Merge branch 'admin/accounts'

Author: dahlia

CHANGES.md

@@ -41,6 +41,18 @@ To be released.
      -  Added dereferenceable local `QuoteAuthorization` ActivityPub objects
         for accepted quotes.
 
+ -  Added custom field editing to the admin account creation and editing
+    forms, allowing up to 10 label–value pairs per profile (beyond
+    Mastodon's limit of 4).  Field values support Markdown and mention
+    syntax.  The Mastodon-compatible `PATCH /api/v1/accounts/
+    update_credentials` endpoint now also accepts up to 10 custom fields
+    via `fields_attributes[0]` through `fields_attributes[9]`.
+
+ -  Fixed a bug in `PATCH /api/v1/accounts/update_credentials` where
+    submitting any credential update (e.g. `display_name`) without
+    `fields_attributes` would silently wipe all existing custom profile
+    fields from the public profile, API responses, and federation output.
+
  -  Added an ActivityPub `quote-inline` fallback to the `content` of explicit
     quote posts created through the Mastodon API.  Software that does not
     support quote posts can now still show the quoted post permalink, while
@@ -94,6 +106,16 @@ To be released.
         are removed; UnoCSS emits a single _src/public/uno.css_ whose
         URL is cache-busted by file mtime.
 
+ -  Added avatar and header image upload to the admin account creation and
+    editing forms, with drag-and-drop support and in-page image preview.
+    Files are stored using the same storage backend as the Mastodon-compatible
+    API (`PATCH /api/v1/accounts/update_credentials`).
+
+ -  Fixed a performance bug on the account edit page where saving an account
+    always triggered a network lookup of [@hollo@hollo.social] regardless of
+    whether the “Receive Hollo news” setting had actually changed.  The lookup
+    now only happens when the news-following state genuinely changes.
+
  -  Improved the performance of authenticated API requests by replacing the
     complex multi-table JOIN query in the `tokenRequired` middleware with a
     lightweight single-table lookup.  Account owner data is now fetched on
@@ -112,6 +134,7 @@ To be released.
  -  Upgraded Fedify to 2.2.1.
 
 [FEP-044f]: https://w3id.org/fep/044f
+[@hollo@hollo.social]: https://hollo.social/@hollo
 [#67]: https://github.com/fedify-dev/hollo/issues/67
 [#127]: https://github.com/fedify-dev/hollo/issues/127
 [#457]: https://github.com/fedify-dev/hollo/pull/457

src/api/v1/accounts.test.ts

@@ -1,3 +1,6 @@
+import { mkdir } from "node:fs/promises";
+
+import { eq } from "drizzle-orm";
 import { beforeEach, describe, expect, it } from "vitest";
 
 import { cleanDatabase } from "../../../tests/helpers";
@@ -9,7 +12,7 @@ import {
 } from "../../../tests/helpers/oauth";
 import db from "../../db";
 import app from "../../index";
-import { posts } from "../../schema";
+import { accountOwners, accounts, posts } from "../../schema";
 import { uuidv7 } from "../../uuid";
 
 describe.sequential("/api/v1/accounts/verify_credentials", () => {
@@ -117,6 +120,72 @@ describe.sequential("/api/v1/accounts/verify_credentials", () => {
   });
 });
 
+describe.sequential("/api/v1/accounts/update_credentials", () => {
+  let client: Awaited<ReturnType<typeof createOAuthApplication>>;
+  let account: Awaited<ReturnType<typeof createAccount>>;
+
+  beforeEach(async () => {
+    await cleanDatabase();
+    await mkdir("tmp/fakes", { recursive: true });
+
+    account = await createAccount({ generateKeyPair: true });
+    client = await createOAuthApplication({
+      scopes: ["write:accounts"],
+    });
+  });
+
+  it("clears existing profile fields when blank field slots are submitted", async () => {
+    expect.assertions(7);
+
+    await db
+      .update(accounts)
+      .set({
+        fieldHtmls: {
+          Website: '<a href="https://example.com">https://example.com</a>',
+        },
+      })
+      .where(eq(accounts.id, account.id));
+    await db
+      .update(accountOwners)
+      .set({
+        fields: {
+          Website: "https://example.com",
+        },
+      })
+      .where(eq(accountOwners.id, account.id));
+
+    const accessToken = await getAccessToken(client, account, [
+      "write:accounts",
+    ]);
+    const form = new FormData();
+    form.set("fields_attributes[0][name]", "");
+    form.set("fields_attributes[0][value]", "");
+
+    const response = await app.request("/api/v1/accounts/update_credentials", {
+      method: "PATCH",
+      headers: {
+        authorization: bearerAuthorization(accessToken),
+      },
+      body: form,
+    });
+
+    expect(response.status).toBe(200);
+    expect(response.headers.get("content-type")).toBe("application/json");
+    expect(response.headers.get("access-control-allow-origin")).toBe("*");
+
+    const credentialAccount = await response.json();
+    expect(credentialAccount.fields).toEqual([]);
+    expect(credentialAccount.source.fields).toEqual([]);
+
+    const updatedAccount = await db.query.accountOwners.findFirst({
+      where: eq(accountOwners.id, account.id),
+      with: { account: true },
+    });
+    expect(updatedAccount?.fields).toEqual({});
+    expect(updatedAccount?.account.fieldHtmls).toEqual({});
+  });
+});
+
 describe.sequential("/api/v1/accounts/:id/statuses", () => {
   let client: Awaited<ReturnType<typeof createOAuthApplication>>;
   let account: Awaited<ReturnType<typeof createAccount>>;

src/api/v1/accounts.ts

@@ -98,14 +98,26 @@ app.patch(
       "source[privacy]": z.enum(["public", "unlisted", "private"]).optional(),
       "source[sensitive]": z.enum(["true", "false"]).optional(),
       "source[language]": z.string().optional(),
-      "fields_attributes[0][name]": z.string().optional(),
-      "fields_attributes[0][value]": z.string().optional(),
-      "fields_attributes[1][name]": z.string().optional(),
-      "fields_attributes[1][value]": z.string().optional(),
-      "fields_attributes[2][name]": z.string().optional(),
-      "fields_attributes[2][value]": z.string().optional(),
-      "fields_attributes[3][name]": z.string().optional(),
-      "fields_attributes[3][value]": z.string().optional(),
+      "fields_attributes[0][name]": z.string().max(255).optional(),
+      "fields_attributes[0][value]": z.string().max(255).optional(),
+      "fields_attributes[1][name]": z.string().max(255).optional(),
+      "fields_attributes[1][value]": z.string().max(255).optional(),
+      "fields_attributes[2][name]": z.string().max(255).optional(),
+      "fields_attributes[2][value]": z.string().max(255).optional(),
+      "fields_attributes[3][name]": z.string().max(255).optional(),
+      "fields_attributes[3][value]": z.string().max(255).optional(),
+      "fields_attributes[4][name]": z.string().max(255).optional(),
+      "fields_attributes[4][value]": z.string().max(255).optional(),
+      "fields_attributes[5][name]": z.string().max(255).optional(),
+      "fields_attributes[5][value]": z.string().max(255).optional(),
+      "fields_attributes[6][name]": z.string().max(255).optional(),
+      "fields_attributes[6][value]": z.string().max(255).optional(),
+      "fields_attributes[7][name]": z.string().max(255).optional(),
+      "fields_attributes[7][value]": z.string().max(255).optional(),
+      "fields_attributes[8][name]": z.string().max(255).optional(),
+      "fields_attributes[8][value]": z.string().max(255).optional(),
+      "fields_attributes[9][name]": z.string().max(255).optional(),
+      "fields_attributes[9][value]": z.string().max(255).optional(),
     }),
   ),
   async (c) => {
@@ -167,23 +179,42 @@ app.patch(
         username: account.handle,
       }),
     };
-    const fields = Object.entries(owner.fields);
-    const fieldHtmls: [string, string][] = [];
-    for (const i of [0, 1, 2, 3] as const) {
+    const fields: ([string, string] | undefined)[] = Object.entries(
+      owner.fields,
+    );
+    let anyFieldAttributeSubmitted = false;
+    for (const i of [0, 1, 2, 3, 4, 5, 6, 7, 8, 9] as const) {
       const name = form[`fields_attributes[${i}][name]`];
       const value = form[`fields_attributes[${i}][value]`];
+      if (name == null && value == null) {
+        continue;
+      }
+      anyFieldAttributeSubmitted = true;
       if (
         name == null ||
         name.trim() === "" ||
         value == null ||
         value.trim() === ""
       ) {
+        fields[i] = undefined;
         continue;
       }
       fields[i] = [name, value];
-      const contentHtml = (await formatText(db, fields[i][1], fmtOpts)).html;
-      fieldHtmls.push([fields[i][0], contentHtml]);
     }
+    const denseFields = fields.filter((f): f is [string, string] => f != null);
+    const fieldHtmlsRecord: Record<string, string> = anyFieldAttributeSubmitted
+      ? Object.fromEntries(
+          await Promise.all(
+            denseFields.map(
+              async ([fieldName, fieldValue]) =>
+                [
+                  fieldName,
+                  (await formatText(db, fieldValue, fmtOpts)).html,
+                ] as [string, string],
+            ),
+          ),
+        )
+      : account.fieldHtmls;
     const bioResult =
       form.note == null ? null : await formatText(db, form.note, fmtOpts);
     const name = form.display_name ?? account.name;
@@ -200,7 +231,7 @@ app.patch(
         bioHtml: bioResult == null ? account.bioHtml : bioResult.html,
         avatarUrl,
         coverUrl,
-        fieldHtmls: Object.fromEntries(fieldHtmls),
+        fieldHtmls: fieldHtmlsRecord,
         protected:
           form.locked == null ? account.protected : form.locked === "true",
         sensitive:
@@ -220,7 +251,9 @@ app.patch(
       .update(accountOwners)
       .set({
         bio: form.note ?? owner.bio,
-        fields: Object.fromEntries(fields),
+        fields: anyFieldAttributeSubmitted
+          ? Object.fromEntries(denseFields)
+          : owner.fields,
         visibility: form["source[privacy]"] ?? owner.visibility,
         language: form["source[language]"] ?? owner.language,
       })