From f100533fe809fd0488e1caab9f711f25f358ebae Mon Sep 17 00:00:00 2001
From: Aditoo17 <42938951+Aditoo17@users.noreply.github.com>
Date: Mon, 17 Dec 2018 17:39:58 +0100
Subject: [PATCH 01/29] L10n: Update Czech translation

---
 .../lang/vendor/backup/cs/notifications.php   | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 resources/lang/vendor/backup/cs/notifications.php

diff --git a/resources/lang/vendor/backup/cs/notifications.php b/resources/lang/vendor/backup/cs/notifications.php
new file mode 100644
index 000000000..947eb436e
--- /dev/null
+++ b/resources/lang/vendor/backup/cs/notifications.php
@@ -0,0 +1,35 @@
+<?php
+
+return [
+    'exception_message' => 'Zpráva výjimky: :message',
+    'exception_trace' => 'Stopa výjimky: :trace',
+    'exception_message_title' => 'Zpráva výjimky',
+    'exception_trace_title' => 'Stopa výjimky',
+
+    'backup_failed_subject' => 'Záloha :application_name neuspěla',
+    'backup_failed_body' => 'Důležité: Při záloze :application_name se vyskytla chyba',
+
+    'backup_successful_subject' => 'Úspěšná nová záloha :application_name',
+    'backup_successful_subject_title' => 'Úspěšná nová záloha!',
+    'backup_successful_body' => 'Dobrá zpráva, na disku jménem :disk_name byla úspěšně vytvořena nová záloha :application_name.',
+
+    'cleanup_failed_subject' => 'Vyčištění záloh :application_name neuspělo.',
+    'cleanup_failed_body' => 'Při vyčištění záloh :application_name se vyskytla chyba',
+
+    'cleanup_successful_subject' => 'Vyčištění záloh :application_name úspěšné',
+    'cleanup_successful_subject_title' => 'Vyčištění záloh bylo úspěšné!',
+    'cleanup_successful_body' => 'Vyčištění záloh :application_name na disku jménem :disk_name bylo úspěšné.',
+
+    'healthy_backup_found_subject' => 'Zálohy pro :application_name na disku :disk_name jsou zdravé',
+    'healthy_backup_found_subject_title' => 'Zálohy pro :application_name jsou zdravé',
+    'healthy_backup_found_body' => 'Zálohy pro :application_name jsou považovány za zdravé. Dobrá práce!',
+
+    'unhealthy_backup_found_subject' => 'Důležité: Zálohy pro :application_name jsou nezdravé',
+    'unhealthy_backup_found_subject_title' => 'Důležité: Zálohy pro :application_name jsou nezdravé. :problem',
+    'unhealthy_backup_found_body' => 'Zálohy pro :application_name na disku :disk_name Jsou nezdravé.',
+    'unhealthy_backup_found_not_reachable' => 'Nelze se dostat k cíli zálohy. :error',
+    'unhealthy_backup_found_empty' => 'Tato aplikace nemá vůbec žádné zálohy.',
+    'unhealthy_backup_found_old' => 'Poslední záloha vytvořená dne :date je považována za příliš starou.',
+    'unhealthy_backup_found_unknown' => 'Omlouváme se, nemůžeme určit přesný důvod.',
+    'unhealthy_backup_found_full' => 'Zálohy zabírají příliš mnoho místa na disku. Aktuální využití disku je :disk_usage, což je vyšší než povolený limit :disk_limit.',
+];

From bffaac1b08cd63fb27708a8001e25fd32ffb0c24 Mon Sep 17 00:00:00 2001
From: Carly Ho <yaysunshine@gmail.com>
Date: Tue, 25 Dec 2018 15:42:12 -0600
Subject: [PATCH 02/29] Add comment button to comment form where browser has
 'Touch' event enabled

---
 resources/assets/js/components.js             | 13 +++++++---
 .../assets/js/components/PostComponent.vue    | 21 ++++++++-------
 resources/assets/sass/custom.scss             | 26 ++++++++++++++++---
 3 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/resources/assets/js/components.js b/resources/assets/js/components.js
index 50aa36bda..3acb43982 100644
--- a/resources/assets/js/components.js
+++ b/resources/assets/js/components.js
@@ -25,6 +25,13 @@ pixelfed.readmore = () => {
   });
 };
 
+try {
+    document.createEvent("TouchEvent");
+    $('body').addClass('touch');
+} catch (e) {
+    return false;
+}
+
 window.InfiniteScroll = require('infinite-scroll');
 window.filesize = require('filesize');
 window.Plyr = require('plyr');
@@ -137,10 +144,10 @@ window.pixelfed.copyToClipboard = (str) => {
   const el = document.createElement('textarea');
   el.value = str;
   el.setAttribute('readonly', '');
-  el.style.position = 'absolute';                 
+  el.style.position = 'absolute';
   el.style.left = '-9999px';
   document.body.appendChild(el);
-  const selected = 
+  const selected =
     document.getSelection().rangeCount > 0
       ? document.getSelection().getRangeAt(0)
       : false;
@@ -162,4 +169,4 @@ $(document).ready(function() {
 const warningTitleCSS = 'color:red; font-size:60px; font-weight: bold; -webkit-text-stroke: 1px black;';
 const warningDescCSS = 'font-size: 18px;';
 console.log('%cStop!', warningTitleCSS);
-console.log("%cThis is a browser feature intended for developers. If someone told you to copy and paste something here to enable a Pixelfed feature or \"hack\" someone's account, it is a scam and will give them access to your Pixelfed account.", warningDescCSS);
\ No newline at end of file
+console.log("%cThis is a browser feature intended for developers. If someone told you to copy and paste something here to enable a Pixelfed feature or \"hack\" someone's account, it is a scam and will give them access to your Pixelfed account.", warningDescCSS);
diff --git a/resources/assets/js/components/PostComponent.vue b/resources/assets/js/components/PostComponent.vue
index c3b9f6258..cba5e9d62 100644
--- a/resources/assets/js/components/PostComponent.vue
+++ b/resources/assets/js/components/PostComponent.vue
@@ -56,11 +56,11 @@
        </div>
         <div class="col-12 col-md-8 px-0 mx-0">
             <div class="postPresenterLoader text-center">
-              <div class="lds-ring"><div></div><div></div><div></div><div></div></div> 
+              <div class="lds-ring"><div></div><div></div><div></div><div></div></div>
             </div>
             <div class="postPresenterContainer d-none d-flex justify-content-center align-items-center">
               <div v-if="status.pf_type === 'photo'" class="w-100">
-                <photo-presenter :status="status"></photo-presenter>  
+                <photo-presenter :status="status"></photo-presenter>
               </div>
 
               <div v-else-if="status.pf_type === 'video'" class="w-100">
@@ -156,6 +156,7 @@
               <input type="hidden" name="_token" value="">
               <input type="hidden" name="item" :value="statusId">
               <input class="form-control" name="comment" placeholder="Add a comment..." autocomplete="off">
+              <input type="submit" value="Send" class="btn btn-primary comment-submit" />
             </form>
           </div>
         </div>
@@ -164,10 +165,10 @@
     </div>
   </div>
 
-  <b-modal ref="likesModal" 
+  <b-modal ref="likesModal"
     id="l-modal"
-    hide-footer 
-    centered 
+    hide-footer
+    centered
     title="Likes"
     body-class="list-group-flush p-0">
     <div class="list-group">
@@ -195,10 +196,10 @@
       </infinite-loading>
     </div>
   </b-modal>
-  <b-modal ref="sharesModal" 
+  <b-modal ref="sharesModal"
     id="s-modal"
-    hide-footer 
-    centered 
+    hide-footer
+    centered
     title="Shares"
     body-class="list-group-flush p-0">
     <div class="list-group">
@@ -281,7 +282,7 @@ export default {
         $('head title').text(title);
       }
     },
-    
+
     methods: {
       authCheck() {
         let authed = $('body').hasClass('loggedIn');
@@ -510,4 +511,4 @@ export default {
       }
     }
 }
-</script>
\ No newline at end of file
+</script>
diff --git a/resources/assets/sass/custom.scss b/resources/assets/sass/custom.scss
index ea2e55bd8..45068728b 100644
--- a/resources/assets/sass/custom.scss
+++ b/resources/assets/sass/custom.scss
@@ -267,6 +267,26 @@ body, button, input, textarea {
 .card {
   box-shadow: 0 2px 6px 0 hsla(0, 0%, 0%, 0.2);
   border: none;
+
+  .comment-submit {
+      display: none;
+      position: absolute;
+      bottom: 12px;
+      right: 20px;
+      width: 60px;
+      text-align: center;
+      border-radius: 0 3px 3px 0;
+  }
+}
+
+.touch .card {
+    input[name="comment"] {
+        padding-right: 70px;
+    }
+
+    .comment-submit {
+        display: block;
+    }
 }
 
 .box-shadow {
@@ -319,7 +339,7 @@ details summary::-webkit-details-marker {
   box-shadow: 0 2px 4px 0 rgba(0,0,0,0.08);
   border-radius: 5px;
   padding: .5em 1em .5em .5em;
-} 
+}
 
 .input-elevated::placeholder {
   color: #838D99;
@@ -417,7 +437,7 @@ details summary::-webkit-details-marker {
     background: rgba(0,0,0,0.04);
 }
 
-.timeline-sidenav.nav-pills .nav-link.active, 
+.timeline-sidenav.nav-pills .nav-link.active,
 .timeline-sidenav.nav-pills .show > .nav-link {
     color: #08d;
     background: transparent;
@@ -434,4 +454,4 @@ details summary::-webkit-details-marker {
 
 .notification-tooltip .arrow::before {
   border-bottom-color:#dc3545 !important;
-}
\ No newline at end of file
+}

From 94a1d7da90a56cee42c805f1e44d6574ed000d19 Mon Sep 17 00:00:00 2001
From: Edward Betts <edward@4angle.com>
Date: Tue, 25 Dec 2018 21:59:32 +0000
Subject: [PATCH 03/29] Correct spelling mistakes

---
 resources/assets/js/components.js                    | 2 +-
 resources/assets/js/components/DiscoverComponent.vue | 2 +-
 resources/assets/js/components/PostComments.vue      | 4 ++--
 resources/assets/js/components/PostComponent.vue     | 4 ++--
 resources/assets/js/components/notifications.js      | 2 +-
 resources/views/settings/remove/permanent.blade.php  | 2 +-
 resources/views/site/help/getting-started.blade.php  | 2 +-
 resources/views/status/compose.blade.php             | 4 ++--
 resources/views/status/edit.blade.php                | 2 +-
 9 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/resources/assets/js/components.js b/resources/assets/js/components.js
index 50aa36bda..cc91bc2f4 100644
--- a/resources/assets/js/components.js
+++ b/resources/assets/js/components.js
@@ -55,7 +55,7 @@ require('./components/statusform');
 //     });
 // }
 
-// Initalize Notification Helper
+// Initialize Notification Helper
 window.pixelfed.n = {};
 
 Vue.component(
diff --git a/resources/assets/js/components/DiscoverComponent.vue b/resources/assets/js/components/DiscoverComponent.vue
index 974234b45..7cec33b60 100644
--- a/resources/assets/js/components/DiscoverComponent.vue
+++ b/resources/assets/js/components/DiscoverComponent.vue
@@ -70,7 +70,7 @@ export default {
       }).catch(err => {
         swal(
           'Whoops! Something went wrong...',
-          'An error occured, please try again later.',
+          'An error occurred, please try again later.',
           'error'
         );
       });
diff --git a/resources/assets/js/components/PostComments.vue b/resources/assets/js/components/PostComments.vue
index cc57ad699..6122f0b21 100644
--- a/resources/assets/js/components/PostComments.vue
+++ b/resources/assets/js/components/PostComments.vue
@@ -104,7 +104,7 @@ export default {
                 $('.postCommentsLoader .lds-ring')
                   .attr('style','width:100%')
                   .addClass('pt-4 font-weight-bold text-muted')
-                  .text('An error occured, cannot fetch comments. Please try again later.');
+                  .text('An error occurred, cannot fetch comments. Please try again later.');
               } else {
                 switch(error.response.status) {
                   case 401:
@@ -118,7 +118,7 @@ export default {
                     $('.postCommentsLoader .lds-ring')
                       .attr('style','width:100%')
                       .addClass('pt-4 font-weight-bold text-muted')
-                      .text('An error occured, cannot fetch comments. Please try again later.');
+                      .text('An error occurred, cannot fetch comments. Please try again later.');
                   break;
                 }
               }
diff --git a/resources/assets/js/components/PostComponent.vue b/resources/assets/js/components/PostComponent.vue
index c3b9f6258..50a6970e2 100644
--- a/resources/assets/js/components/PostComponent.vue
+++ b/resources/assets/js/components/PostComponent.vue
@@ -339,7 +339,7 @@ export default {
                 $('.postPresenterContainer').removeClass('d-none');
             }).catch(error => {
               if(!error.response) {
-                $('.postPresenterLoader .lds-ring').attr('style','width:100%').addClass('pt-4 font-weight-bold text-muted').text('An error occured, cannot fetch media. Please try again later.');
+                $('.postPresenterLoader .lds-ring').attr('style','width:100%').addClass('pt-4 font-weight-bold text-muted').text('An error occurred, cannot fetch media. Please try again later.');
               } else {
                 switch(error.response.status) {
                   case 401:
@@ -350,7 +350,7 @@ export default {
                   break;
 
                   default:
-                  $('.postPresenterLoader .lds-ring').attr('style','width:100%').addClass('pt-4 font-weight-bold text-muted').text('An error occured, cannot fetch media. Please try again later.');
+                  $('.postPresenterLoader .lds-ring').attr('style','width:100%').addClass('pt-4 font-weight-bold text-muted').text('An error occurred, cannot fetch media. Please try again later.');
                   break;
                 }
               }
diff --git a/resources/assets/js/components/notifications.js b/resources/assets/js/components/notifications.js
index 3ca2d8451..687c70e54 100644
--- a/resources/assets/js/components/notifications.js
+++ b/resources/assets/js/components/notifications.js
@@ -96,7 +96,7 @@ $(document).ready(function() {
 		}).catch(err => {
 			swal(
 				'Something went wrong!',
-				'An error occured, please try again later.',
+				'An error occurred, please try again later.',
 				'error'
 			);
 		});
diff --git a/resources/views/settings/remove/permanent.blade.php b/resources/views/settings/remove/permanent.blade.php
index b95aa2894..a805ce668 100644
--- a/resources/views/settings/remove/permanent.blade.php
+++ b/resources/views/settings/remove/permanent.blade.php
@@ -16,7 +16,7 @@
     <p class="">When you press the button below, your photos, comments, likes, friendships and all other data will be removed permanently and will not be recoverable. If you decide to create another Pixelfed account in the future, you cannot sign up with the same username again on this instance.</p>
 
     <div class="alert alert-danger my-5">
-      <span class="font-weight-bold">Warning:</span> Some remote servers may contain your public data (statuses, avatars, ect) and will not be deleted until federation support is launched.
+      <span class="font-weight-bold">Warning:</span> Some remote servers may contain your public data (statuses, avatars, etc) and will not be deleted until federation support is launched.
     </div>
 
   	<p>
diff --git a/resources/views/site/help/getting-started.blade.php b/resources/views/site/help/getting-started.blade.php
index 10adae72f..a764433f1 100644
--- a/resources/views/site/help/getting-started.blade.php
+++ b/resources/views/site/help/getting-started.blade.php
@@ -64,7 +64,7 @@
 <p>	
 	<a class="text-dark font-weight-bold" data-toggle="collapse" href="#collapse5" role="button" aria-expanded="false" aria-controls="collapse5">
 		<i class="fas fa-chevron-down mr-2"></i>
-		I recieved an email that I created an account, but I never signed up for one.
+		I received an email that I created an account, but I never signed up for one.
 	</a>
 	<div class="collapse" id="collapse5">
 		<div class="mt-2">
diff --git a/resources/views/status/compose.blade.php b/resources/views/status/compose.blade.php
index 8b5251a2f..691a97a3e 100644
--- a/resources/views/status/compose.blade.php
+++ b/resources/views/status/compose.blade.php
@@ -354,7 +354,7 @@ $(document).on('change', '.file-input', function(e) {
         el.remove();
       }
     }).catch(function(e) {
-      swal('Oops, something went wrong!', 'An unexpected error occured.', 'error');
+      swal('Oops, something went wrong!', 'An unexpected error occurred.', 'error');
     });
     io.value = null;
   });
@@ -478,7 +478,7 @@ $(document).on('click', '#create', function(e) {
       let data = res.data;
       window.location.href = data;
     }).catch(err => {
-      swal('Oops, something went wrong!', 'An unexpected error occured.', 'error');
+      swal('Oops, something went wrong!', 'An unexpected error occurred.', 'error');
     });
 })
 
diff --git a/resources/views/status/edit.blade.php b/resources/views/status/edit.blade.php
index ffb23cb37..d69843552 100644
--- a/resources/views/status/edit.blade.php
+++ b/resources/views/status/edit.blade.php
@@ -83,7 +83,7 @@
     }).then((res) => {
       swal('Success!', 'You have successfully updated your post', 'success');
     }).catch((err) => {
-      swal('Something went wrong', 'An error occured, please try again later', 'error');
+      swal('Something went wrong', 'An error occurred, please try again later', 'error');
     });
   });
 

From 14d43ba845042a6b63a5c6c2c2ce161935ebade7 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 15:21:25 -0700
Subject: [PATCH 04/29] Fix AP fanout

---
 app/Jobs/StatusPipeline/StatusActivityPubDeliver.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Jobs/StatusPipeline/StatusActivityPubDeliver.php b/app/Jobs/StatusPipeline/StatusActivityPubDeliver.php
index 1100f0988..12a66c373 100644
--- a/app/Jobs/StatusPipeline/StatusActivityPubDeliver.php
+++ b/app/Jobs/StatusPipeline/StatusActivityPubDeliver.php
@@ -38,7 +38,7 @@ class StatusActivityPubDeliver implements ShouldQueue
     {
         $status = $this->status;
 
-        if($status->local == true || $status->url || $status->uri) {
+        if($status->local == false || $status->url || $status->uri) {
             return;
         }
 

From 55ca00ba3006ccd9263a1a4b948c8543843aa619 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 17:45:29 -0700
Subject: [PATCH 05/29] Update FederationController, fixes #680

---
 app/Http/Controllers/FederationController.php | 11 +++++++++--
 app/Util/ActivityPub/Inbox.php                |  3 ++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index 2511b9984..b1e7d18cd 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -181,13 +181,20 @@ XML;
             return ProfileController::accountCheck($profile);
         }
         $body = $request->getContent();
-        $bodyDecoded = json_decode($body, true);
+        $bodyDecoded = json_decode($body, true, 8);
         $signature = $request->header('signature');
         if(!$signature) {
             abort(400, 'Missing signature header');
         }
         $signatureData = HttpSignature::parseSignatureHeader($signature);
-        $actor = Profile::whereKeyId($signatureData['keyId'])->first();
+        $keyId = Helpers::validateUrl($signatureData['keyId']);
+        $id = Helpers::validateUrl($bodyDecoded['id']);
+        $keyDomain = parse_url($keyId, PHP_URL_HOST);
+        $idDomain = parse_url($id, PHP_URL_HOST);
+        if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
+            abort(400, 'Invalid request');
+        }
+        $actor = Profile::whereKeyId($keyId)->first();
         if(!$actor) {
             $actor = Helpers::profileFirstOrNew($bodyDecoded['actor']);
         }
diff --git a/app/Util/ActivityPub/Inbox.php b/app/Util/ActivityPub/Inbox.php
index 7791fe977..5b2b6bfe9 100644
--- a/app/Util/ActivityPub/Inbox.php
+++ b/app/Util/ActivityPub/Inbox.php
@@ -167,12 +167,13 @@ class Inbox
             return;
         }
 
-        $status = DB::transaction(function() use($activity, $actor) {
+        $status = DB::transaction(function() use($activity, $actor, $url) {
             $caption = str_limit(strip_tags($activity['content']), config('pixelfed.max_caption_length'));
             $status = new Status;
             $status->profile_id = $actor->id;
             $status->caption = $caption;
             $status->visibility = $status->scope = 'public';
+            $status->uri = $url;
             $status->url = $url;
             $status->save();
             return $status;

From fedcdb204db420368401db92b81273764c1c18d6 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 18:06:12 -0700
Subject: [PATCH 06/29] Update FederationController

---
 app/Http/Controllers/FederationController.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index b1e7d18cd..27b657b3a 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -191,6 +191,14 @@ XML;
         $id = Helpers::validateUrl($bodyDecoded['id']);
         $keyDomain = parse_url($keyId, PHP_URL_HOST);
         $idDomain = parse_url($id, PHP_URL_HOST);
+        if(isset($bodyDecoded['object']) 
+            && is_array($bodyDecoded['object'])
+            && isset($bodyDecoded['object']['attributedTo'])
+        ) {
+            if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $idDomain) {
+                abort(400, 'Invalid request');
+            }
+        }
         if(!$keyDomain || !$idDomain || $keyDomain !== $idDomain) {
             abort(400, 'Invalid request');
         }

From eaaf8fbcd709ebb95668aa2b95ec6875bd740295 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 18:07:32 -0700
Subject: [PATCH 07/29] Update FederationController

---
 app/Http/Controllers/FederationController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index 27b657b3a..c93b1b664 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -195,7 +195,7 @@ XML;
             && is_array($bodyDecoded['object'])
             && isset($bodyDecoded['object']['attributedTo'])
         ) {
-            if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $idDomain) {
+            if(parse_url($bodyDecoded['object']['attributedTo'], PHP_URL_HOST) !== $keyDomain) {
                 abort(400, 'Invalid request');
             }
         }

From 310d427a34eb4c0fd311ff1ed61b41cb35bc4314 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 19:41:12 -0700
Subject: [PATCH 08/29] Update Timeline.vue, fix notification avatar bug

---
 public/js/components.js                     | Bin 580538 -> 580617 bytes
 public/mix-manifest.json                    | Bin 321 -> 321 bytes
 resources/assets/js/components/Timeline.vue |  11 +++++++----
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/public/js/components.js b/public/js/components.js
index 176e3326510210d720f22be2e85f4e9dadc341b5..1a5ce592677fbf99c80ec244dfd56607a201662f 100644
GIT binary patch
delta 336
zcmdnBUAc3I@`e-_mh^OOrRfLVn7*j%mFE|w=q44VCT3S7m{wo`-Nc-nS|uGNrC80$
z2`+0{9E+2~CJVZXvXonz`%hnZi$i6zpX+OBu=w<Y?o5f3?d3Qo+e^w#US27@-SrEL
zg%p<p+|cP8`B^=tAK_ztha|WiC}_)wBmh=5Ifq$%dVn*N-1IC#)*VQ)+ZBaar*dt!
zOk66)l$$vHfICwX)K0$U2Nl~NR50E>+rHPG35c1u?{#N+wVF*SG+n<K=vj#KINQ}^
zS%H{syP7O}0~0gQBa;vEOR<;$Lu7hm6jP9dnTbV;fuV`9l1`?MqJd6zt!AxGd2&+a
YWZOiY=>kTqobC7I*|*=5=eV;Q0Q-M)1ONa4

delta 240
zcmeC&p}cFm@`e-_mK>K5rRn@~>}Hb>y5_Tl<c4@m{}9F`%Hr%7oIU-+Ee@5<g>J8<
zH&5?gD#i>HntYI7ipAfpuz0$GHfxZCWr}fXnz@mIl1`?MqJd6zt!Ax`b8ceB<b<U1
z=?eKw?9F=@ZQr|y@!DC4CZI*;ljpnaoqqN!D@Xg}0wy44-afg2<<)Ai-J27VE=f)H
zD6pSgQ~M1}@2UF><#SBVVHTghKZi+fvO~iTnBZowMqjS>S{YU#X4_sX!~TJZIXS6v
U`f5W~({^12_U*a~9CvmD0C)deP5=M^

diff --git a/public/mix-manifest.json b/public/mix-manifest.json
index 54baaeb4051ca1c4006d450e362a032d03ddcc4f..44662a12af5711b690e64fd15d63102d131e1ddf 100644
GIT binary patch
delta 30
lcmX@ebdYI+p@@Z<nUSeQvVn23K~kb&Vv4z0n!!ZZKLCl&35Eaw

delta 30
lcmX@ebdYI+p@@-Xa#E_Hp@C6~p-HNliA7>+qWMJEKLCzL3AF$K

diff --git a/resources/assets/js/components/Timeline.vue b/resources/assets/js/components/Timeline.vue
index baf48c9c8..e265ae6fc 100644
--- a/resources/assets/js/components/Timeline.vue
+++ b/resources/assets/js/components/Timeline.vue
@@ -156,22 +156,22 @@
 							<div class="media-body font-weight-light small">
 								<div v-if="n.type == 'favourite'">
 									<p class="my-0">
-										<a :href="n.account.url" class="font-weight-bold text-dark">{{n.account.username}}</a> liked your <a class="font-weight-bold" v-bind:href="replyUrl(n.status)">post</a>.
+										<a :href="n.account.url" class="font-weight-bold text-dark word-break">{{n.account.username}}</a> liked your <a class="font-weight-bold" v-bind:href="replyUrl(n.status)">post</a>.
 									</p>
 								</div>
 								<div v-else-if="n.type == 'comment'">
 									<p class="my-0">
-										<a :href="n.account.url" class="font-weight-bold text-dark">{{n.account.username}}</a> commented on your <a class="font-weight-bold" v-bind:href="replyUrl(n.status)">post</a>.
+										<a :href="n.account.url" class="font-weight-bold text-dark word-break">{{n.account.username}}</a> commented on your <a class="font-weight-bold" v-bind:href="replyUrl(n.status)">post</a>.
 									</p>
 								</div>
 								<div v-else-if="n.type == 'mention'">
 									<p class="my-0">
-										<a :href="n.account.url" class="font-weight-bold text-dark">{{n.account.username}}</a> <a class="font-weight-bold" v-bind:href="mentionUrl(n.status)">mentioned</a> you.
+										<a :href="n.account.url" class="font-weight-bold text-dark word-break">{{n.account.username}}</a> <a class="font-weight-bold" v-bind:href="mentionUrl(n.status)">mentioned</a> you.
 									</p>
 								</div>
 								<div v-else-if="n.type == 'follow'">
 									<p class="my-0">
-										<a :href="n.account.url" class="font-weight-bold text-dark">{{n.account.username}}</a> followed you.
+										<a :href="n.account.url" class="font-weight-bold text-dark word-break">{{n.account.username}}</a> followed you.
 									</p>	
 								</div>
 							</div>
@@ -211,6 +211,9 @@
 	.cursor-pointer {
 		cursor: pointer;
 	}
+	.word-break {
+		word-break: break-all;
+	}
 </style>
 
 <script type="text/javascript">

From 8c2fa76c7dbe30c1f8724b58254da8626955221f Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 20:43:02 -0700
Subject: [PATCH 09/29] Bump version to 0.7.3

---
 config/pixelfed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index b0118cd0e..bb7d3daee 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.2',
+    'version' => '0.7.3',
 
     /*
     |--------------------------------------------------------------------------

From e2b782466de85616fbb192a2720954b214e55958 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 22:05:47 -0700
Subject: [PATCH 10/29] Update helpers

---
 app/Util/ActivityPub/Helpers.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php
index b1cd2909e..8154a6ca6 100644
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
@@ -210,6 +210,18 @@ class Helpers {
 				$activity = ['object' => $res];
 			}
 
+			$idDomain = parse_url($activity['id'], PHP_URL_HOST);
+			$urlDomain = parse_url($url, PHP_URL_HOST);
+			$actorDomain = parse_url($activity['object']['attributedTo'], PHP_URL_HOST);
+
+			if(
+				$idDomain !== $urlDomain || 
+				$actorDomain !== $urlDomain || 
+				$idDomain !== $actorDomain
+			) {
+				abort(400, 'Invalid object');
+			}
+
 			$profile = self::profileFirstOrNew($activity['object']['attributedTo']);
 			if(isset($activity['object']['inReplyTo']) && !empty($activity['object']['inReplyTo']) && $replyTo == true) {
 				$reply_to = self::statusFirstOrFetch($activity['object']['inReplyTo'], false);

From ee167f0f8c591826b673fc0cc16e38163b2eb5db Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 22:06:06 -0700
Subject: [PATCH 11/29] Bump version to 0.7.4

---
 config/pixelfed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index bb7d3daee..e954c6b64 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.3',
+    'version' => '0.7.4',
 
     /*
     |--------------------------------------------------------------------------

From 03007b175485cf433c6e3fb2da648b12fd7380c0 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Tue, 25 Dec 2018 23:56:18 -0700
Subject: [PATCH 12/29] Update AP helpers

---
 app/Util/ActivityPub/Helpers.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Util/ActivityPub/Helpers.php b/app/Util/ActivityPub/Helpers.php
index 8154a6ca6..3a73c1a95 100644
--- a/app/Util/ActivityPub/Helpers.php
+++ b/app/Util/ActivityPub/Helpers.php
@@ -210,7 +210,7 @@ class Helpers {
 				$activity = ['object' => $res];
 			}
 
-			$idDomain = parse_url($activity['id'], PHP_URL_HOST);
+			$idDomain = parse_url($res['id'], PHP_URL_HOST);
 			$urlDomain = parse_url($url, PHP_URL_HOST);
 			$actorDomain = parse_url($activity['object']['attributedTo'], PHP_URL_HOST);
 

From 69f745f0c03936ed44b8d46c321324c950d6f8cb Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Wed, 26 Dec 2018 00:51:43 -0700
Subject: [PATCH 13/29] Update FixUsername command

---
 app/Console/Commands/FixUsernames.php | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/app/Console/Commands/FixUsernames.php b/app/Console/Commands/FixUsernames.php
index 04f628edd..3e59abe54 100644
--- a/app/Console/Commands/FixUsernames.php
+++ b/app/Console/Commands/FixUsernames.php
@@ -39,11 +39,6 @@ class FixUsernames extends Command
      */
     public function handle()
     {
-        if(version_compare(config('pixelfed.version'), '0.7.2') !== -1) {
-            $this->info('This command is only for versions lower than 0.7.2');
-            return;
-        }
-
         $this->info('Collecting data ...');
 
         $affected = collect([]);

From 1239fd17d6ccea744ae4c8f740630acc2e0412b8 Mon Sep 17 00:00:00 2001
From: hnrd <cg@zknt.org>
Date: Wed, 26 Dec 2018 20:50:58 +0100
Subject: [PATCH 14/29] pin docker images to PHP 7.2

---
 contrib/docker/Dockerfile.apache | 2 +-
 contrib/docker/Dockerfile.fpm    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/contrib/docker/Dockerfile.apache b/contrib/docker/Dockerfile.apache
index 7f4b8742d..1bd5961e0 100644
--- a/contrib/docker/Dockerfile.apache
+++ b/contrib/docker/Dockerfile.apache
@@ -1,4 +1,4 @@
-FROM php:7-apache
+FROM php:7.2-apache
 
 ARG COMPOSER_VERSION="1.6.5"
 ARG COMPOSER_CHECKSUM="67bebe9df9866a795078bb2cf21798d8b0214f2e0b2fd81f2e907a8ef0be3434"
diff --git a/contrib/docker/Dockerfile.fpm b/contrib/docker/Dockerfile.fpm
index 6c7822ea0..93676b10e 100644
--- a/contrib/docker/Dockerfile.fpm
+++ b/contrib/docker/Dockerfile.fpm
@@ -1,4 +1,4 @@
-FROM php:7-fpm
+FROM php:7.2-fpm
 
 ARG COMPOSER_VERSION="1.6.5"
 ARG COMPOSER_CHECKSUM="67bebe9df9866a795078bb2cf21798d8b0214f2e0b2fd81f2e907a8ef0be3434"

From bc6256c28e25ecfbed18d049bf99a31daff99900 Mon Sep 17 00:00:00 2001
From: hnrd <cg@zknt.org>
Date: Wed, 26 Dec 2018 20:51:47 +0100
Subject: [PATCH 15/29] Require PHP < 7.3 for Pixelfed to work.

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4b9684e9b..a2520a39e 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ there is a stable release**. The following setup instructions are intended for
 testing and development.
 
 ## Requirements
- - PHP >= 7.1.3 (7.2+ recommended for stable version)
+ - PHP >= 7.1.3 < 7.3 (7.2.x recommended for stable version)
  - MySQL >= 5.7, Postgres (MariaDB and sqlite are not supported yet)
  - Redis
  - Composer

From 83f69409d640989eaa40a9b8f441fb4410d97f4b Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Wed, 26 Dec 2018 15:51:53 -0700
Subject: [PATCH 16/29] Update web routes

---
 routes/web.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/routes/web.php b/routes/web.php
index 8aebe6e90..aac1c1010 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -92,7 +92,7 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact
 
         Route::group(['prefix' => 'report'], function () {
             Route::get('/', 'ReportController@showForm')->name('report.form');
-            Route::post('/', 'ReportController@formStore')->middleware('throttle:100,1440');
+            Route::post('/', 'ReportController@formStore')->middleware('throttle:10,5');
             Route::get('not-interested', 'ReportController@notInterestedForm')->name('report.not-interested');
             Route::get('spam', 'ReportController@spamForm')->name('report.spam');
             Route::get('spam/comment', 'ReportController@spamCommentForm')->name('report.spam.comment');
@@ -120,7 +120,7 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact
         ->name('settings');
         Route::post('home', 'SettingsController@homeUpdate')->middleware('throttle:250,1440');
         Route::get('avatar', 'SettingsController@avatar')->name('settings.avatar');
-        Route::post('avatar', 'AvatarController@store')->middleware('throttle:50,1440');
+        Route::post('avatar', 'AvatarController@store');
         Route::get('password', 'SettingsController@password')->name('settings.password')->middleware('dangerzone');
         Route::post('password', 'SettingsController@passwordUpdate')->middleware(['throttle:2,1440','dangerzone']);
         Route::get('email', 'SettingsController@email')->name('settings.email');

From 3c63bc49cf958a28d366b9349cd4f4736ecdc969 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 01:02:08 -0700
Subject: [PATCH 17/29] Update PublicApiController

---
 app/Http/Controllers/PublicApiController.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/PublicApiController.php b/app/Http/Controllers/PublicApiController.php
index 86bbe0407..51fe32eee 100644
--- a/app/Http/Controllers/PublicApiController.php
+++ b/app/Http/Controllers/PublicApiController.php
@@ -300,7 +300,7 @@ class PublicApiController extends Controller
                       ->whereNotIn('profile_id', $filtered)
                       ->whereNull('in_reply_to_id')
                       ->whereNull('reblog_of_id')
-                      ->whereVisibility('public')
+                      ->whereIn('visibility',['public', 'unlisted', 'private'])
                       ->withCount(['comments', 'likes'])
                       ->orderBy('created_at', 'desc')
                       ->limit($limit)
@@ -311,7 +311,7 @@ class PublicApiController extends Controller
                       ->whereNotIn('profile_id', $filtered)
                       ->whereNull('in_reply_to_id')
                       ->whereNull('reblog_of_id')
-                      ->whereVisibility('public')
+                      ->whereIn('visibility',['public', 'unlisted', 'private'])
                       ->withCount(['comments', 'likes'])
                       ->orderBy('created_at', 'desc')
                       ->simplePaginate($limit);

From 2ab70f43441113a7d888e789e21f5655362f9b20 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 01:17:15 -0700
Subject: [PATCH 18/29] Bump version to 0.7.5

---
 config/pixelfed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index e954c6b64..419e38e02 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.4',
+    'version' => '0.7.5',
 
     /*
     |--------------------------------------------------------------------------

From 2eff42bd764cd119d53966d25a43ebfb35d636a9 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 21:32:50 -0700
Subject: [PATCH 19/29] Update SecuritySettings Controller, add 2FA backup code
 regeneration

---
 app/Http/Controllers/Settings/SecuritySettings.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/app/Http/Controllers/Settings/SecuritySettings.php b/app/Http/Controllers/Settings/SecuritySettings.php
index 99547b73b..5d1c49ad3 100644
--- a/app/Http/Controllers/Settings/SecuritySettings.php
+++ b/app/Http/Controllers/Settings/SecuritySettings.php
@@ -110,6 +110,19 @@ trait SecuritySettings
 		return view('settings.security.2fa.recovery-codes', compact('user', 'codes'));
 	}
 
+	public function securityTwoFactorRecoveryCodesRegenerate(Request $request)
+	{
+		$user = Auth::user();
+
+		if(!$user->{'2fa_enabled'} || !$user->{'2fa_secret'}) {
+			abort(403);
+		}
+		$backups = $this->generateBackupCodes();
+		$user->{'2fa_backup_codes'} = json_encode($backups);
+		$user->save();
+		return redirect(route('settings.security.2fa.recovery'));
+	}
+
 	public function securityTwoFactorUpdate(Request $request)
 	{
 		$user = Auth::user();

From f7c1801ab82073ceed016d00e9b8bb7f18367b43 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 21:33:15 -0700
Subject: [PATCH 20/29] Update web routes

---
 routes/web.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/routes/web.php b/routes/web.php
index aac1c1010..f74f894e6 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -166,6 +166,10 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact
                 '2fa/recovery-codes',
                 'SettingsController@securityTwoFactorRecoveryCodes'
             )->name('settings.security.2fa.recovery');
+            Route::post(
+                '2fa/recovery-codes',
+                'SettingsController@securityTwoFactorRecoveryCodesRegenerate'
+            );
         });
 
         Route::get('applications', 'SettingsController@applications')->name('settings.applications');

From 3a38c7386b48e2a24f476a74f810b41c67c86bed Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 21:34:51 -0700
Subject: [PATCH 21/29] Update AccountController, allow 2FA backup codes

---
 app/Http/Controllers/AccountController.php | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 87423c5aa..980dd4dcd 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -339,6 +339,11 @@ class AccountController extends Controller
             $request->session()->push('2fa.session.active', true);
             return redirect('/');
         } else {
+
+            if($this->twoFactorBackupCheck($request, $code, $user)) {
+                return redirect('/');
+            }
+
             if($request->session()->has('2fa.attempts')) {
                 $count = (int) $request->session()->has('2fa.attempts');
                 $request->session()->push('2fa.attempts', $count + 1);
@@ -350,4 +355,31 @@ class AccountController extends Controller
             ]);
         }
     }
+
+    protected function twoFactorBackupCheck($request, $code, User $user)
+    {
+            $backupCodes = $user->{'2fa_backup_codes'};
+            if($backupCodes) {
+                $codes = json_decode($backupCodes, true);
+                foreach ($codes as $c) {
+                    if(hash_equals($c, $code)) {
+                        // remove code
+                        $codes = array_flatten(array_diff($codes, [$code]));
+                        $user->{'2fa_backup_codes'} = json_encode($codes);
+                        $user->save();
+                        $request->session()->push('2fa.session.active', true);
+                        return true;
+                    } else {
+                        return false;
+                    }
+                }
+            } else {
+                return false;
+            }  
+    }
+
+    public function accountRestored(Request $request)
+    {
+        //
+    }
 }

From 8576392662ea33f916cb31cf4d6e9dfdcd7ad672 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 21:35:24 -0700
Subject: [PATCH 22/29] Update 2FA view

---
 .../security/2fa/recovery-codes.blade.php     | 32 ++++++++++++-------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/resources/views/settings/security/2fa/recovery-codes.blade.php b/resources/views/settings/security/2fa/recovery-codes.blade.php
index 47f37af29..9b6c61e4a 100644
--- a/resources/views/settings/security/2fa/recovery-codes.blade.php
+++ b/resources/views/settings/security/2fa/recovery-codes.blade.php
@@ -7,16 +7,26 @@
   </div>
 
   <hr>
-  
-  <p class="lead pb-3">
-  	Each code can only be used once.
-  </p>
-
-  <p class="lead"></p>
-  <ul class="list-group">
-  	@foreach($codes as $code)
-  	<li class="list-group-item"><code>{{$code}}</code></li>
-  	@endforeach
-  </ul>
+    @if(count($codes) > 0)
+      <p class="lead pb-3">
+      	Each code can only be used once.
+      </p>
+      <ul class="list-group">
+      	@foreach($codes as $code)
+      	<li class="list-group-item"><code>{{$code}}</code></li>
+      	@endforeach
+      </ul>
+    @else
+    <div class="pt-5">
+      <h4 class="font-weight-bold">You are out of recovery codes</h4>
+      <p class="lead">Generate more recovery codes and store them in a safe place.</p>
+      <p>
+        <form method="post">
+          @csrf
+          <button type="submit" class="btn btn-primary font-weight-bold">Generate Recovery Codes</button>
+        </form>
+      </p>
+    </div>
+    @endif
 
 @endsection
\ No newline at end of file

From ce6ba4cd4b05d997a96fbf15fd981e46384f7c17 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 21:36:11 -0700
Subject: [PATCH 23/29] Bump version to 0.7.6

---
 config/pixelfed.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index 419e38e02..25c9c0870 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.5',
+    'version' => '0.7.6',
 
     /*
     |--------------------------------------------------------------------------

From 88189360c648403303bd9e261325f3c9b739e6f9 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 22:50:09 -0700
Subject: [PATCH 24/29] Update Settings view, fix avatar upload bug

---
 resources/views/settings/home.blade.php | 72 ++++++++-----------------
 1 file changed, 22 insertions(+), 50 deletions(-)

diff --git a/resources/views/settings/home.blade.php b/resources/views/settings/home.blade.php
index aadee58d6..adae0ae9d 100644
--- a/resources/views/settings/home.blade.php
+++ b/resources/views/settings/home.blade.php
@@ -6,18 +6,30 @@
     <h3 class="font-weight-bold">Account Settings</h3>
   </div>
   <hr>
-  <form method="post">
-    @csrf
-    <div class="form-group row">
-      <div class="col-sm-3">
-        <img src="{{Auth::user()->profile->avatarUrl()}}" width="38px" height="38px" class="rounded-circle float-right">
-      </div>
-      <div class="col-sm-9">
-        <p class="lead font-weight-bold mb-0">{{Auth::user()->username}}</p>
-        <p class="mb-0"><a href="#" class="font-weight-bold change-profile-photo">Change Profile Photo</a></p>
-        <p><span class="small font-weight-bold">Max avatar size: <span id="maxAvatarSize"></span></span></p>
+  <div class="form-group row">
+    <div class="col-sm-3">
+      <img src="{{Auth::user()->profile->avatarUrl()}}" width="38px" height="38px" class="rounded-circle float-right">
+    </div>
+    <div class="col-sm-9">
+      <p class="lead font-weight-bold mb-0">{{Auth::user()->username}}</p>
+      <p><a href="#" class="font-weight-bold change-profile-photo" data-toggle="collapse" data-target="#avatarCollapse" aria-expanded="false" aria-controls="avatarCollapse">Change Profile Photo</a></p>
+      <div class="collapse" id="avatarCollapse">
+        <form method="post" action="/settings/avatar" enctype="multipart/form-data">
+        @csrf
+        <div class="card card-body">
+          <div class="custom-file mb-1">
+            <input type="file" name="avatar" class="custom-file-input" id="avatarInput">
+            <label class="custom-file-label" for="avatarInput">Select a profile photo</label>
+          </div>
+          <p><span class="small font-weight-bold">Must be a jpeg or png. Max avatar size: <span id="maxAvatarSize"></span></span></p>
+          <p class="mb-0"><button type="submit" class="btn btn-primary px-4 py-0 font-weight-bold">Upload</button></p>
+        </div>
+        </form>
       </div>
     </div>
+  </div>
+  <form method="post">
+    @csrf
     <div class="form-group row">
       <label for="name" class="col-sm-3 col-form-label font-weight-bold text-right">Name</label>
       <div class="col-sm-9">
@@ -118,45 +130,5 @@
   });
 
   $('#maxAvatarSize').text(filesize({{config('pixelfed.max_avatar_size') * 1024}}, {round: 0}));
-
-  $(document).on('click', '.change-profile-photo', function(e) {
-    e.preventDefault();
-    swal({
-      title: 'Upload Photo',
-      content: {
-        element: 'input',
-        attributes: {
-          placeholder: 'Upload your photo.',
-          type: 'file',
-          name: 'photoUpload',
-          id: 'photoUploadInput'
-        }
-      },
-      buttons: {
-        confirm: {
-          text: 'Upload'
-        }
-      }
-    }).then((res) => {
-      if(!res) {
-        return;
-      }
-      const input = $('#photoUploadInput')[0];
-      const photo = input.files[0];
-      const form = new FormData();
-      form.append("upload", photo);
-
-      axios.post('/api/v1/avatar/update', form, {
-          headers: {
-            'Content-Type': 'multipart/form-data'
-          }
-      }).then((res) => {
-        swal('Success', 'Your photo has been successfully updated! It may take a few minutes to update across the site.', 'success');
-      }).catch((res) => {
-        let msg = res.response.data.errors.upload[0];
-        swal('Something went wrong', msg, 'error');
-      });
-    });
-  });
 </script>
 @endpush

From 1cca479fad6a2f4a35d3bef9238f252150051c99 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Thu, 27 Dec 2018 22:55:21 -0700
Subject: [PATCH 25/29] Update AP Inbox

---
 app/Util/ActivityPub/Inbox.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/Util/ActivityPub/Inbox.php b/app/Util/ActivityPub/Inbox.php
index 5b2b6bfe9..2d764f040 100644
--- a/app/Util/ActivityPub/Inbox.php
+++ b/app/Util/ActivityPub/Inbox.php
@@ -220,7 +220,7 @@ class Inbox
             // send Accept to remote profile
             $accept = [
                 '@context' => 'https://www.w3.org/ns/activitystreams',
-                'id'       => $target->permalink().'#accepts/follows/',
+                'id'       => $target->permalink().'#accepts/follows/' . $follower->id,
                 'type'     => 'Accept',
                 'actor'    => $target->permalink(),
                 'object'   => [

From a2a69c9d6c8c812964c3a54b279cb3ad18d706ad Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Fri, 28 Dec 2018 20:25:19 -0700
Subject: [PATCH 26/29] Update config

---
 config/pixelfed.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/pixelfed.php b/config/pixelfed.php
index 25c9c0870..feb3ed318 100644
--- a/config/pixelfed.php
+++ b/config/pixelfed.php
@@ -23,7 +23,7 @@ return [
     | This value is the version of your PixelFed instance.
     |
     */
-    'version' => '0.7.6',
+    'version' => '0.7.7',
 
     /*
     |--------------------------------------------------------------------------
@@ -59,7 +59,7 @@ return [
     */
     'restricted_names' => [
       'reserved_routes' => true,
-      'use_blacklist'   => false,
+      'use_blacklist'   => env('USERNAME_BLACKLIST', false),
     ],
 
     /*

From cfbd7d5a1a1aca0e9ac36d2bbe0fbb6320e3993b Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Fri, 28 Dec 2018 20:39:16 -0700
Subject: [PATCH 27/29] Update RestrictedNames

---
 app/Util/Lexer/RestrictedNames.php | 31 ++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/app/Util/Lexer/RestrictedNames.php b/app/Util/Lexer/RestrictedNames.php
index 0bd2648b6..5fe8d4d38 100644
--- a/app/Util/Lexer/RestrictedNames.php
+++ b/app/Util/Lexer/RestrictedNames.php
@@ -39,7 +39,6 @@ class RestrictedNames
      'ftp',
      'guest',
      'guests',
-     'help',
      'hostmaster',
      'hostmaster',
      'image',
@@ -94,9 +93,6 @@ class RestrictedNames
      'ssladmin',
      'ssladministrator',
      'sslwebmaster',
-     'status',
-     'support',
-     'support',
      'sys',
      'sysadmin',
      'system',
@@ -107,7 +103,6 @@ class RestrictedNames
      'uucp',
      'webmaster',
      'wpad',
-     'www',
    ];
 
     public static $reserved = [
@@ -126,36 +121,60 @@ class RestrictedNames
      'account',
      'api',
      'auth',
+     'broadcast',
+     'broadcaster',
      'css',
      'checkpoint',
+     'collection',
+     'collections',
      'c',
-     'i',
+     'cdn',
      'dashboard',
      'deck',
      'discover',
      'docs',
+     'error',
+     'explore',
      'fonts',
      'home',
+     'help',
+     'helpcenter',
+     'i',
      'img',
      'js',
+     'live',
      'login',
      'logout',
      'media',
+     'official',
      'p',
      'password',
+     'reset',
      'report',
      'reports',
+     'robot',
+     'robots',
      'search',
+     'send',
      'settings',
+     'status',
      'statuses',
      'site',
      'sites',
+     'static',
+     'story',
+     'stories',
+     'support',
+     'telescope',
      'timeline',
      'timelines',
      'tour',
      'user',
      'users',
      'vendor',
+     'ws',
+     'wss',
+     'www',
      '400',
      '401',
      '403',

From 714e47f38700d6cbb6ba8c338be238a79fd7a333 Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Sat, 29 Dec 2018 16:56:39 -0700
Subject: [PATCH 28/29] Add Accept validator/test

---
 .env.testing                              |  2 +
 app/Util/ActivityPub/Validator/Accept.php | 32 +++++++++++++
 tests/Unit/ActivityPub/AcceptVerbTest.php | 55 +++++++++++++++++++++++
 3 files changed, 89 insertions(+)
 create mode 100644 app/Util/ActivityPub/Validator/Accept.php
 create mode 100644 tests/Unit/ActivityPub/AcceptVerbTest.php

diff --git a/.env.testing b/.env.testing
index f7dcfe55e..a37e329eb 100644
--- a/.env.testing
+++ b/.env.testing
@@ -53,3 +53,5 @@ MIX_PUSHER_APP_CLUSTER="${PUSHER_APP_CLUSTER}"
 MIX_APP_URL="${APP_URL}"
 MIX_API_BASE="${API_BASE}"
 MIX_API_SEARCH="${API_SEARCH}"
+
+TELESCOPE_ENABLED=false
diff --git a/app/Util/ActivityPub/Validator/Accept.php b/app/Util/ActivityPub/Validator/Accept.php
new file mode 100644
index 000000000..7230a37f3
--- /dev/null
+++ b/app/Util/ActivityPub/Validator/Accept.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Util\ActivityPub\Validator;
+
+use Validator;
+use Illuminate\Validation\Rule;
+
+class Accept {
+
+	public static function validate($payload)
+	{
+		$valid = Validator::make($payload, [
+			'@context' => 'required',
+			'id' => 'required|string',
+			'type' => [
+				'required',
+				Rule::in(['Accept'])
+			],
+			'actor' => 'required|url|active_url',
+			'object' => 'required',
+			'object.id' => 'required|url|active_url',
+			'object.type' => [
+				'required',
+				Rule::in(['Follow'])
+			],
+			'object.actor' => 'required|url|active_url',
+			'object.object' => 'required|url|active_url|same:actor',
+		])->passes();
+
+		return $valid;
+	}
+}
\ No newline at end of file
diff --git a/tests/Unit/ActivityPub/AcceptVerbTest.php b/tests/Unit/ActivityPub/AcceptVerbTest.php
new file mode 100644
index 000000000..c949624db
--- /dev/null
+++ b/tests/Unit/ActivityPub/AcceptVerbTest.php
@@ -0,0 +1,55 @@
+<?php
+
+namespace Tests\Unit;
+
+use Tests\TestCase;
+use Illuminate\Foundation\Testing\WithFaker;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use App\Util\ActivityPub\Validator\Accept;
+
+class AcceptVerbTest extends TestCase
+{
+	protected $validAccept;
+	protected $invalidAccept;
+
+	public function setUp()
+	{
+		parent::setUp();
+		$this->validAccept = [
+			'@context' => 'https://www.w3.org/ns/activitystreams',
+			'id' => 'https://example.org/og/b3e4a40b-0b26-4c5a-9079-094bd633fab7',
+			'type' => 'Accept',
+			'actor' => 'https://example.org/u/alice',
+			'object' => [
+				'id' => 'https://example.net/u/bob#follows/bb27f601-ddb9-4567-8f16-023d90605ca9',
+				'type' => 'Follow',
+				'actor' => 'https://example.net/u/bob',
+				'object' => 'https://example.org/u/alice'
+			]
+		];
+		$this->invalidAccept = [
+			'@context' => 'https://www.w3.org/ns/activitystreams',
+			'id' => 'https://example.org/og/b3e4a40b-0b26-4c5a-9079-094bd633fab7',
+			'type' => 'Accept2',
+			'actor' => 'https://example.org/u/alice',
+			'object' => [
+				'id' => 'https://example.net/u/bob#follows/bb27f601-ddb9-4567-8f16-023d90605ca9',
+				'type' => 'Follow',
+				'actor' => 'https://example.net/u/bob',
+				'object' => 'https://example.org/u/alice'
+			]
+		];
+	}
+
+	/** @test */
+	public function basic_accept()
+	{
+		$this->assertTrue(Accept::validate($this->validAccept));
+	}
+
+	/** @test */
+	public function invalid_accept()
+	{
+		$this->assertFalse(Accept::validate($this->invalidAccept));
+	}
+}

From 2d2c9a60f8b118b7fbe34c70ea820f4b9094be4a Mon Sep 17 00:00:00 2001
From: Daniel Supernault <danielsupernault@gmail.com>
Date: Sat, 29 Dec 2018 21:50:37 -0700
Subject: [PATCH 29/29] Fixes #719, add blind key rotation

---
 app/Http/Controllers/FederationController.php | 44 +++++++++++++++++--
 1 file changed, 40 insertions(+), 4 deletions(-)

diff --git a/app/Http/Controllers/FederationController.php b/app/Http/Controllers/FederationController.php
index c93b1b664..508874341 100644
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@@ -180,6 +180,20 @@ XML;
         if($profile->status != null) {
             return ProfileController::accountCheck($profile);
         }
+        $body = $request->getContent();
+        $bodyDecoded = json_decode($body, true, 8);
+        if($this->verifySignature($request, $profile) == true) {
+            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        } else if($this->blindKeyRotation($request, $profile) == true) {
+            InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
+        } else {
+            abort(400, 'Bad Signature');
+        }
+        return;
+    }
+
+    protected function verifySignature(Request $request, Profile $profile)
+    {
         $body = $request->getContent();
         $bodyDecoded = json_decode($body, true, 8);
         $signature = $request->header('signature');
@@ -209,11 +223,33 @@ XML;
         $pkey = openssl_pkey_get_public($actor->public_key);
         $inboxPath = "/users/{$profile->username}/inbox";
         list($verified, $headers) = HTTPSignature::verify($pkey, $signatureData, $request->headers->all(), $inboxPath, $body);
-        if($verified !== 1) { 
-            abort(400, 'Invalid signature.');
+        if($verified == 1) { 
+            return true;
+        } else {
+            return false;
         }
-        InboxWorker::dispatch($request->headers->all(), $profile, $bodyDecoded);
-        return;
+    }
+
+    protected function blindKeyRotation(Request $request, Profile $profile)
+    {
+        $signature = $request->header('signature');
+        if(!$signature) {
+            abort(400, 'Missing signature header');
+        }
+        $signatureData = HttpSignature::parseSignatureHeader($signature);
+        $keyId = Helpers::validateUrl($signatureData['keyId']);
+        $actor = Profile::whereKeyId($keyId)->first();
+        $res = Zttp::timeout(5)->withHeaders([
+          'Accept'     => 'application/ld+json; profile="https://www.w3.org/ns/activitystreams"',
+          'User-Agent' => 'PixelFedBot v0.1 - https://pixelfed.org',
+        ])->get($actor->remote_url);
+        $res = json_decode($res->body(), true, 8);
+        if($res['publicKey']['id'] !== $actor->key_id) {
+            return false;
+        }
+        $actor->public_key = $res['publicKey']['publicKeyPem'];
+        $actor->save();
+        return $this->verifySignature($request, $profile);
     }
 
     public function userFollowing(Request $request, $username)