policies.mentionLimit }}</template>
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index 5af1a4112f..a74a4521e7 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -1684,6 +1684,10 @@ declare namespace entities {
         NotesRenotesResponse,
         NotesRepliesRequest,
         NotesRepliesResponse,
+        NotesScheduleCreateRequest,
+        NotesScheduleDeleteRequest,
+        NotesScheduleListRequest,
+        NotesScheduleListResponse,
         NotesSearchByTagRequest,
         NotesSearchByTagResponse,
         NotesSearchRequest,
@@ -2807,6 +2811,18 @@ type NotesRequest = operations['notes']['requestBody']['content']['application/j
 // @public (undocumented)
 type NotesResponse = operations['notes']['responses']['200']['content']['application/json'];
 
+// @public (undocumented)
+type NotesScheduleCreateRequest = operations['notes___schedule___create']['requestBody']['content']['application/json'];
+
+// @public (undocumented)
+type NotesScheduleDeleteRequest = operations['notes___schedule___delete']['requestBody']['content']['application/json'];
+
+// @public (undocumented)
+type NotesScheduleListRequest = operations['notes___schedule___list']['requestBody']['content']['application/json'];
+
+// @public (undocumented)
+type NotesScheduleListResponse = operations['notes___schedule___list']['responses']['200']['content']['application/json'];
+
 // @public (undocumented)
 type NotesSearchByTagRequest = operations['notes___search-by-tag']['requestBody']['content']['application/json'];
 
diff --git a/packages/misskey-js/src/autogen/apiClientJSDoc.ts b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
index 3fa67b7990..4b0e8173f8 100644
--- a/packages/misskey-js/src/autogen/apiClientJSDoc.ts
+++ b/packages/misskey-js/src/autogen/apiClientJSDoc.ts
@@ -3385,6 +3385,39 @@ declare module '../api.js' {
       credential?: string | null,
     ): Promise<SwitchCaseResponseType<E, P>>;
 
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+     */
+    request<E extends 'notes/schedule/create', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+     */
+    request<E extends 'notes/schedule/delete', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
+    /**
+     * No description provided.
+     * 
+     * **Credential required**: *Yes* / **Permission**: *read:notes-schedule*
+     */
+    request<E extends 'notes/schedule/list', P extends Endpoints[E]['req']>(
+      endpoint: E,
+      params: P,
+      credential?: string | null,
+    ): Promise<SwitchCaseResponseType<E, P>>;
+
     /**
      * No description provided.
      * 
diff --git a/packages/misskey-js/src/autogen/endpoint.ts b/packages/misskey-js/src/autogen/endpoint.ts
index 609c9f99d8..5caddb602b 100644
--- a/packages/misskey-js/src/autogen/endpoint.ts
+++ b/packages/misskey-js/src/autogen/endpoint.ts
@@ -450,6 +450,10 @@ import type {
 	NotesRenotesResponse,
 	NotesRepliesRequest,
 	NotesRepliesResponse,
+	NotesScheduleCreateRequest,
+	NotesScheduleDeleteRequest,
+	NotesScheduleListRequest,
+	NotesScheduleListResponse,
 	NotesSearchByTagRequest,
 	NotesSearchByTagResponse,
 	NotesSearchRequest,
@@ -900,6 +904,9 @@ export type Endpoints = {
 	'notes/like': { req: NotesLikeRequest; res: EmptyResponse };
 	'notes/renotes': { req: NotesRenotesRequest; res: NotesRenotesResponse };
 	'notes/replies': { req: NotesRepliesRequest; res: NotesRepliesResponse };
+	'notes/schedule/create': { req: NotesScheduleCreateRequest; res: EmptyResponse };
+	'notes/schedule/delete': { req: NotesScheduleDeleteRequest; res: EmptyResponse };
+	'notes/schedule/list': { req: NotesScheduleListRequest; res: NotesScheduleListResponse };
 	'notes/search-by-tag': { req: NotesSearchByTagRequest; res: NotesSearchByTagResponse };
 	'notes/search': { req: NotesSearchRequest; res: NotesSearchResponse };
 	'notes/show': { req: NotesShowRequest; res: NotesShowResponse };
diff --git a/packages/misskey-js/src/autogen/entities.ts b/packages/misskey-js/src/autogen/entities.ts
index 999dd4dd54..2da78f6a50 100644
--- a/packages/misskey-js/src/autogen/entities.ts
+++ b/packages/misskey-js/src/autogen/entities.ts
@@ -453,6 +453,10 @@ export type NotesRenotesRequest = operations['notes___renotes']['requestBody']['
 export type NotesRenotesResponse = operations['notes___renotes']['responses']['200']['content']['application/json'];
 export type NotesRepliesRequest = operations['notes___replies']['requestBody']['content']['application/json'];
 export type NotesRepliesResponse = operations['notes___replies']['responses']['200']['content']['application/json'];
+export type NotesScheduleCreateRequest = operations['notes___schedule___create']['requestBody']['content']['application/json'];
+export type NotesScheduleDeleteRequest = operations['notes___schedule___delete']['requestBody']['content']['application/json'];
+export type NotesScheduleListRequest = operations['notes___schedule___list']['requestBody']['content']['application/json'];
+export type NotesScheduleListResponse = operations['notes___schedule___list']['responses']['200']['content']['application/json'];
 export type NotesSearchByTagRequest = operations['notes___search-by-tag']['requestBody']['content']['application/json'];
 export type NotesSearchByTagResponse = operations['notes___search-by-tag']['responses']['200']['content']['application/json'];
 export type NotesSearchRequest = operations['notes___search']['requestBody']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index ad30f47f2e..2e6320c5be 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -2935,6 +2935,33 @@ export type paths = {
      */
     post: operations['notes___replies'];
   };
+  '/notes/schedule/create': {
+    /**
+     * notes/schedule/create
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+     */
+    post: operations['notes___schedule___create'];
+  };
+  '/notes/schedule/delete': {
+    /**
+     * notes/schedule/delete
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+     */
+    post: operations['notes___schedule___delete'];
+  };
+  '/notes/schedule/list': {
+    /**
+     * notes/schedule/list
+     * @description No description provided.
+     *
+     * **Credential required**: *Yes* / **Permission**: *read:notes-schedule*
+     */
+    post: operations['notes___schedule___list'];
+  };
   '/notes/search-by-tag': {
     /**
      * notes/search-by-tag
@@ -5036,6 +5063,7 @@ export type components = {
       canImportFollowing: boolean;
       canImportMuting: boolean;
       canImportUserLists: boolean;
+      scheduleNoteMax: number;
     };
     ReversiGameLite: {
       /** Format: id */
@@ -24424,6 +24452,247 @@ export type operations = {
       };
     };
   };
+  /**
+   * notes/schedule/create
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+   */
+  notes___schedule___create: {
+    requestBody: {
+      content: {
+        'application/json': {
+          /**
+           * @default public
+           * @enum {string}
+           */
+          visibility?: 'public' | 'home' | 'followers' | 'specified';
+          visibleUserIds?: string[];
+          cw?: string | null;
+          /**
+           * @default null
+           * @enum {string|null}
+           */
+          reactionAcceptance?: null | 'likeOnly' | 'likeOnlyForRemote' | 'nonSensitiveOnly' | 'nonSensitiveOnlyForLocalLikeOnlyForRemote';
+          /** @default false */
+          disableRightClick?: boolean;
+          /** @default false */
+          noExtractMentions?: boolean;
+          /** @default false */
+          noExtractHashtags?: boolean;
+          /** @default false */
+          noExtractEmojis?: boolean;
+          /** Format: misskey:id */
+          replyId?: string | null;
+          /** Format: misskey:id */
+          renoteId?: string | null;
+          text?: string | null;
+          fileIds?: string[];
+          mediaIds?: string[];
+          poll?: ({
+            choices: string[];
+            multiple?: boolean;
+            expiresAt?: number | null;
+            expiredAfter?: number | null;
+          }) | null;
+          event?: ({
+            title?: string;
+            start?: number;
+            end?: number | null;
+            metadata?: Record<string, never>;
+          }) | null;
+          scheduleNote: {
+            scheduledAt?: number;
+          };
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description To many requests */
+      429: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * notes/schedule/delete
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *write:notes-schedule*
+   */
+  notes___schedule___delete: {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** Format: misskey:id */
+          noteId: string;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (without any results) */
+      204: {
+        content: never;
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description To many requests */
+      429: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
+  /**
+   * notes/schedule/list
+   * @description No description provided.
+   *
+   * **Credential required**: *Yes* / **Permission**: *read:notes-schedule*
+   */
+  notes___schedule___list: {
+    requestBody: {
+      content: {
+        'application/json': {
+          /** Format: misskey:id */
+          sinceId?: string;
+          /** Format: misskey:id */
+          untilId?: string;
+          /** @default 10 */
+          limit?: number;
+        };
+      };
+    };
+    responses: {
+      /** @description OK (with results) */
+      200: {
+        content: {
+          'application/json': ({
+              /** Format: misskey:id */
+              id: string;
+              note: {
+                createdAt: string;
+                text?: string;
+                cw?: string | null;
+                fileIds: string[];
+                /** @enum {string} */
+                visibility: 'public' | 'home' | 'followers' | 'specified';
+                visibleUsers: components['schemas']['UserLite'][];
+                user: components['schemas']['User'];
+                /**
+                 * @default null
+                 * @enum {string|null}
+                 */
+                reactionAcceptance: null | 'likeOnly' | 'likeOnlyForRemote' | 'nonSensitiveOnly' | 'nonSensitiveOnlyForLocalLikeOnlyForRemote';
+                isSchedule: boolean;
+              };
+              userId: string;
+              scheduledAt: string;
+            })[];
+        };
+      };
+      /** @description Client error */
+      400: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Authentication error */
+      401: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Forbidden error */
+      403: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description I'm Ai */
+      418: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description To many requests */
+      429: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+      /** @description Internal server error */
+      500: {
+        content: {
+          'application/json': components['schemas']['Error'];
+        };
+      };
+    };
+  };
   /**
    * notes/search-by-tag
    * @description No description provided.
diff --git a/packages/misskey-js/src/consts.ts b/packages/misskey-js/src/consts.ts
index c99b8f5570..d090a6b46f 100644
--- a/packages/misskey-js/src/consts.ts
+++ b/packages/misskey-js/src/consts.ts
@@ -42,6 +42,8 @@ export const permissions = [
 	'read:mutes',
 	'write:mutes',
 	'write:notes',
+	'read:notes-schedule',
+	'write:notes-schedule',
 	'read:notifications',
 	'write:notifications',
 	'read:reactions',
-- 
cgit v1.2.3-freya


From 4f58b8de20625da577a2b7a8055d065bbddb94d1 Mon Sep 17 00:00:00 2001
From: Marie <github@yuugi.dev>
Date: Sun, 3 Nov 2024 03:39:19 +0100
Subject: fix: drive content not being loaded

---
 .../server/api/endpoints/notes/schedule/create.ts  | 28 +++-------------------
 .../server/api/endpoints/notes/schedule/list.ts    |  3 +++
 packages/frontend/src/components/MkMediaList.vue   |  2 +-
 packages/frontend/src/components/MkNoteSimple.vue  |  2 ++
 .../src/components/MkSchedulePostListDialog.vue    |  3 +++
 packages/misskey-js/etc/misskey-js.api.md          |  2 +-
 packages/misskey-js/src/autogen/types.ts           |  8 -------
 7 files changed, 13 insertions(+), 35 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
index ecdfa4bf2e..c22c29ae31 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
@@ -6,7 +6,7 @@
 import ms from 'ms';
 import { In } from 'typeorm';
 import { Inject, Injectable } from '@nestjs/common';
-import { isPureRenote } from 'cherrypick-js/note.js';
+import { isPureRenote } from '@/misc/is-renote.js';
 import type { MiUser } from '@/models/User.js';
 import type {
 	UsersRepository,
@@ -19,7 +19,6 @@ import type {
 import type { MiDriveFile } from '@/models/DriveFile.js';
 import type { MiNote } from '@/models/Note.js';
 import type { MiChannel } from '@/models/Channel.js';
-import { MAX_NOTE_TEXT_LENGTH } from '@/const.js';
 import { Endpoint } from '@/server/api/endpoint-base.js';
 import { DI } from '@/di-symbols.js';
 import { QueueService } from '@/core/QueueService.js';
@@ -129,7 +128,6 @@ export const paramDef = {
 		} },
 		cw: { type: 'string', nullable: true, minLength: 1, maxLength: 100 },
 		reactionAcceptance: { type: 'string', nullable: true, enum: [null, 'likeOnly', 'likeOnlyForRemote', 'nonSensitiveOnly', 'nonSensitiveOnlyForLocalLikeOnlyForRemote'], default: null },
-		disableRightClick: { type: 'boolean', default: false },
 		noExtractMentions: { type: 'boolean', default: false },
 		noExtractHashtags: { type: 'boolean', default: false },
 		noExtractEmojis: { type: 'boolean', default: false },
@@ -141,7 +139,6 @@ export const paramDef = {
 		text: {
 			type: 'string',
 			minLength: 1,
-			maxLength: MAX_NOTE_TEXT_LENGTH,
 			nullable: true,
 		},
 		fileIds: {
@@ -175,16 +172,6 @@ export const paramDef = {
 			},
 			required: ['choices'],
 		},
-		event: {
-			type: 'object',
-			nullable: true,
-			properties: {
-				title: { type: 'string', minLength: 1, maxLength: 128, nullable: false },
-				start: { type: 'integer', nullable: false },
-				end: { type: 'integer', nullable: true },
-				metadata: { type: 'object' },
-			},
-		},
 		scheduleNote: {
 			type: 'object',
 			nullable: false,
@@ -227,11 +214,9 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 		private queueService: QueueService,
 		private roleService: RoleService,
-    private idService: IdService,
+		private idService: IdService,
 	) {
-		super({
-			...meta,
-		}, paramDef, async (ps, me) => {
+		super(meta, paramDef, async (ps, me) => {
 			const scheduleNoteCount = await this.noteScheduleRepository.countBy({ userId: me.id });
 			const scheduleNoteMax = (await this.roleService.getUserPolicies(me.id)).scheduleNoteMax;
 			if (scheduleNoteCount >= scheduleNoteMax) {
@@ -358,13 +343,6 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				apMentions: ps.noExtractMentions ? [] : undefined,
 				apHashtags: ps.noExtractHashtags ? [] : undefined,
 				apEmojis: ps.noExtractEmojis ? [] : undefined,
-				event: ps.event ? {
-					start: new Date(ps.event.start!).toISOString(),
-					end: ps.event.end ? new Date(ps.event.end).toISOString() : null,
-					title: ps.event.title!,
-					metadata: ps.event.metadata ?? {},
-				} : undefined,
-				disableRightClick: ps.disableRightClick,
 			};
 
 			if (ps.scheduleNote.scheduledAt) {
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/list.ts b/packages/backend/src/server/api/endpoints/notes/schedule/list.ts
index 88da4f4043..4895733d4e 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/list.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/list.ts
@@ -9,6 +9,7 @@ import { Endpoint } from '@/server/api/endpoint-base.js';
 import { DI } from '@/di-symbols.js';
 import type { MiNote, MiNoteSchedule, NoteScheduleRepository } from '@/models/_.js';
 import { UserEntityService } from '@/core/entities/UserEntityService.js';
+import { DriveFileEntityService } from '@/core/entities/DriveFileEntityService.js';
 import { QueryService } from '@/core/QueryService.js';
 import { Packed } from '@/misc/json-schema.js';
 import { noteVisibilities } from '@/types.js';
@@ -81,6 +82,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 		private noteScheduleRepository: NoteScheduleRepository,
 
 		private userEntityService: UserEntityService,
+		private driveFileEntityService: DriveFileEntityService,
 		private queryService: QueryService,
 	) {
 		super(meta, paramDef, async (ps, me) => {
@@ -115,6 +117,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 						reactionAcceptance: item.note.reactionAcceptance ?? null,
 						visibleUsers: item.note.visibleUsers ? await userEntityService.packMany(item.note.visibleUsers.map(u => u.id), me) : [],
 						fileIds: item.note.files ? item.note.files : [],
+						files: await this.driveFileEntityService.packManyByIds(item.note.files),
 						createdAt: item.scheduledAt.toISOString(),
 						isSchedule: true,
 						id: item.id,
diff --git a/packages/frontend/src/components/MkMediaList.vue b/packages/frontend/src/components/MkMediaList.vue
index 5209489046..4ef929e81f 100644
--- a/packages/frontend/src/components/MkMediaList.vue
+++ b/packages/frontend/src/components/MkMediaList.vue
@@ -35,13 +35,13 @@ import * as Misskey from 'misskey-js';
 import PhotoSwipeLightbox from 'photoswipe/lightbox';
 import PhotoSwipe from 'photoswipe';
 import 'photoswipe/style.css';
+import { FILE_TYPE_BROWSERSAFE, FILE_EXT_TRACKER_MODULES, FILE_TYPE_TRACKER_MODULES } from '@@/js/const.js';
 import XBanner from '@/components/MkMediaBanner.vue';
 import XImage from '@/components/MkMediaImage.vue';
 import XVideo from '@/components/MkMediaVideo.vue';
 import XModPlayer from '@/components/SkModPlayer.vue';
 import XFlashPlayer from '@/components/SkFlashPlayer.vue';
 import * as os from '@/os.js';
-import { FILE_TYPE_BROWSERSAFE, FILE_EXT_TRACKER_MODULES, FILE_TYPE_TRACKER_MODULES, FILE_TYPE_FLASH_CONTENT, FILE_EXT_FLASH_CONTENT } from '@@/js/const.js';
 import { defaultStore } from '@/store.js';
 import { focusParent } from '@/scripts/focus.js';
 
diff --git a/packages/frontend/src/components/MkNoteSimple.vue b/packages/frontend/src/components/MkNoteSimple.vue
index 7d2bbb31d3..48bf53fab5 100644
--- a/packages/frontend/src/components/MkNoteSimple.vue
+++ b/packages/frontend/src/components/MkNoteSimple.vue
@@ -33,6 +33,8 @@ import MkNoteHeader from '@/components/MkNoteHeader.vue';
 import MkSubNoteContent from '@/components/MkSubNoteContent.vue';
 import MkCwButton from '@/components/MkCwButton.vue';
 import { defaultStore } from '@/store.js';
+import { misskeyApi } from '@/scripts/misskey-api.js';
+import { i18n } from '@/i18n.js';
 
 const props = defineProps<{
 	note: Misskey.entities.Note & {
diff --git a/packages/frontend/src/components/MkSchedulePostListDialog.vue b/packages/frontend/src/components/MkSchedulePostListDialog.vue
index cf793c7110..8311981a75 100644
--- a/packages/frontend/src/components/MkSchedulePostListDialog.vue
+++ b/packages/frontend/src/components/MkSchedulePostListDialog.vue
@@ -52,8 +52,11 @@ const paginationEl = ref();
 const pagination: Paging = {
 	endpoint: 'notes/schedule/list',
 	limit: 10,
+	offsetMode: true,
 };
 
+console.log(pagination);
+
 function listUpdate() {
 	paginationEl.value.reload();
 }
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index a74a4521e7..ca7a374a67 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -2953,7 +2953,7 @@ type PartialRolePolicyOverride = Partial<{
 }>;
 
 // @public (undocumented)
-export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:approve-user", "write:admin:decline-user", "write:admin:nsfw-user", "write:admin:unnsfw-user", "write:admin:silence-user", "write:admin:unsilence-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];
+export const permissions: readonly ["read:account", "write:account", "read:blocks", "write:blocks", "read:drive", "write:drive", "read:favorites", "write:favorites", "read:following", "write:following", "read:messaging", "write:messaging", "read:mutes", "write:mutes", "write:notes", "read:notes-schedule", "write:notes-schedule", "read:notifications", "write:notifications", "read:reactions", "write:reactions", "write:votes", "read:pages", "write:pages", "write:page-likes", "read:page-likes", "read:user-groups", "write:user-groups", "read:channels", "write:channels", "read:gallery", "write:gallery", "read:gallery-likes", "write:gallery-likes", "read:flash", "write:flash", "read:flash-likes", "write:flash-likes", "read:admin:abuse-user-reports", "write:admin:delete-account", "write:admin:delete-all-files-of-a-user", "read:admin:index-stats", "read:admin:table-stats", "read:admin:user-ips", "read:admin:meta", "write:admin:reset-password", "write:admin:resolve-abuse-user-report", "write:admin:send-email", "read:admin:server-info", "read:admin:show-moderation-log", "read:admin:show-user", "write:admin:suspend-user", "write:admin:approve-user", "write:admin:decline-user", "write:admin:nsfw-user", "write:admin:unnsfw-user", "write:admin:silence-user", "write:admin:unsilence-user", "write:admin:unset-user-avatar", "write:admin:unset-user-banner", "write:admin:unsuspend-user", "write:admin:meta", "write:admin:user-note", "write:admin:roles", "read:admin:roles", "write:admin:relays", "read:admin:relays", "write:admin:invite-codes", "read:admin:invite-codes", "write:admin:announcements", "read:admin:announcements", "write:admin:avatar-decorations", "read:admin:avatar-decorations", "write:admin:federation", "write:admin:account", "read:admin:account", "write:admin:emoji", "read:admin:emoji", "write:admin:queue", "read:admin:queue", "write:admin:promo", "write:admin:drive", "read:admin:drive", "write:admin:ad", "read:admin:ad", "write:invite-codes", "read:invite-codes", "write:clip-favorite", "read:clip-favorite", "read:federation", "write:report-abuse"];
 
 // @public (undocumented)
 type PingResponse = operations['ping']['responses']['200']['content']['application/json'];
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 2e6320c5be..c8d7194405 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -24475,8 +24475,6 @@ export type operations = {
            */
           reactionAcceptance?: null | 'likeOnly' | 'likeOnlyForRemote' | 'nonSensitiveOnly' | 'nonSensitiveOnlyForLocalLikeOnlyForRemote';
           /** @default false */
-          disableRightClick?: boolean;
-          /** @default false */
           noExtractMentions?: boolean;
           /** @default false */
           noExtractHashtags?: boolean;
@@ -24495,12 +24493,6 @@ export type operations = {
             expiresAt?: number | null;
             expiredAfter?: number | null;
           }) | null;
-          event?: ({
-            title?: string;
-            start?: number;
-            end?: number | null;
-            metadata?: Record<string, never>;
-          }) | null;
           scheduleNote: {
             scheduledAt?: number;
           };
-- 
cgit v1.2.3-freya


From fc9d777dc3161b40c5c62bb65cb03e2c7d8f4380 Mon Sep 17 00:00:00 2001
From: Marie <github@yuugi.dev>
Date: Sun, 3 Nov 2024 17:59:50 +0100
Subject: upd: add notification for failures, add reasons for failure, apply
 suggestions

---
 locales/index.d.ts                                 |  4 ++
 .../src/core/entities/NotificationEntityService.ts |  5 +-
 packages/backend/src/models/NoteSchedule.ts        |  2 -
 packages/backend/src/models/Notification.ts        |  5 ++
 .../backend/src/models/json-schema/notification.ts | 14 +++++
 .../processors/ScheduleNotePostProcessorService.ts | 59 +++++++++++++++++-----
 .../server/api/endpoints/notes/schedule/create.ts  |  5 +-
 packages/backend/src/types.ts                      |  1 +
 packages/frontend-shared/js/const.ts               |  1 +
 .../frontend/src/components/MkNotification.vue     |  8 ++-
 packages/frontend/src/components/MkPostForm.vue    |  5 +-
 .../src/components/MkSchedulePostListDialog.vue    |  1 +
 packages/misskey-js/etc/misskey-js.api.md          |  2 +-
 packages/misskey-js/src/autogen/types.ts           | 16 ++++--
 packages/misskey-js/src/consts.ts                  |  2 +-
 packages/sw/src/scripts/create-notification.ts     |  7 +++
 sharkey-locales/en-US.yml                          |  1 +
 17 files changed, 110 insertions(+), 28 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/locales/index.d.ts b/locales/index.d.ts
index e181b13f33..4cfc220731 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -9558,6 +9558,10 @@ export interface Locale extends ILocale {
          * Note got edited
          */
         "edited": string;
+        /**
+         * Posting scheduled note failed
+         */
+        "scheduledNoteFailed": string;
     };
     "_deck": {
         /**
diff --git a/packages/backend/src/core/entities/NotificationEntityService.ts b/packages/backend/src/core/entities/NotificationEntityService.ts
index bbaf0cb7c8..27b8231854 100644
--- a/packages/backend/src/core/entities/NotificationEntityService.ts
+++ b/packages/backend/src/core/entities/NotificationEntityService.ts
@@ -20,7 +20,7 @@ import type { OnModuleInit } from '@nestjs/common';
 import type { UserEntityService } from './UserEntityService.js';
 import type { NoteEntityService } from './NoteEntityService.js';
 
-const NOTE_REQUIRED_NOTIFICATION_TYPES = new Set(['note', 'mention', 'reply', 'renote', 'renote:grouped', 'quote', 'reaction', 'reaction:grouped', 'pollEnded', 'edited'] as (typeof groupedNotificationTypes[number])[]);
+const NOTE_REQUIRED_NOTIFICATION_TYPES = new Set(['note', 'mention', 'reply', 'renote', 'renote:grouped', 'quote', 'reaction', 'reaction:grouped', 'pollEnded', 'edited', 'scheduledNoteFailed'] as (typeof groupedNotificationTypes[number])[]);
 
 @Injectable()
 export class NotificationEntityService implements OnModuleInit {
@@ -169,6 +169,9 @@ export class NotificationEntityService implements OnModuleInit {
 				exportedEntity: notification.exportedEntity,
 				fileId: notification.fileId,
 			} : {}),
+			...(notification.type === 'scheduledNoteFailed' ? {
+				reason: notification.reason,
+			} : {}),
 			...(notification.type === 'app' ? {
 				body: notification.customBody,
 				header: notification.customHeader,
diff --git a/packages/backend/src/models/NoteSchedule.ts b/packages/backend/src/models/NoteSchedule.ts
index 97ffe32ffa..dde0af6ad7 100644
--- a/packages/backend/src/models/NoteSchedule.ts
+++ b/packages/backend/src/models/NoteSchedule.ts
@@ -18,8 +18,6 @@ type MinimumUser = {
 };
 
 export type MiScheduleNoteType={
-	/** Date.toISOString() */
-	createdAt: string;
 	visibility: 'public' | 'home' | 'followers' | 'specified';
 	visibleUsers: MinimumUser[];
 	channel?: MiChannel['id'];
diff --git a/packages/backend/src/models/Notification.ts b/packages/backend/src/models/Notification.ts
index c4f046c565..5003e02d96 100644
--- a/packages/backend/src/models/Notification.ts
+++ b/packages/backend/src/models/Notification.ts
@@ -122,6 +122,11 @@ export type MiNotification = {
 	createdAt: string;
 	notifierId: MiUser['id'];
 	noteId: MiNote['id'];
+} | {
+	type: 'scheduledNoteFailed';
+	id: string;
+	createdAt: string;
+	reason: string;
 };
 
 export type MiGroupedNotification = MiNotification | {
diff --git a/packages/backend/src/models/json-schema/notification.ts b/packages/backend/src/models/json-schema/notification.ts
index 990e8957cf..69bd9531ec 100644
--- a/packages/backend/src/models/json-schema/notification.ts
+++ b/packages/backend/src/models/json-schema/notification.ts
@@ -369,6 +369,20 @@ export const packedNotificationSchema = {
 				optional: false, nullable: false,
 			},
 		},
+	}, {
+		type: 'object',
+		properties: {
+			...baseSchema.properties,
+			type: {
+				type: 'string',
+				optional: false, nullable: false,
+				enum: ['scheduledNoteFailed'],
+			},
+			reason: {
+				type: 'string',
+				optional: false, nullable: false,
+			},
+		},
 	}, {
 		type: 'object',
 		properties: {
diff --git a/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
index 62d527953d..59e23b865e 100644
--- a/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
+++ b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
@@ -9,6 +9,7 @@ import { bindThis } from '@/decorators.js';
 import { NoteCreateService } from '@/core/NoteCreateService.js';
 import type { ChannelsRepository, DriveFilesRepository, MiDriveFile, NoteScheduleRepository, NotesRepository, UsersRepository } from '@/models/_.js';
 import { DI } from '@/di-symbols.js';
+import { NotificationService } from '@/core/NotificationService.js';
 import { QueueLoggerService } from '../QueueLoggerService.js';
 import type * as Bull from 'bullmq';
 import type { ScheduleNotePostJobData } from '../types.js';
@@ -32,6 +33,7 @@ export class ScheduleNotePostProcessorService {
 
 		private noteCreateService: NoteCreateService,
 		private queueLoggerService: QueueLoggerService,
+		private notificationService: NotificationService,
 	) {
 		this.logger = this.queueLoggerService.logger.createSubLogger('schedule-note-post');
 	}
@@ -50,8 +52,9 @@ export class ScheduleNotePostProcessorService {
 				const renote = note.reply ? await this.notesRepository.findOneBy({ id: note.renote }) : undefined;
 				const channel = note.channel ? await this.channelsRepository.findOneBy({ id: note.channel, isArchived: false }) : undefined;
 				let files: MiDriveFile[] = [];
-				const fileIds = note.files ?? null;
-				if (fileIds != null && fileIds.length > 0 && me) {
+				const fileIds = note.files;
+
+				if (fileIds.length > 0 && me) {
 					files = await this.driveFilesRepository.createQueryBuilder('file')
 						.where('file.userId = :userId AND file.id IN (:...fileIds)', {
 							userId: me.id,
@@ -61,22 +64,52 @@ export class ScheduleNotePostProcessorService {
 						.setParameters({ fileIds })
 						.getMany();
 				}
-				if (
-					!data.userId ||
-					!me ||
-					(note.reply && !reply) ||
-					(note.renote && !renote) ||
-					(note.channel && !channel) ||
-					(note.files.length !== files.length)
-				) {
-					//キューに積んだときは有った物が消滅してたら予約投稿をキャンセルする
-					this.logger.warn('cancel schedule note');
+
+				if (!data.userId || !me) {
+					this.logger.warn('Schedule Note Failed Reason: User Not Found');
+					await this.noteScheduleRepository.remove(data);
+					return;
+				}
+
+				if (note.files.length !== files.length) {
+					this.logger.warn('Schedule Note Failed Reason: files are missing in the user\'s drive');
+					this.notificationService.createNotification(me.id, 'scheduledNoteFailed', {
+						reason: 'Some attached files on your scheduled note no longer exist',
+					});
+					await this.noteScheduleRepository.remove(data);
+					return;
+				}
+
+				if (note.reply && !reply) {
+					this.logger.warn('Schedule Note Failed Reason: parent note to reply does not exist');
+					this.notificationService.createNotification(me.id, 'scheduledNoteFailed', {
+						reason: 'Replied to note on your scheduled note no longer exists',
+					});
 					await this.noteScheduleRepository.remove(data);
 					return;
 				}
+
+				if (note.renote && !renote) {
+					this.logger.warn('Schedule Note Failed Reason: attached quote note no longer exists');
+					this.notificationService.createNotification(me.id, 'scheduledNoteFailed', {
+						reason: 'A quoted note from one of your scheduled notes no longer exists',
+					});
+					await this.noteScheduleRepository.remove(data);
+					return;
+				}
+
+				if (note.channel && !channel) {
+					this.logger.warn('Schedule Note Failed Reason: Channel does not exist');
+					this.notificationService.createNotification(me.id, 'scheduledNoteFailed', {
+						reason: 'An attached channel on your scheduled note no longer exists',
+					});
+					await this.noteScheduleRepository.remove(data);
+					return;
+				}
+
 				await this.noteCreateService.create(me, {
 					...note,
-					createdAt: new Date(note.createdAt), //typeORMのjsonbで何故かstringにされるから戻す
+					createdAt: new Date(),
 					files,
 					poll: note.poll ? {
 						choices: note.poll.choices,
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
index c22c29ae31..b8ae3f44a3 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
@@ -292,7 +292,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 
 				// Check blocking
 				if (reply.userId !== me.id) {
-					const blockExist = await this.blockingsRepository.exist({
+					const blockExist = await this.blockingsRepository.exists({
 						where: {
 							blockerId: reply.userId,
 							blockeeId: me.id,
@@ -324,8 +324,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			} else {
 				throw new ApiError(meta.errors.cannotCreateAlreadyExpiredSchedule);
 			}
-			const note:MiScheduleNoteType = {
-				createdAt: new Date(ps.scheduleNote.scheduledAt!).toISOString(),
+			const note: MiScheduleNoteType = {
 				files: files.map(f => f.id),
 				poll: ps.poll ? {
 					choices: ps.poll.choices,
diff --git a/packages/backend/src/types.ts b/packages/backend/src/types.ts
index 2aa4f279ea..7930129002 100644
--- a/packages/backend/src/types.ts
+++ b/packages/backend/src/types.ts
@@ -35,6 +35,7 @@ export const notificationTypes = [
 	'roleAssigned',
 	'achievementEarned',
 	'exportCompleted',
+	'scheduledNoteFailed',
 	'app',
 	'test',
 ] as const;
diff --git a/packages/frontend-shared/js/const.ts b/packages/frontend-shared/js/const.ts
index 882f19c7fd..5bc75db908 100644
--- a/packages/frontend-shared/js/const.ts
+++ b/packages/frontend-shared/js/const.ts
@@ -131,6 +131,7 @@ export const notificationTypes = [
 	'test',
 	'app',
 	'edited',
+	'scheduledNoteFailed',
 ] as const;
 export const obsoleteNotificationTypes = ['pollVote', 'groupInvited'] as const;
 
diff --git a/packages/frontend/src/components/MkNotification.vue b/packages/frontend/src/components/MkNotification.vue
index 7bec9bdc65..3c4f56b537 100644
--- a/packages/frontend/src/components/MkNotification.vue
+++ b/packages/frontend/src/components/MkNotification.vue
@@ -7,7 +7,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 <div :class="$style.root">
 	<div :class="$style.head">
 		<MkAvatar v-if="['pollEnded', 'note', 'edited'].includes(notification.type) && 'note' in notification" :class="$style.icon" :user="notification.note.user" link preview/>
-		<MkAvatar v-else-if="['roleAssigned', 'achievementEarned'].includes(notification.type)" :class="$style.icon" :user="$i" link preview/>
+		<MkAvatar v-else-if="['roleAssigned', 'achievementEarned', 'scheduledNoteFailed'].includes(notification.type)" :class="$style.icon" :user="$i" link preview/>
 		<div v-else-if="notification.type === 'reaction:grouped' && notification.note.reactionAcceptance === 'likeOnly'" :class="[$style.icon, $style.icon_reactionGroup]"><i class="ph-smiley ph-bold ph-lg" style="line-height: 1;"></i></div>
 		<div v-else-if="notification.type === 'reaction:grouped'" :class="[$style.icon, $style.icon_reactionGroup]"><i class="ph-smiley ph-bold ph-lg" style="line-height: 1;"></i></div>
 		<div v-else-if="notification.type === 'renote:grouped'" :class="[$style.icon, $style.icon_renoteGroup]"><i class="ti ti-repeat" style="line-height: 1;"></i></div>
@@ -29,6 +29,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 				[$style.t_exportCompleted]: notification.type === 'exportCompleted',
 				[$style.t_roleAssigned]: notification.type === 'roleAssigned' && notification.role.iconUrl == null,
 				[$style.t_pollEnded]: notification.type === 'edited',
+				[$style.t_roleAssigned]: notification.type === 'scheduledNoteFailed',
 			}]"
 		> <!-- we re-use t_pollEnded for "edited" instead of making an identical style -->
 			<i v-if="notification.type === 'follow'" class="ti ti-plus"></i>
@@ -46,6 +47,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 				<i v-else class="ti ti-badges"></i>
 			</template>
 			<i v-else-if="notification.type === 'edited'" class="ph-pencil ph-bold ph-lg"></i>
+			<i v-else-if="notification.type === 'scheduledNoteFailed'" class="ti ti-calendar-event"></i>
 			<!-- notification.reaction が null になることはまずないが、ここでoptional chaining使うと一部ブラウザで刺さるので念の為 -->
 			<MkReactionIcon
 				v-else-if="notification.type === 'reaction'"
@@ -70,6 +72,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<span v-else-if="notification.type === 'renote:grouped'">{{ i18n.tsx._notification.renotedBySomeUsers({ n: notification.users.length }) }}</span>
 			<span v-else-if="notification.type === 'app'">{{ notification.header }}</span>
 			<span v-else-if="notification.type === 'edited'">{{ i18n.ts._notification.edited }}</span>
+			<span v-else-if="notification.type === 'scheduledNoteFailed'">{{ i18n.ts._notification.scheduledNoteFailed }}</span>
 			<MkTime v-if="withTime" :time="notification.createdAt" :class="$style.headerTime"/>
 		</header>
 		<div>
@@ -109,6 +112,9 @@ SPDX-License-Identifier: AGPL-3.0-only
 			<MkA v-else-if="notification.type === 'exportCompleted'" :class="$style.text" :to="`/my/drive/file/${notification.fileId}`">
 				{{ i18n.ts.showFile }}
 			</MkA>
+			<div v-else-if="notification.type === 'scheduledNoteFailed'" :class="$style.text">
+				{{ notification.reason }}
+			</div>
 			<template v-else-if="notification.type === 'follow'">
 				<span :class="$style.text" style="opacity: 0.6;">{{ i18n.ts.youGotNewFollower }}</span>
 			</template>
diff --git a/packages/frontend/src/components/MkPostForm.vue b/packages/frontend/src/components/MkPostForm.vue
index 443e9e7ee9..bbde7c65f9 100644
--- a/packages/frontend/src/components/MkPostForm.vue
+++ b/packages/frontend/src/components/MkPostForm.vue
@@ -1046,8 +1046,9 @@ function openAccountMenu(ev: MouseEvent) {
 }
 
 function toggleScheduleNote() {
-	if (scheduleNote.value) scheduleNote.value = null;
-	else {
+	if (scheduleNote.value) {
+		scheduleNote.value = null;
+	} else {
 		scheduleNote.value = {
 			scheduledAt: null,
 		};
diff --git a/packages/frontend/src/components/MkSchedulePostListDialog.vue b/packages/frontend/src/components/MkSchedulePostListDialog.vue
index cfae94951b..d0716ead79 100644
--- a/packages/frontend/src/components/MkSchedulePostListDialog.vue
+++ b/packages/frontend/src/components/MkSchedulePostListDialog.vue
@@ -48,6 +48,7 @@ const cancel = () => {
 	emit('cancel');
 	dialogEl.value.close();
 };
+
 const paginationEl = ref();
 const pagination: Paging = {
 	endpoint: 'notes/schedule/list',
diff --git a/packages/misskey-js/etc/misskey-js.api.md b/packages/misskey-js/etc/misskey-js.api.md
index ca7a374a67..880be518fa 100644
--- a/packages/misskey-js/etc/misskey-js.api.md
+++ b/packages/misskey-js/etc/misskey-js.api.md
@@ -2890,7 +2890,7 @@ type Notification_2 = components['schemas']['Notification'];
 type NotificationsCreateRequest = operations['notifications___create']['requestBody']['content']['application/json'];
 
 // @public (undocumented)
-export const notificationTypes: readonly ["note", "follow", "mention", "reply", "renote", "quote", "reaction", "pollVote", "pollEnded", "receiveFollowRequest", "followRequestAccepted", "groupInvited", "app", "roleAssigned", "achievementEarned", "edited"];
+export const notificationTypes: readonly ["note", "follow", "mention", "reply", "renote", "quote", "reaction", "pollVote", "pollEnded", "receiveFollowRequest", "followRequestAccepted", "groupInvited", "app", "roleAssigned", "achievementEarned", "edited", "scheduledNoteFailed"];
 
 // @public (undocumented)
 export function nyaize(text: string): string;
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index c8d7194405..6eb1819037 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -4517,6 +4517,14 @@ export type components = {
       /** Format: id */
       userId: string;
       note: components['schemas']['Note'];
+    } | {
+      /** Format: id */
+      id: string;
+      /** Format: date-time */
+      createdAt: string;
+      /** @enum {string} */
+      type: 'scheduledNoteFailed';
+      reason: string;
     } | {
       /** Format: id */
       id: string;
@@ -19984,8 +19992,8 @@ export type operations = {
           untilId?: string;
           /** @default true */
           markAsRead?: boolean;
-          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
-          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
+          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'scheduledNoteFailed' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
+          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'scheduledNoteFailed' | 'app' | 'test' | 'pollVote' | 'groupInvited')[];
         };
       };
     };
@@ -20052,8 +20060,8 @@ export type operations = {
           untilId?: string;
           /** @default true */
           markAsRead?: boolean;
-          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
-          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
+          includeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'scheduledNoteFailed' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
+          excludeTypes?: ('note' | 'follow' | 'mention' | 'reply' | 'renote' | 'quote' | 'reaction' | 'pollEnded' | 'edited' | 'receiveFollowRequest' | 'followRequestAccepted' | 'roleAssigned' | 'achievementEarned' | 'exportCompleted' | 'scheduledNoteFailed' | 'app' | 'test' | 'reaction:grouped' | 'renote:grouped' | 'pollVote' | 'groupInvited')[];
         };
       };
     };
diff --git a/packages/misskey-js/src/consts.ts b/packages/misskey-js/src/consts.ts
index d090a6b46f..34fc7c1a03 100644
--- a/packages/misskey-js/src/consts.ts
+++ b/packages/misskey-js/src/consts.ts
@@ -16,7 +16,7 @@ import type {
 	UserLite,
 } from './autogen/models.js';
 
-export const notificationTypes = ['note', 'follow', 'mention', 'reply', 'renote', 'quote', 'reaction', 'pollVote', 'pollEnded', 'receiveFollowRequest', 'followRequestAccepted', 'groupInvited', 'app', 'roleAssigned', 'achievementEarned', 'edited'] as const;
+export const notificationTypes = ['note', 'follow', 'mention', 'reply', 'renote', 'quote', 'reaction', 'pollVote', 'pollEnded', 'receiveFollowRequest', 'followRequestAccepted', 'groupInvited', 'app', 'roleAssigned', 'achievementEarned', 'edited', 'scheduledNoteFailed'] as const;
 
 export const noteVisibilities = ['public', 'home', 'followers', 'specified'] as const;
 
diff --git a/packages/sw/src/scripts/create-notification.ts b/packages/sw/src/scripts/create-notification.ts
index 9c56e338c7..8442552e3b 100644
--- a/packages/sw/src/scripts/create-notification.ts
+++ b/packages/sw/src/scripts/create-notification.ts
@@ -258,6 +258,13 @@ async function composeNotification(data: PushNotificationDataMap[keyof PushNotif
 						data,
 					}];
 
+				case 'scheduledNoteFailed':
+					return [i18n.ts._notification.scheduledNoteFailed, {
+						body: data.body.reason,
+						badge: iconUrl('bell'),
+						data,
+					}];
+
 				default:
 					return null;
 			}
diff --git a/sharkey-locales/en-US.yml b/sharkey-locales/en-US.yml
index 79c362cfd8..582f4eda0a 100644
--- a/sharkey-locales/en-US.yml
+++ b/sharkey-locales/en-US.yml
@@ -277,6 +277,7 @@ _notification:
   youRenoted: "Boost from {name}"
   renotedBySomeUsers: "Boosted by {n} users"
   edited: "Note got edited"
+  scheduledNoteFailed: "Posting scheduled note failed"
   _types:
     renote: "Boosts"
     edited: "Edits"
-- 
cgit v1.2.3-freya


From 152cc074831b784bb1e12267587184cea293a186 Mon Sep 17 00:00:00 2001
From: Marie <github@yuugi.dev>
Date: Mon, 9 Dec 2024 05:58:25 +0100
Subject: Apply suggestions

---
 .../src/queue/processors/ScheduleNotePostProcessorService.ts       | 7 +++++++
 packages/backend/src/server/api/endpoints/notes/schedule/create.ts | 2 +-
 packages/frontend/src/components/MkPostForm.vue                    | 4 +---
 3 files changed, 9 insertions(+), 4 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
index f281b0ed7b..ea43448ed0 100644
--- a/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
+++ b/packages/backend/src/queue/processors/ScheduleNotePostProcessorService.ts
@@ -10,6 +10,7 @@ import { NoteCreateService } from '@/core/NoteCreateService.js';
 import type { ChannelsRepository, DriveFilesRepository, MiDriveFile, NoteScheduleRepository, NotesRepository, UsersRepository } from '@/models/_.js';
 import { DI } from '@/di-symbols.js';
 import { NotificationService } from '@/core/NotificationService.js';
+import { IdentifiableError } from '@/misc/identifiable-error.js';
 import { QueueLoggerService } from '../QueueLoggerService.js';
 import type * as Bull from 'bullmq';
 import type { ScheduleNotePostJobData } from '../types.js';
@@ -119,6 +120,12 @@ export class ScheduleNotePostProcessorService {
 					reply,
 					renote,
 					channel,
+				}).catch(async (err: IdentifiableError) => {
+					this.notificationService.createNotification(me.id, 'scheduledNoteFailed', {
+						reason: err.message,
+					});
+					await this.noteScheduleRepository.remove(data);
+					throw this.logger.error(`Schedule Note Failed Reason: ${err.message}`);
 				});
 				await this.noteScheduleRepository.remove(data);
 				this.notificationService.createNotification(me.id, 'scheduledNotePosted', {
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
index b8ae3f44a3..7d20b6b82a 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
@@ -360,7 +360,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}, {
 					delay,
 					removeOnComplete: true,
-					jobId: noteId,
+					jobId: `schedNote:${noteId}`,
 				});
 			}
 
diff --git a/packages/frontend/src/components/MkPostForm.vue b/packages/frontend/src/components/MkPostForm.vue
index bbde7c65f9..c7d5611847 100644
--- a/packages/frontend/src/components/MkPostForm.vue
+++ b/packages/frontend/src/components/MkPostForm.vue
@@ -821,7 +821,7 @@ async function post(ev?: MouseEvent) {
 		const filesData = toRaw(files.value);
 
 		const isMissingAltText = filesData.filter(
-			file => file.type.startsWith('image/') || file.type.startsWith('video/') || file.type.startsWith('audio/')
+			file => file.type.startsWith('image/') || file.type.startsWith('video/') || file.type.startsWith('audio/'),
 		).some(file => !file.comment);
 
 		if (isMissingAltText) {
@@ -914,8 +914,6 @@ async function post(ev?: MouseEvent) {
 				claimAchievement('notes1');
 			}
 
-			poll.value = null;
-
 			const text = postData.text ?? '';
 			const lowerCase = text.toLowerCase();
 			if ((lowerCase.includes('love') || lowerCase.includes('❤')) && lowerCase.includes('sharkey')) {
-- 
cgit v1.2.3-freya


From f02d0994132c5774f3adf0d4a993f4ecca549b77 Mon Sep 17 00:00:00 2001
From: Marie <github@yuugi.dev>
Date: Mon, 9 Dec 2024 06:10:32 +0100
Subject: fix deletion of scheduled note

---
 packages/backend/src/server/api/endpoints/notes/schedule/delete.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts b/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
index df406f99f0..628fd89926 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/delete.ts
@@ -61,7 +61,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				throw new ApiError(meta.errors.permissionDenied);
 			}
 			await this.noteScheduleRepository.delete({ id: ps.noteId });
-			await this.queueService.ScheduleNotePostQueue.remove(ps.noteId);
+			await this.queueService.ScheduleNotePostQueue.remove(`schedNote:${ps.noteId}`);
 		});
 	}
 }
-- 
cgit v1.2.3-freya


From c9f588276c90232e00d672e9e253e0f05e6e37e0 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Mon, 9 Dec 2024 10:01:48 +0000
Subject: remove duplicate import

---
 packages/backend/src/server/api/SigninApiService.ts | 1 -
 1 file changed, 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SigninApiService.ts b/packages/backend/src/server/api/SigninApiService.ts
index d1e58fb536..fa9155d82d 100644
--- a/packages/backend/src/server/api/SigninApiService.ts
+++ b/packages/backend/src/server/api/SigninApiService.ts
@@ -26,7 +26,6 @@ import { UserAuthService } from '@/core/UserAuthService.js';
 import { CaptchaService } from '@/core/CaptchaService.js';
 import { FastifyReplyError } from '@/misc/fastify-reply-error.js';
 import { isSystemAccount } from '@/misc/is-system-account.js';
-import type { MiMeta } from '@/models/_.js';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { sendRateLimitHeaders } from '@/misc/rate-limit-utils.js';
 import { SigninService } from './SigninService.js';
-- 
cgit v1.2.3-freya


From 9daafca155682281f567c9b4da8f3af3564aa281 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Mon, 9 Dec 2024 19:04:06 -0500
Subject: fix rate limits under multi-node environments

---
 .../backend/src/server/api/SkRateLimiterService.ts | 185 ++++---
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 544 +++++++++++++--------
 2 files changed, 456 insertions(+), 273 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 6415ee905c..05166ed93c 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -5,16 +5,13 @@
 
 import { Inject, Injectable } from '@nestjs/common';
 import Redis from 'ioredis';
-import { LoggerService } from '@/core/LoggerService.js';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
 import { DI } from '@/di-symbols.js';
-import type Logger from '@/logger.js';
 import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit, Keyed } from '@/misc/rate-limit-utils.js';
 
 @Injectable()
 export class SkRateLimiterService {
-	private readonly logger: Logger;
 	private readonly disabled: boolean;
 
 	constructor(
@@ -24,14 +21,10 @@ export class SkRateLimiterService {
 		@Inject(DI.redis)
 		private readonly redisClient: Redis.Redis,
 
-		@Inject(LoggerService)
-		loggerService: LoggerService,
-
 		@Inject(EnvService)
 		envService: EnvService,
 	) {
-		this.logger = loggerService.getLogger('limiter');
-		this.disabled = envService.env.NODE_ENV !== 'production'; // TODO disable in TEST *only*
+		this.disabled = envService.env.NODE_ENV !== 'production';
 	}
 
 	public async limit(limit: Keyed<RateLimit>, actor: string, factor = 1): Promise<LimitInfo> {
@@ -50,10 +43,25 @@ export class SkRateLimiterService {
 			throw new Error(`Rate limit factor is zero or negative: ${factor}`);
 		}
 
-		if (isLegacyRateLimit(limit)) {
-			return await this.limitLegacy(limit, actor, factor);
-		} else {
-			return await this.limitBucket(limit, actor, factor);
+		return await this.tryLimit(limit, actor, factor);
+	}
+
+	private async tryLimit(limit: Keyed<RateLimit>, actor: string, factor: number, retry = 1): Promise<LimitInfo> {
+		try {
+			if (isLegacyRateLimit(limit)) {
+				return await this.limitLegacy(limit, actor, factor);
+			} else {
+				return await this.limitBucket(limit, actor, factor);
+			}
+		} catch (err) {
+			// We may experience collision errors from optimistic locking.
+			// This is expected, so we should retry a few times before giving up.
+			// https://redis.io/docs/latest/develop/interact/transactions/#optimistic-locking-using-check-and-set
+			if (err instanceof TransactionError && retry < 3) {
+				return await this.tryLimit(limit, actor, factor, retry + 1);
+			}
+
+			throw err;
 		}
 	}
 
@@ -94,36 +102,30 @@ export class SkRateLimiterService {
 		if (limit.minInterval === 0) return null;
 		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
-		const counter = await this.getLimitCounter(limit, actor, 'min');
 		const minInterval = Math.max(Math.ceil(limit.minInterval * factor), 0);
+		const expirationSec = Math.max(Math.ceil(minInterval / 1000), 1);
 
-		// Update expiration
-		if (counter.c > 0) {
-			const isCleared = this.timeService.now - counter.t >= minInterval;
+		// Check for window clear
+		const counter = await this.getLimitCounter(limit, actor, 'min');
+		if (counter.counter > 0) {
+			const isCleared = this.timeService.now - counter.timestamp >= minInterval;
 			if (isCleared) {
-				counter.c = 0;
+				counter.counter = 0;
 			}
 		}
 
-		const blocked = counter.c > 0;
+		// Increment the limit, then synchronize with redis
+		const blocked = counter.counter > 0;
 		if (!blocked) {
-			counter.c++;
-			counter.t = this.timeService.now;
+			counter.counter++;
+			counter.timestamp = this.timeService.now;
+			await this.updateLimitCounter(limit, actor, 'min', expirationSec, counter);
 		}
 
 		// Calculate limit status
-		const resetMs = Math.max(Math.ceil(minInterval - (this.timeService.now - counter.t)), 0);
+		const resetMs = Math.max(minInterval - (this.timeService.now - counter.timestamp), 0);
 		const resetSec = Math.ceil(resetMs / 1000);
-		const limitInfo: LimitInfo = { blocked, remaining: 0, resetSec, resetMs, fullResetSec: resetSec, fullResetMs: resetMs };
-
-		// Update the limit counter, but not if blocked
-		if (!blocked) {
-			// Don't await, or we will slow down the API.
-			this.setLimitCounter(limit, actor, counter, resetSec, 'min')
-				.catch(err => this.logger.error(`Failed to update limit ${limit.key}:min for ${actor}:`, err));
-		}
-
-		return limitInfo;
+		return { blocked, remaining: 0, resetSec, resetMs, fullResetSec: resetSec, fullResetMs: resetMs };
 	}
 
 	private async limitBucket(limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
@@ -131,68 +133,113 @@ export class SkRateLimiterService {
 		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
 
-		const counter = await this.getLimitCounter(limit, actor, 'bucket');
 		const bucketSize = Math.max(Math.ceil(limit.size / factor), 1);
 		const dripRate = Math.ceil(limit.dripRate ?? 1000);
 		const dripSize = Math.ceil(limit.dripSize ?? 1);
+		const expirationSec = Math.max(Math.ceil(bucketSize / dripRate), 1);
 
-		// Update drips
-		if (counter.c > 0) {
-			const dripsSinceLastTick = Math.floor((this.timeService.now - counter.t) / dripRate) * dripSize;
-			counter.c = Math.max(counter.c - dripsSinceLastTick, 0);
+		// Simulate bucket drips
+		const counter = await this.getLimitCounter(limit, actor, 'bucket');
+		if (counter.counter > 0) {
+			const dripsSinceLastTick = Math.floor((this.timeService.now - counter.timestamp) / dripRate) * dripSize;
+			counter.counter = Math.max(counter.counter - dripsSinceLastTick, 0);
 		}
 
-		const blocked = counter.c >= bucketSize;
+		// Increment the limit, then synchronize with redis
+		const blocked = counter.counter >= bucketSize;
 		if (!blocked) {
-			counter.c++;
-			counter.t = this.timeService.now;
+			counter.counter++;
+			counter.timestamp = this.timeService.now;
+			await this.updateLimitCounter(limit, actor, 'bucket', expirationSec, counter);
 		}
 
+		// Calculate how much time is needed to free up a bucket slot
+		const overflow = Math.max((counter.counter + 1) - bucketSize, 0);
+		const dripsNeeded = Math.ceil(overflow / dripSize);
+		const timeNeeded = Math.max((dripRate * dripsNeeded) - (this.timeService.now - counter.timestamp), 0);
+
 		// Calculate limit status
-		const remaining = Math.max(bucketSize - counter.c, 0);
-		const resetMs = remaining > 0 ? 0 : Math.max(dripRate - (this.timeService.now - counter.t), 0);
+		const remaining = Math.max(bucketSize - counter.counter, 0);
+		const resetMs = timeNeeded;
 		const resetSec = Math.ceil(resetMs / 1000);
-		const fullResetMs = Math.ceil(counter.c / dripSize) * dripRate;
+		const fullResetMs = Math.ceil(counter.counter / dripSize) * dripRate;
 		const fullResetSec = Math.ceil(fullResetMs / 1000);
-		const limitInfo: LimitInfo = { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs };
+		return { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs };
+	}
 
-		// Update the limit counter, but not if blocked
-		if (!blocked) {
-			// Don't await, or we will slow down the API.
-			this.setLimitCounter(limit, actor, counter, fullResetSec, 'bucket')
-				.catch(err => this.logger.error(`Failed to update limit ${limit.key} for ${actor}:`, err));
-		}
+	private async getLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string): Promise<LimitCounter> {
+		const timestampKey = createLimitKey(limit, actor, subject, 't');
+		const counterKey = createLimitKey(limit, actor, subject, 'c');
+
+		const [timestamp, counter] = await this.executeRedis(
+			[
+				['get', timestampKey],
+				['get', counterKey],
+			],
+			[
+				timestampKey,
+				counterKey,
+			],
+		);
 
-		return limitInfo;
+		return {
+			timestamp: timestamp ? parseInt(timestamp) : 0,
+			counter: counter ? parseInt(counter) : 0,
+		};
 	}
 
-	private async getLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string): Promise<LimitCounter> {
-		const key = createLimitKey(limit, actor, subject);
+	private async updateLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string, expirationSec: number, counter: LimitCounter): Promise<void> {
+		const timestampKey = createLimitKey(limit, actor, subject, 't');
+		const counterKey = createLimitKey(limit, actor, subject, 'c');
+
+		await this.executeRedis(
+			[
+				['set', timestampKey, counter.timestamp.toString(), 'EX', expirationSec],
+				['set', counterKey, counter.counter.toString(), 'EX', expirationSec],
+			],
+			[
+				timestampKey,
+				counterKey,
+			],
+		);
+	}
+
+	private async executeRedis<Num extends number>(batch: RedisBatch<Num>, watch: string[]): Promise<RedisResults<Num>> {
+		const results = await this.redisClient
+			.multi(batch)
+			.watch(watch)
+			.exec();
 
-		const value = await this.redisClient.get(key);
-		if (value == null) {
-			return { t: 0, c: 0 };
+		// Transaction error
+		if (!results) {
+			throw new TransactionError('Redis error: transaction conflict');
 		}
 
-		return JSON.parse(value);
-	}
+		// The entire call failed
+		if (results.length !== batch.length) {
+			throw new Error('Redis error: failed to execute batch');
+		}
 
-	private async setLimitCounter(limit: Keyed<RateLimit>, actor: string, counter: LimitCounter, expiration: number, subject: string): Promise<void> {
-		const key = createLimitKey(limit, actor, subject);
-		const value = JSON.stringify(counter);
-		const expirationSec = Math.max(expiration, 1);
-		await this.redisClient.set(key, value, 'EX', expirationSec);
+		// A particular command failed
+		const errors = results.map(r => r[0]).filter(e => e != null);
+		if (errors.length > 0) {
+			throw new AggregateError(errors, `Redis error: failed to execute command(s): '${errors.join('\', \'')}'`);
+		}
+
+		return results.map(r => r[1]) as RedisResults<Num>;
 	}
 }
 
-function createLimitKey(limit: Keyed<RateLimit>, actor: string, subject: string): string {
-	return `rl_${actor}_${limit.key}_${subject}`;
+type RedisBatch<Num extends number> = [string, ...unknown[]][] & { length: Num };
+type RedisResults<Num extends number> = (string | null)[] & { length: Num };
+
+function createLimitKey(limit: Keyed<RateLimit>, actor: string, subject: string, value: string): string {
+	return `rl_${actor}_${limit.key}_${subject}_${value}`;
 }
 
-export interface LimitCounter {
-	/** Timestamp */
-	t: number;
+class TransactionError extends Error {}
 
-	/** Counter */
-	c: number;
+interface LimitCounter {
+	timestamp: number;
+	counter: number;
 }
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index dbf7795fc6..871c9afa64 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -3,25 +3,19 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { KEYWORD } from 'color-convert/conversions.js';
-import { jest } from '@jest/globals';
 import type Redis from 'ioredis';
-import { LimitCounter, SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
-import { LoggerService } from '@/core/LoggerService.js';
+import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { BucketRateLimit, Keyed, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
 
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
-/* eslint-disable @typescript-eslint/no-unnecessary-condition */
 
 describe(SkRateLimiterService, () => {
 	let mockTimeService: { now: number, date: Date } = null!;
-	let mockRedisGet: ((key: string) => string | null) | undefined = undefined;
-	let mockRedisSet: ((args: unknown[]) => void) | undefined = undefined;
+	let mockRedis: Array<(command: [string, ...unknown[]]) => [Error | null, unknown] | null> = null!;
+	let mockRedisExec: (batch: [string, ...unknown[]][]) => Promise<[Error | null, unknown][] | null> = null!;
 	let mockEnvironment: Record<string, string | undefined> = null!;
 	let serviceUnderTest: () => SkRateLimiterService = null!;
 
-	let loggedMessages: { level: string, data: unknown[] }[] = [];
-
 	beforeEach(() => {
 		mockTimeService = {
 			now: 0,
@@ -30,16 +24,26 @@ describe(SkRateLimiterService, () => {
 			},
 		};
 
-		mockRedisGet = undefined;
-		mockRedisSet = undefined;
+		mockRedis = [];
+		mockRedisExec = (batch) => {
+			const results: [Error | null, unknown][] = batch.map(command => {
+				const handlerResults = mockRedis.map(handler => handler(command));
+				const finalResult = handlerResults.findLast(result => result != null);
+				return finalResult ?? [new Error('test error: no handler'), null];
+			});
+			return Promise.resolve(results);
+		};
 		const mockRedisClient = {
-			get(key: string) {
-				if (mockRedisGet) return Promise.resolve(mockRedisGet(key));
-				else return Promise.resolve(null);
-			},
-			set(...args: unknown[]): Promise<void> {
-				if (mockRedisSet) mockRedisSet(args);
-				return Promise.resolve();
+			multi(batch: [string, ...unknown[]][]) {
+				return {
+					watch() {
+						return {
+							exec() {
+								return mockRedisExec(batch);
+							},
+						};
+					},
+				};
 			},
 		} as unknown as Redis.Redis;
 
@@ -49,89 +53,77 @@ describe(SkRateLimiterService, () => {
 			env: mockEnvironment,
 		};
 
-		loggedMessages = [];
-		const mockLogService = {
-			getLogger() {
-				return {
-					createSubLogger(context: string, color?: KEYWORD) {
-						return mockLogService.getLogger(context, color);
-					},
-					error(...data: unknown[]) {
-						loggedMessages.push({ level: 'error', data });
-					},
-					warn(...data: unknown[]) {
-						loggedMessages.push({ level: 'warn', data });
-					},
-					succ(...data: unknown[]) {
-						loggedMessages.push({ level: 'succ', data });
-					},
-					debug(...data: unknown[]) {
-						loggedMessages.push({ level: 'debug', data });
-					},
-					info(...data: unknown[]) {
-						loggedMessages.push({ level: 'info', data });
-					},
-				};
-			},
-		} as unknown as LoggerService;
-
 		let service: SkRateLimiterService | undefined = undefined;
 		serviceUnderTest = () => {
-			return service ??= new SkRateLimiterService(mockTimeService, mockRedisClient, mockLogService, mockEnvService);
+			return service ??= new SkRateLimiterService(mockTimeService, mockRedisClient, mockEnvService);
 		};
 	});
 
-	function expectNoUnhandledErrors() {
-		const unhandledErrors = loggedMessages.filter(m => m.level === 'error');
-		if (unhandledErrors.length > 0) {
-			throw new Error(`Test failed: got unhandled errors ${unhandledErrors.join('\n')}`);
-		}
-	}
-
 	describe('limit', () => {
 		const actor = 'actor';
 		const key = 'test';
 
-		let counter: LimitCounter | undefined = undefined;
-		let minCounter: LimitCounter | undefined = undefined;
+		let limitCounter: number | undefined = undefined;
+		let limitTimestamp: number | undefined = undefined;
+		let minCounter: number | undefined = undefined;
+		let minTimestamp: number | undefined = undefined;
 
 		beforeEach(() => {
-			counter = undefined;
+			limitCounter = undefined;
+			limitTimestamp = undefined;
 			minCounter = undefined;
+			minTimestamp = undefined;
 
-			mockRedisGet = (key: string) => {
-				if (key === 'rl_actor_test_bucket' && counter) {
-					return JSON.stringify(counter);
+			mockRedis.push(([command, ...args]) => {
+				if (command === 'set' && args[0] === 'rl_actor_test_bucket_t') {
+					limitTimestamp = parseInt(args[1] as string);
+					return [null, args[1]];
 				}
-
-				if (key === 'rl_actor_test_min' && minCounter) {
-					return JSON.stringify(minCounter);
+				if (command === 'get' && args[0] === 'rl_actor_test_bucket_t') {
+					return [null, limitTimestamp?.toString() ?? null];
 				}
-
-				return null;
-			};
-
-			mockRedisSet = (args: unknown[]) => {
-				const [key, value] = args;
-
-				if (key === 'rl_actor_test_bucket') {
-					if (value == null) counter = undefined;
-					else if (typeof(value) === 'string') counter = JSON.parse(value);
-					else throw new Error('invalid redis call');
+				// if (command === 'incr' && args[0] === 'rl_actor_test_bucket_c') {
+				// 	limitCounter = (limitCounter ?? 0) + 1;
+				// 	return [null, null];
+				// }
+				if (command === 'set' && args[0] === 'rl_actor_test_bucket_c') {
+					limitCounter = parseInt(args[1] as string);
+					return [null, args[1]];
+				}
+				if (command === 'get' && args[0] === 'rl_actor_test_bucket_c') {
+					return [null, limitCounter?.toString() ?? null];
 				}
 
-				if (key === 'rl_actor_test_min') {
-					if (value == null) minCounter = undefined;
-					else if (typeof(value) === 'string') minCounter = JSON.parse(value);
-					else throw new Error('invalid redis call');
+				if (command === 'set' && args[0] === 'rl_actor_test_min_t') {
+					minTimestamp = parseInt(args[1] as string);
+					return [null, args[1]];
+				}
+				if (command === 'get' && args[0] === 'rl_actor_test_min_t') {
+					return [null, minTimestamp?.toString() ?? null];
+				}
+				// if (command === 'incr' && args[0] === 'rl_actor_test_min_c') {
+				// 	minCounter = (minCounter ?? 0) + 1;
+				// 	return [null, null];
+				// }
+				if (command === 'set' && args[0] === 'rl_actor_test_min_c') {
+					minCounter = parseInt(args[1] as string);
+					return [null, args[1]];
 				}
-			};
+				if (command === 'get' && args[0] === 'rl_actor_test_min_c') {
+					return [null, minCounter?.toString() ?? null];
+				}
+				// if (command === 'expire') {
+				// 	return [null, null];
+				// }
+
+				return null;
+			});
 		});
 
 		it('should bypass in non-production', async () => {
 			mockEnvironment.NODE_ENV = 'test';
 
-			const info = await serviceUnderTest().limit({ key: 'l', type: undefined, max: 0 }, 'actor');
+			const info = await serviceUnderTest().limit({ key: 'l', type: undefined, max: 0 }, actor);
 
 			expect(info.blocked).toBeFalsy();
 			expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
@@ -158,15 +150,10 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should not error when allowed', async () => {
-				await serviceUnderTest().limit(limit, actor);
-
-				expectNoUnhandledErrors();
-			});
-
 			it('should return correct info when allowed', async () => {
 				limit.size = 2;
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -180,8 +167,7 @@ describe(SkRateLimiterService, () => {
 			it('should increment counter when called', async () => {
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter).not.toBeUndefined();
-				expect(counter?.c).toBe(1);
+				expect(limitCounter).toBe(1);
 			});
 
 			it('should set timestamp when called', async () => {
@@ -189,29 +175,28 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter).not.toBeUndefined();
-				expect(counter?.t).toBe(1000);
+				expect(limitTimestamp).toBe(1000);
 			});
 
 			it('should decrement counter when dripRate has passed', async () => {
-				counter = { c: 2, t: 0 };
+				limitCounter = 2;
+				limitTimestamp = 0;
 				mockTimeService.now = 2000;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter).not.toBeUndefined();
-				expect(counter?.c).toBe(1); // 2 (starting) - 2 (2x1 drip) + 1 (call) = 1
+				expect(limitCounter).toBe(1); // 2 (starting) - 2 (2x1 drip) + 1 (call) = 1
 			});
 
 			it('should decrement counter by dripSize', async () => {
-				counter = { c: 2, t: 0 };
+				limitCounter = 2;
+				limitTimestamp = 0;
 				limit.dripSize = 2;
 				mockTimeService.now = 1000;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter).not.toBeUndefined();
-				expect(counter?.c).toBe(1); // 2 (starting) - 2 (1x2 drip) + 1 (call) = 1
+				expect(limitCounter).toBe(1); // 2 (starting) - 2 (1x2 drip) + 1 (call) = 1
 			});
 
 			it('should maintain counter between calls over time', async () => {
@@ -226,25 +211,13 @@ describe(SkRateLimiterService, () => {
 				mockTimeService.now += 1000; // 2 - 1 = 1
 				await serviceUnderTest().limit(limit, actor); // 1 + 1 = 2
 
-				expect(counter?.c).toBe(2);
-				expect(counter?.t).toBe(3000);
-			});
-
-			it('should log error and continue when update fails', async () => {
-				mockRedisSet = () => {
-					throw new Error('test error');
-				};
-
-				await serviceUnderTest().limit(limit, actor);
-
-				const matchingError = loggedMessages
-					.find(m => m.level === 'error' && m.data
-						.some(d => typeof(d) === 'string' && d.includes('Failed to update limit')));
-				expect(matchingError).toBeTruthy();
+				expect(limitCounter).toBe(2);
+				expect(limitTimestamp).toBe(3000);
 			});
 
 			it('should block when bucket is filled', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -252,7 +225,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when blocked', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -263,7 +237,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when bucket is filled but should drip', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -272,7 +247,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should scale limit by factor', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const i1 = await serviceUnderTest().limit(limit, actor, 0.5); // 1 + 1 = 2
 				const i2 = await serviceUnderTest().limit(limit, actor, 0.5); // 2 + 1 = 3
@@ -281,23 +257,39 @@ describe(SkRateLimiterService, () => {
 				expect(i2.blocked).toBeTruthy();
 			});
 
-			it('should set key expiration', async () => {
-				const mock = jest.fn(mockRedisSet);
-				mockRedisSet = mock;
+			it('should set counter expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter?.c).toBe(1);
-				expect(counter?.t).toBe(0);
+				expect(limitCounter).toBe(1);
+				expect(limitTimestamp).toBe(0);
 			});
 
 			it('should skip if factor is zero', async () => {
@@ -384,6 +376,48 @@ describe(SkRateLimiterService, () => {
 
 				await expect(promise).rejects.toThrow(/dripSize is less than 1/);
 			});
+
+			it('should retry when redis conflicts', async () => {
+				let numCalls = 0;
+				const realMockRedisExec = mockRedisExec;
+				mockRedisExec = () => {
+					if (numCalls > 0) {
+						mockRedisExec = realMockRedisExec;
+					}
+					numCalls++;
+					return Promise.resolve(null);
+				};
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(numCalls).toBe(2);
+			});
+
+			it('should bail out after 3 tries', async () => {
+				let numCalls = 0;
+				mockRedisExec = () => {
+					numCalls++;
+					return Promise.resolve(null);
+				};
+
+				const promise = serviceUnderTest().limit(limit, actor);
+
+				await expect(promise).rejects.toThrow(/transaction conflict/);
+				expect(numCalls).toBe(3);
+			});
+
+			it('should apply correction if extra calls slip through', async () => {
+				limitCounter = 2;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+				expect(info.remaining).toBe(0);
+				expect(info.resetMs).toBe(2000);
+				expect(info.resetSec).toBe(2);
+				expect(info.fullResetMs).toBe(2000);
+				expect(info.fullResetSec).toBe(2);
+			});
 		});
 
 		describe('with min interval', () => {
@@ -403,12 +437,6 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should not error when allowed', async () => {
-				await serviceUnderTest().limit(limit, actor);
-
-				expectNoUnhandledErrors();
-			});
-
 			it('should calculate correct info when allowed', async () => {
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -423,7 +451,7 @@ describe(SkRateLimiterService, () => {
 				await serviceUnderTest().limit(limit, actor);
 
 				expect(minCounter).not.toBeUndefined();
-				expect(minCounter?.c).toBe(1);
+				expect(minCounter).toBe(1);
 			});
 
 			it('should set timestamp when called', async () => {
@@ -432,27 +460,29 @@ describe(SkRateLimiterService, () => {
 				await serviceUnderTest().limit(limit, actor);
 
 				expect(minCounter).not.toBeUndefined();
-				expect(minCounter?.t).toBe(1000);
+				expect(minTimestamp).toBe(1000);
 			});
 
 			it('should decrement counter when minInterval has passed', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				await serviceUnderTest().limit(limit, actor);
 
 				expect(minCounter).not.toBeUndefined();
-				expect(minCounter?.c).toBe(1); // 1 (starting) - 1 (interval) + 1 (call) = 1
+				expect(minCounter).toBe(1); // 1 (starting) - 1 (interval) + 1 (call) = 1
 			});
 
 			it('should reset counter entirely', async () => {
-				minCounter = { c: 2, t: 0 };
+				minCounter = 2;
+				minTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				await serviceUnderTest().limit(limit, actor);
 
 				expect(minCounter).not.toBeUndefined();
-				expect(minCounter?.c).toBe(1); // 2 (starting) - 2 (interval) + 1 (call) = 1
+				expect(minCounter).toBe(1); // 2 (starting) - 2 (interval) + 1 (call) = 1
 			});
 
 			it('should maintain counter between calls over time', async () => {
@@ -465,25 +495,13 @@ describe(SkRateLimiterService, () => {
 				mockTimeService.now += 1000; // 0 - 1 = 0
 				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
 
-				expect(minCounter?.c).toBe(1);
-				expect(minCounter?.t).toBe(3000);
-			});
-
-			it('should log error and continue when update fails', async () => {
-				mockRedisSet = () => {
-					throw new Error('test error');
-				};
-
-				await serviceUnderTest().limit(limit, actor);
-
-				const matchingError = loggedMessages
-					.find(m => m.level === 'error' && m.data
-						.some(d => typeof(d) === 'string' && d.includes('Failed to update limit')));
-				expect(matchingError).toBeTruthy();
+				expect(minCounter).toBe(1);
+				expect(minTimestamp).toBe(3000);
 			});
 
 			it('should block when interval exceeded', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -491,7 +509,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when blocked', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -502,7 +521,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when bucket is filled but interval has passed', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -511,7 +531,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should scale interval by factor', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now += 500;
 
 				const info = await serviceUnderTest().limit(limit, actor, 0.5);
@@ -519,23 +540,39 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should set key expiration', async () => {
-				const mock = jest.fn(mockRedisSet);
-				mockRedisSet = mock;
+			it('should set counter expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(mock).toHaveBeenCalledWith(['rl_actor_test_min', '{"t":0,"c":1}', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test_min_c', '1', 'EX', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_min_t', '0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(minCounter?.c).toBe(1);
-				expect(minCounter?.t).toBe(0);
+				expect(minCounter).toBe(1);
+				expect(minTimestamp).toBe(0);
 			});
 
 			it('should skip if factor is zero', async () => {
@@ -567,6 +604,19 @@ describe(SkRateLimiterService, () => {
 
 				await expect(promise).rejects.toThrow(/minInterval is negative/);
 			});
+
+			it('should not apply correction to extra calls', async () => {
+				minCounter = 2;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+				expect(info.remaining).toBe(0);
+				expect(info.resetMs).toBe(1000);
+				expect(info.resetSec).toBe(1);
+				expect(info.fullResetMs).toBe(1000);
+				expect(info.fullResetSec).toBe(1);
+			});
 		});
 
 		describe('with legacy limit', () => {
@@ -587,16 +637,11 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should not error when allowed', async () => {
-				await serviceUnderTest().limit(limit, actor);
-
-				expectNoUnhandledErrors();
-			});
-
 			it('should infer dripRate from duration', async () => {
 				limit.max = 10;
 				limit.duration = 10000;
-				counter = { c: 10, t: 0 };
+				limitCounter = 10;
+				limitTimestamp = 0;
 
 				const i1 = await serviceUnderTest().limit(limit, actor);
 				mockTimeService.now += 1000;
@@ -619,7 +664,8 @@ describe(SkRateLimiterService, () => {
 			it('should calculate correct info when allowed', async () => {
 				limit.max = 10;
 				limit.duration = 10000;
-				counter = { c: 10, t: 0 };
+				limitCounter = 10;
+				limitTimestamp = 0;
 				mockTimeService.now += 2000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -634,7 +680,8 @@ describe(SkRateLimiterService, () => {
 			it('should calculate correct info when blocked', async () => {
 				limit.max = 10;
 				limit.duration = 10000;
-				counter = { c: 10, t: 0 };
+				limitCounter = 10;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -646,7 +693,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when bucket is filled but interval has passed', async () => {
-				counter = { c: 10, t: 0 };
+				limitCounter = 10;
+				limitTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -655,37 +703,55 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should scale limit by factor', async () => {
-				counter = { c: 10, t: 0 };
+				limitCounter = 10;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor, 0.5); // 10 + 1 = 11
 
 				expect(info.blocked).toBeTruthy();
 			});
 
-			it('should set key expiration', async () => {
-				const mock = jest.fn(mockRedisSet);
-				mockRedisSet = mock;
+			it('should set counter expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter?.c).toBe(1);
-				expect(counter?.t).toBe(0);
+				expect(limitCounter).toBe(1);
+				expect(limitTimestamp).toBe(0);
 			});
 
 			it('should not allow dripRate to be lower than 0', async () => {
 				// real-world case; taken from StreamingApiServerService
 				limit.max = 4096;
 				limit.duration = 2000;
-				counter = { c: 4096, t: 0 };
+				limitCounter = 4096;
+				limitTimestamp = 0;
 
 				const i1 = await serviceUnderTest().limit(limit, actor);
 				mockTimeService.now = 1;
@@ -723,6 +789,19 @@ describe(SkRateLimiterService, () => {
 
 				await expect(promise).rejects.toThrow(/size is less than 1/);
 			});
+
+			it('should apply correction if extra calls slip through', async () => {
+				limitCounter = 2;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+				expect(info.remaining).toBe(0);
+				expect(info.resetMs).toBe(2000);
+				expect(info.resetSec).toBe(2);
+				expect(info.fullResetMs).toBe(2000);
+				expect(info.fullResetSec).toBe(2);
+			});
 		});
 
 		describe('with legacy limit and min interval', () => {
@@ -744,14 +823,9 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should not error when allowed', async () => {
-				await serviceUnderTest().limit(limit, actor);
-
-				expectNoUnhandledErrors();
-			});
-
 			it('should block when limit exceeded', async () => {
-				counter = { c: 5, t: 0 };
+				limitCounter = 5;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -759,7 +833,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should block when minInterval exceeded', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -767,7 +842,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when allowed', async () => {
-				counter = { c: 1, t: 0 };
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -779,7 +855,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when blocked by limit', async () => {
-				counter = { c: 5, t: 0 };
+				limitCounter = 5;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -791,7 +868,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when blocked by minInterval', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -803,7 +881,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when counter is filled but interval has passed', async () => {
-				counter = { c: 5, t: 0 };
+				limitCounter = 5;
+				limitTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -812,7 +891,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when minCounter is filled but interval has passed', async () => {
-				minCounter = { c: 1, t: 0 };
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -821,8 +901,10 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should scale limit and interval by factor', async () => {
-				counter = { c: 5, t: 0 };
-				minCounter = { c: 1, t: 0 };
+				limitCounter = 5;
+				limitTimestamp = 0;
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now += 500;
 
 				const info = await serviceUnderTest().limit(limit, actor, 0.5);
@@ -830,27 +912,81 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should set key expiration', async () => {
-				const mock = jest.fn(mockRedisSet);
-				mockRedisSet = mock;
+			it('should set bucket counter expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
+			});
+
+			it('should set bucket timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(mock).toHaveBeenCalledWith(['rl_actor_test_bucket', '{"t":0,"c":1}', 'EX', 1]);
-				expect(mock).toHaveBeenCalledWith(['rl_actor_test_min', '{"t":0,"c":1}', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
+			});
+
+			it('should set min counter expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_min_c', '1', 'EX', 1]);
+			});
+
+			it('should set min timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['set', 'rl_actor_test_min_t', '0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				counter = { c: 5, t: 0 };
-				minCounter = { c: 1, t: 0 };
+				limitCounter = 5;
+				limitTimestamp = 0;
+				minCounter = 1;
+				minTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(counter?.c).toBe(5);
-				expect(counter?.t).toBe(0);
-				expect(minCounter?.c).toBe(1);
-				expect(minCounter?.t).toBe(0);
+				expect(limitCounter).toBe(5);
+				expect(limitTimestamp).toBe(0);
+				expect(minCounter).toBe(1);
+				expect(minTimestamp).toBe(0);
+			});
+
+			it('should apply correction if extra calls slip through', async () => {
+				limitCounter = 6;
+				minCounter = 6;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeTruthy();
+				expect(info.remaining).toBe(0);
+				expect(info.resetMs).toBe(2000);
+				expect(info.resetSec).toBe(2);
+				expect(info.fullResetMs).toBe(6000);
+				expect(info.fullResetSec).toBe(6);
 			});
 		});
 	});
-- 
cgit v1.2.3-freya


From ead781900dcf98b9dace91aa4a5ec7b3cecf07e2 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Mon, 9 Dec 2024 19:04:59 -0500
Subject: enable rate limits for dev environment

---
 packages/backend/src/server/api/SkRateLimiterService.ts            | 2 +-
 packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 05166ed93c..b11d1556ba 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -24,7 +24,7 @@ export class SkRateLimiterService {
 		@Inject(EnvService)
 		envService: EnvService,
 	) {
-		this.disabled = envService.env.NODE_ENV !== 'production';
+		this.disabled = envService.env.NODE_ENV === 'test';
 	}
 
 	public async limit(limit: Keyed<RateLimit>, actor: string, factor = 1): Promise<LimitInfo> {
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 871c9afa64..90030495ed 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -120,7 +120,7 @@ describe(SkRateLimiterService, () => {
 			});
 		});
 
-		it('should bypass in non-production', async () => {
+		it('should bypass in test environment', async () => {
 			mockEnvironment.NODE_ENV = 'test';
 
 			const info = await serviceUnderTest().limit({ key: 'l', type: undefined, max: 0 }, actor);
-- 
cgit v1.2.3-freya


From 407b2423af31ecaf44035f66a180a0bbc40e3aaa Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Tue, 10 Dec 2024 19:01:35 -0500
Subject: fix redis transaction implementation

---
 packages/backend/src/core/CoreModule.ts            |   6 +
 packages/backend/src/core/RedisConnectionPool.ts   | 103 ++++++
 packages/backend/src/core/TimeoutService.ts        |  76 +++++
 packages/backend/src/misc/rate-limit-utils.ts      |  19 +-
 .../backend/src/server/api/SkRateLimiterService.ts | 220 ++++++-------
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 344 ++++++++-------------
 6 files changed, 429 insertions(+), 339 deletions(-)
 create mode 100644 packages/backend/src/core/RedisConnectionPool.ts
 create mode 100644 packages/backend/src/core/TimeoutService.ts

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/CoreModule.ts b/packages/backend/src/core/CoreModule.ts
index b18db7f366..caf135ae4b 100644
--- a/packages/backend/src/core/CoreModule.ts
+++ b/packages/backend/src/core/CoreModule.ts
@@ -155,6 +155,8 @@ import { QueueModule } from './QueueModule.js';
 import { QueueService } from './QueueService.js';
 import { LoggerService } from './LoggerService.js';
 import { SponsorsService } from './SponsorsService.js';
+import { RedisConnectionPool } from './RedisConnectionPool.js';
+import { TimeoutService } from './TimeoutService.js';
 import type { Provider } from '@nestjs/common';
 
 //#region 文字列ベースでのinjection用(循環参照対応のため)
@@ -383,6 +385,8 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
+		RedisConnectionPool,
+		TimeoutService,
 		TimeService,
 		EnvService,
 
@@ -684,6 +688,8 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
+		RedisConnectionPool,
+		TimeoutService,
 		TimeService,
 		EnvService,
 
diff --git a/packages/backend/src/core/RedisConnectionPool.ts b/packages/backend/src/core/RedisConnectionPool.ts
new file mode 100644
index 0000000000..7ebefdfcb3
--- /dev/null
+++ b/packages/backend/src/core/RedisConnectionPool.ts
@@ -0,0 +1,103 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common';
+import Redis, { RedisOptions } from 'ioredis';
+import { DI } from '@/di-symbols.js';
+import type { Config } from '@/config.js';
+import Logger from '@/logger.js';
+import { Timeout, TimeoutService } from '@/core/TimeoutService.js';
+import { LoggerService } from './LoggerService.js';
+
+/**
+ * Target number of connections to keep open and ready for use.
+ * The pool may grow beyond this during bursty traffic, but it will always shrink back to this number.
+ * The pool may remain below this number is the server never experiences enough traffic to consume this many clients.
+ */
+export const poolSize = 16;
+
+/**
+ * How often to drop an idle connection from the pool.
+ * This will never shrink the pool below poolSize.
+ */
+export const poolShrinkInterval = 5 * 1000; // 5 seconds
+
+@Injectable()
+export class RedisConnectionPool implements OnApplicationShutdown {
+	private readonly poolShrinkTimer: Timeout;
+	private readonly pool: Redis.Redis[] = [];
+	private readonly logger: Logger;
+	private readonly redisOptions: RedisOptions;
+
+	constructor(@Inject(DI.config) config: Config, loggerService: LoggerService, timeoutService: TimeoutService) {
+		this.logger = loggerService.getLogger('redis-pool');
+		this.poolShrinkTimer = timeoutService.setInterval(() => this.shrinkPool(), poolShrinkInterval);
+		this.redisOptions = {
+			...config.redis,
+
+			// Set lazyConnect so that we can await() the connection manually.
+			// This helps to avoid a "stampede" of new connections (which are processed in the background!) under bursty conditions.
+			lazyConnect: true,
+			enableOfflineQueue: false,
+		};
+	}
+
+	/**
+	 * Gets a Redis connection from the pool, or creates a new connection if the pool is empty.
+	 * The returned object MUST be returned with a call to free(), even in the case of exceptions!
+	 * Use a try...finally block for safe handling.
+	 */
+	public async alloc(): Promise<Redis.Redis> {
+		let redis = this.pool.pop();
+
+		// The pool may be empty if we're under heavy load and/or we haven't opened all connections.
+		// Just construct a new instance, which will eventually be added to the pool.
+		// Excess clients will be disposed eventually.
+		if (!redis) {
+			redis = new Redis.Redis(this.redisOptions);
+			await redis.connect();
+		}
+
+		return redis;
+	}
+
+	/**
+	 * Returns a Redis connection to the pool.
+	 * The instance MUST not be used after returning!
+	 * Use a try...finally block for safe handling.
+	 */
+	public async free(redis: Redis.Redis): Promise<void> {
+		// https://redis.io/docs/latest/commands/reset/
+		await redis.reset();
+
+		this.pool.push(redis);
+	}
+
+	public async onApplicationShutdown(): Promise<void> {
+		// Cancel timer, otherwise it will cause a memory leak
+		clearInterval(this.poolShrinkTimer);
+
+		// Disconnect all remaining instances
+		while (this.pool.length > 0) {
+			await this.dropClient();
+		}
+	}
+
+	private async shrinkPool(): Promise<void> {
+		this.logger.debug(`Pool size is ${this.pool.length}`);
+		if (this.pool.length > poolSize) {
+			await this.dropClient();
+		}
+	}
+
+	private async dropClient(): Promise<void> {
+		try {
+			const redis = this.pool.pop();
+			await redis?.quit();
+		} catch (err) {
+			this.logger.warn(`Error disconnecting from redis: ${err}`, { err });
+		}
+	}
+}
diff --git a/packages/backend/src/core/TimeoutService.ts b/packages/backend/src/core/TimeoutService.ts
new file mode 100644
index 0000000000..093b9a7b04
--- /dev/null
+++ b/packages/backend/src/core/TimeoutService.ts
@@ -0,0 +1,76 @@
+/*
+ * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+/**
+ * Provides access to setTimeout, setInterval, and related functions.
+ * Used to support deterministic unit testing.
+ */
+export class TimeoutService {
+	/**
+	 * Returns a promise that resolves after the specified timeout in milliseconds.
+	 */
+	public delay(timeout: number): Promise<void> {
+		return new Promise(resolve => {
+			this.setTimeout(resolve, timeout);
+		});
+	}
+
+	/**
+	 * Passthrough to node's setTimeout
+	 */
+	public setTimeout(handler: TimeoutHandler, timeout?: number): Timeout {
+		return setTimeout(() => handler(), timeout);
+	}
+
+	/**
+	 * Passthrough to node's setInterval
+	 */
+	public setInterval(handler: TimeoutHandler, timeout?: number): Timeout {
+		return setInterval(() => handler(), timeout);
+	}
+
+	/**
+	 * Passthrough to node's clearTimeout
+	 */
+	public clearTimeout(timeout: Timeout) {
+		clearTimeout(timeout);
+	}
+
+	/**
+	 * Passthrough to node's clearInterval
+	 */
+	public clearInterval(timeout: Timeout) {
+		clearInterval(timeout);
+	}
+}
+
+/**
+ * Function to be called when a timer or interval elapses.
+ */
+export type TimeoutHandler = () => void;
+
+/**
+ * A fucked TS issue causes the DOM setTimeout to get merged with Node setTimeout, creating a "quantum method" that returns either "number" or "NodeJS.Timeout" depending on how it's called.
+ * This would be fine, except it always matches the *wrong type*!
+ * The result is this "impossible" scenario:
+ *
+ * ```typescript
+ * // Test evaluates to "false", because the method's return type is not equal to itself.
+ * type Test = ReturnType<typeof setTimeout> extends ReturnType<typeof setTimeout> ? true : false;
+ *
+ * // This is a compiler error, because the type is broken and triggers some internal TS bug.
+ * const timeout = setTimeout(handler);
+ * clearTimeout(timeout); // compiler error here, because even type inference doesn't work.
+ *
+ * // This fails to compile.
+ * function test(handler, timeout): ReturnType<typeof setTimeout> {
+ *   return setTimeout(handler, timeout);
+ * }
+ * ```
+ *
+ * The bug is marked as "wontfix" by TS devs, so we have to work around it ourselves. -_-
+ * By forcing the return type to *explicitly* include both types, we at least make it possible to work with the resulting token.
+ */
+export type Timeout = NodeJS.Timeout | number;
diff --git a/packages/backend/src/misc/rate-limit-utils.ts b/packages/backend/src/misc/rate-limit-utils.ts
index 9909bb97fa..cc13111390 100644
--- a/packages/backend/src/misc/rate-limit-utils.ts
+++ b/packages/backend/src/misc/rate-limit-utils.ts
@@ -117,12 +117,27 @@ export interface LimitInfo {
 	fullResetMs: number;
 }
 
+export const disabledLimitInfo: Readonly<LimitInfo> = Object.freeze({
+	blocked: false,
+	remaining: Number.MAX_SAFE_INTEGER,
+	resetSec: 0,
+	resetMs: 0,
+	fullResetSec: 0,
+	fullResetMs: 0,
+});
+
 export function isLegacyRateLimit(limit: RateLimit): limit is LegacyRateLimit {
 	return limit.type === undefined;
 }
 
-export function hasMinLimit(limit: LegacyRateLimit): limit is LegacyRateLimit & { minInterval: number } {
-	return !!limit.minInterval;
+export type MaxLegacyLimit = LegacyRateLimit & { duration: number, max: number };
+export function hasMaxLimit(limit: LegacyRateLimit): limit is MaxLegacyLimit {
+	return limit.max != null && limit.duration != null;
+}
+
+export type MinLegacyLimit = LegacyRateLimit & { minInterval: number };
+export function hasMinLimit(limit: LegacyRateLimit): limit is MinLegacyLimit {
+	return limit.minInterval != null;
 }
 
 export function sendRateLimitHeaders(reply: FastifyReply, info: LimitInfo): void {
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index b11d1556ba..71681aadc9 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -7,8 +7,9 @@ import { Inject, Injectable } from '@nestjs/common';
 import Redis from 'ioredis';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
-import { DI } from '@/di-symbols.js';
-import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit, Keyed } from '@/misc/rate-limit-utils.js';
+import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit, Keyed, hasMaxLimit, disabledLimitInfo, MaxLegacyLimit, MinLegacyLimit } from '@/misc/rate-limit-utils.js';
+import { RedisConnectionPool } from '@/core/RedisConnectionPool.js';
+import { TimeoutService } from '@/core/TimeoutService.js';
 
 @Injectable()
 export class SkRateLimiterService {
@@ -18,8 +19,11 @@ export class SkRateLimiterService {
 		@Inject(TimeService)
 		private readonly timeService: TimeService,
 
-		@Inject(DI.redis)
-		private readonly redisClient: Redis.Redis,
+		@Inject(TimeoutService)
+		private readonly timeoutService: TimeoutService,
+
+		@Inject(RedisConnectionPool)
+		private readonly redisPool: RedisConnectionPool,
 
 		@Inject(EnvService)
 		envService: EnvService,
@@ -29,117 +33,110 @@ export class SkRateLimiterService {
 
 	public async limit(limit: Keyed<RateLimit>, actor: string, factor = 1): Promise<LimitInfo> {
 		if (this.disabled || factor === 0) {
-			return {
-				blocked: false,
-				remaining: Number.MAX_SAFE_INTEGER,
-				resetSec: 0,
-				resetMs: 0,
-				fullResetSec: 0,
-				fullResetMs: 0,
-			};
+			return disabledLimitInfo;
 		}
 
 		if (factor < 0) {
 			throw new Error(`Rate limit factor is zero or negative: ${factor}`);
 		}
 
-		return await this.tryLimit(limit, actor, factor);
+		const redis = await this.redisPool.alloc();
+		try {
+			return await this.tryLimit(redis, limit, actor, factor);
+		} finally {
+			await this.redisPool.free(redis);
+		}
 	}
 
-	private async tryLimit(limit: Keyed<RateLimit>, actor: string, factor: number, retry = 1): Promise<LimitInfo> {
+	private async tryLimit(redis: Redis.Redis, limit: Keyed<RateLimit>, actor: string, factor: number, retry = 0): Promise<LimitInfo> {
 		try {
+			if (retry > 0) {
+				// Real-world testing showed the need for backoff to "spread out" bursty traffic.
+				const backoff = Math.round(Math.pow(2, retry + Math.random()));
+				await this.timeoutService.delay(backoff);
+			}
+
 			if (isLegacyRateLimit(limit)) {
-				return await this.limitLegacy(limit, actor, factor);
+				return await this.limitLegacy(redis, limit, actor, factor);
 			} else {
-				return await this.limitBucket(limit, actor, factor);
+				return await this.limitBucket(redis, limit, actor, factor);
 			}
 		} catch (err) {
 			// We may experience collision errors from optimistic locking.
 			// This is expected, so we should retry a few times before giving up.
 			// https://redis.io/docs/latest/develop/interact/transactions/#optimistic-locking-using-check-and-set
-			if (err instanceof TransactionError && retry < 3) {
-				return await this.tryLimit(limit, actor, factor, retry + 1);
+			if (err instanceof ConflictError && retry < 4) {
+				// We can reuse the same connection to reduce pool contention, but we have to reset it first.
+				await redis.reset();
+				return await this.tryLimit(redis, limit, actor, factor, retry + 1);
 			}
 
 			throw err;
 		}
 	}
 
-	private async limitLegacy(limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
-		const promises: Promise<LimitInfo | null>[] = [];
-
-		// The "min" limit - if present - is handled directly.
-		if (hasMinLimit(limit)) {
-			promises.push(
-				this.limitMin(limit, actor, factor),
-			);
+	private async limitLegacy(redis: Redis.Redis, limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
+		if (hasMaxLimit(limit)) {
+			return await this.limitMaxLegacy(redis, limit, actor, factor);
+		} else if (hasMinLimit(limit)) {
+			return await this.limitMinLegacy(redis, limit, actor, factor);
+		} else {
+			return disabledLimitInfo;
 		}
+	}
 
-		// Convert the "max" limit into a leaky bucket with 1 drip / second rate.
-		if (limit.max != null && limit.duration != null) {
-			promises.push(
-				this.limitBucket({
-					type: 'bucket',
-					key: limit.key,
-					size: limit.max,
-					dripRate: Math.max(Math.round(limit.duration / limit.max), 1),
-				}, actor, factor),
-			);
-		}
+	private async limitMaxLegacy(redis: Redis.Redis, limit: Keyed<MaxLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+		if (limit.duration === 0) return disabledLimitInfo;
+		if (limit.duration < 0) throw new Error(`Invalid rate limit ${limit.key}: duration is negative (${limit.duration})`);
+		if (limit.max < 1) throw new Error(`Invalid rate limit ${limit.key}: max is less than 1 (${limit.max})`);
 
-		const [lim1, lim2] = await Promise.all(promises);
-		return {
-			blocked: (lim1?.blocked || lim2?.blocked) ?? false,
-			remaining: Math.min(lim1?.remaining ?? Number.MAX_SAFE_INTEGER, lim2?.remaining ?? Number.MAX_SAFE_INTEGER),
-			resetSec: Math.max(lim1?.resetSec ?? 0, lim2?.resetSec ?? 0),
-			resetMs: Math.max(lim1?.resetMs ?? 0, lim2?.resetMs ?? 0),
-			fullResetSec: Math.max(lim1?.fullResetSec ?? 0, lim2?.fullResetSec ?? 0),
-			fullResetMs: Math.max(lim1?.fullResetMs ?? 0, lim2?.fullResetMs ?? 0),
-		};
-	}
+		// Derive initial dripRate from minInterval OR duration/max.
+		const initialDripRate = Math.max(limit.minInterval ?? Math.round(limit.duration / limit.max), 1);
 
-	private async limitMin(limit: Keyed<LegacyRateLimit> & { minInterval: number }, actor: string, factor: number): Promise<LimitInfo | null> {
-		if (limit.minInterval === 0) return null;
-		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
+		// Calculate dripSize to reach max at exactly duration
+		const dripSize = Math.max(Math.round(limit.max / (limit.duration / initialDripRate)), 1);
 
-		const minInterval = Math.max(Math.ceil(limit.minInterval * factor), 0);
-		const expirationSec = Math.max(Math.ceil(minInterval / 1000), 1);
+		// Calculate final dripRate from dripSize and duration/max
+		const dripRate = Math.max(Math.round(limit.duration / (limit.max / dripSize)), 1);
 
-		// Check for window clear
-		const counter = await this.getLimitCounter(limit, actor, 'min');
-		if (counter.counter > 0) {
-			const isCleared = this.timeService.now - counter.timestamp >= minInterval;
-			if (isCleared) {
-				counter.counter = 0;
-			}
-		}
+		const bucketLimit: Keyed<BucketRateLimit> = {
+			type: 'bucket',
+			key: limit.key,
+			size: limit.max,
+			dripRate,
+			dripSize,
+		};
+		return await this.limitBucket(redis, bucketLimit, actor, factor);
+	}
 
-		// Increment the limit, then synchronize with redis
-		const blocked = counter.counter > 0;
-		if (!blocked) {
-			counter.counter++;
-			counter.timestamp = this.timeService.now;
-			await this.updateLimitCounter(limit, actor, 'min', expirationSec, counter);
-		}
+	private async limitMinLegacy(redis: Redis.Redis, limit: Keyed<MinLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+		if (limit.minInterval === 0) return disabledLimitInfo;
+		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
-		// Calculate limit status
-		const resetMs = Math.max(minInterval - (this.timeService.now - counter.timestamp), 0);
-		const resetSec = Math.ceil(resetMs / 1000);
-		return { blocked, remaining: 0, resetSec, resetMs, fullResetSec: resetSec, fullResetMs: resetMs };
+		const dripRate = Math.max(Math.round(limit.minInterval), 1);
+		const bucketLimit: Keyed<BucketRateLimit> = {
+			type: 'bucket',
+			key: limit.key,
+			size: 1,
+			dripRate,
+			dripSize: 1,
+		};
+		return await this.limitBucket(redis, bucketLimit, actor, factor);
 	}
 
-	private async limitBucket(limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitBucket(redis: Redis.Redis, limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.size < 1) throw new Error(`Invalid rate limit ${limit.key}: size is less than 1 (${limit.size})`);
 		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
 
+		const redisKey = createLimitKey(limit, actor);
 		const bucketSize = Math.max(Math.ceil(limit.size / factor), 1);
 		const dripRate = Math.ceil(limit.dripRate ?? 1000);
 		const dripSize = Math.ceil(limit.dripSize ?? 1);
 		const expirationSec = Math.max(Math.ceil(bucketSize / dripRate), 1);
 
 		// Simulate bucket drips
-		const counter = await this.getLimitCounter(limit, actor, 'bucket');
+		const counter = await this.getLimitCounter(redis, redisKey);
 		if (counter.counter > 0) {
 			const dripsSinceLastTick = Math.floor((this.timeService.now - counter.timestamp) / dripRate) * dripSize;
 			counter.counter = Math.max(counter.counter - dripsSinceLastTick, 0);
@@ -150,7 +147,7 @@ export class SkRateLimiterService {
 		if (!blocked) {
 			counter.counter++;
 			counter.timestamp = this.timeService.now;
-			await this.updateLimitCounter(limit, actor, 'bucket', expirationSec, counter);
+			await this.updateLimitCounter(redis, redisKey, expirationSec, counter);
 		}
 
 		// Calculate how much time is needed to free up a bucket slot
@@ -167,60 +164,49 @@ export class SkRateLimiterService {
 		return { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs };
 	}
 
-	private async getLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string): Promise<LimitCounter> {
-		const timestampKey = createLimitKey(limit, actor, subject, 't');
-		const counterKey = createLimitKey(limit, actor, subject, 'c');
-
-		const [timestamp, counter] = await this.executeRedis(
-			[
-				['get', timestampKey],
-				['get', counterKey],
-			],
-			[
-				timestampKey,
-				counterKey,
-			],
-		);
+	private async getLimitCounter(redis: Redis.Redis, key: string): Promise<LimitCounter> {
+		const counter: LimitCounter = { counter: 0, timestamp: 0 };
 
-		return {
-			timestamp: timestamp ? parseInt(timestamp) : 0,
-			counter: counter ? parseInt(counter) : 0,
-		};
+		// Watch the key BEFORE reading it!
+		await redis.watch(key);
+		const data = await redis.get(key);
+
+		// Data may be missing or corrupt if the key doesn't exist.
+		// This is an expected edge case.
+		if (data) {
+			const parts = data.split(':');
+			if (parts.length === 2) {
+				counter.counter = parseInt(parts[0]);
+				counter.timestamp = parseInt(parts[1]);
+			}
+		}
+
+		return counter;
 	}
 
-	private async updateLimitCounter(limit: Keyed<RateLimit>, actor: string, subject: string, expirationSec: number, counter: LimitCounter): Promise<void> {
-		const timestampKey = createLimitKey(limit, actor, subject, 't');
-		const counterKey = createLimitKey(limit, actor, subject, 'c');
-
-		await this.executeRedis(
-			[
-				['set', timestampKey, counter.timestamp.toString(), 'EX', expirationSec],
-				['set', counterKey, counter.counter.toString(), 'EX', expirationSec],
-			],
-			[
-				timestampKey,
-				counterKey,
-			],
+	private async updateLimitCounter(redis: Redis.Redis, key: string, expirationSec: number, counter: LimitCounter): Promise<void> {
+		const data = `${counter.counter}:${counter.timestamp}`;
+
+		await this.executeRedisMulti(
+			redis,
+			[['set', key, data, 'EX', expirationSec]],
 		);
 	}
 
-	private async executeRedis<Num extends number>(batch: RedisBatch<Num>, watch: string[]): Promise<RedisResults<Num>> {
-		const results = await this.redisClient
-			.multi(batch)
-			.watch(watch)
-			.exec();
+	private async executeRedisMulti<Num extends number>(redis: Redis.Redis, batch: RedisBatch<Num>): Promise<RedisResults<Num>> {
+		const results = await redis.multi(batch).exec();
 
-		// Transaction error
+		// Transaction conflict (retryable)
 		if (!results) {
-			throw new TransactionError('Redis error: transaction conflict');
+			throw new ConflictError('Redis error: transaction conflict');
 		}
 
-		// The entire call failed
+		// Transaction failed (fatal)
 		if (results.length !== batch.length) {
 			throw new Error('Redis error: failed to execute batch');
 		}
 
-		// A particular command failed
+		// Command failed (fatal)
 		const errors = results.map(r => r[0]).filter(e => e != null);
 		if (errors.length > 0) {
 			throw new AggregateError(errors, `Redis error: failed to execute command(s): '${errors.join('\', \'')}'`);
@@ -233,11 +219,11 @@ export class SkRateLimiterService {
 type RedisBatch<Num extends number> = [string, ...unknown[]][] & { length: Num };
 type RedisResults<Num extends number> = (string | null)[] & { length: Num };
 
-function createLimitKey(limit: Keyed<RateLimit>, actor: string, subject: string, value: string): string {
-	return `rl_${actor}_${limit.key}_${subject}_${value}`;
+function createLimitKey(limit: Keyed<RateLimit>, actor: string): string {
+	return `rl_${actor}_${limit.key}`;
 }
 
-class TransactionError extends Error {}
+class ConflictError extends Error {}
 
 interface LimitCounter {
 	timestamp: number;
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index 90030495ed..deb6b9f80e 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -6,6 +6,8 @@
 import type Redis from 'ioredis';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { BucketRateLimit, Keyed, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
+import { RedisConnectionPool } from '@/core/RedisConnectionPool.js';
+import { Timeout, TimeoutHandler, TimeoutService } from '@/core/TimeoutService.js';
 
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 
@@ -24,28 +26,50 @@ describe(SkRateLimiterService, () => {
 			},
 		};
 
+		function callMockRedis(command: [string, ...unknown[]]) {
+			const handlerResults = mockRedis.map(handler => handler(command));
+			const finalResult = handlerResults.findLast(result => result != null);
+			return finalResult ?? [null, null];
+		}
+
+		// I apologize to anyone who tries to read this later 🥲
 		mockRedis = [];
 		mockRedisExec = (batch) => {
 			const results: [Error | null, unknown][] = batch.map(command => {
-				const handlerResults = mockRedis.map(handler => handler(command));
-				const finalResult = handlerResults.findLast(result => result != null);
-				return finalResult ?? [new Error('test error: no handler'), null];
+				return callMockRedis(command);
 			});
 			return Promise.resolve(results);
 		};
 		const mockRedisClient = {
+			watch(...args: unknown[]) {
+				const result = callMockRedis(['watch', ...args]);
+				return Promise.resolve(result[0] ?? result[1]);
+			},
+			get(...args: unknown[]) {
+				const result = callMockRedis(['get', ...args]);
+				return Promise.resolve(result[0] ?? result[1]);
+			},
+			set(...args: unknown[]) {
+				const result = callMockRedis(['set', ...args]);
+				return Promise.resolve(result[0] ?? result[1]);
+			},
 			multi(batch: [string, ...unknown[]][]) {
 				return {
-					watch() {
-						return {
-							exec() {
-								return mockRedisExec(batch);
-							},
-						};
+					exec() {
+						return mockRedisExec(batch);
 					},
 				};
 			},
+			reset() {
+				return Promise.resolve();
+			},
 		} as unknown as Redis.Redis;
+		const mockRedisPool = {
+			alloc() {
+				return Promise.resolve(mockRedisClient);
+			},
+			free() {},
+		} as unknown as RedisConnectionPool;
 
 		mockEnvironment = Object.create(process.env);
 		mockEnvironment.NODE_ENV = 'production';
@@ -53,9 +77,22 @@ describe(SkRateLimiterService, () => {
 			env: mockEnvironment,
 		};
 
+		const mockTimeoutService = new class extends TimeoutService {
+			setTimeout(handler: TimeoutHandler): Timeout {
+				handler();
+				return 0;
+			}
+			setInterval(handler: TimeoutHandler): Timeout {
+				handler();
+				return 0;
+			}
+			clearTimeout() {}
+			clearInterval() {}
+		};
+
 		let service: SkRateLimiterService | undefined = undefined;
 		serviceUnderTest = () => {
-			return service ??= new SkRateLimiterService(mockTimeService, mockRedisClient, mockEnvService);
+			return service ??= new SkRateLimiterService(mockTimeService, mockTimeoutService, mockRedisPool, mockEnvService);
 		};
 	});
 
@@ -65,57 +102,23 @@ describe(SkRateLimiterService, () => {
 
 		let limitCounter: number | undefined = undefined;
 		let limitTimestamp: number | undefined = undefined;
-		let minCounter: number | undefined = undefined;
-		let minTimestamp: number | undefined = undefined;
 
 		beforeEach(() => {
 			limitCounter = undefined;
 			limitTimestamp = undefined;
-			minCounter = undefined;
-			minTimestamp = undefined;
 
 			mockRedis.push(([command, ...args]) => {
-				if (command === 'set' && args[0] === 'rl_actor_test_bucket_t') {
-					limitTimestamp = parseInt(args[1] as string);
-					return [null, args[1]];
-				}
-				if (command === 'get' && args[0] === 'rl_actor_test_bucket_t') {
-					return [null, limitTimestamp?.toString() ?? null];
-				}
-				// if (command === 'incr' && args[0] === 'rl_actor_test_bucket_c') {
-				// 	limitCounter = (limitCounter ?? 0) + 1;
-				// 	return [null, null];
-				// }
-				if (command === 'set' && args[0] === 'rl_actor_test_bucket_c') {
-					limitCounter = parseInt(args[1] as string);
+				if (command === 'set' && args[0] === 'rl_actor_test') {
+					const parts = (args[1] as string).split(':');
+					limitCounter = parseInt(parts[0] as string);
+					limitTimestamp = parseInt(parts[1] as string);
 					return [null, args[1]];
 				}
-				if (command === 'get' && args[0] === 'rl_actor_test_bucket_c') {
-					return [null, limitCounter?.toString() ?? null];
+				if (command === 'get' && args[0] === 'rl_actor_test') {
+					const data = `${limitCounter ?? 0}:${limitTimestamp ?? 0}`;
+					return [null, data];
 				}
 
-				if (command === 'set' && args[0] === 'rl_actor_test_min_t') {
-					minTimestamp = parseInt(args[1] as string);
-					return [null, args[1]];
-				}
-				if (command === 'get' && args[0] === 'rl_actor_test_min_t') {
-					return [null, minTimestamp?.toString() ?? null];
-				}
-				// if (command === 'incr' && args[0] === 'rl_actor_test_min_c') {
-				// 	minCounter = (minCounter ?? 0) + 1;
-				// 	return [null, null];
-				// }
-				if (command === 'set' && args[0] === 'rl_actor_test_min_c') {
-					minCounter = parseInt(args[1] as string);
-					return [null, args[1]];
-				}
-				if (command === 'get' && args[0] === 'rl_actor_test_min_c') {
-					return [null, minCounter?.toString() ?? null];
-				}
-				// if (command === 'expire') {
-				// 	return [null, null];
-				// }
-
 				return null;
 			});
 		});
@@ -266,19 +269,7 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
-			});
-
-			it('should set timestamp expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -379,12 +370,12 @@ describe(SkRateLimiterService, () => {
 
 			it('should retry when redis conflicts', async () => {
 				let numCalls = 0;
-				const realMockRedisExec = mockRedisExec;
+				const originalExec = mockRedisExec;
 				mockRedisExec = () => {
-					if (numCalls > 0) {
-						mockRedisExec = realMockRedisExec;
-					}
 					numCalls++;
+					if (numCalls > 1) {
+						mockRedisExec = originalExec;
+					}
 					return Promise.resolve(null);
 				};
 
@@ -393,7 +384,7 @@ describe(SkRateLimiterService, () => {
 				expect(numCalls).toBe(2);
 			});
 
-			it('should bail out after 3 tries', async () => {
+			it('should bail out after 5 tries', async () => {
 				let numCalls = 0;
 				mockRedisExec = () => {
 					numCalls++;
@@ -403,7 +394,7 @@ describe(SkRateLimiterService, () => {
 				const promise = serviceUnderTest().limit(limit, actor);
 
 				await expect(promise).rejects.toThrow(/transaction conflict/);
-				expect(numCalls).toBe(3);
+				expect(numCalls).toBe(5);
 			});
 
 			it('should apply correction if extra calls slip through', async () => {
@@ -450,8 +441,8 @@ describe(SkRateLimiterService, () => {
 			it('should increment counter when called', async () => {
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(minCounter).not.toBeUndefined();
-				expect(minCounter).toBe(1);
+				expect(limitCounter).not.toBeUndefined();
+				expect(limitCounter).toBe(1);
 			});
 
 			it('should set timestamp when called', async () => {
@@ -459,30 +450,19 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(minCounter).not.toBeUndefined();
-				expect(minTimestamp).toBe(1000);
+				expect(limitCounter).not.toBeUndefined();
+				expect(limitTimestamp).toBe(1000);
 			});
 
 			it('should decrement counter when minInterval has passed', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
-				mockTimeService.now = 1000;
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(minCounter).not.toBeUndefined();
-				expect(minCounter).toBe(1); // 1 (starting) - 1 (interval) + 1 (call) = 1
-			});
-
-			it('should reset counter entirely', async () => {
-				minCounter = 2;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(minCounter).not.toBeUndefined();
-				expect(minCounter).toBe(1); // 2 (starting) - 2 (interval) + 1 (call) = 1
+				expect(limitCounter).not.toBeUndefined();
+				expect(limitCounter).toBe(1); // 1 (starting) - 1 (interval) + 1 (call) = 1
 			});
 
 			it('should maintain counter between calls over time', async () => {
@@ -495,13 +475,13 @@ describe(SkRateLimiterService, () => {
 				mockTimeService.now += 1000; // 0 - 1 = 0
 				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
 
-				expect(minCounter).toBe(1);
-				expect(minTimestamp).toBe(3000);
+				expect(limitCounter).toBe(1);
+				expect(limitTimestamp).toBe(3000);
 			});
 
 			it('should block when interval exceeded', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -509,8 +489,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should calculate correct info when blocked', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
@@ -521,8 +501,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should allow when bucket is filled but interval has passed', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now = 1000;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -531,8 +511,8 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should scale interval by factor', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now += 500;
 
 				const info = await serviceUnderTest().limit(limit, actor, 0.5);
@@ -549,30 +529,18 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test_min_c', '1', 'EX', 1]);
-			});
-
-			it('should set timestamp expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_min_t', '0', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
+				limitCounter = 1;
+				limitTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(minCounter).toBe(1);
-				expect(minTimestamp).toBe(0);
+				expect(limitCounter).toBe(1);
+				expect(limitTimestamp).toBe(0);
 			});
 
 			it('should skip if factor is zero', async () => {
@@ -605,17 +573,17 @@ describe(SkRateLimiterService, () => {
 				await expect(promise).rejects.toThrow(/minInterval is negative/);
 			});
 
-			it('should not apply correction to extra calls', async () => {
-				minCounter = 2;
+			it('should apply correction if extra calls slip through', async () => {
+				limitCounter = 2;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
 				expect(info.blocked).toBeTruthy();
 				expect(info.remaining).toBe(0);
-				expect(info.resetMs).toBe(1000);
-				expect(info.resetSec).toBe(1);
-				expect(info.fullResetMs).toBe(1000);
-				expect(info.fullResetSec).toBe(1);
+				expect(info.resetMs).toBe(2000);
+				expect(info.resetSec).toBe(2);
+				expect(info.fullResetMs).toBe(2000);
+				expect(info.fullResetSec).toBe(2);
 			});
 		});
 
@@ -720,19 +688,7 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
-			});
-
-			it('should set timestamp expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -774,12 +730,21 @@ describe(SkRateLimiterService, () => {
 				await expect(promise).rejects.toThrow(/factor is zero or negative/);
 			});
 
+			it('should skip if duration is zero', async () => {
+				limit.duration = 0;
+
+				const info = await serviceUnderTest().limit(limit, actor);
+
+				expect(info.blocked).toBeFalsy();
+				expect(info.remaining).toBe(Number.MAX_SAFE_INTEGER);
+			});
+
 			it('should throw if max is zero', async () => {
 				limit.max = 0;
 
 				const promise = serviceUnderTest().limit(limit, actor);
 
-				await expect(promise).rejects.toThrow(/size is less than 1/);
+				await expect(promise).rejects.toThrow(/max is less than 1/);
 			});
 
 			it('should throw if max is negative', async () => {
@@ -787,7 +752,7 @@ describe(SkRateLimiterService, () => {
 
 				const promise = serviceUnderTest().limit(limit, actor);
 
-				await expect(promise).rejects.toThrow(/size is less than 1/);
+				await expect(promise).rejects.toThrow(/max is less than 1/);
 			});
 
 			it('should apply correction if extra calls slip through', async () => {
@@ -811,7 +776,7 @@ describe(SkRateLimiterService, () => {
 				limit = {
 					type: undefined,
 					key,
-					max: 5,
+					max: 10,
 					duration: 5000,
 					minInterval: 1000,
 				};
@@ -824,7 +789,7 @@ describe(SkRateLimiterService, () => {
 			});
 
 			it('should block when limit exceeded', async () => {
-				limitCounter = 5;
+				limitCounter = 10;
 				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -832,17 +797,8 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeTruthy();
 			});
 
-			it('should block when minInterval exceeded', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
-
-				const info = await serviceUnderTest().limit(limit, actor);
-
-				expect(info.blocked).toBeTruthy();
-			});
-
 			it('should calculate correct info when allowed', async () => {
-				limitCounter = 1;
+				limitCounter = 9;
 				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -850,12 +806,12 @@ describe(SkRateLimiterService, () => {
 				expect(info.remaining).toBe(0);
 				expect(info.resetSec).toBe(1);
 				expect(info.resetMs).toBe(1000);
-				expect(info.fullResetSec).toBe(2);
-				expect(info.fullResetMs).toBe(2000);
+				expect(info.fullResetSec).toBe(5);
+				expect(info.fullResetMs).toBe(5000);
 			});
 
-			it('should calculate correct info when blocked by limit', async () => {
-				limitCounter = 5;
+			it('should calculate correct info when blocked', async () => {
+				limitCounter = 10;
 				limitTimestamp = 0;
 
 				const info = await serviceUnderTest().limit(limit, actor);
@@ -867,19 +823,6 @@ describe(SkRateLimiterService, () => {
 				expect(info.fullResetMs).toBe(5000);
 			});
 
-			it('should calculate correct info when blocked by minInterval', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
-
-				const info = await serviceUnderTest().limit(limit, actor);
-
-				expect(info.remaining).toBe(0);
-				expect(info.resetSec).toBe(1);
-				expect(info.resetMs).toBe(1000);
-				expect(info.fullResetSec).toBe(1);
-				expect(info.fullResetMs).toBe(1000);
-			});
-
 			it('should allow when counter is filled but interval has passed', async () => {
 				limitCounter = 5;
 				limitTimestamp = 0;
@@ -890,21 +833,23 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should allow when minCounter is filled but interval has passed', async () => {
-				minCounter = 1;
-				minTimestamp = 0;
-				mockTimeService.now = 1000;
+			it('should drip according to minInterval', async () => {
+				limitCounter = 10;
+				limitTimestamp = 0;
+				mockTimeService.now += 1000;
 
-				const info = await serviceUnderTest().limit(limit, actor);
+				const i1 = await serviceUnderTest().limit(limit, actor);
+				const i2 = await serviceUnderTest().limit(limit, actor);
+				const i3 = await serviceUnderTest().limit(limit, actor);
 
-				expect(info.blocked).toBeFalsy();
+				expect(i1.blocked).toBeFalsy();
+				expect(i2.blocked).toBeFalsy();
+				expect(i3.blocked).toBeTruthy();
 			});
 
 			it('should scale limit and interval by factor', async () => {
 				limitCounter = 5;
 				limitTimestamp = 0;
-				minCounter = 1;
-				minTimestamp = 0;
 				mockTimeService.now += 500;
 
 				const info = await serviceUnderTest().limit(limit, actor, 0.5);
@@ -912,43 +857,7 @@ describe(SkRateLimiterService, () => {
 				expect(info.blocked).toBeFalsy();
 			});
 
-			it('should set bucket counter expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_c', '1', 'EX', 1]);
-			});
-
-			it('should set bucket timestamp expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_bucket_t', '0', 'EX', 1]);
-			});
-
-			it('should set min counter expiration', async () => {
-				const commands: unknown[][] = [];
-				mockRedis.push(command => {
-					commands.push(command);
-					return null;
-				});
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(commands).toContainEqual(['set', 'rl_actor_test_min_c', '1', 'EX', 1]);
-			});
-
-			it('should set min timestamp expiration', async () => {
+			it('should set counter expiration', async () => {
 				const commands: unknown[][] = [];
 				mockRedis.push(command => {
 					commands.push(command);
@@ -957,27 +866,22 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test_min_t', '0', 'EX', 1]);
+				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-				limitCounter = 5;
+				limitCounter = 10;
 				limitTimestamp = 0;
-				minCounter = 1;
-				minTimestamp = 0;
 				mockTimeService.now += 100;
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(limitCounter).toBe(5);
+				expect(limitCounter).toBe(10);
 				expect(limitTimestamp).toBe(0);
-				expect(minCounter).toBe(1);
-				expect(minTimestamp).toBe(0);
 			});
 
 			it('should apply correction if extra calls slip through', async () => {
-				limitCounter = 6;
-				minCounter = 6;
+				limitCounter = 12;
 
 				const info = await serviceUnderTest().limit(limit, actor);
 
-- 
cgit v1.2.3-freya


From 0ea9d6ec5d4f037b37a98603f8942404530f2802 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Wed, 11 Dec 2024 09:10:11 -0500
Subject: use atomic variant of Leaky Bucket for safe concurrent rate limits

---
 packages/backend/src/core/CoreModule.ts            |   6 -
 packages/backend/src/core/RedisConnectionPool.ts   | 103 -----------
 packages/backend/src/core/TimeoutService.ts        |  76 --------
 .../backend/src/server/SkRateLimiterService.md     | 143 ++++++++++++++
 .../backend/src/server/api/SkRateLimiterService.ts | 206 ++++++++++++---------
 .../unit/server/api/SkRateLimiterServiceTests.ts   | 182 +++++++++++-------
 6 files changed, 375 insertions(+), 341 deletions(-)
 delete mode 100644 packages/backend/src/core/RedisConnectionPool.ts
 delete mode 100644 packages/backend/src/core/TimeoutService.ts
 create mode 100644 packages/backend/src/server/SkRateLimiterService.md

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/core/CoreModule.ts b/packages/backend/src/core/CoreModule.ts
index caf135ae4b..b18db7f366 100644
--- a/packages/backend/src/core/CoreModule.ts
+++ b/packages/backend/src/core/CoreModule.ts
@@ -155,8 +155,6 @@ import { QueueModule } from './QueueModule.js';
 import { QueueService } from './QueueService.js';
 import { LoggerService } from './LoggerService.js';
 import { SponsorsService } from './SponsorsService.js';
-import { RedisConnectionPool } from './RedisConnectionPool.js';
-import { TimeoutService } from './TimeoutService.js';
 import type { Provider } from '@nestjs/common';
 
 //#region 文字列ベースでのinjection用(循環参照対応のため)
@@ -385,8 +383,6 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
-		RedisConnectionPool,
-		TimeoutService,
 		TimeService,
 		EnvService,
 
@@ -688,8 +684,6 @@ const $SponsorsService: Provider = { provide: 'SponsorsService', useExisting: Sp
 		ChannelFollowingService,
 		RegistryApiService,
 		ReversiService,
-		RedisConnectionPool,
-		TimeoutService,
 		TimeService,
 		EnvService,
 
diff --git a/packages/backend/src/core/RedisConnectionPool.ts b/packages/backend/src/core/RedisConnectionPool.ts
deleted file mode 100644
index 7ebefdfcb3..0000000000
--- a/packages/backend/src/core/RedisConnectionPool.ts
+++ /dev/null
@@ -1,103 +0,0 @@
-/*
- * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-import { Inject, Injectable, OnApplicationShutdown } from '@nestjs/common';
-import Redis, { RedisOptions } from 'ioredis';
-import { DI } from '@/di-symbols.js';
-import type { Config } from '@/config.js';
-import Logger from '@/logger.js';
-import { Timeout, TimeoutService } from '@/core/TimeoutService.js';
-import { LoggerService } from './LoggerService.js';
-
-/**
- * Target number of connections to keep open and ready for use.
- * The pool may grow beyond this during bursty traffic, but it will always shrink back to this number.
- * The pool may remain below this number is the server never experiences enough traffic to consume this many clients.
- */
-export const poolSize = 16;
-
-/**
- * How often to drop an idle connection from the pool.
- * This will never shrink the pool below poolSize.
- */
-export const poolShrinkInterval = 5 * 1000; // 5 seconds
-
-@Injectable()
-export class RedisConnectionPool implements OnApplicationShutdown {
-	private readonly poolShrinkTimer: Timeout;
-	private readonly pool: Redis.Redis[] = [];
-	private readonly logger: Logger;
-	private readonly redisOptions: RedisOptions;
-
-	constructor(@Inject(DI.config) config: Config, loggerService: LoggerService, timeoutService: TimeoutService) {
-		this.logger = loggerService.getLogger('redis-pool');
-		this.poolShrinkTimer = timeoutService.setInterval(() => this.shrinkPool(), poolShrinkInterval);
-		this.redisOptions = {
-			...config.redis,
-
-			// Set lazyConnect so that we can await() the connection manually.
-			// This helps to avoid a "stampede" of new connections (which are processed in the background!) under bursty conditions.
-			lazyConnect: true,
-			enableOfflineQueue: false,
-		};
-	}
-
-	/**
-	 * Gets a Redis connection from the pool, or creates a new connection if the pool is empty.
-	 * The returned object MUST be returned with a call to free(), even in the case of exceptions!
-	 * Use a try...finally block for safe handling.
-	 */
-	public async alloc(): Promise<Redis.Redis> {
-		let redis = this.pool.pop();
-
-		// The pool may be empty if we're under heavy load and/or we haven't opened all connections.
-		// Just construct a new instance, which will eventually be added to the pool.
-		// Excess clients will be disposed eventually.
-		if (!redis) {
-			redis = new Redis.Redis(this.redisOptions);
-			await redis.connect();
-		}
-
-		return redis;
-	}
-
-	/**
-	 * Returns a Redis connection to the pool.
-	 * The instance MUST not be used after returning!
-	 * Use a try...finally block for safe handling.
-	 */
-	public async free(redis: Redis.Redis): Promise<void> {
-		// https://redis.io/docs/latest/commands/reset/
-		await redis.reset();
-
-		this.pool.push(redis);
-	}
-
-	public async onApplicationShutdown(): Promise<void> {
-		// Cancel timer, otherwise it will cause a memory leak
-		clearInterval(this.poolShrinkTimer);
-
-		// Disconnect all remaining instances
-		while (this.pool.length > 0) {
-			await this.dropClient();
-		}
-	}
-
-	private async shrinkPool(): Promise<void> {
-		this.logger.debug(`Pool size is ${this.pool.length}`);
-		if (this.pool.length > poolSize) {
-			await this.dropClient();
-		}
-	}
-
-	private async dropClient(): Promise<void> {
-		try {
-			const redis = this.pool.pop();
-			await redis?.quit();
-		} catch (err) {
-			this.logger.warn(`Error disconnecting from redis: ${err}`, { err });
-		}
-	}
-}
diff --git a/packages/backend/src/core/TimeoutService.ts b/packages/backend/src/core/TimeoutService.ts
deleted file mode 100644
index 093b9a7b04..0000000000
--- a/packages/backend/src/core/TimeoutService.ts
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * SPDX-FileCopyrightText: hazelnoot and other Sharkey contributors
- * SPDX-License-Identifier: AGPL-3.0-only
- */
-
-/**
- * Provides access to setTimeout, setInterval, and related functions.
- * Used to support deterministic unit testing.
- */
-export class TimeoutService {
-	/**
-	 * Returns a promise that resolves after the specified timeout in milliseconds.
-	 */
-	public delay(timeout: number): Promise<void> {
-		return new Promise(resolve => {
-			this.setTimeout(resolve, timeout);
-		});
-	}
-
-	/**
-	 * Passthrough to node's setTimeout
-	 */
-	public setTimeout(handler: TimeoutHandler, timeout?: number): Timeout {
-		return setTimeout(() => handler(), timeout);
-	}
-
-	/**
-	 * Passthrough to node's setInterval
-	 */
-	public setInterval(handler: TimeoutHandler, timeout?: number): Timeout {
-		return setInterval(() => handler(), timeout);
-	}
-
-	/**
-	 * Passthrough to node's clearTimeout
-	 */
-	public clearTimeout(timeout: Timeout) {
-		clearTimeout(timeout);
-	}
-
-	/**
-	 * Passthrough to node's clearInterval
-	 */
-	public clearInterval(timeout: Timeout) {
-		clearInterval(timeout);
-	}
-}
-
-/**
- * Function to be called when a timer or interval elapses.
- */
-export type TimeoutHandler = () => void;
-
-/**
- * A fucked TS issue causes the DOM setTimeout to get merged with Node setTimeout, creating a "quantum method" that returns either "number" or "NodeJS.Timeout" depending on how it's called.
- * This would be fine, except it always matches the *wrong type*!
- * The result is this "impossible" scenario:
- *
- * ```typescript
- * // Test evaluates to "false", because the method's return type is not equal to itself.
- * type Test = ReturnType<typeof setTimeout> extends ReturnType<typeof setTimeout> ? true : false;
- *
- * // This is a compiler error, because the type is broken and triggers some internal TS bug.
- * const timeout = setTimeout(handler);
- * clearTimeout(timeout); // compiler error here, because even type inference doesn't work.
- *
- * // This fails to compile.
- * function test(handler, timeout): ReturnType<typeof setTimeout> {
- *   return setTimeout(handler, timeout);
- * }
- * ```
- *
- * The bug is marked as "wontfix" by TS devs, so we have to work around it ourselves. -_-
- * By forcing the return type to *explicitly* include both types, we at least make it possible to work with the resulting token.
- */
-export type Timeout = NodeJS.Timeout | number;
diff --git a/packages/backend/src/server/SkRateLimiterService.md b/packages/backend/src/server/SkRateLimiterService.md
new file mode 100644
index 0000000000..c2752f5027
--- /dev/null
+++ b/packages/backend/src/server/SkRateLimiterService.md
@@ -0,0 +1,143 @@
+# SkRateLimiterService - Leaky Bucket Rate Limit Implementation
+
+SkRateLimiterService replaces Misskey's RateLimiterService for all use cases.
+It offers a simplified API, detailed metrics, and support for Rate Limit headers.
+The prime feature is an implementation of Leaky Bucket - a flexible rate limiting scheme that better supports bursty request patterns common with human interaction.
+
+## Compatibility
+
+The API is backwards-compatible with existing limit definitions, but it's preferred to use the new BucketRateLimit interface.
+Legacy limits will be "translated" into a bucket limit in a way that attempts to respect max, duration, and minInterval (if present).
+SkRateLimiterService is quite not plug-and-play compatible with existing call sites, because it no longer throws when a limit is exceeded.
+Instead, the returned LimitInfo object will have "blocked" set to true.
+Callers are responsible for checking this property and taking any desired action, such as rejecting a request or returning limit details.
+
+## Headers
+
+LimitInfo objects (returned by SkRateLimitService.limit()) can be passed to rate-limit-utils.attachHeaders() to send standard rate limit headers with an HTTP response.
+The defined headers are:
+
+| Header                  | Definition                                                                                                                                                                                                     | Example                    |
+|-------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------|
+| `X-RateLimit-Remaining` | Number of calls that can be made without triggering the rate limit. Will be zero if the limit is already exceeded, or will be exceeded by the next request.                                                    | `X-RateLimit-Remaining: 1` |
+| `X-RateLimit-Clear`     | Time in seconds required to completely clear the rate limit "bucket".                                                                                                                                          | `X-RateLimit-Clear: 1.5`   |
+| `X-RateLimit-Reset`     | Contains the number of seconds to wait before retrying the current request. Clients should delay for at least this long before making another call. Only included if the rate limit has already been exceeded. | `X-RateLimit-Reset: 0.755` |
+| `Retry-After`           | Like `X-RateLimit-Reset`, but measured in seconds (rounded up). Preserved for backwards compatibility, and only included if the rate limit has already been exceeded.                                          | `Retry-After: 2`           |
+
+Note: rate limit headers are not standardized, except for `Retry-After`.
+Header meanings and usage have been devised by adapting common patterns to work with a leaky bucket model instead.
+
+## Performance
+
+SkRateLimiterService makes between 1 and 4 redis transactions per rate limit check.
+One call is read-only, while the others perform at least one write operation.
+Two integer keys are stored per client/subject, and both expire together after the maximum duration of the limit.
+While performance has not been formally tested, it's expected that SkRateLimiterService will perform roughly on par with the legacy RateLimiterService.
+Redis memory usage should be notably lower due to the reduced number of keys and avoidance of set / array constructions.
+
+## Concurrency and Multi-Node Correctness
+
+To provide consistency across multi-node environments, leaky bucket is implemented with only atomic operations (Increment, Decrement, Add, and Subtract).
+This allows the use of Optimistic Locking via modify-check-rollback logic.
+If a data conflict is detected during the "drip" operation, then it's safely reverted by executing its inverse (Increment <-> Decrement, Add <-> Subtract).
+We don't need to check for conflicts when adding the current request, as all checks account for the case where the bucket has been "overfilled".
+Should that happen, the limit delay will be extended until the bucket size is back within limits.
+
+There is one non-atomic `SET` operation used to populate the initial Timestamp value, but we can safely ignore data races there.
+Any possible conflict would have to occur within a few-milliseconds window, which means that the final value can be no more than a few milliseconds off from the expected value.
+This error does not compound, as all further operations are relative (Increment and Add).
+Thus, it's considered an acceptable tradeoff given the limitations imposed by Redis and IORedis library.
+
+## Algorithm Pseudocode
+
+The Atomic Leaky Bucket algorithm is described here, in pseudocode:
+
+```
+# Terms
+# * Now - UNIX timestamp of the current moment
+# * Bucket Size - Maximum number of requests allowed in the bucket
+# * Counter - Number of requests in the bucket
+# * Drip Rate - How often to decrement counter
+# * Drip Size - How much to decrement the counter
+# * Timestamp - UNIX timestamp of last bucket drip
+# * Delta Counter - Difference between current and expected counter value
+# * Delta Timestamp - Difference between current and expected timestamp value 
+
+# 0 - Calculations
+dripRate = ceil(limit.dripRate ?? 1000);
+dripSize = ceil(limit.dripSize ?? 1);
+bucketSize = max(ceil(limit.size / factor), 1);
+maxExpiration = max(ceil((dripRate * ceil(bucketSize / dripSize)) / 1000), 1);;
+
+# 1 - Read
+MULTI
+  GET 'counter' INTO counter
+  GET 'timestamp' INTO timestamp
+EXEC
+
+# 2 - Drip
+if (counter > 0) {
+  # Deltas
+  deltaCounter = floor((now - timestamp) / dripRate) * dripSize;
+  deltaCounter = min(deltaCounter, counter);
+  deltaTimestamp = deltaCounter * dripRate;
+  if (deltaCounter > 0) {
+    # Update
+    expectedTimestamp = timestamp
+    MULTI
+      GET 'timestamp' INTO canaryTimestamp
+      INCRBY 'timestamp' deltaTimestamp
+      EXPIRE 'timestamp' maxExpiration
+      GET 'timestamp' INTO timestamp
+      DECRBY 'counter' deltaCounter
+      EXPIRE 'counter' maxExpiration
+      GET 'counter' INTO counter
+    EXEC
+    # Rollback
+    if (canaryTimestamp != expectedTimestamp) {
+      MULTI
+        DECRBY 'timestamp' deltaTimestamp
+        GET 'timestamp' INTO timestmamp
+        INCRBY 'counter' deltaCounter
+        GET 'counter' INTO counter
+      EXEC
+    }
+  }
+}
+
+# 3 - Check
+blocked = counter >= bucketSize
+if (!blocked) {
+  if (timestamp == 0) {
+    # Edge case - set the initial value for timestamp.
+    # Otherwise the first request will immediately drip away.
+    MULTI
+      SET 'timestamp', now
+      EXPIRE 'timestamp' maxExpiration
+      INCR 'counter'
+      EXPIRE 'counter' maxExpiration
+      GET 'counter' INTO counter
+    EXEC
+  } else {
+    MULTI
+      INCR 'counter'
+      EXPIRE 'counter' maxExpiration
+      GET 'counter' INTO counter
+    EXEC
+  }
+}
+
+# 4 - Handle
+if (blocked) {
+  # Application-specific code goes here.
+  # At this point blocked, counter, and timestamp are all accurate and synced to redis.
+  # Caller can apply limits, calculate headers, log audit failure, or anything else.
+}
+```
+
+## Notes, Resources, and Further Reading
+
+* https://en.wikipedia.org/wiki/Leaky_bucket#As_a_meter
+* https://ietf-wg-httpapi.github.io/ratelimit-headers/darrelmiller-policyname/draft-ietf-httpapi-ratelimit-headers.txt
+* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Retry-After
+* https://stackoverflow.com/a/16022625
diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index 71681aadc9..d349e192e1 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -8,8 +8,7 @@ import Redis from 'ioredis';
 import { TimeService } from '@/core/TimeService.js';
 import { EnvService } from '@/core/EnvService.js';
 import { BucketRateLimit, LegacyRateLimit, LimitInfo, RateLimit, hasMinLimit, isLegacyRateLimit, Keyed, hasMaxLimit, disabledLimitInfo, MaxLegacyLimit, MinLegacyLimit } from '@/misc/rate-limit-utils.js';
-import { RedisConnectionPool } from '@/core/RedisConnectionPool.js';
-import { TimeoutService } from '@/core/TimeoutService.js';
+import { DI } from '@/di-symbols.js';
 
 @Injectable()
 export class SkRateLimiterService {
@@ -19,11 +18,8 @@ export class SkRateLimiterService {
 		@Inject(TimeService)
 		private readonly timeService: TimeService,
 
-		@Inject(TimeoutService)
-		private readonly timeoutService: TimeoutService,
-
-		@Inject(RedisConnectionPool)
-		private readonly redisPool: RedisConnectionPool,
+		@Inject(DI.redis)
+		private readonly redisClient: Redis.Redis,
 
 		@Inject(EnvService)
 		envService: EnvService,
@@ -31,6 +27,12 @@ export class SkRateLimiterService {
 		this.disabled = envService.env.NODE_ENV === 'test';
 	}
 
+	/**
+	 * Check & increment a rate limit
+	 * @param limit The limit definition
+	 * @param actor Client who is calling this limit
+	 * @param factor Scaling factor - smaller = larger limit (less restrictive)
+	 */
 	public async limit(limit: Keyed<RateLimit>, actor: string, factor = 1): Promise<LimitInfo> {
 		if (this.disabled || factor === 0) {
 			return disabledLimitInfo;
@@ -40,52 +42,28 @@ export class SkRateLimiterService {
 			throw new Error(`Rate limit factor is zero or negative: ${factor}`);
 		}
 
-		const redis = await this.redisPool.alloc();
-		try {
-			return await this.tryLimit(redis, limit, actor, factor);
-		} finally {
-			await this.redisPool.free(redis);
-		}
+		return await this.tryLimit(limit, actor, factor);
 	}
 
-	private async tryLimit(redis: Redis.Redis, limit: Keyed<RateLimit>, actor: string, factor: number, retry = 0): Promise<LimitInfo> {
-		try {
-			if (retry > 0) {
-				// Real-world testing showed the need for backoff to "spread out" bursty traffic.
-				const backoff = Math.round(Math.pow(2, retry + Math.random()));
-				await this.timeoutService.delay(backoff);
-			}
-
-			if (isLegacyRateLimit(limit)) {
-				return await this.limitLegacy(redis, limit, actor, factor);
-			} else {
-				return await this.limitBucket(redis, limit, actor, factor);
-			}
-		} catch (err) {
-			// We may experience collision errors from optimistic locking.
-			// This is expected, so we should retry a few times before giving up.
-			// https://redis.io/docs/latest/develop/interact/transactions/#optimistic-locking-using-check-and-set
-			if (err instanceof ConflictError && retry < 4) {
-				// We can reuse the same connection to reduce pool contention, but we have to reset it first.
-				await redis.reset();
-				return await this.tryLimit(redis, limit, actor, factor, retry + 1);
-			}
-
-			throw err;
+	private async tryLimit(limit: Keyed<RateLimit>, actor: string, factor: number): Promise<LimitInfo> {
+		if (isLegacyRateLimit(limit)) {
+			return await this.limitLegacy(limit, actor, factor);
+		} else {
+			return await this.limitBucket(limit, actor, factor);
 		}
 	}
 
-	private async limitLegacy(redis: Redis.Redis, limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitLegacy(limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (hasMaxLimit(limit)) {
-			return await this.limitMaxLegacy(redis, limit, actor, factor);
+			return await this.limitMaxLegacy(limit, actor, factor);
 		} else if (hasMinLimit(limit)) {
-			return await this.limitMinLegacy(redis, limit, actor, factor);
+			return await this.limitMinLegacy(limit, actor, factor);
 		} else {
 			return disabledLimitInfo;
 		}
 	}
 
-	private async limitMaxLegacy(redis: Redis.Redis, limit: Keyed<MaxLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitMaxLegacy(limit: Keyed<MaxLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.duration === 0) return disabledLimitInfo;
 		if (limit.duration < 0) throw new Error(`Invalid rate limit ${limit.key}: duration is negative (${limit.duration})`);
 		if (limit.max < 1) throw new Error(`Invalid rate limit ${limit.key}: max is less than 1 (${limit.max})`);
@@ -106,10 +84,10 @@ export class SkRateLimiterService {
 			dripRate,
 			dripSize,
 		};
-		return await this.limitBucket(redis, bucketLimit, actor, factor);
+		return await this.limitBucket(bucketLimit, actor, factor);
 	}
 
-	private async limitMinLegacy(redis: Redis.Redis, limit: Keyed<MinLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitMinLegacy(limit: Keyed<MinLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.minInterval === 0) return disabledLimitInfo;
 		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
@@ -121,33 +99,83 @@ export class SkRateLimiterService {
 			dripRate,
 			dripSize: 1,
 		};
-		return await this.limitBucket(redis, bucketLimit, actor, factor);
+		return await this.limitBucket(bucketLimit, actor, factor);
 	}
 
-	private async limitBucket(redis: Redis.Redis, limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	/**
+	 * Implementation of Leaky Bucket rate limiting - see SkRateLimiterService.md for details.
+	 */
+	private async limitBucket(limit: Keyed<BucketRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.size < 1) throw new Error(`Invalid rate limit ${limit.key}: size is less than 1 (${limit.size})`);
 		if (limit.dripRate != null && limit.dripRate < 1) throw new Error(`Invalid rate limit ${limit.key}: dripRate is less than 1 (${limit.dripRate})`);
 		if (limit.dripSize != null && limit.dripSize < 1) throw new Error(`Invalid rate limit ${limit.key}: dripSize is less than 1 (${limit.dripSize})`);
 
-		const redisKey = createLimitKey(limit, actor);
+		// 0 - Calculate
+		const now = this.timeService.now;
 		const bucketSize = Math.max(Math.ceil(limit.size / factor), 1);
 		const dripRate = Math.ceil(limit.dripRate ?? 1000);
 		const dripSize = Math.ceil(limit.dripSize ?? 1);
-		const expirationSec = Math.max(Math.ceil(bucketSize / dripRate), 1);
-
-		// Simulate bucket drips
-		const counter = await this.getLimitCounter(redis, redisKey);
-		if (counter.counter > 0) {
-			const dripsSinceLastTick = Math.floor((this.timeService.now - counter.timestamp) / dripRate) * dripSize;
-			counter.counter = Math.max(counter.counter - dripsSinceLastTick, 0);
+		const expirationSec = Math.max(Math.ceil((dripRate * Math.ceil(bucketSize / dripSize)) / 1000), 1);
+
+		// 1 - Read
+		const counterKey = createLimitKey(limit, actor, 'c');
+		const timestampKey = createLimitKey(limit, actor, 't');
+		const counter = await this.getLimitCounter(counterKey, timestampKey);
+
+		// 2 - Drip
+		const dripsSinceLastTick = Math.floor((now - counter.timestamp) / dripRate) * dripSize;
+		const deltaCounter = Math.min(dripsSinceLastTick, counter.counter);
+		const deltaTimestamp = dripsSinceLastTick * dripRate;
+		if (deltaCounter > 0) {
+			// Execute the next drip(s)
+			const results = await this.executeRedisMulti(
+				['get', timestampKey],
+				['incrby', timestampKey, deltaTimestamp],
+				['expire', timestampKey, expirationSec],
+				['get', timestampKey],
+				['decrby', counterKey, deltaCounter],
+				['expire', counterKey, expirationSec],
+				['get', counterKey],
+			);
+			const expectedTimestamp = counter.timestamp;
+			const canaryTimestamp = results[0] ? parseInt(results[0]) : 0;
+			counter.timestamp = results[3] ? parseInt(results[3]) : 0;
+			counter.counter = results[6] ? parseInt(results[6]) : 0;
+
+			// Check for a data collision and rollback
+			if (canaryTimestamp !== expectedTimestamp) {
+				const rollbackResults = await this.executeRedisMulti(
+					['decrby', timestampKey, deltaTimestamp],
+					['get', timestampKey],
+					['incrby', counterKey, deltaCounter],
+					['get', counterKey],
+				);
+				counter.timestamp = rollbackResults[1] ? parseInt(rollbackResults[1]) : 0;
+				counter.counter = rollbackResults[3] ? parseInt(rollbackResults[3]) : 0;
+			}
 		}
 
-		// Increment the limit, then synchronize with redis
+		// 3 - Check
 		const blocked = counter.counter >= bucketSize;
 		if (!blocked) {
-			counter.counter++;
-			counter.timestamp = this.timeService.now;
-			await this.updateLimitCounter(redis, redisKey, expirationSec, counter);
+			if (counter.timestamp === 0) {
+				const results = await this.executeRedisMulti(
+					['set', timestampKey, now],
+					['expire', timestampKey, expirationSec],
+					['incr', counterKey],
+					['expire', counterKey, expirationSec],
+					['get', counterKey],
+				);
+				counter.timestamp = now;
+				counter.counter = results[4] ? parseInt(results[4]) : 0;
+			} else {
+				const results = await this.executeRedisMulti(
+					['incr', counterKey],
+					['expire', counterKey, expirationSec],
+					['get', counterKey],
+				);
+				counter.counter = results[2] ? parseInt(results[2]) : 0;
+			}
 		}
 
 		// Calculate how much time is needed to free up a bucket slot
@@ -164,37 +192,20 @@ export class SkRateLimiterService {
 		return { blocked, remaining, resetSec, resetMs, fullResetSec, fullResetMs };
 	}
 
-	private async getLimitCounter(redis: Redis.Redis, key: string): Promise<LimitCounter> {
-		const counter: LimitCounter = { counter: 0, timestamp: 0 };
-
-		// Watch the key BEFORE reading it!
-		await redis.watch(key);
-		const data = await redis.get(key);
-
-		// Data may be missing or corrupt if the key doesn't exist.
-		// This is an expected edge case.
-		if (data) {
-			const parts = data.split(':');
-			if (parts.length === 2) {
-				counter.counter = parseInt(parts[0]);
-				counter.timestamp = parseInt(parts[1]);
-			}
-		}
-
-		return counter;
-	}
-
-	private async updateLimitCounter(redis: Redis.Redis, key: string, expirationSec: number, counter: LimitCounter): Promise<void> {
-		const data = `${counter.counter}:${counter.timestamp}`;
-
-		await this.executeRedisMulti(
-			redis,
-			[['set', key, data, 'EX', expirationSec]],
+	private async getLimitCounter(counterKey: string, timestampKey: string): Promise<LimitCounter> {
+		const [counter, timestamp] = await this.executeRedisMulti(
+			['get', counterKey],
+			['get', timestampKey],
 		);
+
+		return {
+			counter: counter ? parseInt(counter) : 0,
+			timestamp: timestamp ? parseInt(timestamp) : 0,
+		};
 	}
 
-	private async executeRedisMulti<Num extends number>(redis: Redis.Redis, batch: RedisBatch<Num>): Promise<RedisResults<Num>> {
-		const results = await redis.multi(batch).exec();
+	private async executeRedisMulti(...batch: RedisCommand[]): Promise<RedisResult[]> {
+		const results = await this.redisClient.multi(batch).exec();
 
 		// Transaction conflict (retryable)
 		if (!results) {
@@ -206,21 +217,32 @@ export class SkRateLimiterService {
 			throw new Error('Redis error: failed to execute batch');
 		}
 
+		// Map responses
+		const errors: Error[] = [];
+		const responses: RedisResult[] = [];
+		for (const [error, response] of results) {
+			if (error) errors.push(error);
+			responses.push(response as RedisResult);
+		}
+
 		// Command failed (fatal)
-		const errors = results.map(r => r[0]).filter(e => e != null);
 		if (errors.length > 0) {
-			throw new AggregateError(errors, `Redis error: failed to execute command(s): '${errors.join('\', \'')}'`);
+			const errorMessages = errors
+				.map((e, i) => `Error in command ${i}: ${e}`)
+				.join('\', \'');
+			throw new AggregateError(errors, `Redis error: failed to execute command(s): '${errorMessages}'`);
 		}
 
-		return results.map(r => r[1]) as RedisResults<Num>;
+		return responses;
 	}
 }
 
-type RedisBatch<Num extends number> = [string, ...unknown[]][] & { length: Num };
-type RedisResults<Num extends number> = (string | null)[] & { length: Num };
+// Not correct, but good enough for the basic commands we use.
+type RedisResult = string | null;
+type RedisCommand = [command: string, ...args: unknown[]];
 
-function createLimitKey(limit: Keyed<RateLimit>, actor: string): string {
-	return `rl_${actor}_${limit.key}`;
+function createLimitKey(limit: Keyed<RateLimit>, actor: string, value: string): string {
+	return `rl_${actor}_${limit.key}_${value}`;
 }
 
 class ConflictError extends Error {}
diff --git a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
index deb6b9f80e..bf424852e6 100644
--- a/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
+++ b/packages/backend/test/unit/server/api/SkRateLimiterServiceTests.ts
@@ -6,8 +6,6 @@
 import type Redis from 'ioredis';
 import { SkRateLimiterService } from '@/server/api/SkRateLimiterService.js';
 import { BucketRateLimit, Keyed, LegacyRateLimit } from '@/misc/rate-limit-utils.js';
-import { RedisConnectionPool } from '@/core/RedisConnectionPool.js';
-import { Timeout, TimeoutHandler, TimeoutService } from '@/core/TimeoutService.js';
 
 /* eslint-disable @typescript-eslint/no-non-null-assertion */
 
@@ -64,12 +62,6 @@ describe(SkRateLimiterService, () => {
 				return Promise.resolve();
 			},
 		} as unknown as Redis.Redis;
-		const mockRedisPool = {
-			alloc() {
-				return Promise.resolve(mockRedisClient);
-			},
-			free() {},
-		} as unknown as RedisConnectionPool;
 
 		mockEnvironment = Object.create(process.env);
 		mockEnvironment.NODE_ENV = 'production';
@@ -77,22 +69,9 @@ describe(SkRateLimiterService, () => {
 			env: mockEnvironment,
 		};
 
-		const mockTimeoutService = new class extends TimeoutService {
-			setTimeout(handler: TimeoutHandler): Timeout {
-				handler();
-				return 0;
-			}
-			setInterval(handler: TimeoutHandler): Timeout {
-				handler();
-				return 0;
-			}
-			clearTimeout() {}
-			clearInterval() {}
-		};
-
 		let service: SkRateLimiterService | undefined = undefined;
 		serviceUnderTest = () => {
-			return service ??= new SkRateLimiterService(mockTimeService, mockTimeoutService, mockRedisPool, mockEnvService);
+			return service ??= new SkRateLimiterService(mockTimeService, mockRedisClient, mockEnvService);
 		};
 	});
 
@@ -108,15 +87,70 @@ describe(SkRateLimiterService, () => {
 			limitTimestamp = undefined;
 
 			mockRedis.push(([command, ...args]) => {
-				if (command === 'set' && args[0] === 'rl_actor_test') {
-					const parts = (args[1] as string).split(':');
-					limitCounter = parseInt(parts[0] as string);
-					limitTimestamp = parseInt(parts[1] as string);
-					return [null, args[1]];
+				if (command === 'get') {
+					if (args[0] === 'rl_actor_test_c') {
+						const data = limitCounter?.toString() ?? null;
+						return [null, data];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						const data = limitTimestamp?.toString() ?? null;
+						return [null, data];
+					}
+				}
+
+				if (command === 'set') {
+					if (args[0] === 'rl_actor_test_c') {
+						limitCounter = parseInt(args[1] as string);
+						return [null, args[1]];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						limitTimestamp = parseInt(args[1] as string);
+						return [null, args[1]];
+					}
+				}
+
+				if (command === 'incr') {
+					if (args[0] === 'rl_actor_test_c') {
+						limitCounter = (limitCounter ?? 0) + 1;
+						return [null, null];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						limitTimestamp = (limitTimestamp ?? 0) + 1;
+						return [null, null];
+					}
+				}
+
+				if (command === 'incrby') {
+					if (args[0] === 'rl_actor_test_c') {
+						limitCounter = (limitCounter ?? 0) + parseInt(args[1] as string);
+						return [null, null];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						limitTimestamp = (limitTimestamp ?? 0) + parseInt(args[1] as string);
+						return [null, null];
+					}
+				}
+
+				if (command === 'decr') {
+					if (args[0] === 'rl_actor_test_c') {
+						limitCounter = (limitCounter ?? 0) - 1;
+						return [null, null];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						limitTimestamp = (limitTimestamp ?? 0) - 1;
+						return [null, null];
+					}
 				}
-				if (command === 'get' && args[0] === 'rl_actor_test') {
-					const data = `${limitCounter ?? 0}:${limitTimestamp ?? 0}`;
-					return [null, data];
+
+				if (command === 'decrby') {
+					if (args[0] === 'rl_actor_test_c') {
+						limitCounter = (limitCounter ?? 0) - parseInt(args[1] as string);
+						return [null, null];
+					}
+					if (args[0] === 'rl_actor_test_t') {
+						limitTimestamp = (limitTimestamp ?? 0) - parseInt(args[1] as string);
+						return [null, null];
+					}
 				}
 
 				return null;
@@ -269,7 +303,19 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_c', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_t', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -368,35 +414,6 @@ describe(SkRateLimiterService, () => {
 				await expect(promise).rejects.toThrow(/dripSize is less than 1/);
 			});
 
-			it('should retry when redis conflicts', async () => {
-				let numCalls = 0;
-				const originalExec = mockRedisExec;
-				mockRedisExec = () => {
-					numCalls++;
-					if (numCalls > 1) {
-						mockRedisExec = originalExec;
-					}
-					return Promise.resolve(null);
-				};
-
-				await serviceUnderTest().limit(limit, actor);
-
-				expect(numCalls).toBe(2);
-			});
-
-			it('should bail out after 5 tries', async () => {
-				let numCalls = 0;
-				mockRedisExec = () => {
-					numCalls++;
-					return Promise.resolve(null);
-				};
-
-				const promise = serviceUnderTest().limit(limit, actor);
-
-				await expect(promise).rejects.toThrow(/transaction conflict/);
-				expect(numCalls).toBe(5);
-			});
-
 			it('should apply correction if extra calls slip through', async () => {
 				limitCounter = 2;
 
@@ -473,8 +490,9 @@ describe(SkRateLimiterService, () => {
 				await serviceUnderTest().limit(limit, actor); // blocked
 				mockTimeService.now += 1000; // 1 - 1 = 0
 				mockTimeService.now += 1000; // 0 - 1 = 0
-				await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
+				const info = await serviceUnderTest().limit(limit, actor); // 0 + 1 = 1
 
+				expect(info.blocked).toBeFalsy();
 				expect(limitCounter).toBe(1);
 				expect(limitTimestamp).toBe(3000);
 			});
@@ -529,7 +547,19 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_c', 1]);
+			});
+
+			it('should set timer expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_t', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -688,7 +718,19 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_c', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_t', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
@@ -866,7 +908,19 @@ describe(SkRateLimiterService, () => {
 
 				await serviceUnderTest().limit(limit, actor);
 
-				expect(commands).toContainEqual(['set', 'rl_actor_test', '1:0', 'EX', 1]);
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_c', 1]);
+			});
+
+			it('should set timestamp expiration', async () => {
+				const commands: unknown[][] = [];
+				mockRedis.push(command => {
+					commands.push(command);
+					return null;
+				});
+
+				await serviceUnderTest().limit(limit, actor);
+
+				expect(commands).toContainEqual(['expire', 'rl_actor_test_t', 1]);
 			});
 
 			it('should not increment when already blocked', async () => {
-- 
cgit v1.2.3-freya


From 0f5c78a69bf9ccf645b981e6ec844878feafd36c Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Wed, 11 Dec 2024 09:10:56 -0500
Subject: increase chart rate limits (fixes 429s in control panel / info pages)

---
 packages/backend/src/server/api/endpoints/charts/active-users.ts   | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/ap-request.ts     | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/drive.ts          | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/federation.ts     | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/instance.ts       | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/notes.ts          | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/user/drive.ts     | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/user/following.ts | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/user/notes.ts     | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/user/pv.ts        | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/user/reactions.ts | 7 ++++---
 packages/backend/src/server/api/endpoints/charts/users.ts          | 7 ++++---
 12 files changed, 48 insertions(+), 36 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/charts/active-users.ts b/packages/backend/src/server/api/endpoints/charts/active-users.ts
index f6c0c045df..dcdcf46d0b 100644
--- a/packages/backend/src/server/api/endpoints/charts/active-users.ts
+++ b/packages/backend/src/server/api/endpoints/charts/active-users.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/ap-request.ts b/packages/backend/src/server/api/endpoints/charts/ap-request.ts
index 4c5c0d5d20..28c64229e7 100644
--- a/packages/backend/src/server/api/endpoints/charts/ap-request.ts
+++ b/packages/backend/src/server/api/endpoints/charts/ap-request.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/drive.ts b/packages/backend/src/server/api/endpoints/charts/drive.ts
index 8210ec8fe7..69ff3c5d7a 100644
--- a/packages/backend/src/server/api/endpoints/charts/drive.ts
+++ b/packages/backend/src/server/api/endpoints/charts/drive.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/federation.ts b/packages/backend/src/server/api/endpoints/charts/federation.ts
index 56a5dbea31..bd870cc3d9 100644
--- a/packages/backend/src/server/api/endpoints/charts/federation.ts
+++ b/packages/backend/src/server/api/endpoints/charts/federation.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/instance.ts b/packages/backend/src/server/api/endpoints/charts/instance.ts
index 7f79e1356d..765bf024ee 100644
--- a/packages/backend/src/server/api/endpoints/charts/instance.ts
+++ b/packages/backend/src/server/api/endpoints/charts/instance.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/notes.ts b/packages/backend/src/server/api/endpoints/charts/notes.ts
index b3660b558b..ecac436311 100644
--- a/packages/backend/src/server/api/endpoints/charts/notes.ts
+++ b/packages/backend/src/server/api/endpoints/charts/notes.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/user/drive.ts b/packages/backend/src/server/api/endpoints/charts/user/drive.ts
index 716c41f385..98ec40ade2 100644
--- a/packages/backend/src/server/api/endpoints/charts/user/drive.ts
+++ b/packages/backend/src/server/api/endpoints/charts/user/drive.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/user/following.ts b/packages/backend/src/server/api/endpoints/charts/user/following.ts
index b67b5ca338..cb3dd36bab 100644
--- a/packages/backend/src/server/api/endpoints/charts/user/following.ts
+++ b/packages/backend/src/server/api/endpoints/charts/user/following.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/user/notes.ts b/packages/backend/src/server/api/endpoints/charts/user/notes.ts
index e5587cab86..0742a21210 100644
--- a/packages/backend/src/server/api/endpoints/charts/user/notes.ts
+++ b/packages/backend/src/server/api/endpoints/charts/user/notes.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/user/pv.ts b/packages/backend/src/server/api/endpoints/charts/user/pv.ts
index cbae3a21c1..a220381b00 100644
--- a/packages/backend/src/server/api/endpoints/charts/user/pv.ts
+++ b/packages/backend/src/server/api/endpoints/charts/user/pv.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/user/reactions.ts b/packages/backend/src/server/api/endpoints/charts/user/reactions.ts
index d734240742..3bb33622c2 100644
--- a/packages/backend/src/server/api/endpoints/charts/user/reactions.ts
+++ b/packages/backend/src/server/api/endpoints/charts/user/reactions.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
diff --git a/packages/backend/src/server/api/endpoints/charts/users.ts b/packages/backend/src/server/api/endpoints/charts/users.ts
index 6e1a8ebd4f..b5452517ab 100644
--- a/packages/backend/src/server/api/endpoints/charts/users.ts
+++ b/packages/backend/src/server/api/endpoints/charts/users.ts
@@ -17,10 +17,11 @@ export const meta = {
 	allowGet: true,
 	cacheSec: 60 * 60,
 
-	// 10 calls per 5 seconds
+	// Burst up to 100, then 2/sec average
 	limit: {
-		duration: 1000 * 5,
-		max: 10,
+		type: 'bucket',
+		size: 100,
+		dripRate: 500,
 	},
 } as const;
 
-- 
cgit v1.2.3-freya


From 755ff8783b9b4c1b4e5949fa417e0c85a8bc0e29 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Wed, 11 Dec 2024 14:07:25 -0500
Subject: clarify naming of legacy rate limit methods

---
 packages/backend/src/server/api/SkRateLimiterService.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/SkRateLimiterService.ts b/packages/backend/src/server/api/SkRateLimiterService.ts
index d349e192e1..38c97b63df 100644
--- a/packages/backend/src/server/api/SkRateLimiterService.ts
+++ b/packages/backend/src/server/api/SkRateLimiterService.ts
@@ -55,15 +55,15 @@ export class SkRateLimiterService {
 
 	private async limitLegacy(limit: Keyed<LegacyRateLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (hasMaxLimit(limit)) {
-			return await this.limitMaxLegacy(limit, actor, factor);
+			return await this.limitLegacyMinMax(limit, actor, factor);
 		} else if (hasMinLimit(limit)) {
-			return await this.limitMinLegacy(limit, actor, factor);
+			return await this.limitLegacyMinOnly(limit, actor, factor);
 		} else {
 			return disabledLimitInfo;
 		}
 	}
 
-	private async limitMaxLegacy(limit: Keyed<MaxLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitLegacyMinMax(limit: Keyed<MaxLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.duration === 0) return disabledLimitInfo;
 		if (limit.duration < 0) throw new Error(`Invalid rate limit ${limit.key}: duration is negative (${limit.duration})`);
 		if (limit.max < 1) throw new Error(`Invalid rate limit ${limit.key}: max is less than 1 (${limit.max})`);
@@ -87,7 +87,7 @@ export class SkRateLimiterService {
 		return await this.limitBucket(bucketLimit, actor, factor);
 	}
 
-	private async limitMinLegacy(limit: Keyed<MinLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
+	private async limitLegacyMinOnly(limit: Keyed<MinLegacyLimit>, actor: string, factor: number): Promise<LimitInfo> {
 		if (limit.minInterval === 0) return disabledLimitInfo;
 		if (limit.minInterval < 0) throw new Error(`Invalid rate limit ${limit.key}: minInterval is negative (${limit.minInterval})`);
 
-- 
cgit v1.2.3-freya


From 00c4637b1186fa78a3955e8b5103c05c2e2b4431 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Thu, 12 Dec 2024 07:34:14 -0500
Subject: federate profile when `hideOnlineStatus` changes

---
 packages/backend/src/server/api/endpoints/i/update.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 8e61b8f784..c640caee75 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -587,7 +587,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// these two methods need to be kept in sync with
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
-		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs'] as (keyof MiUser)[]) {
+		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus'] as (keyof MiUser)[]) {
 			if ((field in newUser) && oldUser[field] !== newUser[field]) {
 				return true;
 			}
-- 
cgit v1.2.3-freya


From fe37aa2ce851dfba4cb7b47ee569d20272b7f75e Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Mon, 9 Dec 2024 09:11:39 -0500
Subject: Add "enable RSS" user privacy toggle

---
 locales/index.d.ts                                          |  8 ++++++++
 .../backend/migration/1733748798177-add_user_enableRss.js   | 13 +++++++++++++
 packages/backend/src/core/SignupService.ts                  |  1 +
 packages/backend/src/core/activitypub/ApRendererService.ts  |  1 +
 packages/backend/src/core/activitypub/misc/contexts.ts      |  1 +
 .../backend/src/core/activitypub/models/ApPersonService.ts  |  2 ++
 packages/backend/src/core/activitypub/type.ts               |  1 +
 packages/backend/src/core/entities/UserEntityService.ts     |  1 +
 packages/backend/src/models/User.ts                         | 11 +++++++++++
 packages/backend/src/models/json-schema/user.ts             |  4 ++++
 packages/backend/src/server/api/endpoints/i/update.ts       |  2 ++
 packages/backend/src/server/web/ClientServerService.ts      |  1 +
 packages/frontend/src/pages/settings/privacy.vue            |  6 ++++++
 packages/misskey-js/src/autogen/types.ts                    |  2 ++
 sharkey-locales/en-US.yml                                   |  2 ++
 15 files changed, 56 insertions(+)
 create mode 100644 packages/backend/migration/1733748798177-add_user_enableRss.js

(limited to 'packages/backend/src/server/api')

diff --git a/locales/index.d.ts b/locales/index.d.ts
index 7ab1b7f545..3ffa402598 100644
--- a/locales/index.d.ts
+++ b/locales/index.d.ts
@@ -10847,6 +10847,14 @@ export interface Locale extends ILocale {
      * Stop note search from indexing your public notes.
      */
     "makeIndexableDescription": string;
+    /**
+     * Enable RSS feed
+     */
+    "enableRss": string;
+    /**
+     * Generate an RSS feed containing your basic profile details and public notes. Users can subscribe to the feed without a follow request or approval.
+     */
+    "enableRssDescription": string;
     /**
      * Require approval for new users
      */
diff --git a/packages/backend/migration/1733748798177-add_user_enableRss.js b/packages/backend/migration/1733748798177-add_user_enableRss.js
new file mode 100644
index 0000000000..64662ca7b8
--- /dev/null
+++ b/packages/backend/migration/1733748798177-add_user_enableRss.js
@@ -0,0 +1,13 @@
+export class AddUserEnableRss1733748798177 {
+    name = 'AddUserEnableRss1733748798177'
+
+    async up(queryRunner) {
+				// Disable by default, then specifically enable for all existing local users.
+				await queryRunner.query(`ALTER TABLE "user" ADD "enable_rss" boolean NOT NULL DEFAULT false`);
+				await queryRunner.query(`UPDATE "user" SET "enable_rss" = true WHERE host IS NULL;`)
+		}
+
+    async down(queryRunner) {
+				await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "enable_rss"`);
+		}
+}
diff --git a/packages/backend/src/core/SignupService.ts b/packages/backend/src/core/SignupService.ts
index 1b0b1e5bbd..3f0523b610 100644
--- a/packages/backend/src/core/SignupService.ts
+++ b/packages/backend/src/core/SignupService.ts
@@ -135,6 +135,7 @@ export class SignupService {
 				isRoot: isTheFirstUser,
 				approved: isTheFirstUser || (opts.approved ?? !this.meta.approvalRequiredForSignup),
 				signupReason: reason,
+				enableRss: false,
 			}));
 
 			await transactionalEntityManager.save(new MiUserKeypair({
diff --git a/packages/backend/src/core/activitypub/ApRendererService.ts b/packages/backend/src/core/activitypub/ApRendererService.ts
index ff909778e8..57489c754f 100644
--- a/packages/backend/src/core/activitypub/ApRendererService.ts
+++ b/packages/backend/src/core/activitypub/ApRendererService.ts
@@ -531,6 +531,7 @@ export class ApRendererService {
 			hideOnlineStatus: user.hideOnlineStatus,
 			noindex: user.noindex,
 			indexable: !user.noindex,
+			enableRss: user.enableRss,
 			speakAsCat: user.speakAsCat,
 			attachment: attachment.length ? attachment : undefined,
 		};
diff --git a/packages/backend/src/core/activitypub/misc/contexts.ts b/packages/backend/src/core/activitypub/misc/contexts.ts
index 1c4239502e..9c2640758f 100644
--- a/packages/backend/src/core/activitypub/misc/contexts.ts
+++ b/packages/backend/src/core/activitypub/misc/contexts.ts
@@ -567,6 +567,7 @@ const extension_context_definition = {
 	hideOnlineStatus: 'sharkey:hideOnlineStatus',
 	backgroundUrl: 'sharkey:backgroundUrl',
 	listenbrainz: 'sharkey:listenbrainz',
+	enableRss: 'sharkey:enableRss',
 	// vcard
 	vcard: 'http://www.w3.org/2006/vcard/ns#',
 } satisfies Context;
diff --git a/packages/backend/src/core/activitypub/models/ApPersonService.ts b/packages/backend/src/core/activitypub/models/ApPersonService.ts
index 2cb31b1f09..b1bd379861 100644
--- a/packages/backend/src/core/activitypub/models/ApPersonService.ts
+++ b/packages/backend/src/core/activitypub/models/ApPersonService.ts
@@ -385,6 +385,7 @@ export class ApPersonService implements OnModuleInit {
 					lastFetchedAt: new Date(),
 					name: truncate(person.name, nameLength),
 					noindex: (person as any).noindex ?? false,
+					enableRss: person.enableRss === true,
 					isLocked: person.manuallyApprovesFollowers,
 					movedToUri: person.movedTo,
 					movedAt: person.movedTo ? new Date() : null,
@@ -584,6 +585,7 @@ export class ApPersonService implements OnModuleInit {
 			isCat: (person as any).isCat === true,
 			speakAsCat: (person as any).speakAsCat != null ? (person as any).speakAsCat === true : (person as any).isCat === true,
 			noindex: (person as any).noindex ?? false,
+			enableRss: person.enableRss === true,
 			isLocked: person.manuallyApprovesFollowers,
 			movedToUri: person.movedTo ?? null,
 			alsoKnownAs: person.alsoKnownAs ?? null,
diff --git a/packages/backend/src/core/activitypub/type.ts b/packages/backend/src/core/activitypub/type.ts
index a0a5ae00dc..6da382e3ec 100644
--- a/packages/backend/src/core/activitypub/type.ts
+++ b/packages/backend/src/core/activitypub/type.ts
@@ -217,6 +217,7 @@ export interface IActor extends IObject {
 	'vcard:Address'?: string;
 	hideOnlineStatus?: boolean;
 	noindex?: boolean;
+	enableRss?: boolean;
 	listenbrainz?: string;
 	backgroundUrl?: string;
 }
diff --git a/packages/backend/src/core/entities/UserEntityService.ts b/packages/backend/src/core/entities/UserEntityService.ts
index b1832ca0f5..8a48c8c6b4 100644
--- a/packages/backend/src/core/entities/UserEntityService.ts
+++ b/packages/backend/src/core/entities/UserEntityService.ts
@@ -539,6 +539,7 @@ export class UserEntityService implements OnModuleInit {
 			isBot: user.isBot,
 			isCat: user.isCat,
 			noindex: user.noindex,
+			enableRss: user.enableRss,
 			isSilenced: user.isSilenced || this.roleService.getUserPolicies(user.id).then(r => !r.canPublicNote),
 			speakAsCat: user.speakAsCat ?? false,
 			approved: user.approved,
diff --git a/packages/backend/src/models/User.ts b/packages/backend/src/models/User.ts
index 73a44de558..8420b5b129 100644
--- a/packages/backend/src/models/User.ts
+++ b/packages/backend/src/models/User.ts
@@ -311,6 +311,17 @@ export class MiUser {
 	})
 	public signupReason: string | null;
 
+	/**
+	 * True if profile RSS feeds are enabled for this user.
+	 * Enabled by default (opt-out) for existing users, to avoid breaking any existing feeds.
+	 * Disabled by default (opt-in) for newly created users, for privacy.
+	 */
+	@Column('boolean', {
+		name: 'enable_rss',
+		default: true,
+	})
+	public enableRss = true;
+
 	constructor(data: Partial<MiUser>) {
 		if (data == null) return;
 
diff --git a/packages/backend/src/models/json-schema/user.ts b/packages/backend/src/models/json-schema/user.ts
index d5e847cc40..12ed1f2009 100644
--- a/packages/backend/src/models/json-schema/user.ts
+++ b/packages/backend/src/models/json-schema/user.ts
@@ -130,6 +130,10 @@ export const packedUserLiteSchema = {
 			type: 'boolean',
 			nullable: false, optional: false,
 		},
+		enableRss: {
+			type: 'boolean',
+			nullable: false, optional: false,
+		},
 		isBot: {
 			type: 'boolean',
 			nullable: false, optional: true,
diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index c640caee75..cae2964628 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -187,6 +187,7 @@ export const paramDef = {
 		noCrawle: { type: 'boolean' },
 		preventAiLearning: { type: 'boolean' },
 		noindex: { type: 'boolean' },
+		enableRss: { type: 'boolean' },
 		isBot: { type: 'boolean' },
 		isCat: { type: 'boolean' },
 		speakAsCat: { type: 'boolean' },
@@ -337,6 +338,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (typeof ps.hideOnlineStatus === 'boolean') updates.hideOnlineStatus = ps.hideOnlineStatus;
 			if (typeof ps.publicReactions === 'boolean') profileUpdates.publicReactions = ps.publicReactions;
 			if (typeof ps.noindex === 'boolean') updates.noindex = ps.noindex;
+			if (typeof ps.enableRss === 'boolean') updates.enableRss = ps.enableRss;
 			if (typeof ps.isBot === 'boolean') updates.isBot = ps.isBot;
 			if (typeof ps.carefulBot === 'boolean') profileUpdates.carefulBot = ps.carefulBot;
 			if (typeof ps.autoAcceptFollowed === 'boolean') profileUpdates.autoAcceptFollowed = ps.autoAcceptFollowed;
diff --git a/packages/backend/src/server/web/ClientServerService.ts b/packages/backend/src/server/web/ClientServerService.ts
index aca98c4d37..42f9b104ff 100644
--- a/packages/backend/src/server/web/ClientServerService.ts
+++ b/packages/backend/src/server/web/ClientServerService.ts
@@ -510,6 +510,7 @@ export class ClientServerService {
 				usernameLower: username.toLowerCase(),
 				host: host ?? IsNull(),
 				isSuspended: false,
+				enableRss: true,
 			});
 
 			return user && await this.feedService.packFeed(user);
diff --git a/packages/frontend/src/pages/settings/privacy.vue b/packages/frontend/src/pages/settings/privacy.vue
index b155d6e316..dccfb584ae 100644
--- a/packages/frontend/src/pages/settings/privacy.vue
+++ b/packages/frontend/src/pages/settings/privacy.vue
@@ -43,6 +43,10 @@ SPDX-License-Identifier: AGPL-3.0-only
 		{{ i18n.ts.makeExplorable }}
 		<template #caption>{{ i18n.ts.makeExplorableDescription }}</template>
 	</MkSwitch>
+	<MkSwitch v-model="enableRss" @update:modelValue="save()">
+		{{ i18n.ts.enableRss }}
+		<template #caption>{{ i18n.ts.enableRssDescription }}</template>
+	</MkSwitch>
 
 	<FormSection>
 		<div class="_gaps_m">
@@ -89,6 +93,7 @@ const isLocked = ref($i.isLocked);
 const autoAcceptFollowed = ref($i.autoAcceptFollowed);
 const noCrawle = ref($i.noCrawle);
 const noindex = ref($i.noindex);
+const enableRss = ref($i.enableRss);
 const isExplorable = ref($i.isExplorable);
 const hideOnlineStatus = ref($i.hideOnlineStatus);
 const publicReactions = ref($i.publicReactions);
@@ -106,6 +111,7 @@ function save() {
 		autoAcceptFollowed: !!autoAcceptFollowed.value,
 		noCrawle: !!noCrawle.value,
 		noindex: !!noindex.value,
+		enableRss: !!enableRss.value,
 		isExplorable: !!isExplorable.value,
 		hideOnlineStatus: !!hideOnlineStatus.value,
 		publicReactions: !!publicReactions.value,
diff --git a/packages/misskey-js/src/autogen/types.ts b/packages/misskey-js/src/autogen/types.ts
index 29c2e814d2..b161698f27 100644
--- a/packages/misskey-js/src/autogen/types.ts
+++ b/packages/misskey-js/src/autogen/types.ts
@@ -3913,6 +3913,7 @@ export type components = {
       /** @default false */
       isSystem?: boolean;
       noindex: boolean;
+      enableRss: boolean;
       isBot?: boolean;
       isCat?: boolean;
       speakAsCat?: boolean;
@@ -21320,6 +21321,7 @@ export type operations = {
           noCrawle?: boolean;
           preventAiLearning?: boolean;
           noindex?: boolean;
+          enableRss?: boolean;
           isBot?: boolean;
           isCat?: boolean;
           speakAsCat?: boolean;
diff --git a/sharkey-locales/en-US.yml b/sharkey-locales/en-US.yml
index f15646a156..4e462edda7 100644
--- a/sharkey-locales/en-US.yml
+++ b/sharkey-locales/en-US.yml
@@ -88,6 +88,8 @@ searchEngineCustomURIDescription: "The custom URI must be input in the format li
 searchEngineCusomURI: "Custom URI"
 makeIndexable: "Make public notes not indexable"
 makeIndexableDescription: "Stop note search from indexing your public notes."
+enableRss: "Enable RSS feed"
+enableRssDescription: "Generate an RSS feed containing your basic profile details and public notes. Users can subscribe to the feed without a follow request or approval."
 sendErrorReportsDescription: "When turned on, detailed error information will be shared with Sharkey when a problem occurs, helping to improve the quality of Sharkey.\nThis will include information such the version of your OS, what browser you're using, your activity in Sharkey, etc."
 noInquiryUrlWarning: "Contact URL is not set."
 misskeyUpdated: "Sharkey has been updated!"
-- 
cgit v1.2.3-freya


From 02b600c9dae3e4f461fef884e061468d8b647b63 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Thu, 12 Dec 2024 07:29:02 -0500
Subject: federate profile when changing `enableRss` value

---
 packages/backend/src/server/api/endpoints/i/update.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index cae2964628..91f871a952 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -589,7 +589,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// these two methods need to be kept in sync with
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
-		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus'] as (keyof MiUser)[]) {
+		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus', 'enableRss'] as (keyof MiUser)[]) {
 			if ((field in newUser) && oldUser[field] !== newUser[field]) {
 				return true;
 			}
-- 
cgit v1.2.3-freya


From 1c65f234458c5ce6f67280bc2aa7b4e04f1aa671 Mon Sep 17 00:00:00 2001
From: Hazelnoot <acomputerdog@gmail.com>
Date: Thu, 12 Dec 2024 07:31:11 -0500
Subject: safer typings for `userNeedsPublishing` and `profileNeedsPublishing`

---
 packages/backend/src/server/api/endpoints/i/update.ts | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index 91f871a952..c22cbe5d4b 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -589,12 +589,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// these two methods need to be kept in sync with
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
-		for (const field of ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus', 'enableRss'] as (keyof MiUser)[]) {
+		const basicFields: (keyof MiUser)[] = ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus', 'enableRss'];
+		for (const field of basicFields) {
 			if ((field in newUser) && oldUser[field] !== newUser[field]) {
 				return true;
 			}
 		}
-		for (const arrayField of ['emojis', 'tags'] as (keyof MiUser)[]) {
+
+		const arrayFields: (keyof MiUser)[] = ['emojis', 'tags'];
+		for (const arrayField of arrayFields) {
 			if ((arrayField in newUser) !== (arrayField in oldUser)) {
 				return true;
 			}
@@ -604,7 +607,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (!Array.isArray(oldArray) || !Array.isArray(newArray)) {
 				return true;
 			}
-			if (oldArray.join("\0") !== newArray.join("\0")) {
+			if (oldArray.join('\0') !== newArray.join('\0')) {
 				return true;
 			}
 		}
@@ -612,12 +615,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	}
 
 	private profileNeedsPublishing(oldProfile: MiUserProfile, newProfile: Partial<MiUserProfile>): boolean {
-		for (const field of ['description', 'followedMessage', 'birthday', 'location', 'listenbrainz'] as (keyof MiUserProfile)[]) {
+		const basicFields: (keyof MiUserProfile)[] = ['description', 'followedMessage', 'birthday', 'location', 'listenbrainz'];
+		for (const field of basicFields) {
 			if ((field in newProfile) && oldProfile[field] !== newProfile[field]) {
 				return true;
 			}
 		}
-		for (const arrayField of ['fields'] as (keyof MiUserProfile)[]) {
+
+		const arrayFields: (keyof MiUserProfile)[] = ['fields'];
+		for (const arrayField of arrayFields) {
 			if ((arrayField in newProfile) !== (arrayField in oldProfile)) {
 				return true;
 			}
@@ -627,7 +633,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (!Array.isArray(oldArray) || !Array.isArray(newArray)) {
 				return true;
 			}
-			if (oldArray.join("\0") !== newArray.join("\0")) {
+			if (oldArray.join('\0') !== newArray.join('\0')) {
 				return true;
 			}
 		}
-- 
cgit v1.2.3-freya


From e9f68ab2b03bda4aa972f917f26e53d10f7058b7 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Thu, 12 Dec 2024 17:40:22 +0000
Subject: actually publish profile updates with changes to new mk fields

I had forgotten to check these
---
 packages/backend/src/server/api/endpoints/i/update.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index fe28b50338..bb0f5aa11a 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -621,7 +621,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 	// these two methods need to be kept in sync with
 	// `ApRendererService.renderPerson`
 	private userNeedsPublishing(oldUser: MiLocalUser, newUser: Partial<MiUser>): boolean {
-		const basicFields: (keyof MiUser)[] = ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus', 'enableRss'];
+		const basicFields: (keyof MiUser)[] = ['avatarId', 'bannerId', 'backgroundId', 'isBot', 'username', 'name', 'isLocked', 'isExplorable', 'isCat', 'noindex', 'speakAsCat', 'movedToUri', 'alsoKnownAs', 'hideOnlineStatus', 'enableRss', 'requireSigninToViewContents', 'makeNotesFollowersOnlyBefore', 'makeNotesHiddenBefore'];
 		for (const field of basicFields) {
 			if ((field in newUser) && oldUser[field] !== newUser[field]) {
 				return true;
-- 
cgit v1.2.3-freya


From 0c1dd73341bdbdb05dfea0b6215fa4e0c3cd7a8b Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 13 Dec 2024 15:56:07 +0000
Subject: on 429, retry `fetchAccount` instead of failing

when switching between accounts, with many tabs open (10 seem to be
enough), they all hit the endpoint at the same time, and some get rate
limited.

treating a 429 as a fatal error confuses the frontend, which ends up
logging the user out of all their accounts.

this code makes the frontend retry, after waiting the appropriate
amount of time.

seems to work fine in my testing.
---
 packages/backend/src/server/api/ApiCallService.ts | 1 +
 packages/frontend/src/account.ts                  | 7 +++++++
 2 files changed, 8 insertions(+)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index c6c33f7303..974be7e4e1 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -340,6 +340,7 @@ export class ApiCallService implements OnApplicationShutdown {
 						code: 'RATE_LIMIT_EXCEEDED',
 						id: 'd5826d14-3982-4d2e-8011-b9e9f02499ef',
 						httpStatusCode: 429,
+						info,
 					});
 				}
 			}
diff --git a/packages/frontend/src/account.ts b/packages/frontend/src/account.ts
index e3416f2c29..f0a464084f 100644
--- a/packages/frontend/src/account.ts
+++ b/packages/frontend/src/account.ts
@@ -147,6 +147,13 @@ function fetchAccount(token: string, id?: string, forceShowDialog?: boolean): Pr
 								text: i18n.ts.tokenRevokedDescription,
 							});
 						}
+					} else if (res.error.id === 'd5826d14-3982-4d2e-8011-b9e9f02499ef') {
+						// rate limited
+						const timeToWait = res.error.info?.resetMs ?? 1000;
+						window.setTimeout(timeToWait, () => {
+							fetchAccount(token, id, forceShowDialog).then(done, fail);
+						});
+						return;
 					} else {
 						await alert({
 							type: 'error',
-- 
cgit v1.2.3-freya


From 9b1fc969086fb0c3ea88c979f254e964f9218dc5 Mon Sep 17 00:00:00 2001
From: dakkar <dakkar@thenautilus.net>
Date: Fri, 13 Dec 2024 16:17:43 +0000
Subject: fix passing rate limiting info via ApiError

---
 packages/backend/src/server/api/ApiCallService.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/ApiCallService.ts b/packages/backend/src/server/api/ApiCallService.ts
index 974be7e4e1..03f25a51fe 100644
--- a/packages/backend/src/server/api/ApiCallService.ts
+++ b/packages/backend/src/server/api/ApiCallService.ts
@@ -340,8 +340,7 @@ export class ApiCallService implements OnApplicationShutdown {
 						code: 'RATE_LIMIT_EXCEEDED',
 						id: 'd5826d14-3982-4d2e-8011-b9e9f02499ef',
 						httpStatusCode: 429,
-						info,
-					});
+					}, info);
 				}
 			}
 		}
-- 
cgit v1.2.3-freya


From e50ff9db6ae91e1ad34bc50935300515841bf719 Mon Sep 17 00:00:00 2001
From: Marie <github@yuugi.dev>
Date: Sun, 15 Dec 2024 22:41:16 +0100
Subject: upd: make schedule time work cross timezones

---
 packages/backend/package.json                      |  2 +-
 .../server/api/endpoints/notes/schedule/create.ts  | 10 ++--
 packages/frontend/package.json                     |  1 +
 .../frontend/src/components/MkScheduleEditor.vue   |  3 +-
 pnpm-lock.yaml                                     | 54 ++++++++--------------
 5 files changed, 28 insertions(+), 42 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/package.json b/packages/backend/package.json
index 702b788061..dd6c9cc792 100644
--- a/packages/backend/package.json
+++ b/packages/backend/package.json
@@ -141,11 +141,11 @@
 		"juice": "11.0.0",
 		"megalodon": "workspace:*",
 		"meilisearch": "0.45.0",
-		"juice": "11.0.0",
 		"microformats-parser": "2.0.2",
 		"mime-types": "2.1.35",
 		"misskey-js": "workspace:*",
 		"misskey-reversi": "workspace:*",
+		"moment": "^2.30.1",
 		"ms": "3.0.0-canary.1",
 		"nanoid": "5.0.8",
 		"nested-property": "4.0.0",
diff --git a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
index 7d20b6b82a..c6032fbdae 100644
--- a/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
+++ b/packages/backend/src/server/api/endpoints/notes/schedule/create.ts
@@ -6,6 +6,7 @@
 import ms from 'ms';
 import { In } from 'typeorm';
 import { Inject, Injectable } from '@nestjs/common';
+import moment from 'moment';
 import { isPureRenote } from '@/misc/is-renote.js';
 import type { MiUser } from '@/models/User.js';
 import type {
@@ -307,7 +308,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (ps.poll) {
 				let scheduleNote_scheduledAt = Date.now();
 				if (typeof ps.scheduleNote.scheduledAt === 'number') {
-					scheduleNote_scheduledAt = ps.scheduleNote.scheduledAt;
+					scheduleNote_scheduledAt = moment.utc(ps.scheduleNote.scheduledAt).local().valueOf();
 				}
 				if (typeof ps.poll.expiresAt === 'number') {
 					if (ps.poll.expiresAt < scheduleNote_scheduledAt) {
@@ -318,7 +319,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 				}
 			}
 			if (typeof ps.scheduleNote.scheduledAt === 'number') {
-				if (ps.scheduleNote.scheduledAt < Date.now()) {
+				if (moment.utc(ps.scheduleNote.scheduledAt).local().valueOf() < Date.now()) {
 					throw new ApiError(meta.errors.cannotCreateAlreadyExpiredSchedule);
 				}
 			} else {
@@ -347,14 +348,15 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 			if (ps.scheduleNote.scheduledAt) {
 				me.token = null;
 				const noteId = this.idService.gen(new Date().getTime());
+				const schedNoteLocalTime = moment.utc(ps.scheduleNote.scheduledAt).local().valueOf();
 				await this.noteScheduleRepository.insert({
 					id: noteId,
 					note: note,
 					userId: me.id,
-					scheduledAt: new Date(ps.scheduleNote.scheduledAt),
+					scheduledAt: new Date(schedNoteLocalTime),
 				});
 
-				const delay = new Date(ps.scheduleNote.scheduledAt).getTime() - Date.now();
+				const delay = new Date(schedNoteLocalTime).getTime() - Date.now();
 				await this.queueService.ScheduleNotePostQueue.add(String(delay), {
 					scheduleNoteId: noteId,
 				}, {
diff --git a/packages/frontend/package.json b/packages/frontend/package.json
index 752b6cb388..ce3fd90a86 100644
--- a/packages/frontend/package.json
+++ b/packages/frontend/package.json
@@ -57,6 +57,7 @@
 		"misskey-bubble-game": "workspace:*",
 		"misskey-js": "workspace:*",
 		"misskey-reversi": "workspace:*",
+		"moment": "^2.30.1",
 		"photoswipe": "5.4.4",
 		"punycode": "2.3.1",
 		"rollup": "4.26.0",
diff --git a/packages/frontend/src/components/MkScheduleEditor.vue b/packages/frontend/src/components/MkScheduleEditor.vue
index f40d37c962..695a474998 100644
--- a/packages/frontend/src/components/MkScheduleEditor.vue
+++ b/packages/frontend/src/components/MkScheduleEditor.vue
@@ -18,6 +18,7 @@ SPDX-License-Identifier: AGPL-3.0-only
 
 <script lang="ts" setup>
 import { onMounted, ref, watch } from 'vue';
+import moment from 'moment';
 import MkInput from '@/components/MkInput.vue';
 import { formatDateTimeString } from '@/scripts/format-time-string.js';
 import { addTime } from '@/scripts/time.js';
@@ -46,7 +47,7 @@ if (props.modelValue.scheduledAt) {
 
 function get() {
 	const calcAt = () => {
-		return new Date(`${ atDate.value } ${ atTime.value }`).getTime();
+		return moment(`${ atDate.value } ${ atTime.value }`).utc().valueOf();
 	};
 
 	return { scheduledAt: calcAt() };
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d01454e892..39956522fc 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -139,7 +139,7 @@ importers:
         version: 10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7)(encoding@0.1.13)(reflect-metadata@0.2.2)(rxjs@7.8.1)
       '@nestjs/testing':
         specifier: 10.4.7
-        version: 10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7)(encoding@0.1.13)(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7))
+        version: 10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7)(@nestjs/platform-express@10.4.7)
       '@peertube/http-signature':
         specifier: 1.7.0
         version: 1.7.0
@@ -320,6 +320,9 @@ importers:
       misskey-reversi:
         specifier: workspace:*
         version: link:../misskey-reversi
+      moment:
+        specifier: ^2.30.1
+        version: 2.30.1
       ms:
         specifier: 3.0.0-canary.1
         version: 3.0.0-canary.1
@@ -832,6 +835,9 @@ importers:
       misskey-reversi:
         specifier: workspace:*
         version: link:../misskey-reversi
+      moment:
+        specifier: ^2.30.1
+        version: 2.30.1
       photoswipe:
         specifier: 5.4.4
         version: 5.4.4
@@ -1194,7 +1200,7 @@ importers:
         version: 7.17.0(eslint@9.14.0)(typescript@5.6.3)
       '@vitest/coverage-v8':
         specifier: 1.6.0
-        version: 1.6.0(vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1)(sass@1.79.4)(terser@5.36.0))
+        version: 1.6.0(vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1(bufferutil@4.0.8)(utf-8-validate@6.0.4))(sass@1.79.4)(terser@5.36.0))
       '@vue/runtime-core':
         specifier: 3.5.12
         version: 3.5.12
@@ -8425,6 +8431,9 @@ packages:
   module-details-from-path@1.0.3:
     resolution: {integrity: sha512-ySViT69/76t8VhE1xXHK6Ch4NcDd26gx0MzKXLO+F7NOtnqH68d9zF94nT8ZWSxXh8ELOERsnJO/sWt1xZYw5A==}
 
+  moment@2.30.1:
+    resolution: {integrity: sha512-uEmtNhbDOrWPFS+hdjFCBfy9f2YoyzRpwcl+DqpC6taX21FzsTLQVbMV/W7PzNSX6x/bhC1zA3c2UQ5NzH6how==}
+
   ms@2.0.0:
     resolution: {integrity: sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==}
 
@@ -13269,7 +13278,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@nestjs/testing@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7)(encoding@0.1.13)(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7))':
+  '@nestjs/testing@10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/core@10.4.7)(@nestjs/platform-express@10.4.7)':
     dependencies:
       '@nestjs/common': 10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1)
       '@nestjs/core': 10.4.7(@nestjs/common@10.4.7(reflect-metadata@0.2.2)(rxjs@7.8.1))(@nestjs/platform-express@10.4.7)(encoding@0.1.13)(reflect-metadata@0.2.2)(rxjs@7.8.1)
@@ -15490,7 +15499,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  '@vitest/coverage-v8@1.6.0(vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1)(sass@1.79.4)(terser@5.36.0))':
+  '@vitest/coverage-v8@1.6.0(vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1(bufferutil@4.0.8)(utf-8-validate@6.0.4))(sass@1.79.4)(terser@5.36.0))':
     dependencies:
       '@ampproject/remapping': 2.2.1
       '@bcoe/v8-coverage': 0.2.3
@@ -15505,7 +15514,7 @@ snapshots:
       std-env: 3.7.0
       strip-literal: 2.1.0
       test-exclude: 6.0.0
-      vitest: 1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1)(sass@1.79.4)(terser@5.36.0)
+      vitest: 1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1(bufferutil@4.0.8)(utf-8-validate@6.0.4))(sass@1.79.4)(terser@5.36.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -19348,35 +19357,6 @@ snapshots:
 
   jsdoc-type-pratt-parser@4.1.0: {}
 
-  jsdom@24.1.1:
-    dependencies:
-      cssstyle: 4.0.1
-      data-urls: 5.0.0
-      decimal.js: 10.4.3
-      form-data: 4.0.1
-      html-encoding-sniffer: 4.0.0
-      http-proxy-agent: 7.0.2
-      https-proxy-agent: 7.0.5
-      is-potential-custom-element-name: 1.0.1
-      nwsapi: 2.2.12
-      parse5: 7.2.1
-      rrweb-cssom: 0.7.1
-      saxes: 6.0.0
-      symbol-tree: 3.2.4
-      tough-cookie: 4.1.4
-      w3c-xmlserializer: 5.0.0
-      webidl-conversions: 7.0.0
-      whatwg-encoding: 3.1.1
-      whatwg-mimetype: 4.0.0
-      whatwg-url: 14.0.0
-      ws: 8.18.0(bufferutil@4.0.7)(utf-8-validate@6.0.3)
-      xml-name-validator: 5.0.0
-    transitivePeerDependencies:
-      - bufferutil
-      - supports-color
-      - utf-8-validate
-    optional: true
-
   jsdom@24.1.1(bufferutil@4.0.7)(utf-8-validate@6.0.3):
     dependencies:
       cssstyle: 4.0.1
@@ -20215,6 +20195,8 @@ snapshots:
 
   module-details-from-path@1.0.3: {}
 
+  moment@2.30.1: {}
+
   ms@2.0.0: {}
 
   ms@2.1.2: {}
@@ -22848,7 +22830,7 @@ snapshots:
       - supports-color
       - terser
 
-  vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1)(sass@1.79.4)(terser@5.36.0):
+  vitest@1.6.0(@types/node@22.9.0)(happy-dom@10.0.3)(jsdom@24.1.1(bufferutil@4.0.8)(utf-8-validate@6.0.4))(sass@1.79.4)(terser@5.36.0):
     dependencies:
       '@vitest/expect': 1.6.0
       '@vitest/runner': 1.6.0
@@ -22873,7 +22855,7 @@ snapshots:
     optionalDependencies:
       '@types/node': 22.9.0
       happy-dom: 10.0.3
-      jsdom: 24.1.1
+      jsdom: 24.1.1(bufferutil@4.0.8)(utf-8-validate@6.0.4)
     transitivePeerDependencies:
       - less
       - lightningcss
-- 
cgit v1.2.3-freya


From 9160ede4d5482d70623dd64c47f13b61f7639fc0 Mon Sep 17 00:00:00 2001
From: bunnybeam <mailbunnybeam@gmail.com>
Date: Sat, 21 Dec 2024 01:34:56 +0000
Subject: replace RE2 with RegExp for regex word mute validation

---
 packages/backend/src/server/api/endpoints/i/update.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'packages/backend/src/server/api')

diff --git a/packages/backend/src/server/api/endpoints/i/update.ts b/packages/backend/src/server/api/endpoints/i/update.ts
index bb0f5aa11a..09c06a108d 100644
--- a/packages/backend/src/server/api/endpoints/i/update.ts
+++ b/packages/backend/src/server/api/endpoints/i/update.ts
@@ -3,7 +3,6 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import RE2 from 're2';
 import * as mfm from '@transfem-org/sfm-js';
 import { Inject, Injectable } from '@nestjs/common';
 import ms from 'ms';
@@ -325,7 +324,7 @@ export default class extends Endpoint<typeof meta, typeof paramDef> { // eslint-
 					if (!regexp) throw new ApiError(meta.errors.invalidRegexp);
 
 					try {
-						new RE2(regexp[1], regexp[2]);
+						new RegExp(regexp[1], regexp[2]);
 					} catch (err) {
 						throw new ApiError(meta.errors.invalidRegexp);
 					}
-- 
cgit v1.2.3-freya