Add documentation for new AS Notification/Profile feature

Add LDAP support Matrix ID room invites notifications
Add extra placeholders for Matrix ID room invites notifications
2018-10-16 21:28:38 +02:00 · 2018-10-16 21:28:38 +02:00 · 2018-10-16 21:28:38 +02:00 · 2018-10-16 21:28:38 +02:00 · 2018-10-12 16:21:29 +02:00 · 2018-10-10 02:10:48 +02:00
270 changed files with 11570 additions and 3895 deletions
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,4 +1,8 @@
-language: groovy
+language: java
-
+before_cache:
-jdk:
+  - rm -f  $HOME/.gradle/caches/modules-2/modules-2.lock
-  - oraclejdk8
+  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
 cache:
  directories:
    - $HOME/.gradle/caches/
    - $HOME/.gradle/wrapper/
--- a/12
+++ b/12
@@ -1,11 +1,17 @@
 FROM openjdk:8-jre-alpine
 RUN apk update && apk add bash && rm -rf /var/lib/apk/* /var/cache/apk/*
 VOLUME /etc/mxisd
 VOLUME /var/mxisd
 EXPOSE 8090
 ADD build/libs/mxisd.jar /mxisd.jar
 ADD src/docker/start.sh /start.sh
 ENV JAVA_OPTS=""
 ENV CONF_FILE_PATH="/etc/mxisd/mxisd.yaml"
 ENV SIGN_KEY_PATH="/var/mxisd/sign.key"
 ENV SQLITE_DATABASE_PATH="/var/mxisd/mxisd.db"
 CMD [ "/start.sh" ]
 ADD src/docker/start.sh /start.sh
 ADD build/libs/mxisd.jar /mxisd.jar
--- a/README.md
+++ b/README.md
@@ -1,226 +1,105 @@
-mxisd - Federated Matrix Identity Server Daemon
+mxisd - Federated Matrix Identity Server
-----
+----------------------------------------
-![Travis-CI build status](https://travis-ci.org/kamax-io/mxisd.svg?branch=master)  
+![Travis-CI build status](https://travis-ci.org/kamax-matrix/mxisd.svg?branch=master)  
-[Overview](#overview) | [Features](#features) | [Lookup process](#lookup-process) | [Packages](#packages) | 
+- [Overview](#overview)
-[From source](#from-source) | [Configuration](#configuration) | [Network Discovery](#network-discovery) | 
+- [Features](#features)
-[Integration](#integration) | [Support](#support)
+- [Use cases](#use-cases)
 - [Getting Started](#getting-started)
 - [Support](#support)
 - [Contribute](#contribute)
 - [FAQ](#faq)
 - [Contact](#contact)
 # Overview
-mxisd is a Federated Matrix Identity server for self-hosted Matrix infrastructures.
+mxisd is a Federated Matrix Identity server for self-hosted Matrix infrastructures with [enhanced features](#features).
 As an enhanced Identity service, it implements the [Matrix Identity service API](https://kamax.io/matrix/api/identity_service/unstable.html)
 and several [extra features](#features) that greatly enhance user experience within Matrix.
 It is the one stop shop for anything regarding Authentication, Directory and Identity management in Matrix built in a
 single coherent product.
-mxisd uses a cascading lookup model which performs lookup from a more authoritative to a less authoritative source, usually doing:
+mxisd is specifically designed to connect to an existing on-premise Identity store (AD/Samba/LDAP, SQL Database,
- Local identity stores: LDAP, etc.
+Web services/app, etc.) and ease the integration of a Matrix infrastructure within an existing one.
 - Federated identity stores: another Identity Server in charge of a specific domain, if applicable
 - Configured identity stores: another Identity Server specifically configured, if part of some sort of group trust
 - Root identity store: vector.im/matrix.org central Identity Servers
-mxisd provides an alternative to [sydent](https://github.com/matrix-org/sydent), while still connecting to the vector.im and matrix.org Identity servers, 
+The core principle of mxisd is to map between Matrix IDs and 3PIDs (Third-Party IDentifiers) for the Homeserver and its
-by implementing the [Matrix Identity Service specification](https://matrix.org/docs/spec/identity_service/unstable.html).
+users. 3PIDs can be anything that uniquely and globally identify a user, like:
 - Email address
 - Phone number
 - Skype/Live ID
 - Twitter handle
 - Facebook ID
-mxisd only aims to support workflows that do NOT break federation or basic lookup processes of the Matrix ecosystem.
+If you are unfamiliar with the Identity vocabulary and concepts in Matrix, **please read this [introduction](docs/concepts.md)**.
 # Features
- Single lookup of 3PID (E-mail, phone number, etc.) by the Matrix Client or Homeserver.
+[Identity](docs/features/identity.md): As a [regular Matrix Identity service](https://kamax.io/matrix/api/identity_service/unstable.html#general-principles):
- Bulk lookups when trying to find possible matches within contacts in Android and iOS clients.
+- Search for people by 3PID using its own Identity stores
- Bind of 3PID by a Matrix user within a Matrix client.
+  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#association-lookup))
- Support of invitation to rooms by e-mail with e-mail notification to invitee.
+- Invite people to rooms by 3PID using its own Identity stores, with notifications to the invitee (Email, SMS, etc.)
- Authentication support in [synapse](https://github.com/matrix-org/synapse) via the [REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth).
+  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#post-matrix-identity-api-v1-store-invite))
 - Allow users to add 3PIDs to their settings/profile
  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#establishing-associations))
 - Register accounts on your Homeserver with 3PIDs
  ([Spec](https://kamax.io/matrix/api/identity_service/unstable.html#establishing-associations))
-In the pipe:
+As an enhanced Identity service:
- Support to proxy 3PID bindings in user profile to the central Matrix.org servers
+- [Federation](docs/features/federation.md): Use a recursive lookup mechanism when searching and inviting people by 3PID,
  allowing to fetch data from:
  - Own Identity store(s)
  - Federated Identity servers, if applicable to the 3PID
  - Arbitrary Identity servers
  - Central Matrix Identity servers
 - [Session Control](docs/threepids/session/session.md): Extensive control of where 3PIDs are transmitted so they are not
  leaked publicly by users
 - [Authentication](docs/features/authentication.md): Use your Identity stores to perform authentication in [synapse](https://github.com/matrix-org/synapse)
  via the [REST password provider](https://github.com/kamax-io/matrix-synapse-rest-auth)
 - [Directory search](docs/features/directory.md) which allows you to search for users within your organisation,
  even without prior contact within Matrix using arbitrary search terms
 - [Auto-fill of user profile](docs/features/authentication.md#profile-auto-fill) (Display name, 3PIDs)
 - [Bridge Integration](docs/features/bridge-integration.md): Automatically bridge users without a published Matrix ID
-# Lookup Process
+# Use cases
-Default Lookup strategy will use a priority order and a configurable recursive/local type of request.
+- Use your existing Identity stores, do not duplicate your users information
 - Auto-fill user profiles with relevant information
 - As an organisation, stay in control of your data so it is not published to other servers by default where they
  currently **cannot be removed**
 - Users can directly find each other using whatever attribute is relevant within your Identity store
 - Federate your Identity server so you can discover others and/or others can discover you
-## E-mail
+# Getting started
-Given the 3PID `john.doe@example.org`, the following will be performed until a mapping is found:
+See the [dedicated document](docs/getting-started.md)
 - LDAP: lookup the Matrix ID (partial or complete) from a configurable attribute using a dedicated query.
 - DNS: lookup another Identity Server using the domain part of an e-mail and:
  - Look for a SRV record under `_matrix-identity._tcp.example.org`
  - Lookup using the base domain name `example.org`
 - Forwarder: Proxy the request to other configurable identity servers.
 ## Phone number
 Given the phone number `+123456789`, the following lookup logic will be performed:
 - LDAP: lookup the Matrix ID (partial or complete) from a configurable attribute using a dedicated query.
 - Forwarder: Proxy the request to other configurable identity servers.
 # Packages
 See [releases]((https://github.com/kamax-io/mxisd/releases)) for native installers of supported systems.  
 If none is available, please use other packages or build from source.
 ## Debian
 ### Download
 See the [releases section](https://github.com/kamax-io/mxisd/releases).
 ### Configure and run
 After installation:
 1. Copy the sample config file `/etc/mxisd/mxisd-sample.yaml` to `/etc/mxisd/mxisd.yaml`
 2. [Configure](#configuration)
 3. Start the service: `sudo systemctl start mxisd`
 ### From source
 Requirements:
 - fakeroot
 - dpkg-deb
 Run:
 ```
 ./gradlew buildDeb 
 ```
 You will find the debian package in `build/dist`
 ## Docker
 ```
 docker pull kamax/mxisd
 ```
 For more info, see [the public repository](https://hub.docker.com/r/kamax/mxisd/)
 ### From source
 [Build mxisd](#build) then build the docker image:
 ```
 ./gradlew dockerBuild
 ```
 You can run a container of the given image and test it with the following command (adapt volumes host paths):
 ```
 docker run -v /data/mxisd/etc:/etc/mxisd -v /data/mxisd/var:/var/mxisd -p 8090:8090 -t kamax/mxisd:latest-dev
 ```
 # From Source
 ## Requirements
 - JDK 1.8
 ## Build
 ```
 git clone https://github.com/kamax-io/mxisd.git
 cd mxisd
 ./gradlew build
 ```
 then see the [Configuration](#configuration) section.
 ## Test build
 Start the server in foreground to validate the build:
 ```
 java -jar build/libs/mxisd.jar
 ```
 Ensure the signing key is available:
 ```
 $ curl http://localhost:8090/_matrix/identity/api/v1/pubkey/ed25519:0
 {"public_key":"..."}
 ```
 Test basic recursive lookup (requires Internet connection with access to TCP 443):
 ```
 $ curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=mxisd-lookup-test@kamax.io'
 {"address":"mxisd-lookup-test@kamax.io","medium":"email","mxid":"@mxisd-lookup-test:kamax.io",...}
 ```
 If you enabled LDAP, you can also validate your config with a similar request after replacing the `address` value with something present within your LDAP
 ```
 curl "http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=john.doe@example.org"
 ```
 If you plan on testing the integration with a homeserver, you will need to run an HTTPS reverse proxy in front of it
 as the reference Home Server implementation [synapse](https://github.com/matrix-org/synapse) requires a HTTPS connection
 to an ID server.  
 See the [Integration section](https://github.com/kamax-io/mxisd#integration) for more details.
 ## Install
 After [building](#build) the software, run all the following commands as `root` or using `sudo`
 1. Prepare files and directories:
 ```
 # Create a dedicated user
 useradd -r mxisd
 # Create bin directory
 mkdir /opt/mxisd
 # Create config directory and set ownership
 mkdir /etc/mxisd
 chown mxisd /etc/mxisd
 # Create data directory and set ownership
 mkdir /var/opt/mxisd
 chown mxisd /var/opt/mxisd
 # Copy <repo root>/build/libs/mxisd.jar to bin directory
 cp ./build/libs/mxisd.jar /opt/mxisd/
 chown mxisd /opt/mxisd/mxisd.jar
 chmod a+x /opt/mxisd/mxisd.jar
 # Create symlink for easy exec
 ln -s /opt/mxisd/mxisd.jar /usr/bin/mxisd
 ```
 2. Copy the config file created earlier `./application.example.yaml` to `/etc/mxisd/mxisd.yaml`
 3. [Configure](#configuration)
 4. Copy `<repo root>/src/systemd/mxisd.service` to `/etc/systemd/system/` and edit if needed
 5. Enable service for auto-startup
 ```
 systemctl enable mxisd
 ```
 6. Start mxisd
 ```
 systemctl start mxisd
 ```
 # Configuration
 After following the specific instructions to create a config file from the sample:
 1. Set the `matrix.domain` value to the domain value used in your Home Server configuration
 2. Set an absolute location for the signing keys using `key.path`
 3. Configure the E-mail invite sender with items starting in `invite.sender.email`
 In case your IS public domain does not match your Matrix domain, see `server.name` and `server.publicUrl` 
 config items.
 ## Backends
 ### LDAP (AD, Samba, LDAP)
 If you want to use LDAP backend as an Identity store:
 1. Enable it with `ldap.enabled`
 2. Configure connection options using items starting in `ldap.connection`
 3. You may want to valid default values for `ldap.attribute` items
 ### SQL (SQLite, PostgreSQL)
 If you want to connect to use a synapse DB (SQLite or PostgreSQL) as Identity store, follow the example config for `sql` config items.
 ### REST (Webapps/websites integration)
 If you want to use the REST backend as an Identity store:
 1. Enable it with `rest.enabled`
 2. Configure options starting with `rest` and see the dedicated documentation in `docs/backends/rest.md`
 # Network Discovery
 To allow other federated Identity Server to reach yours, the same algorithm used for Homeservers takes place:
 1. Check for the appropriate DNS SRV record
 2. If not found, use the base domain
 If your Identity Server public hostname does not match your Matrix domain, configure the following DNS SRV entry 
 and replace `matrix.example.com` by your Identity server public hostname - **Make sure to end with a final dot!**
 ```
 _matrix-identity._tcp.example.com. 3600 IN SRV 10 0 443 matrix.example.com.
 ``` 
 This would only apply for 3PID that are DNS-based, like e-mails. For anything else, like phone numbers, no federation 
 is currently possible.  
 The port must be HTTPS capable. Typically, the port `8090` of mxisd should be behind a reverse proxy which does HTTPS.
 See the [integration section](#integration) for more details.
 # Integration
 - [HTTPS and Reverse proxy](https://github.com/kamax-io/mxisd/wiki/HTTPS)
 - [synapse](https://github.com/kamax-io/mxisd/wiki/Homeserver-Integration) as Identity server
 - [synapse with REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth/blob/master/README.md) 
 as authentication module
 # Support
 ## Community
-If you need help, want to report a bug or just say hi, you can reach us on Matrix at 
+Over Matrix: [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io) ([Preview](https://view.matrix.org/room/!NPRUEisLjcaMtHIzDr:kamax.io/))
 [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io) or [directly peek anonymously](https://view.matrix.org/room/!NPRUEisLjcaMtHIzDr:kamax.io/).
 For more high-level discussion about the Identity Server architecture/API, go to 
 [#matrix-identity:matrix.org](https://matrix.to/#/#matrix-identity:matrix.org)
-## Professional
+For more high-level discussion about the Identity Server architecture/API, go to  [#matrix-identity:kamax.io](https://matrix.to/#/#matrix-identity:kamax.io)
-If you would prefer professional support/custom development for mxisd and/or for Matrix in general, including other open source technologies/products, 
+
-please visit [our website](https://www.kamax.io/) to get in touch with us and get a quote.
+## Commercial
 If you would prefer professional support/custom development for mxisd and/or for Matrix in general, including other open
 source technologies/products:
 - Visit our [website](https://www.kamax.io/) to get in touch with us and get a quote.
 - Come in our general Matrix room: [#kamax-matrix:kamax.io](https://matrix.to/#/#kamax-matrix:kamax.io)
 # Contribute 
 You can contribute as a community member by:
 - Giving us feedback about your usage of mxisd, even if it seems unimportant or if all is working well!
 - Opening issues for any weird behaviour or bug. mxisd should feel natural, let us know if it does not!
 - Helping us improve the documentation: tell us what is good or not good (in an issue or in Matrix), or make a PR with
 changes you feel improve the doc.
 - Contribute code directly: we love contributors! All your contributions will be licensed under AGPLv3.
 - [Donate!](https://liberapay.com/maximusdor/) Any donation is welcome, regardless how small or big, and will directly
 be used for the fixed costs and developer time of mxisd.
 You can contribute as an organisation/corporation by:
 - Get a [support contract](#commercial). This is the best way you can help us as it ensures mxisd is
 maintained regularly and you get direct access to the support team.
 - Sponsoring new features or bug fixes. [Get in touch](#contact) so we can discuss it further.
 # FAQ
 See the [dedicated document](docs/faq.md)
 # Contact
 Get in touch via:
 - Matrix: [#mxisd:kamax.io](https://matrix.to/#/#mxisd:kamax.io)
 - Email: see our website: [Kamax.io](https://www.kamax.io)
--- a/application.example.yaml
+++ b/application.example.yaml
@@ -1,373 +1,30 @@
-# Sample configuration file explaining all possible options, their default value and if they are required or not.
+# Sample configuration file explaining the minimum required keys to be set to run mxisd
 #
-# Any optional configuration item will be prefixed by # (comment character) with the configuration item following
+# For a complete list of options, see https://github.com/kamax-matrix/mxisd
 # directly without any whitespace character.
 # Default values for optional configuration item will also follow such item.
 #
 # Any mandatory configuration item will not be prefixed by # and will also contain a value as example that must be
 # changed. It is advised to re-create a clean config file with only the required configuration item.
 #######################
 # Matrix config items #
 #######################
 # Matrix domain, same as the domain configure in your Homeserver configuration.
 # (note: in Synapse Homeserver, the Matrix domain may be defined as 'server_name' in configuration file).
 #
 # This is used to build the various identifiers for identity, auth and directory.
 matrix.domain: ''
-
+################
-#######################
+# Signing keys #
-# Server config items #
+################
 #######################
 # Indicate on which port the Identity Server will listen.
 #
 # This is be default an unencrypted port.
 # HTTPS can be configured using Tomcat configuration properties.
 #
 #server.port: 8090
 # Public hostname of this identity server.
 #
 # This would be typically be the same as your Matrix domain.
 # In case it is not, set this value.
 #
 # This value is used in various signatures within the Matrix protocol and should be a reachable hostname.
 # You can validate by ensuring you see a JSON answer when calling (replace the domain):
 # https://example.org/_matrix/identity/status
 #
 #server.name: 'example.org'
 # Public URL to reach this identity server
 #
 # This is used with 3PID invites in room and other Homeserver key verification workflow.
 # If left unconfigured, it will be generated from the server name.
 #
 # You should typically set this value if you want to change the public port under which
 # this Identity server is reachable.
 #
 # %SERVER_NAME% placeholder is available to avoid configuration duplication.
 # e.g. 'https://%SERVER_NAME%:8443'
 #
 #server.publicUrl: 'https://example.org'
 #############################
 # Signing keys config items #
 #############################
 # Absolute path for the Identity Server signing key.
 # During testing, /var/tmp/mxisd.key is a possible value
 #
-# For production, use a stable location like:
+# For production, recommended location shall be one of the following:
 #   - /var/opt/mxisd/sign.key
 #   - /var/local/mxisd/sign.key
 #   - /var/lib/mxisd/sign.key
 key.path: '/path/to/sign.key'
 #################################
 # Recurisve lookup config items #
 #################################
 # Configuration items for recursion-type of lookup
 #
-# Lookup access are divided into two types:
+# The signing key is auto-generated during execution time if not present.
-# - Local
+key.path: ''
 # - Remote
 #
 # This is similar to DNS lookup and recursion and is therefore prone to the same vulnerabilities.
 # By default, only non-public hosts are allowed to perform recursive lookup.
 #
 # This will also prevent very basic endless loops where host A ask host B, which in turn is configured to ask host A,
 # which would then ask host B again, etc.
 # Enable recursive lookup globally
 #
 #lookup.recursive.enabled: true
 # Whitelist of CIDR that will trigger a recursive lookup.
 # The default list includes all private IPv4 address and the IPv6 loopback.
 #
 #lookup.recursive.allowedCidr:
 #  - '127.0.0.0/8'
 #  - '10.0.0.0/8'
 #  - '172.16.0.0/12'
 #  - '192.168.0.0/16'
 #  - '::1/128'
 # In case no binding is found, query an application server which implements the single lookup end-point
 # to return bridge virtual user that would allow the user to be contacted directly by the said bridge.
 #
 # If a binding is returned, the application server is not expected to sign the message as it is not meant to be
 # reachable from the outside.
 # If a signature is provided, it will be discarded/replaced by this IS implementation (to be implemented).
 #
 # IMPORTANT: This bypass the regular Invite system of the Homeserver. It will be up to the Application Server
 # to handle such invite. Also, if the bridged user were to actually join Matrix later, or if a 3PID binding is found
 # room rights and history would not be transferred, as it would appear as a regular Matrix user to the Homeserver.
 #
 # This configuration is only helpful for Application Services that want to overwrite bridging for 3PID that are
 # handled by the Homeserver. Do not enable unless the Application Server specifically supports it!
 # Enable unknown 3PID bridging globally
 #
 #lookup.recursive.bridge.enabled: false
 # Enable unknown 3PID bridging for hosts that are allowed to perform recursive lookups.
 # Leaving this setting to true is highly recommended in a standard setup, unless this Identity Server
 # is meant to always return a virtual user MXID even for the outside world.
 #
 #lookup.recursive.bridge.recursiveOnly: true
 # This mechanism can handle the following scenarios:
 #
 # - Single Application Server for all 3PID types: only configure the server value, comment out the rest.
 #
 # - Specific Application Server for some 3PID types, default server for the rest: configure the server value and
 #          each specific 3PID type.
 #
 # - Only specific 3PID types: do not configure the server value or leave it empty/blank, configure each specific
 #          3PID type.
 # Default application server to use for all 3PID types. Remove config item or leave empty/blank to disable.
 #
 #lookup.recursive.bridge.server: ''
 # Configure each 3PID type with a specific application server. Remove config item or leave empty/blank to disable.
 #
 #lookup.recursive.bridge.mappings.email: 'http://localhost:8091'
 #lookup.recursive.bridge.mappings.msisdn: ''
 #####################
 # LDAP config items #
 #####################
 # Global enable/disable switch
 #
 #ldap.enabled: false
 #### Connection related config items
 # If the connection should be secure
 #
 #ldap.connection.tls: false
 # Host to connect to
 #
 #ldap.connection.host: 'localhost'
 # Port to connect to
 #
 #ldap.connection.port: 389
 # Bind DN for the connection.
 #
 # If Bind DN and password are empty, anonymous authentication is performed
 #
 #ldap.connection.bindDn: 'CN=Matrix Identity Server,CN=Users,DC=example,DC=org'
 # Bind password for the connection.
 #
 #ldap.connection.bindPassword: 'password'
 # Base DN used in all queries
 #
 #ldap.connection.baseDn: 'CN=Users,DC=example,DC=org'
 #### How to map Matrix attributes with LDAP attributes when performing lookup/auth
 #
 # How should we resolve the Matrix ID in case of a match using the attribute.
 #
 # The following type are supported:
 # - uid : the attribute only contains the UID part of the Matrix ID. e.g. 'john.doe' in @john.doe:example.org
 # - mxid : the attribute contains the full Matrix ID - e.g. '@john.doe:example.org'
 #
 #ldap.attribute.uid.type: 'uid'
 # The attribute containing the binding itself. This value will be used differently depending on the type.
 #
 # /!\ This should match the synapse LDAP Authenticator 'uid' configuration /!\
 #
 # Typical values:
 # - For type 'uid': 'userPrincipalName' or 'uid' or 'saMAccountName'
 # - For type 'mxid', regardless of the directory type, we recommend using 'pager' as it is a standard attribute and
 #   is typically not used.
 #
 #ldap.attribute.uid.value: 'userPrincipalName'
 # The display name of the user
 #
 #ldap.attribute.name: 'displayName'
 #### Configuration section relating the authentication of users performed via LDAP.
 #
 # This can be done using the REST Auth module for synapse and pointing it to the identity server.
 # See https://github.com/kamax-io/matrix-synapse-rest-auth
 #
 # During authentication, What to filter potential users by, typically by using a dedicated group.
 # If this value is not set, login check will be performed for all entities within the LDAP
 #
 # Example: (memberOf=CN=Matrix Users,CN=Users,DC=example,DC=org)
 #
 #ldap.auth.filter: ''
 #### Configuration section relating to identity lookups
 #
 # E-mail query
 #
 #ldap.identity.medium.email: "(|(mailPrimaryAddress=%3pid)(mail=%3pid)(otherMailbox=%3pid))"
 # Phone numbers query
 #
 # Phone numbers use the MSISDN format: https://en.wikipedia.org/wiki/MSISDN
 # This format does not include international prefix (+ or 00) and therefore has to be put in the query.
 # Adapt this to your needs for each attribute.
 #
 #ldap.identity.medium.msisdn: "(|(telephoneNumber=+%3pid)(mobile=+%3pid)(homePhone=+%3pid)(otherTelephone=+%3pid)(otherMobile=+%3pid)(otherHomePhone=+%3pid))"
 ############################
 # SQL Provider config item #
 ############################
 #
 # Example configuration to integrate with synapse SQLite DB (default configuration)
 #
 #sql.enabled: true
 #sql.type: 'sqlite'
 #sql.connection: '/var/lib/matrix-synapse/homeserver.db'
 #
 # Example configuration to integrate with synapse PostgreSQL DB
 #sql.enabled: true
 #sql.type: 'postgresql'
 #sql.connection: '//dnsOrIpToServer/dbName?user=synapseDbUser&password=synapseDbPassword'
 #
 # Configuration for an arbitrary server with arbitrary driver
 #
 # sql.identity.type possible values:
 # - uid       Returned value is the localpart of the Matrix ID
 # - mxid      Full Matrix ID, including domain
 #
 # sql.identity.query MUST contain a column with label 'uid'
 #
 # If you would like to overwrite the global lookup query for specific medium type,
 # add a config item (see below for example) in the following format
 # sql.identity.medium.theMediumIdYouWant: 'the query'
 #sql.enabled: true
 #sql.type: 'jdbcDriverName'
 #sql.connection: '//dnsOrIpToServer/dbName?user=synapseDbUser&password=synapseDbPassword'
 #sql.identity.type: 'mxid'
 #sql.identity.query: 'SELECT raw AS uid FROM table WHERE medium = ? AND address = ?'
 #sql.identity.medium.email: 'SELECT raw AS uid FROM emailTable WHERE address = ?'
 #######################################
 # Lookup queries forward config items #
 #######################################
 # List of forwarders to use to try to match a 3PID.
 #
 # Each server will be tried in the given order, going to the next if no binding was found or an error occurred.
 # These are the current root Identity Servers of the Matrix network.
 #
 #forward.servers:
 #  - "https://matrix.org"
 #  - "https://vector.im"
 #############################
 # 3PID invites config items #
 #############################
 #
 #### E-mail invite sender
 #
 # SMTP host
 invite.sender.email.host: "smtp.example.org"
 # SMTP port
 invite.sender.email.port: 587
 # TLS mode for the connection.
 #
 # Possible values:
 #  0    Disable TLS entirely
 #  1    Enable TLS if supported by server
 #  2    Force TLS and fail if not available
 #
 #invite.sender.email.tls: 1
 # Login for SMTP
 invite.sender.email.login: "matrix-identity@example.org"
 # Password for the account
 invite.sender.email.password: "ThePassword"
 # The e-mail to send as. If empty, will be the same as login
 invite.sender.email.email: "matrix-identity@example.org"
 # The display name used in the e-mail
 #
 #invite.sender.email.name: "mxisd Identity Server"
 # The E-mail template to use, using built-in template by default
 #
 # The template is expected to be a full e-mail body, including client headers, using MIME and UTF-8 encoding.
 # The following headers will be set by mxisd directly and should not be present in the template:
 # - From
 # - To
 # - Date
 # - Message-Id
 # - X-Mailer
 #
 # The following placeholders are available:
 # - %DOMAIN%                Domain name as per server.name config item
 # - %DOMAIN_PRETTY%         Word capitalize version of the domain. e.g. example.org -> Example.org
 # - %FROM_EMAIL%            Value of this section's email config item
 # - %FROM_NAME%             Value of this section's name config item
 # - %SENDER_ID%             Matrix ID of the invitation sender
 # - %SENDER_NAME%           Display name of the invitation sender, empty if not available
 # - %SENDER_NAME_OR_ID%     Value of %SENDER_NAME% or, if empty, value of %SENDER_ID%
 # - %INVITE_MEDIUM%         Medium of the invite (e.g. email, msisdn)
 # - %INVITE_ADDRESS%        Address used to invite
 # - %ROOM_ID%               ID of the room where the invitation took place
 # - %ROOM_NAME%             Name of the room, empty if not available
 # - %ROOM_NAME_OR_ID%       Value of %ROOM_NAME% or, if empty, value of %ROOM_ID%
 #
 #invite.sender.email.template: "/absolute/path/to/file"
 ############################
@@ -380,10 +37,7 @@ invite.sender.email.email: "matrix-identity@example.org"
 #
 #storage.backend: 'sqlite'
-
+# Path to the SQLite DB file
 #### Generic SQLite provider config
 #
 # Path to the SQLite DB file, required if SQLite backend is chosen
 #
 # Examples:
 #  - /var/opt/mxisd/mxisd.db
@@ -393,22 +47,68 @@ invite.sender.email.email: "matrix-identity@example.org"
 storage.provider.sqlite.database: '/path/to/mxisd.db'
-
+####################
-######################
+# Fallback servers #
-# DNS-related config #
+####################
 ######################
 # The domain to overwrite
 #
-#dns.overwrite.homeserver.name: 'example.org'
+# Root/Central servers to be used as final fallback when performing lookups.
-
+# By default, for privacy reasons, matrix.org servers are not enabled anymore.
-
+# See the following issue: https://github.com/kamax-matrix/mxisd/issues/76
 # - 'env' from environment variable specified by value
 # - any other value will use the value as-is as host
 #
-#dns.overwrite.homeserver.type: 'raw'
+# If you would like to use them and trade away your privacy for convenience, uncomment the following option:
 # The value to use, depending on the type.
 # Protocol will always be HTTPS
 #
-#dns.overwrite.homeserver.value: 'localhost:8448'
+#forward.servers: ['matrix-org']
 ################
 # LDAP Backend #
 ################
 # If you would like to integrate with your AD/Samba/LDAP server,
 # see https://github.com/kamax-matrix/mxisd/blob/master/docs/backends/ldap.md
 ###############
 # SQL Backend #
 ###############
 # If you would like to integrate with a MySQL/MariaDB/PostgreQL/SQLite DB,
 # see https://github.com/kamax-matrix/mxisd/blob/master/docs/backends/sql.md
 ################
 # REST Backend #
 ################
 # If you would like to integrate with an existing web service/webapp,
 # see https://github.com/kamax-matrix/mxisd/blob/master/docs/backends/rest.md
 #################################################
 # Notifications for invites/addition to profile #
 #################################################
 # If you would like to change the content,
 # see https://github.com/kamax-matrix/mxisd/blob/master/docs/threepids/notifications/template-generator.md
 #
 #### E-mail invite sender
 #
 # SMTP host
 threepid.medium.email.connectors.smtp.host: "smtp.example.org"
 # SMTP port
 threepid.medium.email.connectors.smtp.port: 587
 # TLS mode for the connection.
 #
 # Possible values:
 #  0    Disable TLS entirely
 #  1    Enable TLS if supported by server (default)
 #  2    Force TLS and fail if not available
 #
 #threepid.medium.email.connectors.smtp.tls: 1
 # Login for SMTP
 threepid.medium.email.connectors.smtp.login: "matrix-identity@example.org"
 # Password for the account
 threepid.medium.email.connectors.smtp.password: "ThePassword"
 # The e-mail to send as.
 threepid.medium.email.identity.from: "matrix-identity@example.org"
--- a/build.gradle
+++ b/build.gradle
@@ -1,10 +1,8 @@
 import java.util.regex.Pattern
 /*
 * mxisd - Matrix Identity Server Daemon
- * Copyright (C) 2017 Maxime Dor
+ * Copyright (C) 2017 Kamax Sarl
 *
- * https://max.kamax.io/
+ * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
@@ -20,7 +18,9 @@ import java.util.regex.Pattern
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
-apply plugin: 'groovy'
+import java.util.regex.Pattern
 apply plugin: 'java'
 apply plugin: 'org.springframework.boot'
 def confFileName = "application.example.yaml"
@@ -47,7 +47,7 @@ String gitVersion() {
    def versionPattern = Pattern.compile("v(\\d+\\.)?(\\d+\\.)?(\\d+)(-.*)?")
    ByteArrayOutputStream out = new ByteArrayOutputStream()
    exec {
-        commandLine = [ 'git', 'describe', '--always', '--dirty' ]
+        commandLine = ['git', 'describe', '--tags', '--always', '--dirty']
        standardOutput = out
    }
    def v = out.toString().replace(System.lineSeparator(), '')
@@ -65,25 +65,23 @@ buildscript {
 }
 repositories {
    maven { url "https://kamax.io/maven/releases/" }
    mavenCentral()
    maven { url "https://kamax.io/maven/releases/" }
    maven { url "https://kamax.io/maven/snapshots/" }
 }
 dependencies {
    // We are a groovy project
    compile 'org.codehaus.groovy:groovy-all:2.4.7'
    // Easy file management
    compile 'commons-io:commons-io:2.5'
    // Spring Boot - standalone app
-    compile 'org.springframework.boot:spring-boot-starter-web:1.5.3.RELEASE'
+    compile 'org.springframework.boot:spring-boot-starter-web:1.5.10.RELEASE'
    // Thymeleaf for HTML templates
-    compile "org.springframework.boot:spring-boot-starter-thymeleaf:1.5.3.RELEASE"
+    compile "org.springframework.boot:spring-boot-starter-thymeleaf:1.5.10.RELEASE"
    // Matrix Java SDK
-    compile 'io.kamax:matrix-java-sdk:0.0.2'
+    compile 'io.kamax:matrix-java-sdk:0.0.14-8-g0e57ec6'
    // ed25519 handling
    compile 'net.i2p.crypto:eddsa:0.1.0'
@@ -97,9 +95,6 @@ dependencies {
    // HTTP connections
    compile 'org.apache.httpcomponents:httpclient:4.5.3'
    // JSON
    compile 'com.google.code.gson:gson:2.8.1'
    // Phone numbers validation
    compile 'com.googlecode.libphonenumber:libphonenumber:8.7.1'
@@ -113,12 +108,24 @@ dependencies {
    // ORMLite
    compile 'com.j256.ormlite:ormlite-jdbc:5.0'
    // Connection Pool
    compile 'com.mchange:c3p0:0.9.5.2'
    // SQLite
    compile 'org.xerial:sqlite-jdbc:3.20.0'
    // PostgreSQL
    compile 'org.postgresql:postgresql:42.1.4'
    // MariaDB/MySQL
    compile 'org.mariadb.jdbc:mariadb-java-client:2.1.2'
    // Twilio SDK for SMS
    compile 'com.twilio.sdk:twilio:7.14.5'
    // SendGrid SDK to send emails from GCE
    compile 'com.sendgrid:sendgrid-java:2.2.2'
    testCompile 'junit:junit:4.12'
    testCompile 'com.github.tomakehurst:wiremock:2.8.0'
 }
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,25 @@
 # Table of Contents
 - [Identity Concepts in Matrix](concepts.md)
 - [Getting Started](getting-started.md)
 - [Build from sources](build.md) (Optional)
 - Installation
  - [Debian package](install/debian.md)
  - [ArchLinux](install/archlinux.md)
  - [Docker](install/docker.md)
  - [From source](install/source.md)
 - [Architecture overview](architecture.md)
 - [Configuration](configure.md)
 - Features
  - [Authentication](features/authentication.md)
  - [Directory search](features/directory.md)
  - [Identity](features/identity.md)
  - [Federation](features/federation.md)
  - [Bridge integration](features/bridge-integration.md)
 - [Identity Stores](stores/README.md)
 - Notifications
  - Handlers
    - [Basic](threepids/notification/basic-handler.md)
    - [SendGrid](threepids/notification/sendgrid-handler.md)
 - [Sessions](threepids/session/session.md)
  - [Views](threepids/session/session-views.md)
 - [FAQ](faq.md)
--- a/docs/_config.yml
+++ b/docs/_config.yml
@@ -0,0 +1 @@
 theme: jekyll-theme-cayman
--- a/docs/architecture.md
+++ b/docs/architecture.md
@@ -0,0 +1,40 @@
 # Architecture
 ## Overview
 ### Basic setup with default settings
 ```
 Client
   |
 TCP 443
   |   +---------------------+            +---------------------------+
   +-> | Reverse proxy       |            | Homeserver                |
       |                     | TCP 8008   |                           |
       |  /_matrix/* -------------------> | - 3PID invite from client |
       |                     |            |   |                       |
       |  /_matrix/identity/ |            |   |                       |
       +--|------------------+            +---|-----------------------+
          |                                   |
          +<---------------------------------<+
          |
          |   +-------------------+
 TCP 8090 +-> | mxisd             |
              |                   |
              | - Profile's 3PIDs |
              | - 3PID Invites    |
              +-|-----------------+
                |
             TCP 443
                |  +------------------------+
                |  | Remote Federated       |
                |  | mxisd servers          |
                |  |                        |
                +--> - 3PID Invites         |
                   +------------------------+
 ```
 ### With Authentication
 See the [dedicated document](features/authentication.md).
 ### With Directory
 See the [dedicated document](features/directory.md).
 ### With Federation
 See the [dedicated document](features/federation.md).
--- a/docs/build.md
+++ b/docs/build.md
@@ -0,0 +1,73 @@
 # From source
 - [Binaries](#binaries)
  - [Requirements](#requirements)
  - [Build](#build)
 - [Debian package](#debian-package)
 - [Docker image](#docker-image)
 - [Next steps](#next-steps)
 ## Binaries
 ### Requirements
 - JDK 1.8
 ### Build
 ```bash
 git clone https://github.com/kamax-matrix/mxisd.git
 cd mxisd
 ./gradlew build
 ```
 Create a new configuration file by coping `application.example.yaml` to `application.yaml` and edit to your needs.  
 For advanced configuration, see the [Configure section](configure.md).  
 **NOTE**: `application.yaml` is also called `mxisd.yaml` in some specific installations.
 Start the server in foreground to validate the build and configuration:
 ```bash
 java -jar build/libs/mxisd.jar
 ```
 Ensure the signing key is available:
 ```bash
 $ curl 'http://localhost:8090/_matrix/identity/api/v1/pubkey/ed25519:0'
 {"public_key":"..."}
 ```
 Test basic recursive lookup (requires Internet connection with access to TCP 443):
 ```bash
 $ curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=mxisd-federation-test@kamax.io'
 {"address":"mxisd-federation-test@kamax.io","medium":"email","mxid":"@mxisd-lookup-test:kamax.io",...}
 ```
 If you enabled LDAP, you can also validate your config with a similar request after replacing the `address` value with
 something present within your LDAP
 ```bash
 curl 'http://localhost:8090/_matrix/identity/api/v1/lookup?medium=email&address=john.doe@example.org'
 ```
 If you plan on testing the integration with a homeserver, you will need to run an HTTPS reverse proxy in front of it
 as the reference Home Server implementation [synapse](https://github.com/matrix-org/synapse) requires a HTTPS connection
 to an ID server.  
 Next step: [Install your compiled binaries](install/source.md)
 ## Debian package
 Requirements:
 - fakeroot
 - dpkg-deb
 [Build mxisd](#build) then:
 ```bash
 ./gradlew buildDeb 
 ```
 You will find the debian package in `build/dist`.  
 Then follow the instruction in the [Debian package](install/debian.md) document.
 ## Docker image
 [Build mxisd](#build) then:
 ```bash
 ./gradlew dockerBuild
 ```
 Then follow the instructions in the [Docker install](install/docker.md#configure) document.
 ## Next steps
 - [Integrate with your infrastructure](getting-started.md#integrate)
--- a/docs/concepts.md
+++ b/docs/concepts.md
@@ -0,0 +1,43 @@
 # Concepts
 - [Matrix](#matrix)
 - [mxisd](#mxisd)
 ## Matrix
 The following concepts are part of the Matrix ecosystem and specification.
 ### 3PID
 `3PID` stands for Third-Party Identifier.  
 It is also commonly written:
 - `3pid`
 - `tpid`
 A 3PID is a globally unique canonical identifier which is made of:
 - Medium, which describes what network it belongs to (Email, Phone, Twitter, Discord, etc.)
 - Address, the actual value people typically use on a daily basis.
 mxisd core mission is to map those identifiers to Matrix User IDs.
 ### Homeserver
 Where a user **account and data** are stored.
 ### Identity server
 An Identity server:
 - Does lookup of 3PIDs to User Matrix IDs.
 - Does validate 3PIDs ownership, typically by sending a code that the user has to enter in an application/on a website.
 - Does send notifications about room invites where no Matrix User ID could be found for the invitee.
 An Identity server:
 - **DOES NOT** store user accounts.
 - **DOES NOT** store user data.
 - **DOES NOT** allow migration of user account and/or data between homeservers. 
 ### 3PID session
 The fact to validate a 3PID (email, phone number, etc.) via the introduction of a token which was sent to the 3PID address.
 ## mxisd
 The following concepts are specific to mxisd.
 ### Identity store
 Where your user accounts and 3PID mappings are stored.
 mxisd itself **DOES NOT STORE** user accounts or 3PID mappings.
--- a/docs/configure.md
+++ b/docs/configure.md
@@ -0,0 +1,102 @@
 # Configuration
 - [Concepts](#concepts)
  - [Syntax](#syntax)
  - [Variables](#variables)
 - [Matrix](#matrix)
 - [Server](#server)
 - [Storage](#storage)
 - [Identity stores](#identity-stores)
 - [3PID Validation sessions](#3pid-validation-sessions)
 - [Notifications](#notifications)
 ## Concepts
 ### Syntax
 The configuration file is [YAML](http://yaml.org/) based, allowing two types of syntax.
 Properties-like:
 ```yaml
 my.config.item: 'value'
 ```
 Object-like:
 ```yaml
 my:
  config:
    item: 'value'
 ```
 These can also be combined within the same file.  
 Both syntax will be used interchangeably in these documents.
 ### Variables
 It is possible to copy the value of a configuration item into another using the syntax `${config.key.item}`.  
 Example that will copy the value of `matrix.domain` into `server.name`:
 ```yaml
 matrix:
  domain: 'example.org'
 server:
  name: '${matrix.domain}'
 ```
 **WARNING:** mxisd might overwrite/adapt some values during launch. Those changes will not be reflected into copied keys.
 ## Matrix
 `matrix.domain`
 Matrix domain name, same as the Homeserver, used to build appropriate Matrix IDs |
 ---
 `matrix.identity.servers`
 Namespace to create arbitrary list of Identity servers, usable in other parts of the configuration |
 Example:
 ```yaml
 matrix.identity.servers:
  myOtherServers:
    - 'https://other1.example.org'
    - 'https://other2.example.org'
 ```
 Create a list under the label `root` containing a single Identity server, `https://matrix.org`
 ## Server
 - `server.name`: Public hostname of mxisd, if different from the Matrix domain.
 - `server.port`: HTTP port to listen on (unencrypted)
 - `server.publicUrl`: Defaults to `https://${server.name}`
 ## Storage
 ### SQLite
 `storage.provider.sqlite.database`: Absolute location of the SQLite database
 ## Identity stores
 See the [Identity stores](stores/README.md) for specific configuration
 ## 3PID Validation sessions
 See the dedicated documents:
 - [Flow](threepids/session/session.md)
 - [Branding](threepids/session/session-views.md)
 ## Notifications
 - `notification.handler.<3PID medium>`: Handler to use for the given 3PID medium. Repeatable.
 Example:
 ```yaml
 notification.handler.email: 'sendgrid'
 notification.handler.msisdn: 'raw'
 ```
 - Emails notifications would use the `sendgrid` handler, which define its own configuration under `notification.handlers.sendgrid`
 - Phone notification would use the `raw` handler, basic default built-in handler of mxisd
 ### Handlers
 - `notification.handers.<handler ID>`: Handler-specific configuration for the given handler ID. Repeatable.
 Example:
 ```yaml
 notification.handlers.raw: ...
 notification.handlers.sendgrid: ...
 ```
 Built-in:
 - [Raw](threepids/notification/basic-handler.md)
 - [SendGrid](threepids/notification/sendgrid-handler.md)
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -0,0 +1,87 @@
 # Frequently Asked Questions
 ### This is all very complicated and I'm getting confused with all the words, concepts and diagrams - Help!
 Matrix is still a very young protocol and there are a whole lot of rough edges.  
 Identity in Matrix is one of the most difficult topic, mainly as it has not received much love in the past years.
 We have tried our best to put together documentation that requires almost no knowledge of Matrix inner workings to get a
 first basic setup running which relies on you reading the documentation in the right order:
 - [The Concepts](concepts.md) in few words.
 - [Getting Started](getting-started.md) step-by-step to a minimal working install.
 - [Identity stores](stores/README.md) you wish to fetch data from.
 - [Features](features) you are interested in that will use your Identity store(s) data.
 **IMPORTANT**: Be aware that mxisd tries to fit within the current protocol and existing products and basic understanding
 of the Matrix protocol is required for some advanced features.
 If all fails, come over to [the project room](https://matrix.to/#/#mxisd:kamax.io) and we'll do our best to get you
 started and answer questions you might have.
 ### Do I need to use mxisd if I run a Homeserver?
 No, but it is strongly recommended, even if you don't use any Identity store or integration.
 In its default configuration, mxisd uses other federated public servers when performing queries.  
 It can also [be configured](features/identity.md#lookups) to use the central matrix.org servers, giving you access to at
 least the same information as if you were not running it.
 It will also give your users a choice to make their 3PIDs available publicly, ensuring they are made aware of the
 privacy consequences, which is not the case with the central Matrix.org servers.
 So mxisd is like your gatekeeper and guardian angel. It does not change what you already know, just adds some nice
 simple features on top of it.
 ### I'm not sure I understand what an "Identity server" is supposed to be or do...
 The current Identity service API is more a placeholder, as the Matrix devs did not have time so far to really work on
 what they want to do with that part of the ecosystem. Therefore, "Identity" is currently a misleading word and concept.
 Given the scope of the current Identity Service API, it would be best called "Invitation service".
 Because the current scope is so limited and no integration is done with the Homeserver, there was a big lack of features
 for groups/corporations/organisation. This is where mxisd comes in.
 mxisd implements the Identity Service API and also a set of features which are expected by regular users, truly living
 up to its "Identity server" name.
 ### Can I migrate my existing account on another Matrix server with mxisd?
 No.
 Accounts cannot currently migrate/move from one server to another.  
 See a [brief explanation document](concepts.md) about Matrix and mxisd concepts and vocabulary.
 ### I already use the synapse LDAP3 auth provider. Why should I care about mxisd?
 The [synapse LDAP3 auth provider](https://github.com/matrix-org/matrix-synapse-ldap3) is not longer maintained and
 only handles on specific flow: validate credentials at login.
 It does not:
 - Auto-provision user profiles
 - Integrate with Identity management
 - Integrate with Directory searches
 mxisd is a replacement and enhancement of it, offering coherent results in all areas, which the LDAP3 auth provider
 does not.
 ### Sydent is the official Identity server implementation of the Matrix team. Why not use that?
 You can, but [sydent](https://github.com/matrix-org/sydent):
 - [should not be used and/or self-hosted](https://github.com/matrix-org/sydent/issues/22)
 - is not meant to be linked to a specific Homeserver / domain
 - cannot handle federation or proxy lookups, effectively isolating your users from the rest of the network
 - forces you to duplicate all your identity data, so people can be found by 3PIDs
 - forces users to enter all their emails and phone numbers manually in their profile
 So really, you should go with mxisd.
 ### Will I loose access to the central Matrix.org/Vector.im Identity data if I use mxisd?
 No.
 In its default configuration, mxisd does not talk to the central Identity server matrix.org to avoid leaking your private
 data and those of people you might know.
 mxisd [can be configured](features/identity.md#lookups) to talk to the central Identity servers if you wish.
 ### So mxisd is just a big hack! I don't want to use non-official features!
 mxisd primary concerns are your privacy and to always be compatible with the Matrix ecosystem and the Identity service API.  
 Whenever the API will be updated and/or enhanced, mxisd will follow, remaining 100% compatible with the ecosystem.
 ### Should I use mxisd if I don't host my own Homeserver?
 No.
 It is possible, but it is not supported and the scope of features will be extremely limited.
 Please consider hosting your own Homeserver and using mxisd alongside it.
--- a/docs/features/authentication.md
+++ b/docs/features/authentication.md
@@ -0,0 +1,155 @@
 # Authentication
 - [Description](#description)
 - [Basic](#basic)
  - [Overview](#overview)
  - [synapse](#synapse)
  - [mxisd](#mxisd)
  - [Validate](#validate)
  - [Next steps](#next-steps)
    - [Profile auto-fil](#profile-auto-fill)
 - [Advanced](#advanced)
  - [Overview](#overview-1)
  - [Requirements](#requirements)
  - [Configuration](#configuration)
    - [Reverse Proxy](#reverse-proxy)
      - [Apache2](#apache2)
    - [DNS Overwrite](#dns-overwrite)
 ## Description
 Authentication is an enhanced feature of mxisd to ensure coherent and centralized identity management.  
 It allows to use Identity stores configured in mxisd to authenticate users on your Homeserver.
 Authentication is divided into two parts:
 - [Basic](#basic): authenticate with a regular username.
 - [Advanced](#advanced): same as basic with extra ability to authenticate using a 3PID.
 ## Basic
 Authentication by username is possible by linking synapse and mxisd together using a specific module for synapse, also
 known as password provider.
 ### Overview
 An overview of the Basic Authentication process:
 ```
                                                                                    Identity stores
 Client                                                                             +------+
   |                                            +-------------------------+    +--> | LDAP |
   |   +---------------+  /_matrix/identity     | mxisd                   |    |    +------+
   +-> | Reverse proxy | >------------------+   |                         |    |
       +--|------------+                    |   |                         |    |    +--------+
          |                                 +-----> Check ID stores     >------+--> | SQL DB |
     Login request                          |   |                         |    |    +--------+
          |                                 |   |     |                   |    |
          |   +--------------------------+  |   +-----|-------------------+    +-->  ...
          +-> | Homeserver               |  |         |
              |                          |  |         |
              | - Validate credentials >----+         |
              |   Using REST auth module |            |
              |                          |            |
              | - Auto-provision <-------------------<+
              |   user profiles          |    If valid credentials and supported by Identity store(s)
              +--------------------------+
 ```
 Performed on [synapse with REST auth module](https://github.com/kamax-io/matrix-synapse-rest-auth/blob/master/README.md)
 ### Synapse
 - Install the [password provider](https://github.com/kamax-io/matrix-synapse-rest-auth)
 - Edit your **synapse** configuration:
  - As described by the auth module documentation
  - Set `endpoint` to `http://mxisdAddress:8090` - Replace `mxisdAddress` by an IP/host name that provides a direct
  connection to mxisd.  
  This **MUST NOT** be a public address, and SHOULD NOT go through a reverse proxy.
 - Restart synapse
 ### mxisd
 - Configure and enable at least one [Identity store](../stores/README.md)
 - Restart mxisd
 ### Validate
 Login on the Homeserver using credentials present in one of your Identity stores.
 ## Next steps
 ### Profile auto-fill
 Auto-filling user profile depends on its support by your configured Identity stores.  
 See your Identity store [documentation](../stores/README.md) on how to enable the feature.
 ## Advanced
 The Authentication feature allows users to login to their Homeserver by using their 3PIDs in a configured Identity store.
 ### Overview
 This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/login` as depicted below:
 ```
            +----------------------------+
            |  Reverse Proxy             |
            |                            |
            |                            |     Step 1    +---------------------------+     Step 2
            |                            |               |                           |
 Client+---->| /_matrix/client/r0/login +---------------->|                           | Look up address  +---------+
            |                      ^     |               |  mxisd - Identity server  +----------------->| Backend |
            |                      |     |               |                           |                  +---------+
            | /_matrix/* +--+      +---------------------+                           |
            |               |            |               +---------------+-----------+
            |               |            |     Step 4                    |
            |               |            |                               | Step 3
            +---------------|------------+                               |
                            |                                            | /_matrix/client/r0/login
                            |                       +--------------+     |
                            |                       |              |     |
                            +---------------------->|  Homeserver  |<----+
                                                    |              |
                                                    +--------------+
 ```
 Steps of user authentication using a 3PID:
 1. The intercepted login request is directly sent to mxisd instead of the Homeserver.
 2. Identity stores are queried for a matching user identity in order to modify the request to use the user name.
 3. The Homeserver, from which the request was intercepted, is queried using the request at previous step.
   Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
 4. The response from the Homeserver is sent back to the client, believing it was the HS which directly answered.
 ### Requirements
 - [Basic Authentication configured and working](#basic)
 - Reverse proxy setup
 - Homeserver
 - Compatible [Identity store](../stores/README.md)
 ### Configuration
 #### Reverse Proxy
 ##### Apache2
 The specific configuration to put under the relevant `VirtualHost`:
 ```apache
 ProxyPass /_matrix/client/r0/login http://localhost:8090/_matrix/client/r0/login
 ```
 `ProxyPreserveHost` or equivalent **must** be enabled to detect to which Homeserver mxisd should talk to when building results.
 Your VirtualHost should now look similar to:
 ```apache
 <VirtualHost *:443>
    ServerName example.org
    ...
    ProxyPreserveHost on
    ProxyPass /_matrix/client/r0/login http://localhost:8090/_matrix/client/r0/login
    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
 #### DNS Overwrite
 Just like you need to configure a reverse proxy to send client requests to mxisd, you also need to configure mxisd with
 the internal IP of the Homeserver so it can talk to it directly to integrate its directory search.
 To do so, put the following configuration in your mxisd configuration:
 ```yaml
 dns.overwrite.homeserver.client:
  - name: 'example.org'
    value: 'http://localhost:8008'
 ```
 `name` must be the hostname of the URL that clients use when connecting to the Homeserver.
 You can use `${server.name}` to auto-populate the `value` using the `server.name` configuration option and avoid duplicating it.
 In case the hostname is the same as your Matrix domain and `server.name` is not explicitely set in the config, `server.name` will default to
 `matrix.domain` and will still probably have the correct value.
 `value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
--- a/docs/features/bridge-integration.md
+++ b/docs/features/bridge-integration.md
@@ -0,0 +1,28 @@
 # Bridge Integration
 To help natural bridge integration into the regular usage of a Matrix client, mxisd provides a way for bridge to reply
 to 3PID queries if no mapping was found, allowing seamless bridging to a network.
 This is performed by implementing a specific endpoint on the bridge to map a 3PID lookup to a virtual user.
 **NOTE**: This document is incomplete and might be misleading. In doubt, come in our Matrix room.  
 You can also look at our [Email Bridge README](https://github.com/kamax-io/matrix-appservice-email#mxisd) for an example
 of working configuration.
 ## Configuration
 ```yaml
 lookup.recursive.bridge.enabled: <boolean>
 lookup.recursive.bridge.recursiveOnly: <boolean>
 lookup.recursive.bridge.server: <URL to the bridge endpoint for all 3PID medium>
 lookup.recursive.bridge.mappings:
  <3PID MEDIUM HERE>: <URL to dedicated bridge for that medium>
 ```
 ## Integration
 Implement a simplified version of the [Identity service single lookup endpoint](https://kamax.io/matrix/api/identity_service/unstable.html#get-matrix-identity-api-v1-lookup)
 with only the following parameters needed:
 - `address`
 - `medium`
 - `mxid`
 Or an empty object if no resolution exists or desired.
--- a/docs/features/directory.md
+++ b/docs/features/directory.md
@@ -0,0 +1,149 @@
 # User Directory
 - [Description](#description)
 - [Overview](#overview)
 - [Requirements](#requirements)
 - [Configuration](#configuration)
  - [Reverse Proxy](#reverse-proxy)
    - [Apache2](#apache2)
    - [nginx](#nginx)
  - [DNS Overwrite](#dns-overwrite)
 - [Next steps](#next-steps)
 ## Description
 This feature allows you to search for existing and/or potential users that are already present in your Identity backend
 or that already share a room with you on the Homeserver.
 Without any integration, synapse:
 - Only search within the users **already** known to you or in public rooms
 - Only search on the Display Name and the Matrix ID
 By enabling this feature, you can by default:
 - Search on Matrix ID, Display name and 3PIDs (Email, phone numbers) of any users already in your configured backend
 - Search for users which you are not in contact with yet. Super useful for corporations who want to give Matrix access
 internally, so users can just find themselves **prior** to having any common room(s)
 - Add extra attributes of your backend to extend the search
 - Include your homeserver search results to those found by mxisd
 By integrating mxisd, you get the default behaviour and a bunch of extras, ensuring your users will always find each other.
 ## Overview
 This is performed by intercepting the Homeserver endpoint `/_matrix/client/r0/user_directory/search` like so:
 ```
           +----------------------------------------------+
 Client --> | Reverse proxy                                                                         Step 2
           |                                              Step 1    +-------------------------+
           |   /_matrix/client/r0/user_directory/search ----------> |                         |  Search in   +---------+
           |                        /\                              | mxisd - Identity server | -----------> | Backend |
           |   /_matrix/*            \----------------------------- |                         |  all users   +---------+
           |        |            Step 4: Send back merged results   +-------------------------+
           +        |                                                            |
                    |                                                          Step 3
                    |                                                            |
                    |    +------------+                                Search in known users
                    \--> | Homeserver | <----------------------------------------/
                         +------------+   /_matrix/client/r0/user_directory/search
 ```
 Steps:
 1. The intercepted request is directly sent to mxisd instead of the Homeserver.
 2. Identity stores are queried for any match on the search value sent by the client.
 3. The Homeserver, from which the request was intercepted, is queried using the same request as the client.
   Its address is resolved using the DNS Overwrite feature to reach its internal address on a non-encrypted port.
 4. Results from Identity stores and the Homeserver are merged together and sent back to the client, believing it was the HS
 which directly answered the request.
 ## Requirements
 - Reverse proxy setup, which you should already have in place if you use mxisd
 - At least one compatible [Identity store](../stores/README.md) enabled
 ## Configuration
 ### Reverse Proxy
 #### Apache2
 The specific configuration to put under the relevant `VirtualHost`:
 ```apache
 ProxyPass /_matrix/client/r0/user_directory/ http://0.0.0.0:8090/_matrix/client/r0/user_directory/
 ```
 `ProxyPreserveHost` or equivalent must be enabled to detect to which Homeserver mxisd should talk to when building
 results.
 Your `VirtualHost` should now look like this:
 ```apache
 <VirtualHost *:443>
    ServerName example.org
    ...
    ProxyPreserveHost on
    ProxyPass /_matrix/client/r0/user_directory/ http://localhost:8090/_matrix/client/r0/user_directory/
    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
 #### nginx
 The specific configuration to add under your `server` section is:
 ```nginx
 location /_matrix/client/r0/user_directory {
    proxy_pass http://0.0.0.0:8090/_matrix/client/r0/user_directory;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
 }
 ```
 Your `server` section should now look like this:
 ```nginx
 server {
    listen 443 ssl;
    server_name example.org;
    ...
    location /_matrix/client/r0/user_directory {
        proxy_pass http://localhost:8090/_matrix/client/r0/user_directory;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location /_matrix/identity {
        proxy_pass http://localhost:8090/_matrix/identity;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location /_matrix {
        proxy_pass http://localhost:8008/_matrix;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
 }
 ```
 ### DNS Overwrite
 Just like you need to configure a reverse proxy to send client requests to mxisd, you also need to configure mxisd with
 the internal IP of the Homeserver so it can talk to it directly to integrate its directory search.
 To do so, use the following configuration:
 ```yaml
 dns.overwrite.homeserver.client:
  - name: 'example.org'
    value: 'http://localhost:8008'
 ```
 `name` must be the hostname of the URL that clients use when connecting to the Homeserver.  
 In case the hostname is the same as your Matrix domain, you can use `${matrix.domain}` to auto-populate the value using
 the `matrix.domain` configuration option and avoid duplicating it.
 `value` is the base internal URL of the Homeserver, without any `/_matrix/..` or trailing `/`.
 ## Next steps
 ### Homeserver results
 You can configure if the Homeserver should be queried at all when doing a directory search.  
 To disable Homeserver results, set the following in mxisd configuration file:
 ```yaml
 directory.exclude.homeserver: true
 ```
 ### 3PID exclusion in search
 You can configure if the 3PID should also be included when doing a directory search.
 By default, a search is performed on the 3PIDs. If you would like to not include them:
 ```yaml
 directory.exclude.threepid: true
 ```
--- a/docs/features/experimental/application-service.md
+++ b/docs/features/experimental/application-service.md
@@ -0,0 +1,63 @@
 # Integration as an Application Service
 **WARNING:** These features are currently highly experimental. They can be removed or modified without notice.  
 All the features requires a Homeserver capable of connecting Application Services.
 ## Email notification for Room invites by Matrix ID
 This feature allows for users found in Identity stores to be instantly notified about Room Invites, regardless if their
 account was already provisioned on the Homeserver.
 ### Requirements
 - [Identity store(s)](../../stores/README.md) supporting the Profile feature
 - At least one email entry in the identity store for each user that could be invited.
 ### Configuration
 In your mxisd config file:
 ```yaml
 matrix:
  listener:
    url:  '<URL TO THE CS API OF THE HOMESERVER>'
    localpart: 'appservice-mxisd'
    token:
      hs: 'HS_TOKEN_CHANGE_ME'
 ```
 You can also change the default template of the notification using the `generic.matrixId` template option.  
 See [the Template generator documentation](../../threepids/notification/template-generator.md) for more info.
 ### Homeserver integration
 #### Synapse
 Create a new appservice registration file. Futher config will assume it is in `/etc/matrix-synapse/appservice-mxisd.yaml`
 ```yaml
 id: "appservice-mxisd"
 url: "http://127.0.0.1:8090"
 as_token: "AS_TOKEN_CHANGE_ME"
 hs_token: "HS_TOKEN_CHANGE_ME"
 sender_localpart: "appservice-mxisd"
 namespaces:
  users:
    - regex: "@*"
      exclusive: false
  aliases: []
  rooms: []
 ```
 `id`: An arbitrary unique string to identify the AS.  
 `url`: mxisd to reach mxisd. This ideally should be HTTP and not going through any reverse proxy.  
 `as_token`: Arbitrary value used by mxisd when talking to the HS. Not currently used.  
 `hs_token`: Arbitrary value used by synapse when talking to mxisd. Must match `token.hs` in mxisd config.
 `sender_localpart`: Username for the mxisd itself on the HS. Default configuration should be kept.  
 `namespaces`: To be kept as is.  
 Edit your `homeserver.yaml` and add a new entry to the appservice config file, which should look something like this:
 ```yaml
 app_service_config_files:
  - '/etc/matrix-synapse/appservice-mxisd.yaml'
  - ...
 ```
 Restart synapse when done to register mxisd.
 #### Others
 See your Homeserver documentation on how to integrate.
 ### Test
 Invite a user which is part of your domain while an appropriate Identity store is used.
--- a/docs/features/experimental/profile.md
+++ b/docs/features/experimental/profile.md
@@ -0,0 +1,12 @@
 # Profile enhancement
 **WARNING**: Alpha feature, not officially supported. Do not use.
 This feature allows to enhance a profile query with more info than just Matrix ID and Display name, allowing for custom
 applications to retrieve custom data not currently provided by synapse, per example.
 ## Configuration
 ### Reverse proxy
 #### Apache
 ```apache
 ProxyPassMatch "^/_matrix/client/r0/profile/([^/]+)$" "http://127.0.0.1:8090/_matrix/client/r0/profile/$1"
 ```
--- a/docs/features/federation.md
+++ b/docs/features/federation.md
@@ -0,0 +1,49 @@
 # Federation
 Federation is the process by which domain owners can make compatible 3PIDs mapping auto-discoverable by looking for another
 Federated Identity server using the DNS domain part of the 3PID.
 Emails are the best candidate for this kind of resolution which are DNS domain based already.  
 On the other hand, Phone numbers cannot be resolved this way.
 For 3PIDs which are not compatible with the DNS system, mxisd can be configured to talk to fallback Identity servers like
 the central matrix.org one. See the [Identity feature](identity.md#lookups) for instructions on how to enable it.
 Outbound federation is enabled by default while inbound federation is opt-in and require a specific DNS record.
 ## Overview
 ```
              +-------------------+   +-------------> +----------+
              | mxisd             |   |               | Backends |
              |                   |   |      +------> +----------+
              |                   |   |      |
              | Invites / Lookups |   |      |
 Federated    | +--------+        |   |      |
 Identity  ---->| Remote |>-----------+      |
 Server       | +--------+        |          |
              |                   |          |
              | +--------+        |          |        +-------------------+
 Homeserver --->| Local  |>------------------+------> | Remote Federated  |
 and clients  | +--------+        |                   | mxisd servers     |
              +-------------------+                   +-------------------+
 ```
 ## Inbound
 If you would like to be reachable for lookups over federation, create the following DNS SRV entry and replace
 `matrix.example.com` by your Identity server public hostname:
 ```
 _matrix-identity._tcp.example.com. 3600 IN SRV 10 0 443 matrix.example.com.
 ``` 
 The port must be HTTPS capable which is what you get in a regular setup with a reverse proxy from 443 to TCP 8090 of mxisd.
 ## Outbound
 If you would like to disable outbound federation and isolate your identity server from the rest of the Matrix network,
 use the following mxisd configuration options:
 ```yaml
 lookup.recursive.enabled: false
 invite.resolution.recursive: false
 session.policy.validation.forLocal.toRemote.enabled: false
 session.policy.validation.forRemote.toRemote.enabled: false
 ``` 
 There is currently no way to selectively disable federation towards specific servers, but this feature is planned.
--- a/docs/features/identity.md
+++ b/docs/features/identity.md
@@ -0,0 +1,31 @@
 # Identity
 **WARNING**: This document is incomplete and can be missleading.
 Implementation of the [Unofficial Matrix Identity Service API](https://kamax.io/matrix/api/identity_service/unstable.html).
 ## Lookups
 If you would like to use the central matrix.org Identity server to ensure maximum discovery at the cost of potentially
 leaking all your contacts information, add the following to your configuration:
 ```yaml
 forward.servers:
  - 'matrix-org'
 ```
 **NOTE:** You should carefully consider enabling this option, which is discouraged.  
 For more info, see the [relevant issue](https://github.com/kamax-matrix/mxisd/issues/76).
 ## Room Invitations
 Resolution can be customized using the following configuration:
 `invite.resolution.recursive`  
 - Default value: `true`  
 - Description: Control if the pending invite resolution should be done recursively or not.  
  **DANGER ZONE:** This setting has the potential to create "an isolated island", which can have unexpected side effects
  and break invites in rooms. This will most likely not have the effect you think it does. Only change the value if you
  understand the consequences.
 `invite.resolution.timer`  
 - Default value: `1`  
 - Description: How often, in minutes, mxisd should try to resolve pending invites.
 ## 3PID addition to user profile
 See the [3PID session documents](../threepids/session)
--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -0,0 +1,141 @@
 # Getting started
 1. [Preparation](#preparation)
 2. [Install](#install)
 3. [Configure](#configure)
 4. [Integrate](#integrate)
 5. [Validate](#validate)
 6. [Next steps](#next-steps)
 Following these quick start instructions, you will have a basic setup that can perform recursive/federated lookups and
 talk to the central Matrix.org Identity server.  
 This will be a good ground work for further integration with features and your existing Identity stores.
 ## Preparation
 You will need:
 - Working Homeserver, ideally with working federation
 - Reverse proxy with regular TLS/SSL certificate (Let's encrypt) for your mxisd domain
 As synapse requires an HTTPS connection when talking to an Identity service, **a reverse proxy is required** as mxisd does
 not support HTTPS listener at this time.
 For maximum integration, it is best to have your Homeserver and mxisd reachable via the same hostname.
 Be aware of a [NAT/Reverse proxy gotcha](https://github.com/kamax-matrix/mxisd/wiki/Gotchas#nating) if you use the same
 hostname.
 The following Quick Start guide assumes you will host the Homeserver and mxisd under the same hostname.  
 If you would like a high-level view of the infrastructure and how each feature is integrated, see the
 [dedicated document](architecture.md)
 ## Install
 Install via:
 - [Debian package](install/debian.md)
 - [ArchLinux](install/archlinux.md)
 - [Docker image](install/docker.md)
 - [Sources](build.md)
 See the [Latest release](https://github.com/kamax-matrix/mxisd/releases/latest) for links to each.
 ## Configure
 **NOTE**: please view the install instruction for your platform, as this step might be optional or already handled for you.
 Create/edit a minimal configuration (see installer doc for the location):
 ```yaml
 matrix.domain: 'example.org'
 key.path: '/path/to/signing.key.file'
 storage.provider.sqlite.database: '/path/to/mxisd.db'
 ```  
 - `matrix.domain` should be set to your Homeserver domain (`server_name` in synapse configuration)
 - `key.path` will store the signing keys, which must be kept safe! If the file does not exist, keys will be generated for you.
 - `storage.provider.sqlite.database` is the location of the SQLite Database file which will hold state (invites, etc.)
 If your HS/mxisd hostname is not the same as your Matrix domain, configure `server.name`.  
 Complete configuration guide is available [here](configure.md).
 ## Integrate
 For an overview of a typical mxisd infrastructure, see the [dedicated document](architecture.md)
 ### Reverse proxy
 #### Apache2
 In the `VirtualHost` section handling the domain with SSL, add the following and replace `0.0.0.0` by the internal
 hostname/IP pointing to mxisd.  
 **This line MUST be present before the one for the homeserver!**
 ```apache
 ProxyPass /_matrix/identity http://0.0.0.0:8090/_matrix/identity
 ```
 Typical configuration would look like:
 ```apache
 <VirtualHost *:443>
    ServerName example.org
    ...
    ProxyPreserveHost on
    ProxyPass /_matrix/identity http://localhost:8090/_matrix/identity
    ProxyPass /_matrix http://localhost:8008/_matrix
 </VirtualHost>
 ```
 #### nginx
 In the `server` section handling the domain with SSL, add the following and replace `0.0.0.0` with the internal
 hostname/IP pointing to mxisd.
 **This line MUST be present before the one for the homeserver!**
 ```nginx
 location /_matrix/identity {
    proxy_pass http://0.0.0.0:8090/_matrix/identity;
 }
 ```
 Typical configuration would look like:
 ```nginx
 server {
    listen 443 ssl;
    server_name example.org;
    ...
    location /_matrix/identity {
        proxy_pass http://localhost:8090/_matrix/identity;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
    location /_matrix {
        proxy_pass http://localhost:8008/_matrix;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
 }
 ```
 ### Synapse
 Add your mxisd domain into the `homeserver.yaml` at `trusted_third_party_id_servers` and restart synapse.  
 In a typical configuration, you would end up with something similar to:
 ```yaml
 trusted_third_party_id_servers:
    - example.org
 ```
 It is recommended to remove `matrix.org` and `vector.im` (or any other default entry) from your configuration so only
 your own Identity server is authoritative for your HS.
 ## Validate
 **NOTE:** In case your homeserver has no working federation, step 5 will not happen. If step 4 took place, consider
 your installation validated.
 1. Log in using your Matrix client and set `https://example.org` as your Identity server URL, replacing `example.org` by
 the relevant hostname which you configured in your reverse proxy.
 2. Create a new empty room. All further actions will take place in this room.
 3. Invite `mxisd-federation-test@kamax.io`
 4. The 3PID invite should be turned into a Matrix invite to `@mxisd-lookup-test:kamax.io`.
 5. The invited test user will join the room, send a congratulation message and leave.
 **NOTE:** You might not see a suggestion for the e-mail address, which is normal. Still proceed with the invite.
 If it worked, it means you are up and running and can enjoy mxisd in its basic mode! Congratulations!  
 If it did not work, [get in touch](../README.md#support) and we'll do our best to get you started.
 ## Next steps
 Once your mxisd server is up and running, there are several ways you can enhance and integrate further with your
 infrastructure:
 - [Enable extra features](features/)
 - [Use your own Identity stores](stores/README.md)
--- a/docs/install/archlinux.md
+++ b/docs/install/archlinux.md
@@ -0,0 +1,3 @@
 # Arch Linux package
 An Arch Linux package in the AUR repos is maintained by [r3pek](https://matrix.to/#/@r3pek:r3pek.org), a community member.  
 See https://aur.archlinux.org/packages/mxisd/
--- a/docs/install/debian.md
+++ b/docs/install/debian.md
@@ -0,0 +1,39 @@
 # Debian package
 ## Install
 1. Download the [latest release](https://github.com/kamax-matrix/mxisd/releases/latest)
 2. Run:
 ```bash
 dpkg -i /path/to/downloaded/mxisd.deb
 ```
 ## Files
 | Location                            | Purpose                                      |
 |-------------------------------------|----------------------------------------------|
 | `/etc/mxisd`                        | Configuration directory                      |
 | `/etc/mxisd/mxisd.yaml`             | Main configuration file                      |
 | `/etc/systemd/system/mxisd.service` | Systemd configuration file for mxisd service |
 | `/usr/lib/mxisd`                    | Binaries                                     |
 | `/var/lib/mxisd`                    | Data                                         |
 | `/var/lib/mxisd/signing.key`        | Default location for mxisd signing keys      |
 ## Control
 Start mxisd using:
 ```bash
 sudo systemctl start mxisd
 ```
 Stop mxisd using:
 ```bash
 sudo systemctl stop mxisd
 ```
 ## Troubleshoot
 All logs are sent to `STDOUT` which are saved in `/var/log/syslog` by default.  
 You can:
 - grep & tail using `mxisd`:
 ```
 tail -n 99 -f /var/log/syslog | grep mxisd
 ```
 - use Systemd's journal:
 ```
 journalctl -f -n 99 -u mxisd
 ```
--- a/docs/install/docker.md
+++ b/docs/install/docker.md
@@ -0,0 +1,22 @@
 # Docker
 ## Fetch
 Pull the latest stable image:
 ```bash
 docker pull kamax/mxisd
 ```
 ## Configure
 On first run, simply using `MATRIX_DOMAIN` as an environment variable will create a default config for you.  
 You can also provide a configuration file named `mxisd.yaml` in the volume mapped to `/etc/mxisd` before starting your
 container.
 ## Run
 Use the following command after adapting to your needs:
 - The `MATRIX_DOMAIN` environment variable to yours
 - The volumes host paths
 ```bash
 docker run --rm -e MATRIX_DOMAIN=example.org -v /data/mxisd/etc:/etc/mxisd -v /data/mxisd/var:/var/mxisd -p 8090:8090 -t kamax/mxisd
 ```
 For more info, including the list of possible tags, see [the public repository](https://hub.docker.com/r/kamax/mxisd/)
--- a/docs/install/source.md
+++ b/docs/install/source.md
@@ -0,0 +1,38 @@
 # Install from sources
 ## Instructions
 Follow the [build instructions](../build.md) then:
 1. Prepare files and directories:
 ```bash
 # Create a dedicated user
 useradd -r mxisd
 # Create bin directory
 mkdir /opt/mxisd
 # Create config directory and set ownership
 mkdir -p /etc/opt/mxisd
 chown -R mxisd /etc/opt/mxisd
 # Create data directory and set ownership
 mkdir -p /var/opt/mxisd
 chown -R mxisd /var/opt/mxisd
 # Copy <repo root>/build/libs/mxisd.jar to bin directory
 cp ./build/libs/mxisd.jar /opt/mxisd/
 chown mxisd /opt/mxisd/mxisd.jar
 chmod a+x /opt/mxisd/mxisd.jar
 # Create symlink for easy exec
 ln -s /opt/mxisd/mxisd.jar /usr/bin/mxisd
 ```
 2. Copy the sample config file `./application.example.yaml` to `/etc/opt/mxisd/mxisd.yaml`, edit to your needs
 3. Copy `src/systemd/mxisd.service` to `/etc/systemd/system/` and edit if needed
 4. Enable service for auto-startup
 ```bash
 systemctl enable mxisd
 ```
 5. Start mxisd
 ```bash
 systemctl start mxisd
 ```
--- a/docs/stores/README.md
+++ b/docs/stores/README.md
@@ -0,0 +1,7 @@
 # Identity Stores
 - [Synapse](synapse.md)
 - [LDAP-based](ldap.md)
 - [SQL Databases](sql.md)
 - [Website / Web service / Web app](rest.md)
 - [Google Firebase](firebase.md)
 - [Wordpress](wordpress.md)
--- a/docs/stores/firebase.md
+++ b/docs/stores/firebase.md
@@ -0,0 +1,53 @@
 # Google Firebase Identity store
 https://firebase.google.com/
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | No         |
 | Identity       | Yes        |
 | Profile        | No         |
 ## Requirements
 This backend requires a suitable Matrix client capable of performing Firebase authentication and passing the following
 information:
 - Firebase User ID as Matrix username
 - Firebase token as Matrix password
 If your client is Riot, you will need a custom version.
 ## Configuration
 ```yaml
 firebase.enabled: <boolean>
 ```
 Enable/disable this identity store.
 Example:
 ```yaml
 firebase.enabled: <boolean>
 ```
 ---
 ```yaml
 firebase.credentials: <string>
 ```
 Path to the credentials file provided by Google Firebase to use with an external app.
 Example:
 ```yaml
 firebase.credentials: '/path/to/firebase/credentials.json'
 ```
 ---
 ```yaml
 firebase.database: <string>
 ```
 URL to your Firebase database.
 Example:
 ```yaml
 firebase.database: 'https://my-project.firebaseio.com/'
 ```
--- a/docs/stores/ldap.md
+++ b/docs/stores/ldap.md
@@ -0,0 +1,121 @@
 # LDAP Identity store
 ## Supported products:
 - Samba
 - Active Directory
 - OpenLDAP
 - NetIQ eDirectory
 For NetIQ, replace all the `ldap` prefix in the configuration by `netiq`.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 | Profile        | Yes        |
 ## Getting started
 ### Base
 To use your LDAP backend, add the bare minimum configuration in mxisd config file:
 ```yaml
 ldap.enabled: true
 ldap.connection.host: 'ldapHostnameOrIp'
 ldap.connection.port: 389
 ldap.connection.bindDn: 'CN=My Mxisd User,OU=Users,DC=example,DC=org'
 ldap.connection.bindPassword: 'TheUserPassword'
 ldap.connection.baseDn: 'OU=Users,DC=example,DC=org'
 ```
 These are standard LDAP connection configuration. mxisd will try to connect on port default port 389 without encryption.
 ### TLS/SSL connection
 If you would like to use a TLS/SSL connection, use the following configuration options (STARTLS not supported):
 ```yaml
 ldap.connection.tls: true
 ldap.connection.port: 12345
 ```
 ### Filter results
 You can also set a default global filter on any LDAP queries:
 ```yaml
 ldap.filter: '(memberOf=CN=My Matrix Users,OU=Groups,DC=example,DC=org)'
 ```
 This example would only return users part of the group called `My Matrix Users`.
 This can be overwritten or append in each specific flow describe below.
 For supported syntax, see the [LDAP library documentation](http://directory.apache.org/api/user-guide/2.3-searching.html#filter).
 ### Attribute mapping
 LDAP features are based on mapping LDAP attributes to Matrix concepts, like a Matrix ID, its localpart, the user display
 name, their email(s) and/or phone number(s).
 Default attributes are well suited for Active Directory/Samba. In case you are using a native LDAP backend, you will
 most certainly configure those mappings.
 #### User ID
 `ldap.attribute.uid.type`: How to process the User ID (UID) attribute:
 - `uid` will consider the value as the [Localpart](https://matrix.org/docs/spec/intro.html#user-identifiers)
 - `mxid` will consider the value as a complete [Matrix ID](https://matrix.org/docs/spec/intro.html#user-identifiers)
 `ldap.attribute.uid.value`: Attribute to use to set the User ID value.
 The following example would set the `sAMAccountName` attribute as a Matrix User ID localpart:
 ```yaml
 ldap.attribute.uid.type: 'uid'
 ldap.attribute.uid.value: 'sAMAccountName'
 ```
 #### Display name
 Use `ldap.attribute.name`.
 The following example would set the display name to the value of the `cn` attribute:
 ```yaml
 ldap.attribute.name: 'cn'
 ```
 #### 3PIDs
 You can also change the attribute lists for 3PID, like email or phone numbers.
 The following example would overwrite the [default list of attributes](../../src/main/resources/application.yaml#L67)
 for emails and phone number:
 ```yaml
 ldap.attribute.threepid.email:
  - 'mail'
  - 'otherMailAttribute'
 ldap.attribute.threepid.msisdn:
  - 'phone'
  - 'otherPhoneAttribute'
 ```
 ## Features
 ### Identity
 Identity features (related to 3PID invites or searches) are enabled and configured using default values and no specific
 configuration item is needed to get started.
 #### Configuration
 - `ldap.identity.filter`: Specific user filter applied during identity search. Global filter is used if blank/not set.
 - `ldap.identity.medium`: Namespace to overwrite generated queries from the list of attributes for each 3PID medium.
 ### Authentication
 No further configuration is needed to use the Authentication feature with LDAP once globally enabled and configured.
 Profile auto-fill is enabled by default. It will use the `ldap.attribute.name` and `ldap.attribute.threepid` configuration
 options to get a lit of attributes to be used to build the user profile to pass on to synapse during authentication.
 #### Configuration
 - `ldap.auth.filter`: Specific user filter applied during identity search. Global filter is used if blank/not set.
 ### Directory
 No further configuration is needed to use the Directory feature with LDAP once globally enabled and configured.
 #### Configuration
 To set a specific filter applied during directory search, use `ldap.directory.filter`
 If you would like to use extra attributes in search that are not 3PIDs, like nicknames, group names, employee number:
 ```yaml
 ldap.directory.attribute.other:
  - 'myNicknameAttribute'
  - 'memberOf'
  - 'employeeNumberAttribute'
 ```
--- a/docs/backends/rest.md
+++ b/docs/backends/rest.md
@@ -1,41 +1,43 @@
-# REST backend
+# REST Identity store
 The REST backend allows you to query identity data in existing webapps, like:
 - Forums (phpBB, Discourse, etc.)
 - Custom Identity stores (Keycloak, ...)
 - CRMs (Wordpress, ...)
 - self-hosted clouds (Nextcloud, ownCloud, ...)
 It supports the following mxisd flows:
 - Identity lookup
 - Authentication
 To integrate this backend with your webapp, you will need to implement three specific REST endpoints detailed below.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 | Profile        | No         |
 ## Configuration
 | Key                              | Default                                        | Description                                          |
---------------------------------|---------------------------------------|------------------------------------------------------|
+|----------------------------------|------------------------------------------------|------------------------------------------------------|
-| rest.enabled                   | false                                 | Globally enable/disable the REST backend             |
+| `rest.enabled`                   | `false`                                        | Globally enable/disable the REST backend             |
-| rest.host                      | *empty*                               | Default base URL to use for the different endpoints. |
+| `rest.host`                      | *None*                                        | Default base URL to use for the different endpoints. |
-| rest.endpoints.auth            | /_mxisd/identity/api/v1/auth          | Endpoint to validate credentials                     |
+| `rest.endpoints.auth`            | `/_mxisd/backend/api/v1/auth/login`            | Validate credentials and get user profile            |
-| rest.endpoints.identity.single | /_mxisd/identity/api/v1/lookup/single | Endpoint to query a single 3PID                      |
+| `rest.endpoints.directory`       | `/_mxisd/backend/api/v1/directory/user/search` | Search for users by arbitrary input                  |
-| rest.endpoints.identity.bulk   | /_mxisd/identity/api/v1/lookup/bulk   | Endpoint to query a list of 3PID                     |
+| `rest.endpoints.identity.single` | `/_mxisd/backend/api/v1/identity/single`       | Endpoint to query a single 3PID                      |
 | `rest.endpoints.identity.bulk`   | `/_mxisd/backend/api/v1/identity/bulk`         | Endpoint to query a list of 3PID                     |
 Endpoint values can handle two formats:
 - URL Path starting with `/` that gets happened to the `rest.host`
 - Full URL, if you want each endpoint to go to a specific server/protocol/port
-`rest.host` is only mandatory if at least one endpoint is not a full URL.
+`rest.host` is mandatory if at least one endpoint is not a full URL.
 ## Endpoints
-### Authenticate
+### Authentication
 Configured with `rest.endpoints.auth`
 HTTP method: `POST`  
-Encoding: JSON UTF-8
+Content-type: JSON UTF-8
 #### Request Body
-```
+```json
 {
  "auth": {
    "mxid": "@john.doe:example.org",
@@ -48,7 +50,7 @@ Encoding: JSON UTF-8
 #### Response Body
 If the authentication fails:
-```
+```json
 {
  "auth": {
    "success": false
@@ -59,7 +61,7 @@ If the authentication fails:
 If the authentication succeed:
 - `auth.id` supported values: `localpart`, `mxid`
 - `auth.profile` and any sub-member are all optional
-```
+```json
 {
  "auth": {
    "success": true,
@@ -84,15 +86,54 @@ If the authentication succeed:
 }
 ```
-### Lookup
+### Directory
 #### Single
 Configured with `rest.endpoints.identity.single`
 HTTP method: `POST`
-Encoding: JSON UTF-8  
+Content-type: JSON UTF-8
 #### Request Body
 ```json
 {
  "by": "<search type>",
  "search_term": "doe"
 }
 ```
 `by` can be:
 - `name`
 - `threepid`
 #### Response Body:
 If users found:
 ```json
 {
  "limited": false,
  "results": [
    {
      "avatar_url": "http://domain.tld/path/to/avatar.png",
      "display_name": "John Doe",
      "user_id": "UserIdLocalpart"
    },
    {
      ...
    }
  ]
 }
 ```
 If no user found:
 ```json
 {
  "limited": false,
  "results": []
 }
 ```
 ### Identity
 #### Single 3PID lookup
 HTTP method: `POST`  
 Content-type: JSON UTF-8  
 #### Request Body
 ```json
 {
  "lookup": {
    "medium": "email",
@@ -104,7 +145,7 @@ Encoding: JSON UTF-8
 #### Response Body
 If a match was found:
 - `lookup.id.type` supported values: `localpart`, `mxid`
-```
+```json
 {
  "lookup": {
    "medium": "email",
@@ -118,18 +159,16 @@ If a match was found:
 ```
 If no match was found:
-```
+```json
 {}
 ```
-#### Bulk
+#### Bulk 3PID lookup
 Configured with `rest.endpoints.identity.bulk`
 HTTP method: `POST`  
-Encoding: JSON UTF-8  
+Content-type: JSON UTF-8  
 #### Request Body
-```
+```json
 {
  "lookup": [
    {
@@ -147,7 +186,7 @@ Encoding: JSON UTF-8
 #### Response Body
 For all entries where a match was found:
 - `lookup[].id.type` supported values: `localpart`, `mxid`
-```
+```json
 {
  "lookup": [
    {
@@ -171,7 +210,7 @@ For all entries where a match was found:
 ```
 If no match was found:
-```
+```json
 {
  "lookup": []
 }
--- a/docs/stores/sql.md
+++ b/docs/stores/sql.md
@@ -0,0 +1,99 @@
 # SQL Identity store
 ## Supported Databases
 - PostgreSQL
 - MariaDB
 - MySQL
 - SQLite
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | No         |
 | Directory      | Yes        |
 | Identity       | Yes        |
 | Profile        | Yes        |
 Due to the implementation complexity of supporting arbitrary hashing/encoding mechanisms or auth flow, Authentication
 will be out of scope of SQL Identity stores and should be done via one of the other identity stores, typically
 the [REST Identity store](rest.md).
 ## Configuration
 ### Basic
 ```yaml
 sql.enabled: <boolean>
 ```
 Enable/disable the identity store
 ---
 ```yaml
 sql.type: <string>
 ```
 Set the SQL backend to use:
 - `sqlite`
 - `postgresql`
 - `mariadb`
 - `mysql`
 ### Connection
 #### SQLite
 ```yaml
 sql.connection: <string>
 ```
 Set the value to the absolute path to the Synapse SQLite DB file.
 Example: `/path/to/sqlite/file.db`
 #### Others
 ```yaml
 sql.connection: //<HOST[:PORT]/DB?user=USER&password=PASS
 ```
 Set the connection info for the database by replacing the following values:
 - `HOST`: Hostname of the SQL server
 - `PORT`: Optional port value, if not default
 - `DB`: Database name
 - `USER`: Username for the connection
 - `PASS`: Password for the connection
 This follow the JDBC URI syntax. See [official website](https://docs.oracle.com/javase/tutorial/jdbc/basics/connecting.html#db_connection_url).
 ### Directory
 ```yaml
 sql.directory.enabled: false
 ```
 ---
 ```yaml
 sql.directory.query:
  name:
    type: <string>
    value: <string>
  threepid:
    type: <string>
    value: <string>
 ```
 For each query, `type` can be used to tell mxisd how to process the ID column:
 - `localpart` will append the `matrix.domain` to it
 - `mxid` will use the ID as-is. If it is not a valid Matrix ID, the search will fail.
 `value` is the SQL query and must return two columns:
 - The first being the User ID
 - The second being its display name
 Example:
 ```yaml
 sql.directory.query:
  name:
    type: 'localpart'
    value: 'SELECT idColumn, displayNameColumn FROM table WHERE displayNameColumn LIKE ?'
  threepid:
    type: 'localpart'
    value: 'SELECT idColumn, displayNameColumn FROM table WHERE threepidColumn LIKE ?'
 ```
 ### Identity
 ```yaml
 sql.identity.type: <string>
 sql.identity.query: <string>
 ```
--- a/docs/stores/synapse.md
+++ b/docs/stores/synapse.md
@@ -0,0 +1,49 @@
 # Synapse Identity Store
 Synapse's Database itself can be used as an Identity store.
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | No         |
 | Directory      | Yes        |
 | Identity       | Yes        |
 | Profile        | Yes        |
 Authentication is done by Synapse itself.
 ## Configuration
 ### Basic
 ```yaml
 synapseSql.enabled: <boolean>
 ```
 Enable/disable the identity store
 ---
 ```yaml
 synapseSql.type: <string>
 ```
 Set the SQL backend to use which is configured in synapse:
 - `sqlite`
 - `postgresql`
 ### SQLite
 ```yaml
 synapseSql.connection: <string>
 ```
 Set the value to the absolute path to the Synapse SQLite DB file.
 Example: `/path/to/synapse/sqliteFile.db`
 ### PostgreSQL
 ```yaml
 synapseSql.connection: //<HOST[:PORT]/DB?user=USER&password=PASS
 ```
 Set the connection info for the database by replacing the following values:
 - `HOST`: Hostname of the SQL server
 - `PORT`: Optional port value, if not default
 - `DB`: Database name
 - `USER`: Username for the connection
 - `PASS`: Password for the connection
 ### Query customization
 See the [SQL Identity store](sql.md)
--- a/docs/stores/wordpress.md
+++ b/docs/stores/wordpress.md
@@ -0,0 +1,66 @@
 # Wordpress Identity store
 This Identity store allows you to use user accounts registered on your Wordpress setup.  
 Two types of connections are required for full support:
 - [REST API](https://developer.wordpress.org/rest-api/) with JWT authentication
 - Direct SQL access
 ## Features
 |      Name      | Supported? |
 |----------------|------------|
 | Authentication | Yes        |
 | Directory      | Yes        |
 | Identity       | Yes        |
 | Profile        | No         |
 ## Requirements
 - [Wordpress](https://wordpress.org/download/) >= 4.4
 - Permalink structure set to `Post Name`
 - [JWT Auth plugin for REST API](https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/)
 - SQL Credentials to the Wordpress Database
 ## Configuration
 ### Wordpress
 #### JWT Auth
 Set a JWT secret into `wp-config.php` like so:
 ```php
 define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');
 ```
 `your-top-secret-key` should be set to a randomly generated value which is kept secret.
 #### Rewrite of `index.php`
 Wordpress is normally configured with rewrite of `index.php` so it does not appear in URLs.  
 If this is not the case for your installation, the mxisd URL will need to be appended with `/index.php`
 ### mxisd
 Enable in the configuration:
 ```yaml
 wordpress.enabled: true
 ```
 Configure the URL to your Wordpress installation - see above about added `/index.php`:
 ```yaml
 wordpress.rest.base: 'http://localhost:8080'
 ```
 Configure the SQL connection to your Wordpress database:
 ```yaml
 wordpress.sql.connection: '//127.0.0.1/wordpress?user=root&password=example'
 ```
 ---
 By default, MySQL database is expected. If you use another database, use:
 ```yaml
 wordpress.sql.type: <string>
 ```
 With possible values:
 - `mysql`
 - `mariadb`
 - `postgresql`
 - `sqlite`
 ---
 To configure the tables prefix for default queries, in case a custom value was set during Wordpress install:
 ```yaml
 wordpress.sql.tablePrefix: <string>
 ```
 By default, the value is set to `wp_`.
--- a/docs/threepids/medium/email/smtp-connector.md
+++ b/docs/threepids/medium/email/smtp-connector.md
@@ -0,0 +1,19 @@
 # Email notifications - SMTP connector
 Enabled by default.
 Connector ID: `smtp`
 ## Configuration
 ```yaml
 threepid.medium.email:
  identity:
    from: 'identityServerEmail@example.org'
    name: 'My Identity Server'
  connectors:
    smtp:
      host: 'smtpHostname'
      port: 587
      tls: 1 # 0 = no STARTLS, 1 = try, 2 = force
      login: 'smtpLogin'
      password: 'smtpPassword'
 ```
--- a/docs/threepids/medium/msisdn/twilio-connector.md
+++ b/docs/threepids/medium/msisdn/twilio-connector.md
@@ -0,0 +1,11 @@
 # SMS notifications - Twilio connector
 Enabled by default.
 Connector ID: `twilio`
 ## Configuration
 ```yaml
 threepid.medium.msisdn.connectors.twilio.accountSid: 'myAccountSid'
 threepid.medium.msisdn.connectors.twilio.authToken: 'myAuthToken'
 threepid.medium.msisdn.connectors.twilio.number: '+123456789'
 ```
--- a/docs/threepids/notification/basic-handler.md
+++ b/docs/threepids/notification/basic-handler.md
@@ -0,0 +1,37 @@
 # Basic Notification handler
 Basic notification handler which uses two components:
 - Content generator, to produce the notifications
 - Connectors to send the notification content
 This handler can be used with the 3PID types:
 - `email`
 - `msisdn` (Phone numbers)
 ## Generators
 - [Template](template-generator.md)
 ## Connectors
 - Email
  - [SMTP](../medium/email/smtp-connector.md)
 - SMS
  - [Twilio](../medium/msisdn/twilio-connector.md)
 ## Configuration
 Enabled by default or with:
 ```yaml
 notification.handler.email: 'raw'
 ```
 **WARNING:** Will be consolidated soon, prone to breaking changes.  
 Structure and default values:
 ```yaml
 threepid.medium:
  email:
    identity:
      from: ''
      name: ''
    connector: 'smtp'
    generator: 'template'
  msisdn:
    connector: 'twilio'
    generator: 'template'
 ```
--- a/docs/threepids/notification/sendgrid-handler.md
+++ b/docs/threepids/notification/sendgrid-handler.md
@@ -0,0 +1,7 @@
 # SendGrid Notification handler
 To be completed. See [raw possible configuration items](https://github.com/kamax-matrix/mxisd/blob/master/src/main/resources/application.yaml#L172).
 Enabled with:
 ```yaml
 notification.handler.email: 'sendgrid'
 ```
--- a/docs/threepids/notification/template-generator.md
+++ b/docs/threepids/notification/template-generator.md
@@ -0,0 +1,73 @@
 # Notifications: Generate from templates
 To create notification content, you can use the `template` generator if supported for the 3PID medium which will read
 content from configured files.
 Placeholders can be integrated into the templates to dynamically populate such content with relevant information like
 the 3PID that was requested, the domain of your Identity server, etc.
 Templates can be configured for each event that would send a notification to the end user. Events share a set of common
 placeholders and also have their own individual set of placeholders.
 ## Configuration
 To configure paths to the various templates:
 ```yaml
 threepid.medium.<YOUR 3PID MEDIUM HERE>:
  generators:
    template:
      invite: '/path/to/invite-template.eml'
      session:
        validation:
          local: '/path/to/validate-local-template.eml'
          remote: 'path/to/validate-remote-template.eml'
      generic:
        matrixId: '/path/to/mxid-invite-template.eml'
 ```
 The `template` generator is usually the default, so no further configuration is needed.
 ##  Global placeholders
 | Placeholder           | Purpose                                                                      |
 |-----------------------|------------------------------------------------------------------------------|
 | `%DOMAIN%`            | Identity server authoritative domain, as configured in `matrix.domain`       |
 | `%DOMAIN_PRETTY%`     | Same as `%DOMAIN%` with the first letter upper case and all other lower case |
 | `%FROM_EMAIL%`        | Email address configured in `threepid.medium.<3PID medium>.identity.from`    |
 | `%FROM_NAME%`         | Name configured in `threepid.medium.<3PID medium>.identity.name`             |
 | `%RECIPIENT_MEDIUM%`  | The 3PID medium, like `email` or `msisdn`                                    |
 | `%RECIPIENT_ADDRESS%` | The address to which the notification is sent                                |
 ## Events
 ### Room invitation
 This template is used when someone is invited into a room using an email address which has no known bind to a Matrix ID.
 #### Placeholders
 | Placeholder           | Purpose                                                                                  |
 |-----------------------|------------------------------------------------------------------------------------------|
 | `%SENDER_ID%`         | Matrix ID of the user who made the invite                                                |
 | `%SENDER_NAME%`       | Display name of the user who made the invite, if not available/set, empty                |
 | `%SENDER_NAME_OR_ID%` | Display name of the user who made the invite. If not available/set, its Matrix ID        |
 | `%INVITE_MEDIUM%`     | The 3PID medium for the invite.                                                          |
 | `%INVITE_ADDRESS%`    | The 3PID address for the invite.                                                         |
 | `%ROOM_ID%`           | The Matrix ID of the Room in which the invite took place                                 |
 | `%ROOM_NAME%`         | The Name of the room in which the invite took place. If not available/set, empty         |
 | `%ROOM_NAME_OR_ID%`   | The Name of the room in which the invite took place. If not available/set, its Matrix ID |
 ### Local validation of 3PID Session
 This template is used when to user which added their 3PID address to their profile/settings and the session policy
 allows at least local sessions.  
 #### Placeholders
 | Placeholder          | Purpose                                                                              |
 |----------------------|--------------------------------------------------------------------------------------|
 | `%VALIDATION_LINK%`  | URL, including token, to validate the 3PID session.                                  |
 | `%VALIDATION_TOKEN%` | The token needed to validate the local session, in case the user cannot use the link |
 ### Remote validation of 3PID Session
 This template is used when to user which added their 3PID address to their profile/settings and the session policy only
 allows remote sessions.
 **NOTE:** 3PID session always require local validation of a token, even if a remote session is enforced.  
 One cannot bind a Matrix ID to the session until both local and remote sessions have been validated.
 #### Placeholders
 | Placeholder          | Purpose                                                |
 |----------------------|--------------------------------------------------------|
 | `%VALIDATION_TOKEN%` | The token needed to validate the session               |
 | `%NEXT_URL%`         | URL to continue with remote validation of the session. |
--- a/docs/threepids/session/session-views.md
+++ b/docs/threepids/session/session-views.md
@@ -0,0 +1,86 @@
 # Web pages for the 3PID sessions
 You can customize the various pages used during a 3PID validation using [Thymeleaf templates](http://www.thymeleaf.org/).
 ## Configuration
 Pseudo-configuration to illustrate the structure:
 ```yaml
 # CONFIGURATION EXAMPLE
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 view.session.local:
  onTokenSubmit:
    success: '/path/to/session/local/tokenSubmitSuccess-page.html'
    failure: '/path/to/session/local/tokenSubmitFailure-page.html'
 view.session.localRemote:
  onTokenSubmit:
    success: '/path/to/session/localRemote/tokenSubmitSuccess-page.html'
    failure: '/path/to/session/local/tokenSubmitFailure-page.html'
 view.session.remote:
  onRequest:
    success: '/path/to/session/remote/requestSuccess-page.html'
    failure: '/path/to/session/remote/requestFailure-page.html'
  onCheck:
    success: '/path/to/session/remote/checkSuccess-page.html'
    failure: '/path/to/session/remote/checkFailure-page.html'
 # CONFIGURATION EXAMPLE
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 ```
 3PID session are divided into three config sections:
 - `local` for local-only 3PID sessions
 - `localRemote` for local 3PID sessions that can also be turned into remote sessions, if the user so desires
 - `remote` for remote-only 3PID sessions
 Each section contains a sub-key per support event. Finally, a `success` and `failure` key is available depending on the
 outcome of the request.
 ## Local
 ### onTokenSubmit
 This is triggered when a user submit a validation token for a 3PID session. It is typically visited when clicking the
 link in a validation email.
 The template should typically inform the user that the validation was successful and to go back in their Matrix client
 to finish the validation process.
 #### Placeholders
 No object/placeholder are currently available.
 ## Local & Remote
 ### onTokenSubmit
 This is triggered when a user submit a validation token for a 3PID session. It is typically visited when clicking the
 link in a validation email.
 The template should typically inform the user that their 3PID address will not yet be publicly/globally usable. In case
 they want to make it, they should start a Remote 3PID session with a given link or that they can go back to their Matrix
 client if they do not wish to proceed any further.
 #### Placeholders
 ##### Success
 `<a th:href="${remoteSessionLink}">text</a>` can be used to display the link to start a Remote 3PID session.
 ##### Failure
 No object/placeholder are currently available.
 ## Remote
 ### onRequest
 This is triggered when a user starts a Remote 3PID session, usually from a link produced in the `local.onTokenSubmit`
 view or in a remote-only 3PID notification.
 The template should typically inform the user that the remote creation was successful, followed the instructions sent by
 the remote Identity server and, once that is done, click a link to validate the session.
 #### Placeholders
 ##### Success
 `<a th:href="${checkLink}">text</a>` can be used to display the link to validate the Remote 3PID session.
 ##### Failure
 No object/placeholder are currently available.
 ### onCheck
 This is triggered when a user attempts to inform the Identity server that the Remote 3PID session has been validated
 with the remote Identity server.
 The template should typically inform the user that the validation was successful and to go back in their Matrix client
 to finish the validation process.
 #### Placeholders
 No object/placeholder are currently available.
--- a/docs/threepids/session/session.md
+++ b/docs/threepids/session/session.md
@@ -6,8 +6,10 @@
  - [Session scope](#session-scope)
 - [Notifications](#notifications)
  - [Email](#email)
  - [Phone numbers](#msisdn-(phone-numbers))
 - [Usage](#usage)
  - [Configuration](#configuration)
  - [Web views](#web-views)
  - [Scenarios](#scenarios)
    - [Default](#default)
    - [Local sessions only](#local-sessions-only)
@@ -15,7 +17,7 @@
    - [Sessions disabled](#sessions-disabled)
 ## Overview
-When adding an email, a phone number or any other kind of 3PID (Third-Party Identifier), 
+When adding an email, a phone number or any other kind of 3PID (Third-Party Identifier) in a Matrix client, 
 the identity server is called to validate the 3PID.
 Once this 3PID is validated, the Homeserver will publish the user Matrix ID on the Identity Server and
@@ -45,7 +47,7 @@ To ensure lookup works consistency within the current Matrix network, the centra
 used to store *remote* sessions and binds.
 On the flip side, at the time of writing, the Matrix specification and the central Matrix.org servers do not allow to
-remote a 3PID bind. This means that once a 3PID is published (email, phone number, etc.), it cannot be easily remove
+remote a 3PID bind. This means that once a 3PID is published (email, phone number, etc.), it cannot be easily removed
 and would require contacting the Matrix.org administrators for each bind individually.  
 This poses a privacy, control and security concern, especially for groups/corporations that want to keep a tight control
 on where such identifiers can be made publicly visible.
@@ -78,9 +80,8 @@ Sessions can be scoped as:
 **IMPORTANT NOTE:** mxisd does not store bindings directly. While a user can see its email, phone number or any other
 3PID in its settings/profile, it does **NOT** mean it is published anywhere and can be used to invite/search the user.
-Identity backends (LDAP, REST, SQL) are the ones holding such data.  
+Identity stores are the ones holding such data.  
-If you still want added arbitrary 3PIDs to be discoverable on your local server, you will need to link mxisd to your
+If you still want added arbitrary 3PIDs to be discoverable on a synapse Homeserver, use the corresponding [Identity store](../../stores/synapse.md).
 synapse DB to make it an Identity backend.
 See the [Scenarios](#scenarios) for more info on how and why.
@@ -97,11 +98,17 @@ Built-in generators and connectors for supported 3PID types:
 ### Email
 Generators:
- Template
+- [Template](../notification/template-generator.md)
 Connectors:
- SMTP
+- [SMTP](../medium/email/smtp-connector.md)
 #### MSISDN (Phone numbers)
 Generators:
 - [Template](../notification/template-generator.md)
 Connectors:
 - [Twilio](../medium/msisdn/twilio-connector.md) with SMS
 ## Usage
 ### Configuration
@@ -109,89 +116,26 @@ The following example of configuration (incomplete extract) shows which items ar
 **IMPORTANT:** Most configuration items shown have default values and should not be included in your own configuration
 file unless you want to specifically overwrite them.
-Please refer to the full example config file to see which keys are mandatory and to be included in your configuration.
+```yaml
-```
+# CONFIGURATION EXAMPLE
-matrix:
+# DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
-  identity:
+session.policy.validation.enabled: true
-    servers:
+session.policy.validation.forLocal:
      root: # Not to be included in config! Already present in default config!
        - 'https://matrix.org'
 threepid:
  medium:
    email:
      connector: 'smtp'
      generator: 'template'
      connectors:
        smtp:
          host: ''
          port: 587
          tls: 1
          login: ''
          password: ''
      generators:
        template:  # Not to be included in config! Already present in default config!
          invite: 'classpath:email/invite-template.eml'
          session:
            validation:
              local: 'classpath:email/validate-local-template.eml'
              remote: 'classpath:email/validate-remote-template.eml'
 session:
  policy:
    validation:
      enabled: true
      forLocal:
  enabled: true
  toLocal: true
  toRemote:
    enabled: true
    server: 'configExample'  # Not to be included in config! Already present in default config!
-      forRemote:
+session.policy.validation.forRemote:
  enabled: true
-        toLocal: false
+  toLocal: true
  toRemote:
    enabled: true
    server: 'configExample'  # Not to be included in config! Already present in default config!
 # DO NOT COPY/PASTE THIS IN YOUR CONFIGURATION
 # CONFIGURATION EXAMPLE
 ```
 `matrix.identity.servers` is the namespace to configure arbitrary list of Identity servers with a label as parent key.  
 In the above example, the list with label `configExample` contains a single server entry pointing to `https://matrix.org`.  
 **NOTE:** The server list is set to `root` by default and should typically NOT be included in your config.  
 Identity server entry can be of two format:
 - URL, bypassing any kind of domain and port discovery
 - Domain name as `string`, allowing federated discovery to take place.
 The label can be used in other places of the configuration, allowing you to only declare Identity servers once.
 ---
 `threepid.medium.<3PID>` is the namespace to configure 3PID specific items, not directly tied to any other component of
 mxisd.  
 In the above example, only `email` is defined as 3PID type.
 Each 3PID namespace comes with 4 configuration key allowing you to configure generators and connectors for notifications:
 - `connectors` is a configuration namespace to be used for any connector configuration. Child keys represent the unique
 ID for each connector.
 - `generators` is a configuration namespace to be used for any generator configuration. Child keys represent the unique
 ID for each generator.
 - `connector` is given the ID of the connector to be used at runtime.
 - `generator` is given the ID of the generator to be used at runtime.
 In the above example, emails notifications are generated by the `template` module and sent with the `smtp` module.
 mxisd comes with the following IDs built-in:  
 **Connectors**
 - `smtp` for a basic SMTP connector, attempting STARTLS by default.
 **Generators**
 - `template`, loading content from template files, using built-in mxisd templates by default.
 ---
 `session.policy.validation` is the core configuration to control what users configured to use your Identity server
 are allowed to do in terms of 3PID sessions.
@@ -207,9 +151,17 @@ Each scope is divided into three parts:
 If both `toLocal` and `toRemote` are enabled, the user will be offered to initiate a remote session once their 3PID
 locally validated.
 ### Web views
 Once a user click on a validation link, it is taken to the Identity Server validation page where the token is submitted.  
 If the session or token is invalid, an error page is displayed.  
 Workflow pages are also available for the remote 3PID session process.
 See [the dedicated document](session-views.md)
 on how to configure/customize/brand those pages to your liking.
 ### Scenarios
 It is important to keep in mind that mxisd does not create bindings, irrelevant if a user added a 3PID to their profile.  
-Instead, when queried for bindings, mxisd will query Identity backends which are responsible to store this kind of information.
+Instead, when queried for bindings, mxisd will query Identity stores which are responsible to store this kind of information.
 This has the side effect that any 3PID added to a user profile which is NOT within a configured and enabled Identity backend
 will simply not be usable for search or invites, **even on the same Homeserver!**  
@@ -217,8 +169,7 @@ mxisd does not store binds on purpose, as one of its primary goal is to ensure m
 and the rest of the Matrix ecosystem is preserved.
 Nonetheless, because mxisd also aims at offering support for tight control over identity data, it is possible to have
-such 3PID bindings available for search and invite queries on the local Homeserver by using the `SQL` backend and
+such 3PID bindings available for search and invite queries on synapse with the corresponding [Identity store](../../stores/synapse.md).
 configuring it to use the synapse database. Support for `SQLite` and `PostgreSQL` is available.
 See the [Local sessions only](#local-sessions-only) use case for more information on how to configure.
@@ -226,7 +177,7 @@ See the [Local sessions only](#local-sessions-only) use case for more informatio
 By default, mxisd allows the following:
 |                 | Local Session     | Remote Session |
-|----------------|-------|--------|
+|-----------------|-------------------|----------------|
 | **Local 3PID**  | Yes               | Yes, offered   |
 | **Remote 3PID** | No, Remote forced | Yes            |
@@ -240,8 +191,8 @@ Other e-mail addresses and phone number will be redirected to remote sessions to
 ecosystem and other federated servers.
 #### Local sessions only
-**NOTE:** This does not affect 3PID lookups (queries to find Matrix IDs) which will remain public due to limitation
+**NOTE:** This does not affect 3PID lookups (queries to find Matrix IDs). See [Federation](../../features/federation.md)
-in the Matrix protocol.
+to disable remote lookup for those.
 This configuration ensures maximum confidentiality and privacy.
 Typical use cases:
@@ -253,37 +204,22 @@ No 3PID will be sent to a remote Identity server and all validation will be perf
 On the flip side, people with *Remote* 3PID scopes will not be found from other servers.
 Use the following values:
-```
+```yaml
-session:
+session.policy.validation.enabled: true
-  policy:
+session.policy.validation.forLocal:
    validation:
      enabled: true
      forLocal:
  enabled: true
  toLocal: true
  toRemote:
    enabled: false
-      forRemote:
+session.policy.validation.forRemote:
  enabled: true
  toLocal: true
  toRemote:
    enabled: false
 ```
-**IMPORTANT**: When using local-only mode, you will also need to link mxisd to synapse if you want user searches and invites to work.
+**IMPORTANT**: When using local-only mode and if you are using synapse, you will also need to enable its dedicated Identity
-To do so, add/edit the following configuration keys:
+store if you want user searches and invites to work. To do so, see the [dedicated document](../../stores/synapse.md).
 ```
 sql:
  enabled: true
  type: 'postgresql'
  connection: ''
 ```
 - `sql.enabled` set to `true` to activate the SQL backend.
 - `sql.type` can be set to `sqlite` or `postgresql`, depending on your synapse setup.
 - `sql.connection` use a JDBC format which is appened after the `jdbc:type:` connection URI.
 Example values for each type:
  - `sqlite`: `/path/to/homeserver.db`
  - `postgresql`: `//localhost/database?user=synapse&password=synapse`
 #### Remote sessions only
 This configuration ensures all 3PID are made public for maximum compatibility and reach within the Matrix ecosystem, at
@@ -294,17 +230,14 @@ Typical use cases:
 - Homeserver with registration enabled
 Use the following values:
-```
+```yaml
-session:
+session.policy.validation.enabled: true
-  policy:
+session.policy.validation.forLocal:
    validation:
      enabled: true
      forLocal:
  enabled: true
  toLocal: false
  toRemote:
    enabled: true
-      forRemote:
+session.policy.validation.forRemote:
  enabled: true
  toLocal: false
  toRemote:
@@ -315,10 +248,7 @@ session:
 This configuration would disable 3PID session altogether, preventing users from adding emails and/or phone numbers to
 their profiles.  
 This would be used if mxisd is also performing authentication for the Homeserver, typically with synapse and the
-[REST Auth module](https://github.com/kamax-io/matrix-synapse-rest-auth).
+[REST password provider](https://github.com/kamax-io/matrix-synapse-rest-auth).
 While this feature is not yet ready in the REST auth module, you would use this configuration mode to auto-populate 3PID
 at user login and prevent any further add.
 **This mode comes with several important restrictions:**
 - This does not prevent users from removing 3PID from their profile. They would be unable to add them back!
@@ -327,9 +257,6 @@ at user login and prevent any further add.
 It is therefore recommended to not fully disable sessions but instead restrict specific set of 3PID and Session scopes.
 Use the following values to enable this mode:
-```
+```yaml
-session:
+session.policy.validation.enabled: false
  policy:
    validation:
      enabled: false
 ```
--- a/src/debian/control
+++ b/src/debian/control
@@ -1,6 +1,6 @@
 Package: mxisd
 Maintainer: Kamax.io <foss@kamax.io>
-Homepage: https://github.com/kamax-io/mxisd
+Homepage: https://github.com/kamax-matrix/mxisd
 Description: Federated Matrix Identity Server
 Architecture: all
 Depends: openjdk-8-jre | openjdk-8-jre-headless | openjdk-8-jdk | openjdk-8-jdk-headless
--- a/src/docker/start.sh
+++ b/src/docker/start.sh
@@ -1,2 +1,25 @@
-#!/bin/sh
+#!/usr/bin/env bash
 if [[ -n "$CONF_FILE_PATH" ]] && [ ! -f "$CONF_FILE_PATH" ]; then
    echo "Generating config file $CONF_FILE_PATH"
    touch "CONF_FILE_PATH"
    if [[ -n "$MATRIX_DOMAIN" ]]; then
        echo "Setting matrix domain to $MATRIX_DOMAIN"
        echo "matrix.domain: $MATRIX_DOMAIN" >> "$CONF_FILE_PATH"
    fi
    if [[ -n "$SIGN_KEY_PATH" ]]; then
        echo "Setting signing key path to $SIGN_KEY_PATH"
        echo "key.path: $SIGN_KEY_PATH" >> "$CONF_FILE_PATH"
    fi
    if [[ -n "$SQLITE_DATABASE_PATH" ]]; then
        echo "Setting SQLite DB path to $SQLITE_DATABASE_PATH"
        echo "storage.provider.sqlite.database: $SQLITE_DATABASE_PATH" >> "$CONF_FILE_PATH"
    fi
    echo "Starting mxisd..."
    echo
 fi
 exec java $JAVA_OPTS -Djava.security.egd=file:/dev/./urandom -Dspring.config.location=/etc/mxisd/ -Dspring.config.name=mxisd -jar /mxisd.jar
--- a/src/main/groovy/io/kamax/mxisd/backend/firebase/GoogleFirebaseAuthenticator.groovy
+++ b/src/main/groovy/io/kamax/mxisd/backend/firebase/GoogleFirebaseAuthenticator.groovy
@@ -1,193 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.firebase
 import com.google.firebase.FirebaseApp
 import com.google.firebase.FirebaseOptions
 import com.google.firebase.auth.*
 import com.google.firebase.internal.NonNull
 import com.google.firebase.tasks.OnFailureListener
 import com.google.firebase.tasks.OnSuccessListener
 import io.kamax.matrix.ThreePidMedium
 import io.kamax.matrix._MatrixID
 import io.kamax.mxisd.ThreePid
 import io.kamax.mxisd.UserIdType
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider
 import io.kamax.mxisd.auth.provider.BackendAuthResult
 import org.apache.commons.lang.StringUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import java.util.concurrent.CountDownLatch
 import java.util.concurrent.TimeUnit
 import java.util.regex.Pattern
 public class GoogleFirebaseAuthenticator implements AuthenticatorProvider {
    private Logger log = LoggerFactory.getLogger(GoogleFirebaseAuthenticator.class);
    private static final Pattern matrixIdLaxPattern = Pattern.compile("@(.*):(.+)"); // FIXME use matrix-java-sdk
    private boolean isEnabled;
    private String domain;
    private FirebaseApp fbApp;
    private FirebaseAuth fbAuth;
    private void waitOnLatch(BackendAuthResult result, CountDownLatch l, long timeout, TimeUnit unit, String purpose) {
        try {
            l.await(timeout, unit);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for " + purpose);
            result.failure();
        }
    }
    public GoogleFirebaseAuthenticator(boolean isEnabled) {
        this.isEnabled = isEnabled;
    }
    public GoogleFirebaseAuthenticator(String credsPath, String db, String domain) {
        this(true);
        this.domain = domain;
        try {
            fbApp = FirebaseApp.initializeApp(getOpts(credsPath, db), "AuthenticationProvider");
            fbAuth = FirebaseAuth.getInstance(fbApp);
            log.info("Google Firebase Authentication is ready");
        } catch (IOException e) {
            throw new RuntimeException("Error when initializing Firebase", e);
        }
    }
    private FirebaseCredential getCreds(String credsPath) throws IOException {
        if (StringUtils.isNotBlank(credsPath)) {
            return FirebaseCredentials.fromCertificate(new FileInputStream(credsPath));
        } else {
            return FirebaseCredentials.applicationDefault();
        }
    }
    private FirebaseOptions getOpts(String credsPath, String db) throws IOException {
        if (StringUtils.isBlank(db)) {
            throw new IllegalArgumentException("Firebase database is not configured");
        }
        return new FirebaseOptions.Builder()
                .setCredential(getCreds(credsPath))
                .setDatabaseUrl(db)
                .build();
    }
    @Override
    public boolean isEnabled() {
        return isEnabled;
    }
    private void waitOnLatch(CountDownLatch l) {
        try {
            l.await(30, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for Firebase auth check");
        }
    }
    @Override
    public BackendAuthResult authenticate(_MatrixID mxid, String password) {
        if (!isEnabled()) {
            throw new IllegalStateException();
        }
        log.info("Trying to authenticate {}", mxid);
        BackendAuthResult result = BackendAuthResult.failure();
        String localpart = m.group(1);
        CountDownLatch l = new CountDownLatch(1);
        fbAuth.verifyIdToken(password).addOnSuccessListener(new OnSuccessListener<FirebaseToken>() {
            @Override
            void onSuccess(FirebaseToken token) {
                try {
                    if (!StringUtils.equals(localpart, token.getUid())) {
                        log.info("Failture to authenticate {}: Matrix ID localpart '{}' does not match Firebase UID '{}'", id, localpart, token.getUid());
                        result = BackendAuthResult.failure();
                        return;
                    }
                    result = BackendAuthResult.success(mxid.getId(), UserIdType.MatrixID, token.getName());
                    log.info("{} was successfully authenticated", mxid);
                    log.info("Fetching profile for {}", mxid);
                    CountDownLatch userRecordLatch = new CountDownLatch(1);
                    fbAuth.getUser(token.getUid()).addOnSuccessListener(new OnSuccessListener<UserRecord>() {
                        @Override
                        void onSuccess(UserRecord user) {
                            try {
                                if (StringUtils.isNotBlank(user.getEmail())) {
                                    result.withThreePid(new ThreePid(ThreePidMedium.Email.getId(), user.getEmail()));
                                }
                                if (StringUtils.isNotBlank(user.getPhoneNumber())) {
                                    result.withThreePid(new ThreePid(ThreePidMedium.PhoneNumber.getId(), user.getPhoneNumber()));
                                }
                            } finally {
                                userRecordLatch.countDown();
                            }
                        }
                    }).addOnFailureListener(new OnFailureListener() {
                        @Override
                        void onFailure(@NonNull Exception e) {
                            try {
                                log.warn("Unable to fetch Firebase user profile for {}", mxid);
                                result = BackendAuthResult.failure();
                            } finally {
                                userRecordLatch.countDown();
                            }
                        }
                    });
                    waitOnLatch(result, userRecordLatch, 30, TimeUnit.SECONDS, "Firebase user profile");
                } finally {
                    l.countDown()
                }
            }
        }).addOnFailureListener(new OnFailureListener() {
            @Override
            void onFailure(@NonNull Exception e) {
                try {
                    if (e instanceof IllegalArgumentException) {
                        log.info("Failure to authenticate {}: invalid firebase token", mxid);
                    } else {
                        log.info("Failure to authenticate {}: {}", id, e.getMessage(), e);
                        log.info("Exception", e);
                    }
                    result = BackendAuthResult.failure();
                } finally {
                    l.countDown()
                }
            }
        });
        waitOnLatch(result, l, 30, TimeUnit.SECONDS, "Firebase auth check");
        return result;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/firebase/GoogleFirebaseProvider.groovy
+++ b/src/main/groovy/io/kamax/mxisd/backend/firebase/GoogleFirebaseProvider.groovy
@@ -1,191 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.firebase
 import com.google.firebase.FirebaseApp
 import com.google.firebase.FirebaseOptions
 import com.google.firebase.auth.FirebaseAuth
 import com.google.firebase.auth.FirebaseCredential
 import com.google.firebase.auth.FirebaseCredentials
 import com.google.firebase.auth.UserRecord
 import com.google.firebase.internal.NonNull
 import com.google.firebase.tasks.OnFailureListener
 import com.google.firebase.tasks.OnSuccessListener
 import io.kamax.matrix.ThreePidMedium
 import io.kamax.mxisd.lookup.SingleLookupReply
 import io.kamax.mxisd.lookup.SingleLookupRequest
 import io.kamax.mxisd.lookup.ThreePidMapping
 import io.kamax.mxisd.lookup.provider.IThreePidProvider
 import org.apache.commons.lang.StringUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import java.util.concurrent.CountDownLatch
 import java.util.concurrent.TimeUnit
 import java.util.function.Consumer
 import java.util.regex.Pattern
 public class GoogleFirebaseProvider implements IThreePidProvider {
    private Logger log = LoggerFactory.getLogger(GoogleFirebaseProvider.class);
    private static final Pattern matrixIdLaxPattern = Pattern.compile("@(.*):(.+)");
    private boolean isEnabled;
    private String domain;
    private FirebaseApp fbApp;
    private FirebaseAuth fbAuth;
    public GoogleFirebaseProvider(boolean isEnabled) {
        this.isEnabled = isEnabled;
    }
    public GoogleFirebaseProvider(String credsPath, String db, String domain) {
        this(true);
        this.domain = domain;
        try {
            fbApp = FirebaseApp.initializeApp(getOpts(credsPath, db), "ThreePidProvider");
            fbAuth = FirebaseAuth.getInstance(fbApp);
            log.info("Google Firebase Authentication is ready");
        } catch (IOException e) {
            throw new RuntimeException("Error when initializing Firebase", e);
        }
    }
    private FirebaseCredential getCreds(String credsPath) throws IOException {
        if (StringUtils.isNotBlank(credsPath)) {
            return FirebaseCredentials.fromCertificate(new FileInputStream(credsPath));
        } else {
            return FirebaseCredentials.applicationDefault();
        }
    }
    private FirebaseOptions getOpts(String credsPath, String db) throws IOException {
        if (StringUtils.isBlank(db)) {
            throw new IllegalArgumentException("Firebase database is not configured");
        }
        return new FirebaseOptions.Builder()
                .setCredential(getCreds(credsPath))
                .setDatabaseUrl(db)
                .build();
    }
    private String getMxid(UserRecord record) {
        return "@${record.getUid()}:${domain}";
    }
    @Override
    public boolean isEnabled() {
        return isEnabled;
    }
    @Override
    public boolean isLocal() {
        return true;
    }
    @Override
    public int getPriority() {
        return 25;
    }
    private void waitOnLatch(CountDownLatch l) {
        try {
            l.await(30, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for Firebase auth check");
        }
    }
    private Optional<UserRecord> findInternal(String medium, String address) {
        UserRecord r;
        CountDownLatch l = new CountDownLatch(1);
        OnSuccessListener<UserRecord> success = new OnSuccessListener<UserRecord>() {
            @Override
            void onSuccess(UserRecord result) {
                log.info("Found 3PID match for {}:{} - UID is {}", medium, address, result.getUid())
                r = result;
                l.countDown()
            }
        };
        OnFailureListener failure = new OnFailureListener() {
            @Override
            void onFailure(@NonNull Exception e) {
                log.info("No 3PID match for {}:{} - {}", medium, address, e.getMessage())
                r = null;
                l.countDown()
            }
        };
        if (ThreePidMedium.Email.is(medium)) {
            log.info("Performing E-mail 3PID lookup for {}", address)
            fbAuth.getUserByEmail(address)
                    .addOnSuccessListener(success)
                    .addOnFailureListener(failure);
            waitOnLatch(l);
        } else if (ThreePidMedium.PhoneNumber.is(medium)) {
            log.info("Performing msisdn 3PID lookup for {}", address)
            fbAuth.getUserByPhoneNumber(address)
                    .addOnSuccessListener(success)
                    .addOnFailureListener(failure);
            waitOnLatch(l);
        } else {
            log.info("{} is not a supported 3PID medium", medium);
            r = null;
        }
        return Optional.ofNullable(r);
    }
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
        Optional<UserRecord> urOpt = findInternal(request.getType(), request.getThreePid())
        if (urOpt.isPresent()) {
            return Optional.of(new SingleLookupReply(request, getMxid(urOpt.get())));
        }
        return Optional.empty();
    }
    @Override
    public List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        List<ThreePidMapping> results = new ArrayList<>();
        mappings.parallelStream().forEach(new Consumer<ThreePidMapping>() {
            @Override
            void accept(ThreePidMapping o) {
                Optional<UserRecord> urOpt = findInternal(o.getMedium(), o.getValue());
                if (urOpt.isPresent()) {
                    ThreePidMapping result = new ThreePidMapping();
                    result.setMedium(o.getMedium())
                    result.setValue(o.getValue())
                    result.setMxid(getMxid(urOpt.get()))
                    results.add(result)
                }
            }
        });
        return results;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapGenericBackend.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapGenericBackend.java
@@ -1,57 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import org.apache.commons.lang.StringUtils;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@Component
 public class LdapGenericBackend {
    private Logger log = LoggerFactory.getLogger(LdapGenericBackend.class);
    @Autowired
    private LdapConfig ldapCfg;
    protected LdapConnection getConn() {
        return new LdapNetworkConnection(ldapCfg.getConn().getHost(), ldapCfg.getConn().getPort(), ldapCfg.getConn().isTls());
    }
    protected void bind(LdapConnection conn) throws LdapException {
        if (StringUtils.isBlank(ldapCfg.getConn().getBindDn()) && StringUtils.isBlank(ldapCfg.getConn().getBindPassword())) {
            conn.anonymousBind();
        } else {
            conn.bind(ldapCfg.getConn().getBindDn(), ldapCfg.getConn().getBindPassword());
        }
    }
    protected LdapConfig getCfg() {
        return ldapCfg;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapThreePidProvider.groovy
+++ b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapThreePidProvider.groovy
@@ -1,169 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap
 import io.kamax.mxisd.config.MatrixConfig
 import io.kamax.mxisd.lookup.SingleLookupReply
 import io.kamax.mxisd.lookup.SingleLookupRequest
 import io.kamax.mxisd.lookup.ThreePidMapping
 import io.kamax.mxisd.lookup.provider.IThreePidProvider
 import org.apache.commons.lang.StringUtils
 import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException
 import org.apache.directory.api.ldap.model.cursor.EntryCursor
 import org.apache.directory.api.ldap.model.entry.Attribute
 import org.apache.directory.api.ldap.model.entry.Entry
 import org.apache.directory.api.ldap.model.message.SearchScope
 import org.apache.directory.ldap.client.api.LdapConnection
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
@Component
 class LdapThreePidProvider extends LdapGenericBackend implements IThreePidProvider {
    public static final String UID = "uid"
    public static final String MATRIX_ID = "mxid"
    private Logger log = LoggerFactory.getLogger(LdapThreePidProvider.class)
    @Autowired
    private MatrixConfig mxCfg
    @Override
    boolean isEnabled() {
        return getCfg().isEnabled()
    }
    private String getUidAttribute() {
        return getCfg().getAttribute().getUid().getValue();
    }
    @Override
    boolean isLocal() {
        return true
    }
    @Override
    int getPriority() {
        return 20
    }
    Optional<String> lookup(LdapConnection conn, String medium, String value) {
        String uidAttribute = getUidAttribute()
        Optional<String> queryOpt = getCfg().getIdentity().getQuery(medium)
        if (!queryOpt.isPresent()) {
            log.warn("{} is not a configured 3PID type for LDAP lookup", medium)
            return Optional.empty()
        }
        String searchQuery = queryOpt.get().replaceAll("%3pid", value)
        EntryCursor cursor = conn.search(getCfg().getConn().getBaseDn(), searchQuery, SearchScope.SUBTREE, uidAttribute)
        try {
            while (cursor.next()) {
                Entry entry = cursor.get()
                log.info("Found possible match, DN: {}", entry.getDn().getName())
                Attribute attribute = entry.get(uidAttribute)
                if (attribute == null) {
                    log.info("DN {}: no attribute {}, skpping", entry.getDn(), getCfg().getAttribute())
                    continue
                }
                String data = attribute.get().toString()
                if (data.length() < 1) {
                    log.info("DN {}: empty attribute {}, skipping", getCfg().getAttribute())
                    continue
                }
                StringBuilder matrixId = new StringBuilder()
                // TODO Should we turn this block into a map of functions?
                String uidType = getCfg().getAttribute().getUid().getType()
                if (StringUtils.equals(UID, uidType)) {
                    matrixId.append("@").append(data).append(":").append(mxCfg.getDomain())
                } else if (StringUtils.equals(MATRIX_ID, uidType)) {
                    matrixId.append(data)
                } else {
                    log.warn("Bind was found but type {} is not supported", uidType)
                    continue
                }
                log.info("DN {} is a valid match", entry.getDn().getName())
                return Optional.of(matrixId.toString())
            }
        } catch (CursorLdapReferralException e) {
            log.warn("3PID {} is only available via referral, skipping", value)
        } finally {
            cursor.close()
        }
        return Optional.empty()
    }
    @Override
    Optional<SingleLookupReply> find(SingleLookupRequest request) {
        log.info("Performing LDAP lookup ${request.getThreePid()} of type ${request.getType()}")
        LdapConnection conn = getConn()
        try {
            bind(conn)
            Optional<String> mxid = lookup(conn, request.getType(), request.getThreePid())
            if (mxid.isPresent()) {
                return Optional.of(new SingleLookupReply(request, mxid.get()));
            }
        } finally {
            conn.close()
        }
        log.info("No match found")
        return Optional.empty()
    }
    @Override
    List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        log.info("Looking up {} mappings", mappings.size())
        List<ThreePidMapping> mappingsFound = new ArrayList<>()
        LdapConnection conn = getConn()
        try {
            bind(conn)
            for (ThreePidMapping mapping : mappings) {
                try {
                    Optional<String> mxid = lookup(conn, mapping.getMedium(), mapping.getValue())
                    if (mxid.isPresent()) {
                        mapping.setMxid(mxid.get())
                        mappingsFound.add(mapping)
                    }
                } catch (IllegalArgumentException e) {
                    log.warn("{} is not a supported 3PID type for LDAP lookup", mapping.getMedium())
                }
            }
        } finally {
            conn.close()
        }
        return mappingsFound
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/RecursiveLookupBridgeConfig.groovy
+++ b/src/main/groovy/io/kamax/mxisd/config/RecursiveLookupBridgeConfig.groovy
@@ -1,83 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.config
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.InitializingBean
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.context.annotation.Configuration
@Configuration
@ConfigurationProperties(prefix = "lookup.recursive.bridge")
 class RecursiveLookupBridgeConfig implements InitializingBean {
    private Logger log = LoggerFactory.getLogger(RecursiveLookupBridgeConfig.class)
    private boolean enabled
    private boolean recursiveOnly
    private String server
    private Map<String, String> mappings = new HashMap<>()
    boolean getEnabled() {
        return enabled
    }
    void setEnabled(boolean enabled) {
        this.enabled = enabled
    }
    boolean getRecursiveOnly() {
        return recursiveOnly
    }
    void setRecursiveOnly(boolean recursiveOnly) {
        this.recursiveOnly = recursiveOnly
    }
    String getServer() {
        return server
    }
    void setServer(String server) {
        this.server = server
    }
    Map<String, String> getMappings() {
        return mappings
    }
    void setMappings(Map<String, String> mappings) {
        this.mappings = mappings
    }
    @Override
    void afterPropertiesSet() throws Exception {
        log.info("--- Bridge integration lookups config ---")
        log.info("Enabled: {}", getEnabled())
        if (getEnabled()) {
            log.info("Recursive only: {}", getRecursiveOnly())
            log.info("Fallback Server: {}", getServer())
            log.info("Mappings: {}", mappings.size())
        }
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/RecursiveLookupConfig.groovy
+++ b/src/main/groovy/io/kamax/mxisd/config/RecursiveLookupConfig.groovy
@@ -1,58 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.config
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.context.annotation.Configuration
@Configuration
@ConfigurationProperties(prefix = "lookup.recursive")
 class RecursiveLookupConfig {
    private boolean enabled
    private List<String> allowedCidr
    private RecursiveLookupBridgeConfig bridge
    boolean isEnabled() {
        return enabled
    }
    void setEnabled(boolean enabled) {
        this.enabled = enabled
    }
    List<String> getAllowedCidr() {
        return allowedCidr
    }
    void setAllowedCidr(List<String> allowedCidr) {
        this.allowedCidr = allowedCidr
    }
    RecursiveLookupBridgeConfig getBridge() {
        return bridge
    }
    void setBridge(RecursiveLookupBridgeConfig bridge) {
        this.bridge = bridge
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/ldap/LdapConfig.groovy
+++ b/src/main/groovy/io/kamax/mxisd/config/ldap/LdapConfig.groovy
@@ -1,129 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.config.ldap
 import groovy.json.JsonOutput
 import io.kamax.mxisd.backend.ldap.LdapThreePidProvider
 import org.apache.commons.lang.StringUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.boot.context.properties.ConfigurationProperties
 import org.springframework.context.annotation.Configuration
 import javax.annotation.PostConstruct
@Configuration
@ConfigurationProperties(prefix = "ldap")
 class LdapConfig {
    private Logger log = LoggerFactory.getLogger(LdapConfig.class)
    private boolean enabled
    @Autowired
    private LdapConnectionConfig conn
    private LdapAttributeConfig attribute
    private LdapAuthConfig auth
    private LdapIdentityConfig identity
    boolean isEnabled() {
        return enabled
    }
    void setEnabled(boolean enabled) {
        this.enabled = enabled
    }
    LdapConnectionConfig getConn() {
        return conn
    }
    void setConn(LdapConnectionConfig conn) {
        this.conn = conn
    }
    LdapAttributeConfig getAttribute() {
        return attribute
    }
    void setAttribute(LdapAttributeConfig attribute) {
        this.attribute = attribute
    }
    LdapAuthConfig getAuth() {
        return auth
    }
    void setAuth(LdapAuthConfig auth) {
        this.auth = auth
    }
    LdapIdentityConfig getIdentity() {
        return identity
    }
    void setIdentity(LdapIdentityConfig identity) {
        this.identity = identity
    }
    @PostConstruct
    void afterPropertiesSet() {
        log.info("--- LDAP Config ---")
        log.info("Enabled: {}", isEnabled())
        if (!isEnabled()) {
            return
        }
        if (StringUtils.isBlank(conn.getHost())) {
            throw new IllegalStateException("LDAP Host must be configured!")
        }
        if (1 > conn.getPort() || 65535 < conn.getPort()) {
            throw new IllegalStateException("LDAP port is not valid")
        }
        if (StringUtils.isBlank(attribute.getUid().getType())) {
            throw new IllegalStateException("Attribute UID Type cannot be empty")
        }
        if (StringUtils.isBlank(attribute.getUid().getValue())) {
            throw new IllegalStateException("Attribute UID value cannot be empty")
        }
        String uidType = attribute.getUid().getType();
        if (!StringUtils.equals(LdapThreePidProvider.UID, uidType) && !StringUtils.equals(LdapThreePidProvider.MATRIX_ID, uidType)) {
            throw new IllegalArgumentException("Unsupported LDAP UID type: " + uidType)
        }
        log.info("Host: {}", conn.getHost())
        log.info("Port: {}", conn.getPort())
        log.info("Bind DN: {}", conn.getBindDn())
        log.info("Base DN: {}", conn.getBaseDn())
        log.info("Attribute: {}", JsonOutput.toJson(attribute))
        log.info("Auth: {}", JsonOutput.toJson(auth))
        log.info("Identity: {}", JsonOutput.toJson(identity))
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/ldap/LdapConnectionConfig.java
+++ b/src/main/groovy/io/kamax/mxisd/config/ldap/LdapConnectionConfig.java
@@ -1,85 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.config.ldap;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
@Configuration
@ConfigurationProperties(prefix = "ldap.connection")
 public class LdapConnectionConfig {
    private boolean tls;
    private String host;
    private int port;
    private String bindDn;
    private String bindPassword;
    private String baseDn;
    public boolean isTls() {
        return tls;
    }
    public void setTls(boolean tls) {
        this.tls = tls;
    }
    public String getHost() {
        return host;
    }
    public void setHost(String host) {
        this.host = host;
    }
    public int getPort() {
        return port;
    }
    public void setPort(int port) {
        this.port = port;
    }
    public String getBindDn() {
        return bindDn;
    }
    public void setBindDn(String bindDn) {
        this.bindDn = bindDn;
    }
    public String getBindPassword() {
        return bindPassword;
    }
    public void setBindPassword(String bindPassword) {
        this.bindPassword = bindPassword;
    }
    public String getBaseDn() {
        return baseDn;
    }
    public void setBaseDn(String baseDn) {
        this.baseDn = baseDn;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/sql/SqlProviderAuthConfig.java
+++ b/src/main/groovy/io/kamax/mxisd/config/sql/SqlProviderAuthConfig.java
@@ -1,21 +0,0 @@
 package io.kamax.mxisd.config.sql;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 // Unused
@Configuration
@ConfigurationProperties("sql.auth")
 public class SqlProviderAuthConfig {
    private boolean enabled;
    public boolean isEnabled() {
        return enabled;
    }
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/config/sql/SqlProviderConfig.java
+++ b/src/main/groovy/io/kamax/mxisd/config/sql/SqlProviderConfig.java
@@ -1,96 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.config.sql;
 import com.google.gson.Gson;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Configuration;
 import javax.annotation.PostConstruct;
@Configuration
@ConfigurationProperties("sql")
 public class SqlProviderConfig {
    private Logger log = LoggerFactory.getLogger(SqlProviderConfig.class);
    private boolean enabled;
    private String type;
    private String connection;
    private SqlProviderAuthConfig auth;
    private SqlProviderIdentityConfig identity;
    public boolean isEnabled() {
        return enabled;
    }
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }
    public String getType() {
        return type;
    }
    public void setType(String type) {
        this.type = type;
    }
    public String getConnection() {
        return connection;
    }
    public void setConnection(String connection) {
        this.connection = connection;
    }
    public SqlProviderAuthConfig getAuth() {
        return auth;
    }
    public void setAuth(SqlProviderAuthConfig auth) {
        this.auth = auth;
    }
    public SqlProviderIdentityConfig getIdentity() {
        return identity;
    }
    public void setIdentity(SqlProviderIdentityConfig identity) {
        this.identity = identity;
    }
    @PostConstruct
    private void postConstruct() {
        log.info("--- SQL Provider config ---");
        log.info("Enabled: {}", isEnabled());
        if (isEnabled()) {
            log.info("Type: {}", getType());
            log.info("Connection: {}", getConnection());
            log.info("Auth enabled: {}", getAuth().isEnabled());
            log.info("Identy type: {}", getIdentity().getType());
            log.info("Identity medium queries: {}", new Gson().toJson(getIdentity().getMedium()));
        }
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/controller/v1/AuthController.java
+++ b/src/main/groovy/io/kamax/mxisd/controller/v1/AuthController.java
@@ -1,89 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.controller.v1;
 import com.google.gson.Gson;
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import com.google.gson.JsonParser;
 import io.kamax.mxisd.auth.AuthManager;
 import io.kamax.mxisd.auth.UserAuthResult;
 import org.apache.commons.io.IOUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import javax.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@RestController
@CrossOrigin
@RequestMapping(produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
 public class AuthController {
    private Logger log = LoggerFactory.getLogger(AuthController.class);
    private Gson gson = new Gson();
    @Autowired
    private AuthManager mgr;
    @RequestMapping(value = "/_matrix-internal/identity/v1/check_credentials", method = RequestMethod.POST)
    public String checkCredentials(HttpServletRequest req) {
        try {
            JsonElement el = new JsonParser().parse(IOUtils.toString(req.getInputStream(), StandardCharsets.UTF_8));
            if (!el.isJsonObject() || !el.getAsJsonObject().has("user")) {
                throw new IllegalArgumentException("Missing user key");
            }
            JsonObject authData = el.getAsJsonObject().get("user").getAsJsonObject();
            if (!authData.has("id") || !authData.has("password")) {
                throw new IllegalArgumentException("Missing id or password keys");
            }
            String id = authData.get("id").getAsString();
            log.info("Requested to check credentials for {}", id);
            String password = authData.get("password").getAsString();
            UserAuthResult result = mgr.authenticate(id, password);
            JsonObject authObj = new JsonObject();
            authObj.addProperty("success", result.isSuccess());
            if (result.isSuccess()) {
                authObj.addProperty("mxid", result.getMxid());
                authObj.addProperty("display_name", result.getDisplayName());
            }
            JsonObject obj = new JsonObject();
            obj.add("authentication", authObj);
            return gson.toJson(obj);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/controller/v1/DefaultExceptionHandler.java
+++ b/src/main/groovy/io/kamax/mxisd/controller/v1/DefaultExceptionHandler.java
@@ -1,106 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.controller.v1;
 import com.google.gson.Gson;
 import com.google.gson.JsonObject;
 import io.kamax.mxisd.exception.BadRequestException;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.exception.MappingAlreadyExistsException;
 import io.kamax.mxisd.exception.MatrixException;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.web.bind.MissingServletRequestParameterException;
 import org.springframework.web.bind.annotation.*;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.time.Instant;
@ControllerAdvice
@ResponseBody
@RequestMapping(produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
 public class DefaultExceptionHandler {
    private Logger log = LoggerFactory.getLogger(DefaultExceptionHandler.class);
    private static Gson gson = new Gson();
    static String handle(String erroCode, String error) {
        JsonObject obj = new JsonObject();
        obj.addProperty("errcode", erroCode);
        obj.addProperty("error", error);
        return gson.toJson(obj);
    }
    @ExceptionHandler(InternalServerError.class)
    public String handle(InternalServerError e, HttpServletResponse response) {
        if (StringUtils.isNotBlank(e.getInternalReason())) {
            log.error("Reference #{} - {}", e.getReference(), e.getInternalReason());
        } else {
            log.error("Reference #{}", e);
        }
        return handleGeneric(e, response);
    }
    @ExceptionHandler(MatrixException.class)
    public String handleGeneric(MatrixException e, HttpServletResponse response) {
        response.setStatus(e.getStatus());
        return handle(e.getErrorCode(), e.getError());
    }
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ExceptionHandler(MissingServletRequestParameterException.class)
    public String handle(MissingServletRequestParameterException e) {
        return handle("M_INVALID_BODY", e.getMessage());
    }
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ExceptionHandler(MappingAlreadyExistsException.class)
    public String handle(MappingAlreadyExistsException e) {
        return handle("M_ALREADY_EXISTS", e.getMessage());
    }
    @ResponseStatus(HttpStatus.BAD_REQUEST)
    @ExceptionHandler(BadRequestException.class)
    public String handle(BadRequestException e) {
        return handle("M_BAD_REQUEST", e.getMessage());
    }
    @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
    @ExceptionHandler(RuntimeException.class)
    public String handle(HttpServletRequest req, RuntimeException e) {
        log.error("Unknown error when handling {}", req.getRequestURL(), e);
        return handle(
                "M_UNKNOWN",
                StringUtils.defaultIfBlank(
                        e.getMessage(),
                        "An internal server error occured. If this error persists, please contact support with reference #" +
                                Instant.now().toEpochMilli()
                )
        );
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/controller/v1/MappingController.groovy
+++ b/src/main/groovy/io/kamax/mxisd/controller/v1/MappingController.groovy
@@ -1,121 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.controller.v1
 import com.google.gson.Gson
 import com.google.gson.JsonObject
 import groovy.json.JsonOutput
 import groovy.json.JsonSlurper
 import io.kamax.mxisd.controller.v1.io.SingeLookupReplyJson
 import io.kamax.mxisd.lookup.*
 import io.kamax.mxisd.lookup.strategy.LookupStrategy
 import io.kamax.mxisd.signature.SignatureManager
 import org.apache.commons.lang.StringUtils
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.http.MediaType
 import org.springframework.web.bind.annotation.CrossOrigin
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RequestParam
 import org.springframework.web.bind.annotation.RestController
 import javax.servlet.http.HttpServletRequest
 import static org.springframework.web.bind.annotation.RequestMethod.GET
 import static org.springframework.web.bind.annotation.RequestMethod.POST
@RestController
@CrossOrigin
@RequestMapping(path = IdentityAPIv1.BASE, produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
 class MappingController {
    private Logger log = LoggerFactory.getLogger(MappingController.class)
    private JsonSlurper json = new JsonSlurper()
    private Gson gson = new Gson()
    @Autowired
    private LookupStrategy strategy
    @Autowired
    private SignatureManager signMgr
    private void setRequesterInfo(ALookupRequest lookupReq, HttpServletRequest req) {
        lookupReq.setRequester(req.getRemoteAddr())
        String xff = req.getHeader("X-FORWARDED-FOR")
        lookupReq.setRecursive(StringUtils.isNotBlank(xff))
        if (lookupReq.isRecursive()) {
            lookupReq.setRecurseHosts(Arrays.asList(xff.split(",")))
        }
        lookupReq.setUserAgent(req.getHeader("USER-AGENT"))
    }
    @RequestMapping(value = "/lookup", method = GET)
    String lookup(HttpServletRequest request, @RequestParam String medium, @RequestParam String address) {
        SingleLookupRequest lookupRequest = new SingleLookupRequest()
        setRequesterInfo(lookupRequest, request)
        lookupRequest.setType(medium)
        lookupRequest.setThreePid(address)
        log.info("Got single lookup request from {} with client {} - Is recursive? {}", lookupRequest.getRequester(), lookupRequest.getUserAgent(), lookupRequest.isRecursive())
        Optional<SingleLookupReply> lookupOpt = strategy.find(lookupRequest)
        if (!lookupOpt.isPresent()) {
            log.info("No mapping was found, return empty JSON object")
            return JsonOutput.toJson([])
        }
        SingleLookupReply lookup = lookupOpt.get()
        if (lookup.isSigned()) {
            log.info("Lookup is already signed, sending as-is")
            return lookup.getBody();
        } else {
            log.info("Lookup is not signed, signing")
            JsonObject obj = new Gson().toJsonTree(new SingeLookupReplyJson(lookup)).getAsJsonObject()
            obj.add("signatures", signMgr.signMessageGson(gson.toJson(obj)))
            return gson.toJson(obj)
        }
    }
    @RequestMapping(value = "/bulk_lookup", method = POST)
    String bulkLookup(HttpServletRequest request) {
        BulkLookupRequest lookupRequest = new BulkLookupRequest()
        setRequesterInfo(lookupRequest, request)
        log.info("Got single lookup request from {} with client {} - Is recursive? {}", lookupRequest.getRequester(), lookupRequest.getUserAgent(), lookupRequest.isRecursive())
        ClientBulkLookupRequest input = (ClientBulkLookupRequest) json.parseText(request.getInputStream().getText())
        List<ThreePidMapping> mappings = new ArrayList<>()
        for (List<String> mappingRaw : input.getThreepids()) {
            ThreePidMapping mapping = new ThreePidMapping()
            mapping.setMedium(mappingRaw.get(0))
            mapping.setValue(mappingRaw.get(1))
            mappings.add(mapping)
        }
        lookupRequest.setMappings(mappings)
        ClientBulkLookupAnswer answer = new ClientBulkLookupAnswer()
        answer.addAll(strategy.find(lookupRequest))
        return JsonOutput.toJson(answer)
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/key/KeyManager.groovy
+++ b/src/main/groovy/io/kamax/mxisd/key/KeyManager.groovy
@@ -1,106 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.key
 import io.kamax.mxisd.config.KeyConfig
 import net.i2p.crypto.eddsa.EdDSAEngine
 import net.i2p.crypto.eddsa.EdDSAPrivateKey
 import net.i2p.crypto.eddsa.EdDSAPublicKey
 import net.i2p.crypto.eddsa.KeyPairGenerator
 import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable
 import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec
 import net.i2p.crypto.eddsa.spec.EdDSAPrivateKeySpec
 import net.i2p.crypto.eddsa.spec.EdDSAPublicKeySpec
 import org.apache.commons.io.FileUtils
 import org.springframework.beans.factory.InitializingBean
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
 import java.nio.charset.StandardCharsets
 import java.nio.file.Files
 import java.nio.file.Path
 import java.nio.file.Paths
 import java.security.KeyPair
 import java.security.MessageDigest
 import java.security.PrivateKey
@Component
 class KeyManager implements InitializingBean {
    @Autowired
    private KeyConfig keyCfg
    private EdDSAParameterSpec keySpecs
    private EdDSAEngine signEngine
    private List<KeyPair> keys
    @Override
    void afterPropertiesSet() throws Exception {
        keySpecs = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.CURVE_ED25519_SHA512)
        signEngine = new EdDSAEngine(MessageDigest.getInstance(keySpecs.getHashAlgorithm()))
        keys = new ArrayList<>()
        Path privKey = Paths.get(keyCfg.getPath())
        if (!Files.exists(privKey)) {
            KeyPair pair = (new KeyPairGenerator()).generateKeyPair()
            String keyEncoded = Base64.getEncoder().encodeToString(pair.getPrivate().getEncoded())
            FileUtils.writeStringToFile(privKey.toFile(), keyEncoded, StandardCharsets.ISO_8859_1)
            keys.add(pair)
        } else {
            if (Files.isDirectory(privKey)) {
                throw new RuntimeException("Invalid path for private key: ${privKey.toString()}")
            }
            if (Files.isReadable(privKey)) {
                byte[] seed = Base64.getDecoder().decode(FileUtils.readFileToString(privKey.toFile(), StandardCharsets.ISO_8859_1))
                EdDSAPrivateKeySpec privKeySpec = new EdDSAPrivateKeySpec(seed, keySpecs)
                EdDSAPublicKeySpec pubKeySpec = new EdDSAPublicKeySpec(privKeySpec.getA(), keySpecs)
                keys.add(new KeyPair(new EdDSAPublicKey(pubKeySpec), new EdDSAPrivateKey(privKeySpec)))
            }
        }
    }
    int getCurrentIndex() {
        return 0
    }
    KeyPair getKeys(int index) {
        return keys.get(index)
    }
    PrivateKey getPrivateKey(int index) {
        return getKeys(index).getPrivate()
    }
    EdDSAPublicKey getPublicKey(int index) {
        return (EdDSAPublicKey) getKeys(index).getPublic()
    }
    EdDSAParameterSpec getSpecs() {
        return keySpecs
    }
    String getPublicKeyBase64(int index) {
        return Base64.getEncoder().encodeToString(getPublicKey(index).getAbyte())
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/lookup/provider/ForwarderProvider.groovy
+++ b/src/main/groovy/io/kamax/mxisd/lookup/provider/ForwarderProvider.groovy
@@ -1,88 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.lookup.provider
 import io.kamax.mxisd.config.ForwardConfig
 import io.kamax.mxisd.lookup.SingleLookupReply
 import io.kamax.mxisd.lookup.SingleLookupRequest
 import io.kamax.mxisd.lookup.ThreePidMapping
 import io.kamax.mxisd.lookup.fetcher.IRemoteIdentityServerFetcher
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
@Component
 class ForwarderProvider implements IThreePidProvider {
    private Logger log = LoggerFactory.getLogger(ForwarderProvider.class)
    @Autowired
    private ForwardConfig cfg
    @Autowired
    private IRemoteIdentityServerFetcher fetcher
    @Override
    boolean isEnabled() {
        return true
    }
    @Override
    boolean isLocal() {
        return false
    }
    @Override
    int getPriority() {
        return 0
    }
    @Override
    Optional<SingleLookupReply> find(SingleLookupRequest request) {
        for (String root : cfg.getServers()) {
            Optional<SingleLookupReply> answer = fetcher.find(root, request)
            if (answer.isPresent()) {
                return answer
            }
        }
        return Optional.empty()
    }
    @Override
    List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        List<ThreePidMapping> mappingsToDo = new ArrayList<>(mappings)
        List<ThreePidMapping> mappingsFoundGlobal = new ArrayList<>()
        for (String root : cfg.getServers()) {
            log.info("{} mappings remaining: {}", mappingsToDo.size(), mappingsToDo)
            log.info("Querying {}", root)
            List<ThreePidMapping> mappingsFound = fetcher.find(root, mappingsToDo)
            log.info("{} returned {} mappings", root, mappingsFound.size())
            mappingsFoundGlobal.addAll(mappingsFound)
            mappingsToDo.removeAll(mappingsFound)
        }
        return mappingsFoundGlobal
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/lookup/provider/RemoteIdentityServerFetcher.groovy
+++ b/src/main/groovy/io/kamax/mxisd/lookup/provider/RemoteIdentityServerFetcher.groovy
@@ -1,135 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.lookup.provider
 import groovy.json.JsonException
 import groovy.json.JsonOutput
 import groovy.json.JsonSlurper
 import io.kamax.mxisd.controller.v1.ClientBulkLookupRequest
 import io.kamax.mxisd.lookup.SingleLookupReply
 import io.kamax.mxisd.lookup.SingleLookupRequest
 import io.kamax.mxisd.lookup.ThreePidMapping
 import io.kamax.mxisd.lookup.fetcher.IRemoteIdentityServerFetcher
 import io.kamax.mxisd.matrix.IdentityServerUtils
 import org.apache.http.HttpEntity
 import org.apache.http.HttpResponse
 import org.apache.http.client.HttpClient
 import org.apache.http.client.entity.EntityBuilder
 import org.apache.http.client.methods.HttpPost
 import org.apache.http.entity.ContentType
 import org.apache.http.impl.client.HttpClients
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.context.annotation.Lazy
 import org.springframework.context.annotation.Scope
 import org.springframework.stereotype.Component
@Component
@Scope("prototype")
@Lazy
 public class RemoteIdentityServerFetcher implements IRemoteIdentityServerFetcher {
    private Logger log = LoggerFactory.getLogger(RemoteIdentityServerFetcher.class)
    private JsonSlurper json = new JsonSlurper()
    @Override
    boolean isUsable(String remote) {
        return IdentityServerUtils.isUsable(remote)
    }
    @Override
    Optional<SingleLookupReply> find(String remote, SingleLookupRequest request) {
        log.info("Looking up {} 3PID {} using {}", request.getType(), request.getThreePid(), remote)
        HttpURLConnection rootSrvConn = (HttpURLConnection) new URL(
                "${remote}/_matrix/identity/api/v1/lookup?medium=${request.getType()}&address=${request.getThreePid()}"
        ).openConnection()
        try {
            String outputRaw = rootSrvConn.getInputStream().getText()
            def output = json.parseText(outputRaw)
            if (output['address']) {
                log.info("Found 3PID mapping: {}", output)
                return Optional.of(SingleLookupReply.fromRecursive(request, outputRaw))
            }
            log.info("Empty 3PID mapping from {}", remote)
            return Optional.empty()
        } catch (IOException e) {
            log.warn("Error looking up 3PID mapping {}: {}", request.getThreePid(), e.getMessage())
            return Optional.empty()
        } catch (JsonException e) {
            log.warn("Invalid JSON answer from {}", remote)
            return Optional.empty()
        }
    }
    @Override
    List<ThreePidMapping> find(String remote, List<ThreePidMapping> mappings) {
        List<ThreePidMapping> mappingsFound = new ArrayList<>()
        ClientBulkLookupRequest mappingRequest = new ClientBulkLookupRequest()
        mappingRequest.setMappings(mappings)
        String url = "${remote}/_matrix/identity/api/v1/bulk_lookup"
        HttpClient client = HttpClients.createDefault()
        try {
            HttpPost request = new HttpPost(url)
            request.setEntity(
                    EntityBuilder.create()
                            .setText(JsonOutput.toJson(mappingRequest))
                            .setContentType(ContentType.APPLICATION_JSON)
                            .build()
            )
            HttpResponse response = client.execute(request)
            try {
                if (response.getStatusLine().getStatusCode() != 200) {
                    log.info("Could not perform lookup at {} due to HTTP return code: {}", url, response.getStatusLine().getStatusCode())
                    return mappingsFound
                }
                HttpEntity entity = response.getEntity()
                if (entity != null) {
                    ClientBulkLookupRequest input = (ClientBulkLookupRequest) json.parseText(entity.getContent().getText())
                    for (List<String> mappingRaw : input.getThreepids()) {
                        ThreePidMapping mapping = new ThreePidMapping()
                        mapping.setMedium(mappingRaw.get(0))
                        mapping.setValue(mappingRaw.get(1))
                        mapping.setMxid(mappingRaw.get(2))
                        mappingsFound.add(mapping)
                    }
                } else {
                    log.info("HTTP response from {} was empty", remote)
                }
                return mappingsFound
            } finally {
                response.close()
            }
        } finally {
            client.close()
        }
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/lookup/strategy/RecursivePriorityLookupStrategy.groovy
+++ b/src/main/groovy/io/kamax/mxisd/lookup/strategy/RecursivePriorityLookupStrategy.groovy
@@ -1,210 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.lookup.strategy
 import edazdarevic.commons.net.CIDRUtils
 import io.kamax.mxisd.config.RecursiveLookupConfig
 import io.kamax.mxisd.lookup.*
 import io.kamax.mxisd.lookup.fetcher.IBridgeFetcher
 import io.kamax.mxisd.lookup.provider.IThreePidProvider
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.InitializingBean
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
 import java.util.function.Predicate
 import java.util.stream.Collectors
@Component
 class RecursivePriorityLookupStrategy implements LookupStrategy, InitializingBean {
    private Logger log = LoggerFactory.getLogger(RecursivePriorityLookupStrategy.class)
    @Autowired
    private RecursiveLookupConfig recursiveCfg
    @Autowired
    private List<IThreePidProvider> providers
    @Autowired
    private IBridgeFetcher bridge
    private List<CIDRUtils> allowedCidr = new ArrayList<>()
    @Override
    void afterPropertiesSet() throws Exception {
        log.info("Found ${providers.size()} providers")
        providers.sort(new Comparator<IThreePidProvider>() {
            @Override
            int compare(IThreePidProvider o1, IThreePidProvider o2) {
                return Integer.compare(o2.getPriority(), o1.getPriority())
            }
        })
        log.info("Recursive lookup enabled: {}", recursiveCfg.isEnabled())
        for (String cidr : recursiveCfg.getAllowedCidr()) {
            log.info("{} is allowed for recursion", cidr)
            allowedCidr.add(new CIDRUtils(cidr))
        }
    }
    boolean isAllowedForRecursive(String source) {
        boolean canRecurse = false
        if (recursiveCfg.isEnabled()) {
            log.debug("Checking {} CIDRs for recursion", allowedCidr.size())
            for (CIDRUtils cidr : allowedCidr) {
                if (cidr.isInRange(source)) {
                    log.debug("{} is in range {}, allowing recursion", source, cidr.getNetworkAddress())
                    canRecurse = true
                    break
                } else {
                    log.debug("{} is not in range {}", source, cidr.getNetworkAddress())
                }
            }
        }
        return canRecurse
    }
    List<IThreePidProvider> listUsableProviders(ALookupRequest request) {
        return listUsableProviders(request, false);
    }
    List<IThreePidProvider> listUsableProviders(ALookupRequest request, boolean forceRecursive) {
        List<IThreePidProvider> usableProviders = new ArrayList<>()
        boolean canRecurse = forceRecursive || isAllowedForRecursive(request.getRequester())
        log.info("Host {} allowed for recursion: {}", request.getRequester(), canRecurse)
        for (IThreePidProvider provider : providers) {
            if (provider.isEnabled() && (provider.isLocal() || canRecurse || forceRecursive)) {
                usableProviders.add(provider)
            }
        }
        return usableProviders
    }
    @Override
    List<IThreePidProvider> getLocalProviders() {
        return providers.stream().filter(new Predicate<IThreePidProvider>() {
            @Override
            boolean test(IThreePidProvider iThreePidProvider) {
                return iThreePidProvider.isEnabled() && iThreePidProvider.isLocal()
            }
        }).collect(Collectors.toList())
    }
    List<IThreePidProvider> getRemoteProviders() {
        return providers.stream().filter(new Predicate<IThreePidProvider>() {
            @Override
            boolean test(IThreePidProvider iThreePidProvider) {
                return iThreePidProvider.isEnabled() && !iThreePidProvider.isLocal()
            }
        }).collect(Collectors.toList())
    }
    private static SingleLookupRequest build(String medium, String address) {
        SingleLookupRequest req = new SingleLookupRequest();
        req.setType(medium)
        req.setThreePid(address)
        req.setRequester("Internal")
        return req;
    }
    @Override
    Optional<SingleLookupReply> find(String medium, String address, boolean recursive) {
        return find(build(medium, address), recursive)
    }
    @Override
    Optional<SingleLookupReply> findLocal(String medium, String address) {
        return find(build(medium, address), getLocalProviders())
    }
    @Override
    Optional<SingleLookupReply> findRemote(String medium, String address) {
        return find(build(medium, address), getRemoteProviders())
    }
    Optional<SingleLookupReply> find(SingleLookupRequest request, boolean forceRecursive) {
        return find(request, listUsableProviders(request, forceRecursive));
    }
    Optional<SingleLookupReply> find(SingleLookupRequest request, List<IThreePidProvider> providers) {
        for (IThreePidProvider provider : providers) {
            Optional<SingleLookupReply> lookupDataOpt = provider.find(request)
            if (lookupDataOpt.isPresent()) {
                return lookupDataOpt
            }
        }
        if (
        recursiveCfg.getBridge() != null &&
                recursiveCfg.getBridge().getEnabled() &&
                (!recursiveCfg.getBridge().getRecursiveOnly() || isAllowedForRecursive(request.getRequester()))
        ) {
            log.info("Using bridge failover for lookup")
            return bridge.find(request)
        }
        return Optional.empty()
    }
    @Override
    Optional<SingleLookupReply> find(SingleLookupRequest request) {
        return find(request, false)
    }
    @Override
    Optional<SingleLookupReply> findRecursive(SingleLookupRequest request) {
        return find(request, true)
    }
    @Override
    List<ThreePidMapping> find(BulkLookupRequest request) {
        List<ThreePidMapping> mapToDo = new ArrayList<>(request.getMappings())
        List<ThreePidMapping> mapFoundAll = new ArrayList<>()
        for (IThreePidProvider provider : listUsableProviders(request)) {
            if (mapToDo.isEmpty()) {
                log.info("No more mappings to lookup")
                break
            } else {
                log.info("{} mappings remaining overall", mapToDo.size())
            }
            log.info("Using provider {} for remaining mappings", provider.getClass().getSimpleName())
            List<ThreePidMapping> mapFound = provider.populate(mapToDo)
            log.info("Provider {} returned {} mappings", provider.getClass().getSimpleName(), mapFound.size())
            mapFoundAll.addAll(mapFound)
            mapToDo.removeAll(mapFound)
        }
        return mapFoundAll
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/signature/SignatureManager.groovy
+++ b/src/main/groovy/io/kamax/mxisd/signature/SignatureManager.groovy
@@ -1,78 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.signature
 import com.google.gson.JsonObject
 import io.kamax.mxisd.config.ServerConfig
 import io.kamax.mxisd.key.KeyManager
 import net.i2p.crypto.eddsa.EdDSAEngine
 import org.json.JSONObject
 import org.springframework.beans.factory.InitializingBean
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.stereotype.Component
 import java.security.MessageDigest
@Component
 class SignatureManager implements InitializingBean {
    @Autowired
    private KeyManager keyMgr
    @Autowired
    private ServerConfig srvCfg
    private EdDSAEngine signEngine
    private String sign(String message) {
        byte[] signRaw = signEngine.signOneShot(message.getBytes())
        return Base64.getEncoder().encodeToString(signRaw)
    }
    JSONObject signMessageJson(String message) {
        String sign = sign(message)
        JSONObject keySignature = new JSONObject()
        keySignature.put("ed25519:${keyMgr.getCurrentIndex()}", sign)
        JSONObject signature = new JSONObject()
        signature.put("${srvCfg.getName()}", keySignature)
        return signature
    }
    JsonObject signMessageGson(String message) {
        String sign = sign(message)
        JsonObject keySignature = new JsonObject()
        keySignature.addProperty("ed25519:${keyMgr.getCurrentIndex()}", sign)
        JsonObject signature = new JsonObject()
        signature.add("${srvCfg.getName()}", keySignature);
        return signature
    }
    @Override
    void afterPropertiesSet() throws Exception {
        signEngine = new EdDSAEngine(MessageDigest.getInstance(keyMgr.getSpecs().getHashAlgorithm()))
        signEngine.initSign(keyMgr.getPrivateKey(keyMgr.getCurrentIndex()))
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/threepid/notification/email/EmailNotificationGenerator.java
+++ b/src/main/groovy/io/kamax/mxisd/threepid/notification/email/EmailNotificationGenerator.java
@@ -1,154 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.threepid.notification.email;
 import io.kamax.mxisd.ThreePid;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ServerConfig;
 import io.kamax.mxisd.config.threepid.medium.EmailConfig;
 import io.kamax.mxisd.config.threepid.medium.EmailTemplateConfig;
 import io.kamax.mxisd.controller.v1.IdentityAPIv1;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.invitation.IThreePidInviteReply;
 import io.kamax.mxisd.threepid.session.IThreePidSession;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.commons.lang.WordUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
 import org.springframework.stereotype.Component;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
@Component
 public class EmailNotificationGenerator implements IEmailNotificationGenerator {
    private Logger log = LoggerFactory.getLogger(EmailNotificationGenerator.class);
    private EmailConfig cfg;
    private EmailTemplateConfig templateCfg;
    private MatrixConfig mxCfg;
    private ServerConfig srvCfg;
    @Autowired
    private ApplicationContext app;
    @Autowired
    public EmailNotificationGenerator(EmailTemplateConfig templateCfg, EmailConfig cfg, MatrixConfig mxCfg, ServerConfig srvCfg) {
        this.cfg = cfg;
        this.templateCfg = templateCfg;
        this.mxCfg = mxCfg;
        this.srvCfg = srvCfg;
    }
    @Override
    public String getId() {
        return "template";
    }
    private String getTemplateContent(String location) {
        try {
            InputStream is = StringUtils.startsWith(location, "classpath:") ?
                    app.getResource(location).getInputStream() : new FileInputStream(location);
            return IOUtils.toString(is, StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new InternalServerError("Unable to read template content at " + location + ": " + e.getMessage());
        }
    }
    private String populateCommon(String content, ThreePid recipient) {
        String domainPretty = WordUtils.capitalizeFully(mxCfg.getDomain());
        content = content.replace("%DOMAIN%", mxCfg.getDomain());
        content = content.replace("%DOMAIN_PRETTY%", domainPretty);
        content = content.replace("%FROM_EMAIL%", cfg.getIdentity().getFrom());
        content = content.replace("%FROM_NAME%", cfg.getIdentity().getName());
        content = content.replace("%RECIPIENT_MEDIUM%", recipient.getMedium());
        content = content.replace("%RECIPIENT_ADDRESS%", recipient.getAddress());
        return content;
    }
    private String getTemplateAndPopulate(String location, ThreePid recipient) {
        return populateCommon(getTemplateContent(location), recipient);
    }
    @Override
    public String getForInvite(IThreePidInviteReply invite) {
        ThreePid tpid = new ThreePid(invite.getInvite().getMedium(), invite.getInvite().getAddress());
        String templateBody = getTemplateAndPopulate(templateCfg.getInvite(), tpid);
        String senderName = invite.getInvite().getProperties().getOrDefault("sender_display_name", "");
        String senderNameOrId = StringUtils.defaultIfBlank(senderName, invite.getInvite().getSender().getId());
        String roomName = invite.getInvite().getProperties().getOrDefault("room_name", "");
        String roomNameOrId = StringUtils.defaultIfBlank(roomName, invite.getInvite().getRoomId());
        templateBody = templateBody.replace("%SENDER_ID%", invite.getInvite().getSender().getId());
        templateBody = templateBody.replace("%SENDER_NAME%", senderName);
        templateBody = templateBody.replace("%SENDER_NAME_OR_ID%", senderNameOrId);
        templateBody = templateBody.replace("%INVITE_MEDIUM%", tpid.getMedium());
        templateBody = templateBody.replace("%INVITE_ADDRESS%", tpid.getAddress());
        templateBody = templateBody.replace("%ROOM_ID%", invite.getInvite().getRoomId());
        templateBody = templateBody.replace("%ROOM_NAME%", roomName);
        templateBody = templateBody.replace("%ROOM_NAME_OR_ID%", roomNameOrId);
        return templateBody;
    }
    @Override
    public String getForValidation(IThreePidSession session) {
        log.info("Generating notification content for 3PID Session validation");
        String templateBody = getTemplateAndPopulate(templateCfg.getSession().getValidation().getLocal(), session.getThreePid());
        // FIXME should have a global link builder, most likely in the SDK?
        String validationLink = srvCfg.getPublicUrl() + IdentityAPIv1.BASE +
                "/validate/" + session.getThreePid().getMedium() +
                "/submitToken?sid=" + session.getId() + "&client_secret=" + session.getSecret() +
                "&token=" + session.getToken();
        templateBody = templateBody.replace("%VALIDATION_LINK%", validationLink);
        templateBody = templateBody.replace("%VALIDATION_TOKEN%", session.getToken());
        return templateBody;
    }
    @Override
    public String getForRemoteValidation(IThreePidSession session) {
        log.info("Generating notification content for remote-only 3PID session");
        String templateBody = getTemplateAndPopulate(templateCfg.getSession().getValidation().getRemote(), session.getThreePid());
        // FIXME should have a global link builder, most likely in the SDK?
        String validationLink = srvCfg.getPublicUrl() + IdentityAPIv1.BASE +
                "/validate/" + session.getThreePid().getMedium() +
                "/submitToken?sid=" + session.getId() + "&client_secret=" + session.getSecret() +
                "&token=" + session.getToken();
        templateBody = templateBody.replace("%VALIDATION_LINK%", validationLink);
        templateBody = templateBody.replace("%VALIDATION_TOKEN%", session.getToken());
        return templateBody;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/threepid/notification/email/EmailNotificationHandler.java
+++ b/src/main/groovy/io/kamax/mxisd/threepid/notification/email/EmailNotificationHandler.java
@@ -1,87 +0,0 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.threepid.notification.email;
 import io.kamax.matrix.ThreePidMedium;
 import io.kamax.mxisd.config.threepid.medium.EmailConfig;
 import io.kamax.mxisd.exception.ConfigurationException;
 import io.kamax.mxisd.invitation.IThreePidInviteReply;
 import io.kamax.mxisd.notification.INotificationHandler;
 import io.kamax.mxisd.threepid.connector.email.IEmailConnector;
 import io.kamax.mxisd.threepid.session.IThreePidSession;
 import org.apache.commons.lang.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.util.List;
@Component
 public class EmailNotificationHandler implements INotificationHandler {
    private EmailConfig cfg;
    private IEmailNotificationGenerator generator;
    private IEmailConnector connector;
    @Autowired
    public EmailNotificationHandler(EmailConfig cfg, List<IEmailNotificationGenerator> generators, List<IEmailConnector> connectors) {
        this.cfg = cfg;
        generator = generators.stream()
                .filter(o -> StringUtils.equals(cfg.getGenerator(), o.getId()))
                .findFirst()
                .orElseThrow(() -> new ConfigurationException("Email notification generator [" + cfg.getGenerator() + "] could not be found"));
        connector = connectors.stream()
                .filter(o -> StringUtils.equals(cfg.getConnector(), o.getId()))
                .findFirst()
                .orElseThrow(() -> new ConfigurationException("Email sender connector [" + cfg.getConnector() + "] could not be found"));
    }
    @Override
    public String getMedium() {
        return ThreePidMedium.Email.getId();
    }
    private void send(String recipient, String content) {
        connector.send(
                cfg.getIdentity().getFrom(),
                cfg.getIdentity().getName(),
                recipient,
                content
        );
    }
    @Override
    public void sendForInvite(IThreePidInviteReply invite) {
        send(invite.getInvite().getAddress(), generator.getForInvite(invite));
    }
    @Override
    public void sendForValidation(IThreePidSession session) {
        send(session.getThreePid().getAddress(), generator.getForValidation(session));
    }
    @Override
    public void sendForRemoteValidation(IThreePidSession session) {
        send(session.getThreePid().getAddress(), generator.getForRemoteValidation(session));
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/MatrixIdentityServerApplication.groovy
+++ b/src/main/groovy/io/kamax/mxisd/MatrixIdentityServerApplication.groovy
@@ -18,16 +18,16 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
-package io.kamax.mxisd
+package io.kamax.mxisd;
-import org.springframework.boot.SpringApplication
+import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication
+import org.springframework.boot.autoconfigure.SpringBootApplication;
@SpringBootApplication
-class MatrixIdentityServerApplication {
+public class MatrixIdentityServerApplication {
-    static void main(String[] args) throws Exception {
+    public static void main(String[] args) {
-        SpringApplication.run(MatrixIdentityServerApplication.class, args)
+        SpringApplication.run(MatrixIdentityServerApplication.class, args);
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/UserID.java
+++ b/src/main/groovy/io/kamax/mxisd/UserID.java
--- a/src/main/groovy/io/kamax/mxisd/UserIdType.java
+++ b/src/main/groovy/io/kamax/mxisd/UserIdType.java
--- a/src/main/java/io/kamax/mxisd/as/AppServiceHandler.java
+++ b/src/main/java/io/kamax/mxisd/as/AppServiceHandler.java
@@ -0,0 +1,102 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.as;
 import com.google.gson.JsonObject;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix._MatrixID;
 import io.kamax.matrix._ThreePid;
 import io.kamax.matrix.event.EventKey;
 import io.kamax.matrix.json.GsonUtil;
 import io.kamax.mxisd.backend.sql.synapse.Synapse;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.notification.NotificationManager;
 import io.kamax.mxisd.profile.ProfileManager;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@Component
 public class AppServiceHandler {
    private final Logger log = LoggerFactory.getLogger(AppServiceHandler.class);
    private MatrixConfig cfg;
    private ProfileManager profiler;
    private NotificationManager notif;
    private Synapse synapse;
    @Autowired
    public AppServiceHandler(MatrixConfig cfg, ProfileManager profiler, NotificationManager notif, Synapse synapse) {
        this.cfg = cfg;
        this.profiler = profiler;
        this.notif = notif;
        this.synapse = synapse;
    }
    public void processTransaction(List<JsonObject> eventsJson) {
        eventsJson.forEach(ev -> {
            if (!StringUtils.equals("m.room.member", GsonUtil.getStringOrNull(ev, "type"))) {
                return;
            }
            if (!StringUtils.equals("invite", GsonUtil.getStringOrNull(ev, "membership"))) {
                return;
            }
            String roomId = GsonUtil.getStringOrNull(ev, "room_id");
            _MatrixID sender = MatrixID.asAcceptable(GsonUtil.getStringOrNull(ev, "sender"));
            EventKey.StateKey.findString(ev).ifPresent(id -> {
                _MatrixID mxid = MatrixID.asAcceptable(id);
                if (!StringUtils.equals(mxid.getDomain(), cfg.getDomain())) {
                    log.debug("Ignoring invite for {}: not a local user");
                    return;
                }
                log.info("Got invite for {}", id);
                boolean wasSent = false;
                for (_ThreePid tpid : profiler.getThreepids(mxid)) {
                    if (!StringUtils.equals("email", tpid.getMedium())) {
                        continue;
                    }
                    log.info("Found an email address to notify about room invitation: {}", tpid.getAddress());
                    Map<String, String> properties = new HashMap<>();
                    profiler.getDisplayName(sender).ifPresent(name -> properties.put("sender_display_name", name));
                    synapse.getRoomName(roomId).ifPresent(name -> properties.put("room_name", name));
                    IMatrixIdInvite inv = new MatrixIdInvite(roomId, sender, mxid, tpid.getMedium(), tpid.getAddress(), properties);
                    notif.sendForInvite(inv);
                    wasSent = true;
                }
                log.info("Was notification sent? {}", wasSent);
            });
        });
    }
 }
--- a/src/main/java/io/kamax/mxisd/as/IMatrixIdInvite.java
+++ b/src/main/java/io/kamax/mxisd/as/IMatrixIdInvite.java
@@ -0,0 +1,30 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.as;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.invitation.IThreePidInvite;
 public interface IMatrixIdInvite extends IThreePidInvite {
    _MatrixID getInvitee();
 }
--- a/src/main/java/io/kamax/mxisd/as/MatrixIdInvite.java
+++ b/src/main/java/io/kamax/mxisd/as/MatrixIdInvite.java
@@ -0,0 +1,77 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.as;
 import io.kamax.matrix._MatrixID;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Objects;
 public class MatrixIdInvite implements IMatrixIdInvite {
    private String roomId;
    private _MatrixID sender;
    private _MatrixID invitee;
    private String medium;
    private String address;
    private Map<String, String> properties;
    public MatrixIdInvite(String roomId, _MatrixID sender, _MatrixID invitee, String medium, String address, Map<String, String> properties) {
        this.roomId = Objects.requireNonNull(roomId);
        this.sender = Objects.requireNonNull(sender);
        this.invitee = Objects.requireNonNull(invitee);
        this.medium = Objects.requireNonNull(medium);
        this.address = Objects.requireNonNull(address);
        this.properties = new HashMap<>(Objects.requireNonNull(properties));
    }
    @Override
    public _MatrixID getSender() {
        return sender;
    }
    @Override
    public String getMedium() {
        return medium;
    }
    @Override
    public String getAddress() {
        return address;
    }
    @Override
    public _MatrixID getInvitee() {
        return invitee;
    }
    @Override
    public String getRoomId() {
        return roomId;
    }
    @Override
    public Map<String, String> getProperties() {
        return properties;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/auth/AuthManager.java
+++ b/src/main/groovy/io/kamax/mxisd/auth/AuthManager.java
@@ -21,8 +21,9 @@
 package io.kamax.mxisd.auth;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix._MatrixID;
-import io.kamax.mxisd.ThreePid;
+import io.kamax.matrix._ThreePid;
 import io.kamax.mxisd.UserIdType;
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
 import io.kamax.mxisd.auth.provider.BackendAuthResult;
@@ -52,7 +53,7 @@ public class AuthManager {
    private InvitationManager invMgr;
    public UserAuthResult authenticate(String id, String password) {
-        _MatrixID mxid = new MatrixID(id);
+        _MatrixID mxid = MatrixID.asAcceptable(id);
        for (AuthenticatorProvider provider : providers) {
            if (!provider.isEnabled()) {
                continue;
@@ -63,22 +64,22 @@ public class AuthManager {
                String mxId;
                if (UserIdType.Localpart.is(result.getId().getType())) {
-                    mxId = new MatrixID(result.getId().getValue(), mxCfg.getDomain()).getId();
+                    mxId = MatrixID.from(result.getId().getValue(), mxCfg.getDomain()).acceptable().getId();
                } else if (UserIdType.MatrixID.is(result.getId().getType())) {
-                    mxId = new MatrixID(result.getId().getValue()).getId();
+                    mxId = MatrixID.asAcceptable(result.getId().getValue()).getId();
                } else {
                    log.warn("Unsupported User ID type {} for backend {}", result.getId().getType(), provider.getClass().getSimpleName());
                    continue;
                }
-                UserAuthResult authResult = new UserAuthResult().success(mxId, result.getProfile().getDisplayName());
+                UserAuthResult authResult = new UserAuthResult().success(result.getProfile().getDisplayName());
-                for (ThreePid pid : result.getProfile().getThreePids()) {
+                for (_ThreePid pid : result.getProfile().getThreePids()) {
                    authResult.withThreePid(pid.getMedium(), pid.getAddress());
                }
                log.info("{} was authenticated by {}, publishing 3PID mappings, if any", id, provider.getClass().getSimpleName());
                for (ThreePid pid : authResult.getThreePids()) {
                    log.info("Processing {} for {}", pid, id);
-                    invMgr.publishMappingIfInvited(new ThreePidMapping(pid, authResult.getMxid()));
+                    invMgr.publishMappingIfInvited(new ThreePidMapping(pid, mxId));
                }
                invMgr.lookupMappingsForInvites();
--- a/src/main/groovy/io/kamax/mxisd/auth/UserAuthResult.java
+++ b/src/main/groovy/io/kamax/mxisd/auth/UserAuthResult.java
@@ -20,31 +20,30 @@
 package io.kamax.mxisd.auth;
-import io.kamax.matrix.ThreePidMedium;
+import io.kamax.matrix.ThreePid;
 import io.kamax.mxisd.ThreePid;
 import java.util.ArrayList;
 import java.util.Collections;
-import java.util.List;
+import java.util.HashSet;
 import java.util.Set;
 public class UserAuthResult {
    private boolean success;
    private String mxid;
    private String displayName;
-    private List<ThreePid> threePids = new ArrayList<>();
+    private String photo;
    private Set<ThreePid> threePids = new HashSet<>();
    public UserAuthResult failure() {
        success = false;
        mxid = null;
        displayName = null;
        photo = null;
        threePids.clear();
        return this;
    }
-    public UserAuthResult success(String mxid, String displayName) {
+    public UserAuthResult success(String displayName) {
        setSuccess(true);
        setMxid(mxid);
        setDisplayName(displayName);
        return this;
@@ -58,14 +57,6 @@ public class UserAuthResult {
        this.success = success;
    }
    public String getMxid() {
        return mxid;
    }
    public void setMxid(String mxid) {
        this.mxid = mxid;
    }
    public String getDisplayName() {
        return displayName;
    }
@@ -74,8 +65,12 @@ public class UserAuthResult {
        this.displayName = displayName;
    }
-    public UserAuthResult withThreePid(ThreePidMedium medium, String address) {
+    public String getPhoto() {
-        return withThreePid(medium.getId(), address);
+        return photo;
    }
    public void setPhoto(String photo) {
        this.photo = photo;
    }
    public UserAuthResult withThreePid(String medium, String address) {
@@ -84,8 +79,8 @@ public class UserAuthResult {
        return this;
    }
-    public List<ThreePid> getThreePids() {
+    public Set<ThreePid> getThreePids() {
-        return Collections.unmodifiableList(threePids);
+        return Collections.unmodifiableSet(threePids);
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/auth/provider/AuthenticatorProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/auth/provider/AuthenticatorProvider.java
--- a/src/main/groovy/io/kamax/mxisd/auth/provider/BackendAuthResult.java
+++ b/src/main/groovy/io/kamax/mxisd/auth/provider/BackendAuthResult.java
@@ -20,25 +20,25 @@
 package io.kamax.mxisd.auth.provider;
-import io.kamax.mxisd.ThreePid;
+import io.kamax.matrix.ThreePid;
 import io.kamax.mxisd.UserID;
 import io.kamax.mxisd.UserIdType;
-import java.util.ArrayList;
+import java.util.HashSet;
-import java.util.List;
+import java.util.Set;
 public class BackendAuthResult {
    public static class BackendAuthProfile {
        private String displayName;
-        private List<ThreePid> threePids = new ArrayList<>();
+        private Set<ThreePid> threePids = new HashSet<>();
        public String getDisplayName() {
            return displayName;
        }
-        public List<ThreePid> getThreePids() {
+        public Set<ThreePid> getThreePids() {
            return threePids;
        }
    }
@@ -49,20 +49,26 @@ public class BackendAuthResult {
        return r;
    }
    public void fail() {
        success = false;
    }
    public static BackendAuthResult success(String id, UserIdType type, String displayName) {
        return success(id, type.getId(), displayName);
    }
    public static BackendAuthResult success(String id, String type, String displayName) {
        BackendAuthResult r = new BackendAuthResult();
-        r.success = true;
+        r.succeed(id, type, displayName);
        r.id = new UserID(type, id);
        r.profile = new BackendAuthProfile();
        r.profile.displayName = displayName;
        return r;
    }
    public void succeed(String id, String type, String displayName) {
        this.success = true;
        this.id = new UserID(type, id);
        this.profile.displayName = displayName;
    }
    private Boolean success;
    private UserID id;
    private BackendAuthProfile profile = new BackendAuthProfile();
--- a/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseAuthenticator.java
+++ b/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseAuthenticator.java
@@ -0,0 +1,163 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.firebase;
 import com.google.firebase.auth.UserInfo;
 import com.google.i18n.phonenumbers.NumberParseException;
 import com.google.i18n.phonenumbers.PhoneNumberUtil;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix.ThreePidMedium;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.UserIdType;
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
 import io.kamax.mxisd.auth.provider.BackendAuthResult;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 public class GoogleFirebaseAuthenticator extends GoogleFirebaseBackend implements AuthenticatorProvider {
    private Logger log = LoggerFactory.getLogger(GoogleFirebaseAuthenticator.class);
    private PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
    public GoogleFirebaseAuthenticator(boolean isEnabled, String credsPath, String db) {
        super(isEnabled, "AuthenticationProvider", credsPath, db);
    }
    private void waitOnLatch(BackendAuthResult result, CountDownLatch l, String purpose) {
        try {
            l.await(30, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for " + purpose);
            result.fail();
        }
    }
    private void toEmail(BackendAuthResult result, String email) {
        if (StringUtils.isBlank(email)) {
            return;
        }
        result.withThreePid(new ThreePid(ThreePidMedium.Email.getId(), email));
    }
    private void toMsisdn(BackendAuthResult result, String phoneNumber) {
        if (StringUtils.isBlank(phoneNumber)) {
            return;
        }
        try {
            String number = phoneUtil.format(
                    phoneUtil.parse(
                            phoneNumber,
                            null // No default region
                    ),
                    PhoneNumberUtil.PhoneNumberFormat.E164
            ).substring(1); // We want without the leading +
            result.withThreePid(new ThreePid(ThreePidMedium.PhoneNumber.getId(), number));
        } catch (NumberParseException e) {
            log.warn("Invalid phone number: {}", phoneNumber);
        }
    }
    private void waitOnLatch(CountDownLatch l) {
        try {
            l.await(30, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for Firebase auth check");
        }
    }
    @Override
    public BackendAuthResult authenticate(_MatrixID mxid, String password) {
        if (!isEnabled()) {
            throw new IllegalStateException();
        }
        log.info("Trying to authenticate {}", mxid);
        final BackendAuthResult result = BackendAuthResult.failure();
        String localpart = mxid.getLocalPart();
        CountDownLatch l = new CountDownLatch(1);
        getFirebase().verifyIdToken(password).addOnSuccessListener(token -> {
            try {
                if (!StringUtils.equals(localpart, token.getUid())) {
                    log.info("Failure to authenticate {}: Matrix ID localpart '{}' does not match Firebase UID '{}'", mxid, localpart, token.getUid());
                    result.fail();
                    return;
                }
                result.succeed(mxid.getId(), UserIdType.MatrixID.getId(), token.getName());
                log.info("{} was successfully authenticated", mxid);
                log.info("Fetching profile for {}", mxid);
                CountDownLatch userRecordLatch = new CountDownLatch(1);
                getFirebase().getUser(token.getUid()).addOnSuccessListener(user -> {
                    try {
                        toEmail(result, user.getEmail());
                        toMsisdn(result, user.getPhoneNumber());
                        for (UserInfo info : user.getProviderData()) {
                            toEmail(result, info.getEmail());
                            toMsisdn(result, info.getPhoneNumber());
                        }
                        log.info("Got {} 3PIDs in profile", result.getProfile().getThreePids().size());
                    } finally {
                        userRecordLatch.countDown();
                    }
                }).addOnFailureListener(e -> {
                    try {
                        log.warn("Unable to fetch Firebase user profile for {}", mxid);
                        result.fail();
                    } finally {
                        userRecordLatch.countDown();
                    }
                });
                waitOnLatch(result, userRecordLatch, "Firebase user profile");
            } finally {
                l.countDown();
            }
        }).addOnFailureListener(e -> {
            try {
                if (e instanceof IllegalArgumentException) {
                    log.info("Failure to authenticate {}: invalid firebase token", mxid);
                } else {
                    log.info("Failure to authenticate {}: {}", mxid, e.getMessage(), e);
                    log.info("Exception", e);
                }
                result.fail();
            } finally {
                l.countDown();
            }
        });
        waitOnLatch(result, l, "Firebase auth check");
        return result;
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseBackend.java
+++ b/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseBackend.java
@@ -0,0 +1,88 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.firebase;
 import com.google.firebase.FirebaseApp;
 import com.google.firebase.FirebaseOptions;
 import com.google.firebase.auth.FirebaseAuth;
 import com.google.firebase.auth.FirebaseCredential;
 import com.google.firebase.auth.FirebaseCredentials;
 import com.google.firebase.database.FirebaseDatabase;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.FileInputStream;
 import java.io.IOException;
 public class GoogleFirebaseBackend {
    private Logger log = LoggerFactory.getLogger(GoogleFirebaseBackend.class);
    private boolean isEnabled;
    private FirebaseAuth fbAuth;
    protected FirebaseDatabase fbDb;
    GoogleFirebaseBackend(boolean isEnabled, String name, String credsPath, String db) {
        this.isEnabled = isEnabled;
        if (!isEnabled) {
            return;
        }
        try {
            FirebaseApp fbApp = FirebaseApp.initializeApp(getOpts(credsPath, db), name);
            fbAuth = FirebaseAuth.getInstance(fbApp);
            FirebaseDatabase.getInstance(fbApp);
            log.info("Google Firebase Authentication is ready");
        } catch (IOException e) {
            throw new RuntimeException("Error when initializing Firebase", e);
        }
    }
    private FirebaseCredential getCreds(String credsPath) throws IOException {
        if (StringUtils.isNotBlank(credsPath)) {
            return FirebaseCredentials.fromCertificate(new FileInputStream(credsPath));
        } else {
            return FirebaseCredentials.applicationDefault();
        }
    }
    private FirebaseOptions getOpts(String credsPath, String db) throws IOException {
        if (StringUtils.isBlank(db)) {
            throw new IllegalArgumentException("Firebase database is not configured");
        }
        return new FirebaseOptions.Builder()
                .setCredential(getCreds(credsPath))
                .setDatabaseUrl(db)
                .build();
    }
    FirebaseAuth getFirebase() {
        return fbAuth;
    }
    public boolean isEnabled() {
        return isEnabled;
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/firebase/GoogleFirebaseProvider.java
@@ -0,0 +1,132 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.firebase;
 import com.google.firebase.auth.UserRecord;
 import com.google.firebase.tasks.OnFailureListener;
 import com.google.firebase.tasks.OnSuccessListener;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix.ThreePidMedium;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.SingleLookupRequest;
 import io.kamax.mxisd.lookup.ThreePidMapping;
 import io.kamax.mxisd.lookup.provider.IThreePidProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.TimeUnit;
 public class GoogleFirebaseProvider extends GoogleFirebaseBackend implements IThreePidProvider {
    private Logger log = LoggerFactory.getLogger(GoogleFirebaseProvider.class);
    private String domain;
    public GoogleFirebaseProvider(boolean isEnabled, String credsPath, String db, String domain) {
        super(isEnabled, "ThreePidProvider", credsPath, db);
        this.domain = domain;
    }
    private String getMxid(UserRecord record) {
        return new MatrixID(record.getUid(), domain).getId();
    }
    @Override
    public boolean isLocal() {
        return true;
    }
    @Override
    public int getPriority() {
        return 25;
    }
    private void waitOnLatch(CountDownLatch l) {
        try {
            l.await(30, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            log.warn("Interrupted while waiting for Firebase auth check");
        }
    }
    private Optional<UserRecord> findInternal(String medium, String address) {
        final UserRecord[] r = new UserRecord[1];
        CountDownLatch l = new CountDownLatch(1);
        OnSuccessListener<UserRecord> success = result -> {
            log.info("Found 3PID match for {}:{} - UID is {}", medium, address, result.getUid());
            r[0] = result;
            l.countDown();
        };
        OnFailureListener failure = e -> {
            log.info("No 3PID match for {}:{} - {}", medium, address, e.getMessage());
            r[0] = null;
            l.countDown();
        };
        if (ThreePidMedium.Email.is(medium)) {
            log.info("Performing E-mail 3PID lookup for {}", address);
            getFirebase().getUserByEmail(address)
                    .addOnSuccessListener(success)
                    .addOnFailureListener(failure);
            waitOnLatch(l);
        } else if (ThreePidMedium.PhoneNumber.is(medium)) {
            log.info("Performing msisdn 3PID lookup for {}", address);
            getFirebase().getUserByPhoneNumber(address)
                    .addOnSuccessListener(success)
                    .addOnFailureListener(failure);
            waitOnLatch(l);
        } else {
            log.info("{} is not a supported 3PID medium", medium);
            r[0] = null;
        }
        return Optional.ofNullable(r[0]);
    }
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
        Optional<UserRecord> urOpt = findInternal(request.getType(), request.getThreePid());
        return urOpt.map(userRecord -> new SingleLookupReply(request, getMxid(userRecord)));
    }
    @Override
    public List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        List<ThreePidMapping> results = new ArrayList<>();
        mappings.parallelStream().forEach(o -> {
            Optional<UserRecord> urOpt = findInternal(o.getMedium(), o.getValue());
            if (urOpt.isPresent()) {
                ThreePidMapping result = new ThreePidMapping();
                result.setMedium(o.getMedium());
                result.setValue(o.getValue());
                result.setMxid(getMxid(urOpt.get()));
                results.add(result);
            }
        });
        return results;
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/ldap/LdapAuthProvider.java
@@ -20,10 +20,17 @@
 package io.kamax.mxisd.backend.ldap;
 import com.google.i18n.phonenumbers.NumberParseException;
 import com.google.i18n.phonenumbers.PhoneNumberUtil;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix.ThreePidMedium;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.UserIdType;
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
 import io.kamax.mxisd.auth.provider.BackendAuthResult;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import io.kamax.mxisd.util.GsonUtil;
 import org.apache.commons.lang.StringUtils;
 import org.apache.directory.api.ldap.model.cursor.CursorException;
 import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException;
@@ -35,17 +42,25 @@ import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
 import java.util.Set;
@Component
-public class LdapAuthProvider extends LdapGenericBackend implements AuthenticatorProvider {
+public class LdapAuthProvider extends LdapBackend implements AuthenticatorProvider {
    private Logger log = LoggerFactory.getLogger(LdapAuthProvider.class);
-    private String getUidAttribute() {
+    private PhoneNumberUtil phoneUtil = PhoneNumberUtil.getInstance();
-        return getCfg().getAttribute().getUid().getValue();
+
    @Autowired
    public LdapAuthProvider(LdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    @Override
@@ -53,41 +68,57 @@ public class LdapAuthProvider extends LdapGenericBackend implements Authenticato
        return getCfg().isEnabled();
    }
    private Optional<String> getMsisdn(String phoneNumber) {
        try { // FIXME export into dedicated ThreePid class within SDK (copy from Firebase Auth)
            return Optional.of(phoneUtil.format(
                    phoneUtil.parse(
                            phoneNumber,
                            null // No default region
                    ),
                    PhoneNumberUtil.PhoneNumberFormat.E164
            ).substring(1)); // We want without the leading +
        } catch (NumberParseException e) {
            log.warn("Invalid phone number: {}", phoneNumber);
            return Optional.empty();
        }
    }
    @Override
    public BackendAuthResult authenticate(_MatrixID mxid, String password) {
        log.info("Performing auth for {}", mxid);
-        LdapConnection conn = getConn();
+
-        try {
+        try (LdapConnection conn = getConn()) {
            bind(conn);
-            String uidType = getCfg().getAttribute().getUid().getType();
+            String uidType = getAt().getUid().getType();
-            String userFilterValue = StringUtils.equals(LdapThreePidProvider.UID, uidType) ? mxid.getLocalPart() : mxid.getId();
+            String userFilterValue = StringUtils.equals(LdapBackend.UID, uidType) ? mxid.getLocalPart() : mxid.getId();
            if (StringUtils.isBlank(userFilterValue)) {
                log.warn("Username is empty, failing auth");
                return BackendAuthResult.failure();
            }
-            String userFilter = "(" + getCfg().getAttribute().getUid().getValue() + "=" + userFilterValue + ")";
+            String userFilter = "(" + getUidAtt() + "=" + userFilterValue + ")";
-            if (!StringUtils.isBlank(getCfg().getAuth().getFilter())) {
+            userFilter = buildWithFilter(userFilter, getCfg().getAuth().getFilter());
-                userFilter = "(&" + getCfg().getAuth().getFilter() + userFilter + ")";
+
-            }
+            Set<String> attributes = new HashSet<>();
-            EntryCursor cursor = conn.search(getCfg().getConn().getBaseDn(), userFilter, SearchScope.SUBTREE, getUidAttribute(), getCfg().getAttribute().getName());
+            attributes.add(getUidAtt());
-            try {
+            attributes.add(getAt().getName());
            getAt().getThreepid().forEach((k, v) -> attributes.addAll(v));
            String[] attArray = new String[attributes.size()];
            attributes.toArray(attArray);
            log.debug("Base DN: {}", getBaseDn());
            log.debug("Query: {}", userFilter);
            log.debug("Attributes: {}", GsonUtil.build().toJson(attArray));
            try (EntryCursor cursor = conn.search(getBaseDn(), userFilter, SearchScope.SUBTREE, attArray)) {
                while (cursor.next()) {
                    Entry entry = cursor.get();
                    String dn = entry.getDn().getName();
                    log.info("Checking possible match, DN: {}", dn);
-                    Attribute attribute = entry.get(getUidAttribute());
+                    if (!getAttribute(entry, getUidAtt()).isPresent()) {
                    if (attribute == null) {
                        log.info("DN {}: no attribute {}, skpping", dn, getUidAttribute());
                        continue;
                    }
                    String data = attribute.get().toString();
                    if (data.length() < 1) {
                        log.info("DN {}: empty attribute {}, skipping", getUidAttribute());
                        continue;
                    }
@@ -99,31 +130,40 @@ public class LdapAuthProvider extends LdapGenericBackend implements Authenticato
                        return BackendAuthResult.failure();
                    }
-                    Attribute nameAttribute = entry.get(getCfg().getAttribute().getName());
+                    Attribute nameAttribute = entry.get(getAt().getName());
                    String name = nameAttribute != null ? nameAttribute.get().toString() : null;
                    log.info("Authentication successful for {}", entry.getDn().getName());
                    log.info("DN {} is a valid match", dn);
                    // TODO should we canonicalize the MXID?
-                    return BackendAuthResult.success(mxid.getId(), UserIdType.MatrixID, name);
+                    BackendAuthResult result = BackendAuthResult.success(mxid.getId(), UserIdType.MatrixID, name);
                    log.info("Processing 3PIDs for profile");
                    getAt().getThreepid().forEach((k, v) -> {
                        log.info("Processing 3PID type {}", k);
                        v.forEach(attId -> {
                            List<String> values = getAttributes(entry, attId);
                            log.info("\tAttribute {} has {} value(s)", attId, values.size());
                            getAttributes(entry, attId).forEach(tpidValue -> {
                                if (ThreePidMedium.PhoneNumber.is(k)) {
                                    tpidValue = getMsisdn(tpidValue).orElse(tpidValue);
                                }
                                result.withThreePid(new ThreePid(k, tpidValue));
                            });
                        });
                    });
                    log.info("Found {} 3PIDs", result.getProfile().getThreePids().size());
                    return result;
                }
            } catch (CursorLdapReferralException e) {
                log.warn("Entity for {} is only available via referral, skipping", mxid);
            } finally {
                cursor.close();
            }
            log.info("No match were found for {}", mxid);
            return BackendAuthResult.failure();
        } catch (LdapException | IOException | CursorException e) {
            throw new RuntimeException(e);
        } finally {
            try {
                conn.close();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
    }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapBackend.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapBackend.java
@@ -0,0 +1,172 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import org.apache.commons.lang.StringUtils;
 import org.apache.directory.api.ldap.model.entry.Attribute;
 import org.apache.directory.api.ldap.model.entry.AttributeUtils;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.apache.directory.ldap.client.api.LdapNetworkConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
 import java.util.Optional;
 public abstract class LdapBackend {
    public static final String UID = "uid";
    public static final String MATRIX_ID = "mxid";
    private Logger log = LoggerFactory.getLogger(LdapBackend.class);
    private LdapConfig cfg;
    private MatrixConfig mxCfg;
    public LdapBackend(LdapConfig cfg, MatrixConfig mxCfg) {
        this.cfg = cfg;
        this.mxCfg = mxCfg;
    }
    protected LdapConfig getCfg() {
        return cfg;
    }
    protected String getBaseDn() {
        return cfg.getConnection().getBaseDn();
    }
    protected LdapConfig.Attribute getAt() {
        return cfg.getAttribute();
    }
    protected String getUidAtt() {
        return getAt().getUid().getValue();
    }
    protected synchronized LdapConnection getConn() {
        return new LdapNetworkConnection(cfg.getConnection().getHost(), cfg.getConnection().getPort(), cfg.getConnection().isTls());
    }
    protected void bind(LdapConnection conn) throws LdapException {
        if (StringUtils.isBlank(cfg.getConnection().getBindDn()) && StringUtils.isBlank(cfg.getConnection().getBindPassword())) {
            conn.anonymousBind();
        } else {
            conn.bind(cfg.getConnection().getBindDn(), cfg.getConnection().getBindPassword());
        }
    }
    protected String buildWithFilter(String base, String filter) {
        if (StringUtils.isBlank(filter)) {
            return base;
        } else {
            return "(&" + filter + base + ")";
        }
    }
    public static String buildOrQuery(String value, List<String> attributes) {
        if (attributes.size() < 1) {
            throw new IllegalArgumentException();
        }
        StringBuilder builder = new StringBuilder();
        builder.append("(|");
        attributes.forEach(s -> {
            builder.append("(");
            builder.append(s).append("=").append(value).append(")");
        });
        builder.append(")");
        return builder.toString();
    }
    public static String buildOrQuery(String value, String... attributes) {
        return buildOrQuery(value, Arrays.asList(attributes));
    }
    public String buildOrQueryWithFilter(String filter, String value, String... attributes) {
        return buildWithFilter(buildOrQuery(value, attributes), filter);
    }
    public String buildMatrixIdFromUid(String uid) {
        String uidType = getCfg().getAttribute().getUid().getType();
        if (StringUtils.equals(UID, uidType)) {
            return "@" + uid + ":" + mxCfg.getDomain();
        } else if (StringUtils.equals(MATRIX_ID, uidType)) {
            return uid;
        } else {
            throw new IllegalArgumentException("Bind type " + uidType + " is not supported");
        }
    }
    public String buildUidFromMatrixId(_MatrixID mxId) {
        String uidType = getCfg().getAttribute().getUid().getType();
        if (StringUtils.equals(UID, uidType)) {
            return mxId.getLocalPart();
        } else if (StringUtils.equals(MATRIX_ID, uidType)) {
            return mxId.getId();
        } else {
            throw new IllegalArgumentException("Bind type " + uidType + " is not supported");
        }
    }
    public Optional<String> getAttribute(Entry entry, String attName) {
        Attribute attribute = entry.get(attName);
        if (attribute == null) {
            return Optional.empty();
        }
        String value = attribute.get().toString();
        if (StringUtils.isBlank(value)) {
            log.info("DN {}: empty attribute {}, skipping", attName);
            return Optional.empty();
        }
        return Optional.of(value);
    }
    public List<String> getAttributes(Entry entry, String attName) {
        List<String> values = new ArrayList<>();
        javax.naming.directory.Attribute att = AttributeUtils.toAttributes(entry).get(attName);
        if (att == null) {
            return values;
        }
        try {
            NamingEnumeration<?> list = att.getAll();
            while (list.hasMore()) {
                values.add(list.next().toString());
            }
        } catch (NamingException e) {
            log.warn("Error while processing LDAP attribute {}, result could be incomplete!", attName, e);
        }
        return values;
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapDirectoryProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapDirectoryProvider.java
@@ -0,0 +1,123 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchResult;
 import io.kamax.mxisd.directory.IDirectoryProvider;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.util.GsonUtil;
 import org.apache.directory.api.ldap.model.cursor.CursorException;
 import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException;
 import org.apache.directory.api.ldap.model.cursor.EntryCursor;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
@Component
 public class LdapDirectoryProvider extends LdapBackend implements IDirectoryProvider {
    private Logger log = LoggerFactory.getLogger(LdapDirectoryProvider.class);
    @Autowired
    public LdapDirectoryProvider(LdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    @Override
    public boolean isEnabled() {
        return getCfg().isEnabled();
    }
    protected UserDirectorySearchResult search(String query, List<String> attributes) {
        UserDirectorySearchResult result = new UserDirectorySearchResult();
        result.setLimited(false);
        try (LdapConnection conn = getConn()) {
            bind(conn);
            LdapConfig.Attribute atCfg = getCfg().getAttribute();
            attributes = new ArrayList<>(attributes);
            attributes.add(getUidAtt());
            String[] attArray = new String[attributes.size()];
            attributes.toArray(attArray);
            String searchQuery = buildOrQueryWithFilter(getCfg().getDirectory().getFilter(), "*" + query + "*", attArray);
            log.debug("Base DN: {}", getBaseDn());
            log.debug("Query: {}", searchQuery);
            log.debug("Attributes: {}", GsonUtil.build().toJson(attArray));
            try (EntryCursor cursor = conn.search(getBaseDn(), searchQuery, SearchScope.SUBTREE, attArray)) {
                while (cursor.next()) {
                    Entry entry = cursor.get();
                    log.info("Found possible match, DN: {}", entry.getDn().getName());
                    getAttribute(entry, getUidAtt()).ifPresent(uid -> {
                        log.info("DN {} is a valid match", entry.getDn().getName());
                        try {
                            UserDirectorySearchResult.Result entryResult = new UserDirectorySearchResult.Result();
                            entryResult.setUserId(buildMatrixIdFromUid(uid));
                            getAttribute(entry, atCfg.getName()).ifPresent(entryResult::setDisplayName);
                            result.addResult(entryResult);
                        } catch (IllegalArgumentException e) {
                            log.warn("Bind was found but type {} is not supported", atCfg.getUid().getType());
                        }
                    });
                }
            }
        } catch (CursorLdapReferralException e) {
            log.warn("An entry is only available via referral, skipping");
        } catch (IOException | LdapException | CursorException e) {
            throw new InternalServerError(e);
        }
        return result;
    }
    @Override
    public UserDirectorySearchResult searchByDisplayName(String query) {
        log.info("Performing LDAP directory search on display name using '{}'", query);
        List<String> attributes = new ArrayList<>();
        attributes.add(getAt().getName());
        attributes.addAll(getCfg().getDirectory().getAttribute().getOther());
        return search(query, attributes);
    }
    @Override
    public UserDirectorySearchResult searchBy3pid(String query) {
        log.info("Performing LDAP directory search on 3PIDs using '{}'", query);
        List<String> attributes = new ArrayList<>();
        attributes.add(getAt().getName());
        getCfg().getAttribute().getThreepid().forEach((k, v) -> attributes.addAll(v));
        return search(query, attributes);
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapProfileProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapProfileProvider.java
@@ -0,0 +1,154 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix._MatrixID;
 import io.kamax.matrix._ThreePid;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.profile.ProfileProvider;
 import org.apache.directory.api.ldap.model.cursor.CursorException;
 import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException;
 import org.apache.directory.api.ldap.model.cursor.EntryCursor;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
@Component
 public class LdapProfileProvider extends LdapBackend implements ProfileProvider {
    private transient Logger log = LoggerFactory.getLogger(LdapProfileProvider.class);
    @Autowired
    public LdapProfileProvider(LdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    @Override
    public boolean isEnabled() {
        return getCfg().isEnabled();
    }
    @Override
    public Optional<String> getDisplayName(_MatrixID userId) {
        try (LdapConnection conn = getConn()) {
            bind(conn);
            String searchQuery = buildOrQueryWithFilter(getCfg().getProfile().getFilter(), buildUidFromMatrixId(userId), getUidAtt());
            log.debug("Base DN: {}", getBaseDn());
            log.debug("Query: {}", searchQuery);
            try (EntryCursor cursor = conn.search(getBaseDn(), searchQuery, SearchScope.SUBTREE, getAt().getName())) {
                while (cursor.next()) {
                    Entry entry = cursor.get();
                    log.info("Found possible match, DN: {}", entry.getDn().getName());
                    Optional<String> v = getAttribute(entry, getAt().getName()).flatMap(uid -> {
                        log.info("DN {} is a valid match", entry.getDn().getName());
                        try {
                            return getAttribute(entry, getAt().getName());
                        } catch (IllegalArgumentException e) {
                            log.warn("Bind was found but type {} is not supported", getAt().getUid().getType());
                            return Optional.empty();
                        }
                    });
                    if (v.isPresent()) {
                        log.info("DN {} is the final match", entry.getDn().getName());
                        return v;
                    }
                }
            }
        } catch (CursorLdapReferralException e) {
            log.warn("An entry is only available via referral, skipping");
        } catch (IOException | LdapException | CursorException e) {
            throw new InternalServerError(e);
        }
        return Optional.empty();
    }
    @Override
    public List<_ThreePid> getThreepids(_MatrixID userId) {
        String uid = buildUidFromMatrixId(userId);
        log.info("Looking for display name of {}", uid);
        List<_ThreePid> threePids = new ArrayList<>();
        try (LdapConnection conn = getConn()) {
            bind(conn);
            log.debug("Base DN: {}", getBaseDn());
            getCfg().getAttribute().getThreepid().forEach((medium, attributes) -> {
                String[] attArray = new String[attributes.size()];
                attributes.toArray(attArray);
                String searchQuery = buildOrQueryWithFilter(getCfg().getProfile().getFilter(), uid, getUidAtt());
                log.debug("Query for 3PID {}: {}", medium, searchQuery);
                try (EntryCursor cursor = conn.search(getBaseDn(), searchQuery, SearchScope.SUBTREE, attArray)) {
                    while (cursor.next()) {
                        Entry entry = cursor.get();
                        log.info("Found possible match, DN: {}", entry.getDn().getName());
                        try {
                            attributes.stream()
                                    .flatMap(at -> getAttributes(entry, at).stream())
                                    .forEach(address -> {
                                        log.info("Found 3PID: {} - {}", medium, address);
                                        threePids.add(new ThreePid(medium, address));
                                    });
                        } catch (IllegalArgumentException e) {
                            log.warn("Bind was found but type {} is not supported", getAt().getUid().getType());
                        }
                    }
                } catch (CursorLdapReferralException e) {
                    log.warn("An entry is only available via referral, skipping");
                } catch (IOException | LdapException | CursorException e) {
                    throw new InternalServerError(e);
                }
            });
        } catch (IOException | LdapException e) {
            throw new InternalServerError(e);
        }
        return threePids;
    }
    @Override
    public List<String> getRoles(_MatrixID userId) {
        return Collections.emptyList();
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/LdapThreePidProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/LdapThreePidProvider.java
@@ -0,0 +1,145 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.SingleLookupRequest;
 import io.kamax.mxisd.lookup.ThreePidMapping;
 import io.kamax.mxisd.lookup.provider.IThreePidProvider;
 import io.kamax.mxisd.util.GsonUtil;
 import org.apache.directory.api.ldap.model.cursor.CursorException;
 import org.apache.directory.api.ldap.model.cursor.CursorLdapReferralException;
 import org.apache.directory.api.ldap.model.cursor.EntryCursor;
 import org.apache.directory.api.ldap.model.entry.Entry;
 import org.apache.directory.api.ldap.model.exception.LdapException;
 import org.apache.directory.api.ldap.model.message.SearchScope;
 import org.apache.directory.ldap.client.api.LdapConnection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
@Component
 public class LdapThreePidProvider extends LdapBackend implements IThreePidProvider {
    private Logger log = LoggerFactory.getLogger(LdapThreePidProvider.class);
    public LdapThreePidProvider(LdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    @Override
    public boolean isEnabled() {
        return getCfg().isEnabled();
    }
    @Override
    public boolean isLocal() {
        return true;
    }
    @Override
    public int getPriority() {
        return 20;
    }
    private Optional<String> lookup(LdapConnection conn, String medium, String value) {
        Optional<String> tPidQueryOpt = getCfg().getIdentity().getQuery(medium);
        if (!tPidQueryOpt.isPresent()) {
            log.warn("{} is not a configured 3PID type for LDAP lookup", medium);
            return Optional.empty();
        }
        // we merge 3PID specific query with global/specific filter, if one exists.
        String tPidQuery = tPidQueryOpt.get().replaceAll(getCfg().getIdentity().getToken(), value);
        String searchQuery = buildWithFilter(tPidQuery, getCfg().getIdentity().getFilter());
        log.debug("Base DN: {}", getBaseDn());
        log.debug("Query: {}", searchQuery);
        log.debug("Attributes: {}", GsonUtil.build().toJson(getUidAtt()));
        try (EntryCursor cursor = conn.search(getBaseDn(), searchQuery, SearchScope.SUBTREE, getUidAtt())) {
            while (cursor.next()) {
                Entry entry = cursor.get();
                log.info("Found possible match, DN: {}", entry.getDn().getName());
                Optional<String> data = getAttribute(entry, getUidAtt());
                if (!data.isPresent()) {
                    continue;
                }
                log.info("DN {} is a valid match", entry.getDn().getName());
                return Optional.of(buildMatrixIdFromUid(data.get()));
            }
        } catch (CursorLdapReferralException e) {
            log.warn("3PID {} is only available via referral, skipping", value);
        } catch (IOException | LdapException | CursorException e) {
            throw new InternalServerError(e);
        }
        return Optional.empty();
    }
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
        log.info("Performing LDAP lookup {} of type {}", request.getThreePid(), request.getType());
        try (LdapConnection conn = getConn()) {
            bind(conn);
            return lookup(conn, request.getType(), request.getThreePid()).map(id -> new SingleLookupReply(request, id));
        } catch (LdapException | IOException e) {
            throw new InternalServerError(e);
        }
    }
    @Override
    public List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        log.info("Looking up {} mappings", mappings.size());
        List<ThreePidMapping> mappingsFound = new ArrayList<>();
        try (LdapConnection conn = getConn()) {
            bind(conn);
            for (ThreePidMapping mapping : mappings) {
                try {
                    lookup(conn, mapping.getMedium(), mapping.getValue()).ifPresent(id -> {
                        mapping.setMxid(id);
                        mappingsFound.add(mapping);
                    });
                } catch (IllegalArgumentException e) {
                    log.warn("{} is not a supported 3PID type for LDAP lookup", mapping.getMedium());
                }
            }
        } catch (LdapException | IOException e) {
            throw new InternalServerError(e);
        }
        return mappingsFound;
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapAuthProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapAuthProvider.java
@@ -0,0 +1,41 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sàrl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap.netiq;
 import io.kamax.mxisd.backend.ldap.LdapAuthProvider;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.netiq.NetIqLdapConfig;
 import org.springframework.stereotype.Component;
@Component
 public class NetIqLdapAuthProvider extends LdapAuthProvider {
    public NetIqLdapAuthProvider(NetIqLdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    // FIXME this is duplicated in the other NetIQ classes, due to the Matrix ID generation code that was not abstracted
    @Override
    public String buildMatrixIdFromUid(String uid) {
        return super.buildMatrixIdFromUid(uid).toLowerCase();
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapDirectoryProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapDirectoryProvider.java
@@ -0,0 +1,41 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sàrl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap.netiq;
 import io.kamax.mxisd.backend.ldap.LdapDirectoryProvider;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.netiq.NetIqLdapConfig;
 import org.springframework.stereotype.Component;
@Component
 public class NetIqLdapDirectoryProvider extends LdapDirectoryProvider {
    public NetIqLdapDirectoryProvider(NetIqLdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    // FIXME this is duplicated in the other NetIQ classes, due to the Matrix ID generation code that was not abstracted
    @Override
    public String buildMatrixIdFromUid(String uid) {
        return super.buildMatrixIdFromUid(uid).toLowerCase();
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapProfileProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapProfileProvider.java
@@ -0,0 +1,50 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap.netiq;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.backend.ldap.LdapProfileProvider;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.LdapConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@Component
 public class NetIqLdapProfileProvider extends LdapProfileProvider {
    @Autowired
    public NetIqLdapProfileProvider(LdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    // FIXME this is duplicated in the other NetIQ classes, due to the Matrix ID generation code that was not abstracted
    @Override
    public String buildMatrixIdFromUid(String uid) {
        return super.buildMatrixIdFromUid(uid).toLowerCase();
    }
    // FIXME this is duplicated in the other NetIQ classes, due to the Matrix ID generation code that was not abstracted
    @Override
    public String buildUidFromMatrixId(_MatrixID mxid) {
        return super.buildUidFromMatrixId(mxid).toLowerCase();
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapThreePidProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/ldap/netiq/NetIqLdapThreePidProvider.java
@@ -0,0 +1,41 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sàrl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.ldap.netiq;
 import io.kamax.mxisd.backend.ldap.LdapThreePidProvider;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.ldap.netiq.NetIqLdapConfig;
 import org.springframework.stereotype.Component;
@Component
 public class NetIqLdapThreePidProvider extends LdapThreePidProvider {
    public NetIqLdapThreePidProvider(NetIqLdapConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
    // FIXME this is duplicated in the other NetIQ classes, due to the Matrix ID generation code that was not abstracted
    @Override
    public String buildMatrixIdFromUid(String uid) {
        return super.buildMatrixIdFromUid(uid).toLowerCase();
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/memory/MemoryIdentityStore.java
+++ b/src/main/java/io/kamax/mxisd/backend/memory/MemoryIdentityStore.java
@@ -0,0 +1,178 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.memory;
 import io.kamax.matrix.MatrixID;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix._MatrixID;
 import io.kamax.matrix._ThreePid;
 import io.kamax.mxisd.UserIdType;
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
 import io.kamax.mxisd.auth.provider.BackendAuthResult;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.memory.MemoryIdentityConfig;
 import io.kamax.mxisd.config.memory.MemoryStoreConfig;
 import io.kamax.mxisd.config.memory.MemoryThreePid;
 import io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchResult;
 import io.kamax.mxisd.directory.IDirectoryProvider;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.SingleLookupRequest;
 import io.kamax.mxisd.lookup.ThreePidMapping;
 import io.kamax.mxisd.lookup.provider.IThreePidProvider;
 import io.kamax.mxisd.profile.ProfileProvider;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.function.Predicate;
@Component
 public class MemoryIdentityStore implements AuthenticatorProvider, IDirectoryProvider, IThreePidProvider, ProfileProvider {
    private final Logger logger = LoggerFactory.getLogger(MemoryIdentityStore.class);
    private final MatrixConfig mxCfg;
    private final MemoryStoreConfig cfg;
    @Autowired
    public MemoryIdentityStore(MatrixConfig mxCfg, MemoryStoreConfig cfg) {
        this.mxCfg = mxCfg;
        this.cfg = cfg;
    }
    public Optional<MemoryIdentityConfig> findByUsername(String username) {
        return cfg.getIdentities().stream()
                .filter(id -> StringUtils.equals(id.getUsername(), username))
                .findFirst();
    }
    @Override
    public boolean isEnabled() {
        return cfg.isEnabled();
    }
    @Override
    public Optional<String> getDisplayName(_MatrixID mxid) {
        return findByUsername(mxid.getLocalPart()).map(MemoryIdentityConfig::getDisplayName);
    }
    private UserDirectorySearchResult search(
            Predicate<MemoryIdentityConfig> predicate,
            Function<MemoryIdentityConfig, UserDirectorySearchResult.Result> mapper
    ) {
        UserDirectorySearchResult search = new UserDirectorySearchResult();
        cfg.getIdentities().stream().filter(predicate).map(mapper).forEach(search::addResult);
        return search;
    }
    @Override
    public UserDirectorySearchResult searchByDisplayName(String query) {
        return search(
                entry -> StringUtils.containsIgnoreCase(entry.getUsername(), query),
                entry -> {
                    UserDirectorySearchResult.Result result = new UserDirectorySearchResult.Result();
                    result.setUserId(MatrixID.from(entry.getUsername(), mxCfg.getDomain()).acceptable().getId());
                    result.setDisplayName(entry.getUsername());
                    return result;
                }
        );
    }
    @Override
    public UserDirectorySearchResult searchBy3pid(String query) {
        return search(
                entry -> entry.getThreepids().stream()
                        .anyMatch(tpid -> StringUtils.containsIgnoreCase(tpid.getAddress(), query)),
                entry -> {
                    UserDirectorySearchResult.Result result = new UserDirectorySearchResult.Result();
                    result.setUserId(MatrixID.from(entry.getUsername(), mxCfg.getDomain()).acceptable().getId());
                    result.setDisplayName(entry.getUsername());
                    return result;
                }
        );
    }
    @Override
    public List<_ThreePid> getThreepids(_MatrixID mxid) {
        List<_ThreePid> l = new ArrayList<>();
        findByUsername(mxid.getLocalPart()).ifPresent(c -> l.addAll(c.getThreepids()));
        return l;
    }
    @Override
    public List<String> getRoles(_MatrixID mxid) {
        List<String> l = new ArrayList<>();
        findByUsername(mxid.getLocalPart()).ifPresent(c -> l.addAll(c.getRoles()));
        return l;
    }
    @Override
    public boolean isLocal() {
        return true;
    }
    @Override
    public int getPriority() {
        return Integer.MAX_VALUE;
    }
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
        logger.info("Performing lookup {} of type {}", request.getThreePid(), request.getType());
        ThreePid req = new ThreePid(request.getType(), request.getThreePid());
        for (MemoryIdentityConfig id : cfg.getIdentities()) {
            for (MemoryThreePid threepid : id.getThreepids()) {
                if (req.equals(new ThreePid(threepid.getMedium(), threepid.getAddress()))) {
                    return Optional.of(new SingleLookupReply(request, new MatrixID(id.getUsername(), mxCfg.getDomain())));
                }
            }
        }
        return Optional.empty();
    }
    @Override
    public List<ThreePidMapping> populate(List<ThreePidMapping> mappings) {
        return Collections.emptyList();
    }
    @Override
    public BackendAuthResult authenticate(_MatrixID mxid, String password) {
        return findByUsername(mxid.getLocalPart()).map(id -> {
            if (!StringUtils.equals(id.getUsername(), mxid.getLocalPart())) {
                return BackendAuthResult.failure();
            } else {
                BackendAuthResult result = new BackendAuthResult();
                id.getThreepids().forEach(tpid -> result.withThreePid(new ThreePid(tpid.getMedium(), tpid.getAddress())));
                result.succeed(mxid.getId(), UserIdType.MatrixID.getId(), "");
                return result;
            }
        }).orElseGet(BackendAuthResult::failure);
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/LookupBulkResponseJson.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/LookupBulkResponseJson.java
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/LookupSingleRequestJson.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/LookupSingleRequestJson.java
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/LookupSingleResponseJson.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/LookupSingleResponseJson.java
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/RestAuthProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/RestAuthProvider.java
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/RestAuthRequestJson.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/RestAuthRequestJson.java
--- a/src/main/java/io/kamax/mxisd/backend/rest/RestDirectoryProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/rest/RestDirectoryProvider.java
@@ -0,0 +1,84 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Maxime Dor
 *
 * https://max.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.rest;
 import io.kamax.matrix.MatrixID;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.rest.RestBackendConfig;
 import io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchRequest;
 import io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchResult;
 import io.kamax.mxisd.directory.IDirectoryProvider;
 import io.kamax.mxisd.exception.InternalServerError;
 import io.kamax.mxisd.util.RestClientUtils;
 import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.springframework.stereotype.Component;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
@Component
 public class RestDirectoryProvider extends RestProvider implements IDirectoryProvider {
    private MatrixConfig mxCfg;
    public RestDirectoryProvider(RestBackendConfig cfg, MatrixConfig mxCfg) {
        super(cfg);
        this.mxCfg = mxCfg;
    }
    @Override
    public boolean isEnabled() {
        return cfg.isEnabled() && StringUtils.isNotBlank(cfg.getEndpoints().getDirectory());
    }
    private UserDirectorySearchResult search(String by, String query) {
        UserDirectorySearchRequest request = new UserDirectorySearchRequest(query);
        request.setBy(by);
        try (CloseableHttpResponse httpResponse = client.execute(RestClientUtils.post(cfg.getEndpoints().getDirectory(), request))) {
            int status = httpResponse.getStatusLine().getStatusCode();
            if (status < 200 || status >= 300) {
                throw new InternalServerError("REST backend: Error: " + IOUtils.toString(httpResponse.getEntity().getContent(), StandardCharsets.UTF_8));
            }
            UserDirectorySearchResult response = parser.parse(httpResponse, UserDirectorySearchResult.class);
            for (UserDirectorySearchResult.Result result : response.getResults()) {
                result.setUserId(new MatrixID(result.getUserId(), mxCfg.getDomain()).getId());
            }
            return response;
        } catch (IOException e) {
            throw new InternalServerError("REST backend: I/O error: " + e.getMessage());
        }
    }
    @Override
    public UserDirectorySearchResult searchByDisplayName(String query) {
        return search("name", query);
    }
    @Override
    public UserDirectorySearchResult searchBy3pid(String query) {
        return search("threepid", query);
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/RestProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/RestProvider.java
--- a/src/main/groovy/io/kamax/mxisd/backend/rest/RestThreePidProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/rest/RestThreePidProvider.java
--- a/src/main/java/io/kamax/mxisd/backend/sql/SqlConnectionPool.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/SqlConnectionPool.java
@@ -0,0 +1,59 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql;
 import com.mchange.v2.c3p0.ComboPooledDataSource;
 import io.kamax.mxisd.config.sql.SqlConfig;
 import java.sql.Connection;
 import java.sql.SQLException;
 public class SqlConnectionPool {
    public interface SqlFunction<T, R> {
        R run(T connection) throws SQLException;
    }
    private ComboPooledDataSource ds;
    public SqlConnectionPool(SqlConfig cfg) {
        ds = new ComboPooledDataSource();
        ds.setJdbcUrl("jdbc:" + cfg.getType() + ":" + cfg.getConnection());
        ds.setMinPoolSize(1);
        ds.setMaxPoolSize(10);
        ds.setAcquireIncrement(2);
    }
    public Connection get() throws SQLException {
        return ds.getConnection();
    }
    public <T> T withConnFunction(SqlFunction<Connection, T> function) {
        try (Connection conn = get()) {
            return function.run(conn);
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/sql/SqlProfileProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/SqlProfileProvider.java
@@ -0,0 +1,105 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql;
 import io.kamax.matrix.ThreePid;
 import io.kamax.matrix._MatrixID;
 import io.kamax.matrix._ThreePid;
 import io.kamax.mxisd.config.sql.SqlConfig;
 import io.kamax.mxisd.profile.ProfileProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
 import java.util.Optional;
 public abstract class SqlProfileProvider implements ProfileProvider {
    private Logger log = LoggerFactory.getLogger(SqlProfileProvider.class);
    private SqlConfig.Profile cfg;
    private SqlConnectionPool pool;
    public SqlProfileProvider(SqlConfig cfg) {
        this.cfg = cfg.getProfile();
        this.pool = new SqlConnectionPool(cfg);
    }
    @Override
    public boolean isEnabled() {
        return cfg.isEnabled();
    }
    @Override
    public Optional<String> getDisplayName(_MatrixID user) {
        String stmtSql = cfg.getDisplayName().getQuery();
        try (Connection conn = pool.get()) {
            try (PreparedStatement stmt = conn.prepareStatement(stmtSql)) {
                stmt.setString(1, user.getId());
                try (ResultSet rSet = stmt.executeQuery()) {
                    if (!rSet.next()) {
                        return Optional.empty();
                    }
                    return Optional.ofNullable(rSet.getString(1));
                }
            }
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }
    @Override
    public List<_ThreePid> getThreepids(_MatrixID user) {
        List<_ThreePid> threepids = new ArrayList<>();
        String stmtSql = cfg.getThreepid().getQuery();
        try (Connection conn = pool.get()) {
            PreparedStatement stmt = conn.prepareStatement(stmtSql);
            stmt.setString(1, user.getId());
            ResultSet rSet = stmt.executeQuery();
            while (rSet.next()) {
                String medium = rSet.getString(1);
                String address = rSet.getString(2);
                threepids.add(new ThreePid(medium, address));
            }
            return threepids;
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }
    @Override
    public List<String> getRoles(_MatrixID user) {
        return Collections.emptyList();
    }
 }
--- a/src/main/groovy/io/kamax/mxisd/backend/sql/SqlThreePidProvider.java
+++ b/src/main/groovy/io/kamax/mxisd/backend/sql/SqlThreePidProvider.java
@@ -1,8 +1,8 @@
 /*
 * mxisd - Matrix Identity Server Daemon
- * Copyright (C) 2017 Maxime Dor
+ * Copyright (C) 2017 Kamax Sarl
 *
- * https://max.kamax.io/
+ * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
@@ -22,7 +22,7 @@ package io.kamax.mxisd.backend.sql;
 import io.kamax.matrix.MatrixID;
 import io.kamax.mxisd.config.MatrixConfig;
-import io.kamax.mxisd.config.sql.SqlProviderConfig;
+import io.kamax.mxisd.config.sql.SqlConfig;
 import io.kamax.mxisd.lookup.SingleLookupReply;
 import io.kamax.mxisd.lookup.SingleLookupRequest;
 import io.kamax.mxisd.lookup.ThreePidMapping;
@@ -30,24 +30,29 @@ import io.kamax.mxisd.lookup.provider.IThreePidProvider;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
-import java.sql.*;
+import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
-@Component
+public abstract class SqlThreePidProvider implements IThreePidProvider {
 public class SqlThreePidProvider implements IThreePidProvider {
    private Logger log = LoggerFactory.getLogger(SqlThreePidProvider.class);
-    @Autowired
+    private SqlConfig cfg;
    private MatrixConfig mxCfg;
-    @Autowired
+    private SqlConnectionPool pool;
-    private SqlProviderConfig cfg;
+
    public SqlThreePidProvider(SqlConfig cfg, MatrixConfig mxCfg) {
        this.cfg = cfg;
        this.pool = new SqlConnectionPool(cfg);
        this.mxCfg = mxCfg;
    }
    @Override
    public boolean isEnabled() {
@@ -64,20 +69,17 @@ public class SqlThreePidProvider implements IThreePidProvider {
        return 20;
    }
    private Connection getConn() throws SQLException {
        return DriverManager.getConnection("jdbc:" + cfg.getType() + ":" + cfg.getConnection());
    }
    @Override
    public Optional<SingleLookupReply> find(SingleLookupRequest request) {
        log.info("SQL lookup");
        String stmtSql = StringUtils.defaultIfBlank(cfg.getIdentity().getMedium().get(request.getType()), cfg.getIdentity().getQuery());
        log.info("SQL query: {}", stmtSql);
-        try (PreparedStatement stmt = getConn().prepareStatement(stmtSql)) {
+        try (Connection conn = pool.get()) {
            try (PreparedStatement stmt = conn.prepareStatement(stmtSql)) {
                stmt.setString(1, request.getType().toLowerCase());
                stmt.setString(2, request.getThreePid().toLowerCase());
-            ResultSet rSet = stmt.executeQuery();
+                try (ResultSet rSet = stmt.executeQuery()) {
                    while (rSet.next()) {
                        String uid = rSet.getString("uid");
                        log.info("Found match: {}", uid);
@@ -95,6 +97,8 @@ public class SqlThreePidProvider implements IThreePidProvider {
                    log.info("No match found in SQL");
                    return Optional.empty();
                }
            }
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
--- a/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlAuthProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlAuthProvider.java
@@ -1,8 +1,8 @@
 /*
 * mxisd - Matrix Identity Server Daemon
- * Copyright (C) 2017 Maxime Dor
+ * Copyright (C) 2017 Kamax Sarl
 *
- * https://max.kamax.io/
+ * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
@@ -18,13 +18,12 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
-package io.kamax.mxisd.backend.sql;
+package io.kamax.mxisd.backend.sql.generic;
 import io.kamax.matrix._MatrixID;
 import io.kamax.mxisd.auth.provider.AuthenticatorProvider;
 import io.kamax.mxisd.auth.provider.BackendAuthResult;
-import io.kamax.mxisd.config.ServerConfig;
+import io.kamax.mxisd.config.sql.generic.GenericSqlProviderConfig;
 import io.kamax.mxisd.config.sql.SqlProviderConfig;
 import io.kamax.mxisd.invitation.InvitationManager;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -32,22 +31,19 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@Component
-public class SqlAuthProvider implements AuthenticatorProvider {
+public class GenericSqlAuthProvider implements AuthenticatorProvider {
-    private Logger log = LoggerFactory.getLogger(SqlAuthProvider.class);
+    private Logger log = LoggerFactory.getLogger(GenericSqlAuthProvider.class);
    @Autowired
-    private ServerConfig srvCfg;
+    private GenericSqlProviderConfig cfg;
    @Autowired
    private SqlProviderConfig cfg;
    @Autowired
    private InvitationManager invMgr;
    @Override
    public boolean isEnabled() {
-        return cfg.isEnabled();
+        return cfg.getAuth().isEnabled();
    }
    @Override
--- a/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlDirectoryProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlDirectoryProvider.java
@@ -0,0 +1,115 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql.generic;
 import io.kamax.matrix.MatrixID;
 import io.kamax.mxisd.backend.sql.SqlConnectionPool;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.sql.SqlConfig;
 import io.kamax.mxisd.config.sql.generic.GenericSqlProviderConfig;
 import io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchResult;
 import io.kamax.mxisd.directory.IDirectoryProvider;
 import io.kamax.mxisd.exception.InternalServerError;
 import org.apache.commons.lang.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.Optional;
 import static io.kamax.mxisd.controller.directory.v1.io.UserDirectorySearchResult.Result;
 public abstract class GenericSqlDirectoryProvider implements IDirectoryProvider {
    private Logger log = LoggerFactory.getLogger(GenericSqlDirectoryProvider.class);
    protected SqlConfig cfg;
    protected MatrixConfig mxCfg;
    private SqlConnectionPool pool;
    public GenericSqlDirectoryProvider(SqlConfig cfg, MatrixConfig mxCfg) {
        this.cfg = cfg;
        this.pool = new SqlConnectionPool(cfg);
        this.mxCfg = mxCfg;
    }
    @Override
    public boolean isEnabled() {
        return cfg.getDirectory().isEnabled();
    }
    protected void setParameters(PreparedStatement stmt, String searchTerm) throws SQLException {
        for (int i = 1; i <= stmt.getParameterMetaData().getParameterCount(); i++) {
            stmt.setString(i, searchTerm);
        }
    }
    protected Optional<Result> processRow(ResultSet rSet) throws SQLException {
        Result item = new Result();
        item.setUserId(rSet.getString(1));
        item.setDisplayName(rSet.getString(2));
        return Optional.of(item);
    }
    public UserDirectorySearchResult search(String searchTerm, GenericSqlProviderConfig.Query query) {
        try (Connection conn = pool.get()) {
            log.info("Will execute query: {}", query.getValue());
            try (PreparedStatement stmt = conn.prepareStatement(query.getValue())) {
                setParameters(stmt, searchTerm);
                try (ResultSet rSet = stmt.executeQuery()) {
                    UserDirectorySearchResult result = new UserDirectorySearchResult();
                    result.setLimited(false);
                    while (rSet.next()) {
                        processRow(rSet).ifPresent(e -> {
                            if (StringUtils.equalsIgnoreCase("localpart", query.getType())) {
                                e.setUserId(new MatrixID(e.getUserId(), mxCfg.getDomain()).getId());
                            }
                            result.addResult(e);
                        });
                    }
                    return result;
                }
            }
        } catch (SQLException e) {
            throw new InternalServerError(e);
        }
    }
    @Override
    public UserDirectorySearchResult searchByDisplayName(String searchTerm) {
        log.info("Searching users by display name using '{}'", searchTerm);
        return search(searchTerm, cfg.getDirectory().getQuery().getName());
    }
    @Override
    public UserDirectorySearchResult searchBy3pid(String searchTerm) {
        log.info("Searching users by 3PID using '{}'", searchTerm);
        return search(searchTerm, cfg.getDirectory().getQuery().getThreepid());
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlProfileProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlProfileProvider.java
@@ -1,8 +1,8 @@
 /*
 * mxisd - Matrix Identity Server Daemon
- * Copyright (C) 2017 Maxime Dor
+ * Copyright (C) 2018 Kamax Sarl
 *
- * https://max.kamax.io/
+ * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
@@ -18,27 +18,17 @@
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
-package io.kamax.mxisd.lookup
+package io.kamax.mxisd.backend.sql.generic;
-class SingleLookupRequest extends ALookupRequest {
+import io.kamax.mxisd.backend.sql.SqlProfileProvider;
 import io.kamax.mxisd.config.sql.generic.GenericSqlProviderConfig;
 import org.springframework.stereotype.Component;
-    private String type
+@Component
-    private String threePid
+public class GenericSqlProfileProvider extends SqlProfileProvider {
-    String getType() {
+    public GenericSqlProfileProvider(GenericSqlProviderConfig cfg) {
-        return type
+        super(cfg);
    }
    void setType(String type) {
        this.type = type
    }
    String getThreePid() {
        return threePid
    }
    void setThreePid(String threePid) {
        this.threePid = threePid
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlThreePidProvider.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/generic/GenericSqlThreePidProvider.java
@@ -0,0 +1,37 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2017 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql.generic;
 import io.kamax.mxisd.backend.sql.SqlThreePidProvider;
 import io.kamax.mxisd.config.MatrixConfig;
 import io.kamax.mxisd.config.sql.generic.GenericSqlProviderConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
@Component
 public class GenericSqlThreePidProvider extends SqlThreePidProvider {
    @Autowired
    public GenericSqlThreePidProvider(GenericSqlProviderConfig cfg, MatrixConfig mxCfg) {
        super(cfg, mxCfg);
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/sql/synapse/Synapse.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/synapse/Synapse.java
@@ -0,0 +1,55 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql.synapse;
 import io.kamax.mxisd.backend.sql.SqlConnectionPool;
 import io.kamax.mxisd.config.sql.synapse.SynapseSqlProviderConfig;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.util.Optional;
@Component
 public class Synapse {
    private SqlConnectionPool pool;
    @Autowired
    public Synapse(SynapseSqlProviderConfig sqlCfg) {
        this.pool = new SqlConnectionPool(sqlCfg);
    }
    public Optional<String> getRoomName(String id) {
        return pool.withConnFunction(conn -> {
            PreparedStatement stmt = conn.prepareStatement(SynapseQueries.getRoomName());
            stmt.setString(1, id);
            ResultSet rSet = stmt.executeQuery();
            if (!rSet.next()) {
                return Optional.empty();
            }
            return Optional.ofNullable(rSet.getString(1));
        });
    }
 }
--- a/src/main/java/io/kamax/mxisd/backend/sql/synapse/SynapseQueries.java
+++ b/src/main/java/io/kamax/mxisd/backend/sql/synapse/SynapseQueries.java
@@ -0,0 +1,74 @@
 /*
 * mxisd - Matrix Identity Server Daemon
 * Copyright (C) 2018 Kamax Sarl
 *
 * https://www.kamax.io/
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 package io.kamax.mxisd.backend.sql.synapse;
 import io.kamax.mxisd.exception.ConfigurationException;
 import org.apache.commons.lang.StringUtils;
 public class SynapseQueries {
    public static String getUserId(String type, String domain) {
        if (StringUtils.equals("sqlite", type)) {
            return "'@' || p.user_id || ':" + domain + "'";
        } else if (StringUtils.equals("postgresql", type)) {
            return "concat('@',p.user_id,':" + domain + "')";
        } else {
            throw new ConfigurationException("Invalid Synapse SQL type: " + type);
        }
    }
    public static String getDisplayName() {
        return "SELECT displayname FROM profiles WHERE user_id = ?";
    }
    public static String getThreepids() {
        return "SELECT medium, address FROM user_threepids WHERE user_id = ?";
    }
    public static String findByDisplayName(String type, String domain) {
        if (StringUtils.equals("sqlite", type)) {
            return "select " + getUserId(type, domain) + ", displayname from profiles p where displayname like ?";
        } else if (StringUtils.equals("postgresql", type)) {
            return "select " + getUserId(type, domain) + ", displayname from profiles p where displayname ilike ?";
        } else {
            throw new ConfigurationException("Invalid Synapse SQL type: " + type);
        }
    }
    public static String findByThreePidAddress(String type, String domain) {
        if (StringUtils.equals("sqlite", type)) {
            return "select t.user_id, p.displayname " +
                    "from user_threepids t JOIN profiles p on t.user_id = " + getUserId(type, domain) + " " +
                    "where t.address like ?";
        } else if (StringUtils.equals("postgresql", type)) {
            return "select t.user_id, p.displayname " +
                    "from user_threepids t JOIN profiles p on t.user_id = " + getUserId(type, domain) + " " +
                    "where t.address ilike ?";
        } else {
            throw new ConfigurationException("Invalid Synapse SQL type: " + type);
        }
    }
    public static String getRoomName() {
        return "select r.name from room_names r, events e, (select r1.room_id,max(e1.origin_server_ts) ts from room_names r1, events e1 where r1.event_id = e1.event_id group by r1.room_id) rle where e.origin_server_ts = rle.ts and r.event_id = e.event_id and r.room_id = ?";
    }
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Max Dor	cdb56aec1f	Add documentation for new AS Notification/Profile feature	2018-10-16 21:28:38 +02:00
Max Dor	407138e972	Add LDAP support Matrix ID room invites notifications	2018-10-16 21:28:38 +02:00
Max Dor	3eee4eaccf	Add extra placeholders for Matrix ID room invites notifications - Sender display name, if available - Room name, if available	2018-10-16 21:28:38 +02:00
Max Dor	b3aefbed77	Add support for 3PID notification for Matrix ID room invites - Experimental feature - Via AS API	2018-10-16 21:28:38 +02:00
Max Dor	843fa04f19	Update links to new repo org	2018-10-12 16:21:29 +02:00
Max Dor	f7d1a300f1	Fix #69	2018-10-10 02:10:48 +02:00
Max Dor	f16eb264be	Fix for #72	2018-10-10 01:59:15 +02:00
Max Dor	f29014be1f	Fix some logging statements	2018-09-30 17:41:18 +02:00
Max Dor	0c0feab0c0	Improve docs	2018-09-19 22:29:20 +02:00
Max Dor	dd313881db	Fix repositories order Repositories are attempted in order listed. This change optimize the order so central repos are attempting before custom ones.	2018-09-19 22:28:25 +02:00
Max Dor	feb37112b2	Add on/off switch for 3PID in directory lookups	2018-08-15 11:25:41 +02:00
Max Dor	1ab8a27fda	Add on/off switch for bulk lookups	2018-08-12 02:16:14 +02:00
Max Dor	deafc420a5	Properly handle leading @ in search (Fix #79 )	2018-06-22 01:42:07 +02:00
Felix Schäfer	fce15f0e29	Use server.name instead of matrix.domain in Docs (#81 ) Enhance documentation to talk about server.name in DNS override for auth	2018-06-07 13:55:54 +02:00
Max Dor	5b5893f407	Fix typo in doc	2018-06-02 22:16:33 +02:00
Max Dor	f55d5fbc80	Make central IS opt-in (#80 )	2018-05-31 13:24:00 +02:00
Max Dor	b613415dc4	Fix doc layout (cosmetic)	2018-05-18 01:47:43 +02:00
Max Dor	0549d23d21	Add LDAP TLS config value in logs	2018-05-16 15:42:24 +02:00
Max Dor	b493ccd479	De-duplicate results from Identity stores in Directory searches	2018-04-26 01:45:04 +02:00
Max Dor	03e72ba155	Use the correct domain (server name) for signatures	2018-04-22 19:27:52 +02:00
Max Dor	32a3444a9e	Document the correct property for SQL usernames	2018-04-22 00:39:18 +02:00
Max Dor	78a25c21ba	Code maintenance - Switch to HttpClient for remote fetcher - Don't fail for remote binding on matrix.org	2018-04-13 08:14:09 +02:00
Max Dor	ef80f4aa30	Documentation enhancements (#73 )	2018-04-13 03:26:33 +02:00
Max Dor	1e413af019	Fix crypto A recent change in synapse shown that the various classes handling crypto were broken. All the crypto code has been refactored in the SDK and the local code has been adapted.	2018-04-11 23:37:33 +02:00
Max Dor	a0f8af820e	Fix minor regression with Auth feature and REST/Memory backend See https://matrix.to/#/!NPRUEisLjcaMtHIzDr:kamax.io/$1523216730848820dFUZX:matrix.org	2018-04-08 22:05:36 +02:00
Max Dor	5ef145212a	Support access tokens in headers (Fix #65 ) (#70 )	2018-04-02 17:26:03 +02:00
Max Dor	91ccb75fa1	Properly handle invalid characters in identifiers for Wordpress	2018-04-02 14:36:23 +02:00
Max Dor	ac6f549618	Support 3PID in memory identity store profile	2018-03-30 18:31:22 +02:00
Max Dor	7f9c7aa76d	Fix Synapse SQL directory provider class name	2018-03-25 23:19:45 +02:00
Max Dor	02688942fd	Enforce host present in DNS override config to avoid request loop	2018-03-25 19:31:52 +02:00
Max Dor	48668bcd92	Support of Directory for in-memory Identity store	2018-03-25 19:30:42 +02:00
Max Dor	a9627121fa	Enchanced profile management (#68 ) * Proof of concept of adding 3PIDs data to user profile * Document reverse proxy apache config * Support for Matrix Gateway project roles' endpoint * Fix conflicting ThreePid object defined in SDK and mxisd projects	2018-03-25 01:20:59 +01:00
Max Dor	3fc86465f8	Wordpress identity store (#67 )	2018-03-23 17:14:59 +01:00
Max Dor	d93b546e3c	Improved Travis-CI config - Use default JDK - Cache management for faster builds	2018-03-21 18:21:49 +01:00
Maxime Dor	ea15f24d41	Be clear about which LDAP config/backend is picked up	2018-03-21 02:32:00 +01:00
Max Dor	290a32d640	Merge pull request #66 from kamax-io/max/federation-discovery-enhancement Better federation auto-discovery	2018-03-15 00:14:20 +01:00
Maxime Dor	10f9126cb6	Better federation auto-discovery - Use the new status check endpoint at /_matrix/identity/api/v1 - Enforce DNS SRV existence before asking remote server for data	2018-03-11 18:28:48 +01:00
Maxime Dor	c3385b38dc	Update to latest SDK	2018-03-09 23:58:16 +01:00
adrnam	61fec4aec7	3PID authentication (#60 ) Fix for #49	2018-03-08 18:29:03 +01:00
Max Dor	1db76139a9	Invite resolution enhancements (#63 ) * Make invite resolution process configurable * Add warning in logs if invite resolution is not recursive	2018-03-05 10:00:09 +01:00
Max Dor	a27858082c	Add support for NetIQ as a LDAP backend (#61 )	2018-03-03 00:28:15 +01:00
Maxime Dor	ea08a80504	Respect 3PID session policy for remote sending with phone numbers	2018-03-02 23:27:19 +01:00
Maxime Dor	cb3130d365	Send phone number in response body when creating 3PID session If missing, Riot will show "undefined" instead of the number.	2018-03-02 23:26:33 +01:00
Maxime Dor	7189a4b100	Prepare for kamax-io/matrix-java-sdk#23	2018-02-27 18:30:36 +01:00
adrnam	f71cdbf83e	Clarified configuration comments (#54 )	2018-02-23 19:40:08 +01:00
Maxime Dor	665a284f4b	Clarify wording	2018-02-21 17:22:11 +01:00
Maxime Dor	5e142eb41d	Add some more LDAP debug entries	2018-01-28 18:02:03 +01:00
Maxime Dor	9fede41904	Add documentation for nginx config	2018-01-21 14:36:44 +01:00
Maxime Dor	5871bb6609	Set proper backend for Synapse SQL	2018-01-18 23:40:46 +01:00
Maxime Dor	5dbaca643a	Fix #42	2017-12-31 13:02:41 +01:00
Maxime Dor	bf9576f9c3	Optimize Dockerfile statements order for caching	2017-12-25 08:54:38 +01:00
Maxime Dor	773f38d349	Properly mark REST Directory provider as component (Fix #48 )	2017-12-23 17:43:03 +01:00
kiorky	6a5a4b3c1c	Fix Docker build (#44 )	2017-12-22 02:48:31 +01:00
Maxime Dor	7fff2448a1	Improve the docker experience - Only one env variable to configure on first usage - Auto-generate a default config - Improve doc	2017-12-16 19:58:11 +01:00
Maxime Dor	6571ff76b1	Take LDAP filter into account when doing 3PID lookups	2017-12-16 19:17:22 +01:00
Maxime Dor	16690a0329	Enforce baseDn for LDAP provider	2017-12-06 20:31:06 +01:00
Maxime Dor	6ac593f0fa	Fix typo	2017-12-02 20:13:25 +01:00
Maxime Dor	1581ab9e07	Better logic (cosmetic) for default 3PID notification providers	2017-11-30 02:44:21 +01:00
Maxime Dor	a1adca72e8	Properly select raw notification handler by default	2017-11-26 16:30:42 +01:00
Maxime Dor	e2b3920840	Directory: document HS exclusion config option	2017-11-22 19:40:16 +01:00
Maxime Dor	aaa742f6d2	LDAP: Properly handle multi-value attributes	2017-11-17 16:51:16 +01:00
Maxime Dor	959feb686c	Improve auth doc	2017-11-16 22:35:16 +01:00
Maxime Dor	d9c5c5056a	Improve getting started wording	2017-11-15 21:01:33 +01:00
Maxime Dor	83fafdcfeb	Add config option to disable HS lookup for directory searches	2017-11-06 11:16:22 +01:00
Maxime Dor	e916ecd08b	Properly handle Synapse as an Identity provider	2017-10-30 17:43:22 +01:00
Maxime Dor	1461d8ef6c	Add fixme to prevent using mxisd DB as synapse identity store	2017-10-30 16:42:00 +01:00
Maxime Dor	19c1214e4a	Fix release version extraction from git tags	2017-10-25 00:40:43 +02:00
Maxime Dor	b976f69c39	Fix systemd log format	2017-10-17 15:59:16 +02:00
Maxime Dor	3675da4a0f	Specify that LDAP now supports profile auto-fill	2017-10-11 21:08:10 +02:00
Max Dor	077955d538	Set theme jekyll-theme-cayman	2017-10-09 19:18:37 +02:00
Maxime Dor	9af0cd3615	Support for profile auto-fill with LDAP	2017-10-08 04:22:38 +02:00
Maxime Dor	2bf68538c3	Fix typo, broken links	2017-10-08 03:41:45 +02:00
Maxime Dor	6c02e478d9	Add donate link	2017-10-07 18:50:17 +02:00
Maxime Dor	284da779f9	Fix typo	2017-10-07 18:39:13 +02:00
Maxime Dor	af161296b3	Be clear about profile auto-fill in LDAP auth	2017-10-07 18:27:47 +02:00
Maxime Dor	6317acd7fc	Add missing links	2017-10-07 18:02:47 +02:00
Maxime Dor	30260af1f2	More documentation	2017-10-07 17:59:55 +02:00
Maxime Dor	3b697e86ac	Various error handling improvements and user feedback	2017-10-07 06:15:57 +02:00
Maxime Dor	b4f0645257	Handle Homeservers not implementing the directory endpoint	2017-10-06 14:12:43 +02:00
Maxime Dor	0e48edf86e	Properly handle session next url	2017-10-06 14:10:08 +02:00
Maxime Dor	7e92bfa474	Add warning not to use built-in configuration file	2017-10-05 21:42:02 +02:00
Maxime Dor	851e0c9d94	Properly build remote 3PID token request	2017-10-05 16:04:29 +02:00
Maxime Dor	ac1cbc4265	Fix redirect with thymleaf	2017-10-05 16:03:59 +02:00
Maxime Dor	62711ee12e	Improve README	2017-10-02 20:07:22 +02:00
Maxime Dor	3954be2f08	Fix recursive logic	2017-10-02 18:03:57 +02:00
Maxime Dor	640512eb27	Line wrap	2017-10-02 16:14:26 +02:00
Maxime Dor	40705b5d47	Improved documentation	2017-10-02 16:10:22 +02:00
Maxime Dor	642d560ba9	Fix spelling	2017-10-02 03:46:30 +02:00
Maxime Dor	b6e86f5b2e	Proper order of sections	2017-10-02 03:44:32 +02:00
Maxime Dor	4a99ec5531	Lots of new awesome documentation	2017-10-02 03:42:23 +02:00
Max Dor	9079bb25cc	Merge pull request #34 from kamax-io/directory-integration Directory integration	2017-10-01 22:04:58 +02:00
Maxime Dor	88e86cd0d5	Improve Directory documentation	2017-10-01 21:09:18 +02:00
Maxime Dor	8662b3f39f	Stable implementation of Directory integration - Documentation - Allow to specific other attributes in LDAP to include in the search	2017-10-01 19:36:11 +02:00
Maxime Dor	d0aac5ac52	User Directory support in REST Backend	2017-10-01 18:13:01 +02:00
Maxime Dor	c702a34aab	Fix regression due to bad replace	2017-10-01 16:10:05 +02:00
Maxime Dor	786e4a8f91	Prepare REST backend for directory flow	2017-10-01 02:21:48 +02:00
Maxime Dor	8d0b0edad2	Clarify some items thanks to users feedback	2017-10-01 00:06:03 +02:00
Maxime Dor	88a37c52c0	Skeleton for User directory setup instructions	2017-09-30 00:56:16 +02:00
Maxime Dor	52e4a65c3c	Fix query generation	2017-09-30 00:27:36 +02:00
Maxime Dor	69ecef0155	Refactored directory package to include API version	2017-09-29 22:13:51 +02:00
Maxime Dor	f7984bd36e	LDAP Directory search support	2017-09-29 20:54:08 +02:00
Maxime Dor	f735b3b730	Merge branch 'master' into directory-integration	2017-09-29 05:43:52 +02:00
Maxime Dor	b6008a41f2	Be consistent with DNS overwrite (always a URL)	2017-09-29 05:38:58 +02:00
Maxime Dor	ed2d13decf	Don't mix up configs	2017-09-29 05:34:21 +02:00
Maxime Dor	4f3ecc19f3	Directory integration prototype using Google Firebase auth + Synapse SQL	2017-09-29 02:52:05 +02:00
Maxime Dor	c816217b22	Send new invite notification to same user if rooms are different	2017-09-28 02:45:01 +02:00
Maxime Dor	182f3c4bc3	Skeleton for HS User directory integration	2017-09-27 04:37:45 +02:00
Maxime Dor	2e7b5d2a87	Refactor packages (cosmetic)	2017-09-27 03:59:45 +02:00
Max Dor	09208d55d7	Merge pull request #33 from kamax-io/email-connector-sendgrid Email connector sendgrid	2017-09-27 03:33:13 +02:00
Maxime Dor	05c76a657e	Fix extra placeholders in smtp sender	2017-09-27 03:30:53 +02:00
Maxime Dor	f3bbc7c7c6	Add support for SendGrid as Email notification handler	2017-09-27 01:55:37 +02:00
Maxime Dor	61addd297a	Use the correct formatting for MSISDN	2017-09-26 04:26:39 +02:00
Maxime Dor	1de0951733	Support 3PID listing during auth with Google Firebase	2017-09-26 03:11:15 +02:00
Maxime Dor	d348ebd813	Improved README to point to dedicated documents	2017-09-25 18:25:58 +02:00
Maxime Dor	0499c10a2c	Better sample config, better README	2017-09-25 18:20:18 +02:00
Maxime Dor	13e248c71e	Do not enforce Twilio config by default	2017-09-25 18:04:21 +02:00
Maxime Dor	d221b2c5de	Fix groovy rollback issue	2017-09-25 17:56:06 +02:00
Maxime Dor	3a1900cbb2	Add link to 3PID session documentation	2017-09-25 17:15:37 +02:00
Max Dor	9f1867a030	Merge pull request #32 from kamax-io/phone_numbers-validation Phone numbers validation	2017-09-25 17:12:59 +02:00
Maxime Dor	a061241291	Use relative links	2017-09-25 17:11:58 +02:00
Maxime Dor	fefa81e935	Add link to phone numbers in TOC	2017-09-25 17:06:39 +02:00
Maxime Dor	1e77bf43c6	Add documentation to validate phone numbers	2017-09-25 17:03:50 +02:00
Maxime Dor	c73bbf675e	First prototype to validate phone numbers	2017-09-25 05:53:07 +02:00
Maxime Dor	6c2e65ace5	Code formatting, cosmetic	2017-09-25 02:35:16 +02:00
Maxime Dor	33263d3cff	Bye bye Groovy, you won't be missed :(	2017-09-25 02:31:31 +02:00
Maxime Dor	af19fed6e7	More links to specific config docs	2017-09-25 00:15:30 +02:00
Maxime Dor	246dc4f8d1	Add web views link	2017-09-25 00:10:25 +02:00
Maxime Dor	31efa3e33f	More 3PID sessions configuration documentation	2017-09-25 00:08:58 +02:00
Maxime Dor	bee2a5129b	Fix inconsistencies into DNS library	2017-09-24 21:29:14 +02:00
Maxime Dor	f1e78af80b	Fix empty JSON object on empty lookup results	2017-09-24 21:12:49 +02:00
Max Dor	e0022e549e	Merge pull request #31 from kamax-io/binding-validation 3PID sessions support (email only)	2017-09-24 05:26:37 +02:00