Bump version to v0.7.0

Don't use mxid in mention pills
Add support for authenticated media
2024-07-16 11:28:58 +03:00 · 2024-07-15 19:26:09 +03:00 · 2024-07-12 20:09:07 +03:00 · 2024-06-24 21:43:11 +03:00 · 2024-06-24 21:36:38 +03:00 · 2024-06-24 21:28:45 +03:00
36 changed files with 1483 additions and 493 deletions
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@ -5,13 +5,20 @@ on: [push, pull_request]
 jobs:
  lint:
    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version: ["1.21", "1.22"]
+    name: Lint ${{ matrix.go-version == '1.22' && '(latest)' || '(old)' }}
+
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: Set up Go
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
-          go-version: "1.20"
+          go-version: ${{ matrix.go-version }}
+          cache: true

      - name: Install libolm
        run: sudo apt-get install libolm-dev libolm3
--- a/.gitignore
+++ b/.gitignore
@ -4,3 +4,6 @@

 *.db*
 *.log*
+
+/mautrix-discord
+/start
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -1,6 +1,6 @@
 repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v4.5.0
    hooks:
      - id: trailing-whitespace
        exclude_types: [markdown]
@ -13,3 +13,8 @@ repos:
    hooks:
      - id: go-imports-repo
      - id: go-vet-repo-mod
+
+  - repo: https://github.com/beeper/pre-commit-go
+    rev: v0.3.1
+    hooks:
+      - id: zerolog-ban-msgf
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,54 @@
+# v0.7.0 (2024-07-16)
+
+* Bumped minimum Go version to 1.21.
+* Added support for Matrix v1.11 authenticated media.
+  * This also changes how avatars are sent to Discord when using relay webhooks.
+    To keep avatars working, you must configure `public_address` in the *bridge*
+    section of the config and proxy `/mautrix-discord/avatar/*` from that
+    address to the bridge.
+* Added `create-portal` command to create individual portals bypassing the
+  bridging mode. When used in combination with the `if-portal-exists` bridging
+  mode, this can be used to bridge individual channels from a guild.
+* Changed how direct media access works to make it compatible with Discord's
+  signed URL requirement. The new system must be enabled manually, see
+  [docs](https://docs.mau.fi/bridges/go/discord/direct-media.html) for info.
+
+# v0.6.5 (2024-01-16)
+
+* Fixed adding reply embed to webhook sends if the Matrix room is encrypted.
+
+# v0.6.4 (2023-11-16)
+
+* Changed error messages to be sent in a thread if the errored message was in
+  a thread.
+
+# v0.6.3 (2023-10-16)
+
+* Fixed op7 reconnects during connection causing the bridge to get stuck
+  disconnected.
+* Fixed double puppet of recipient joining DM portals when both ends of a DM
+  are using the same bridge.
+
+# v0.6.2 (2023-09-16)
+
+* Added support for double puppeting with arbitrary `as_token`s.
+  See [docs](https://docs.mau.fi/bridges/general/double-puppeting.html#appservice-method-new) for more info.
+* Adjusted markdown parsing rules to allow inline links in normal messages.
+* Fixed panic if redacting an attachment fails.
+* Fixed panic when handling video embeds with no URLs
+  (thanks to [@odrling] in [#110]).
+
+[@odrling]: https://github.com/odrling
+[#110]: https://github.com/mautrix/discord/pull/110
+
+# v0.6.1 (2023-08-16)
+
+* Bumped minimum Go version to 1.20.
+* Fixed all logged-in users being invited to existing portal rooms even if they
+  don't have permission to view the channel on Discord.
+* Fixed gif links not being treated as embeds if the canonical URL is different
+  than the URL in the message body.
+
 # v0.6.0 (2023-07-16)

 * Added initial support for backfilling threads.
--- a/ROADMAP.md
+++ b/ROADMAP.md
@ -1,11 +1,12 @@
 # Features & roadmap
 * Matrix → Discord
-  * [x] Message content
+  * [ ] Message content
    * [x] Plain text
    * [x] Formatted messages
    * [x] Media/files
    * [x] Replies
    * [x] Threads
+    * [ ] Custom emojis
  * [x] Message redactions
  * [x] Reactions
    * [x] Unicode emojis
@ -45,7 +46,7 @@
  * [x] Message deletions
  * [x] Reactions
    * [x] Unicode emojis
-    * [x] Custom emojis (not yet supported on Matrix)
+    * [x] Custom emojis ([MSC4027](https://github.com/matrix-org/matrix-spec-proposals/pull/4027))
  * [x] Avatars
  * [ ] Presence
  * [ ] Typing notifications (currently partial support: DMs work after you type in them)
--- a/attachments.go
+++ b/attachments.go
@ -18,14 +18,13 @@ import (

 	"github.com/bwmarrin/discordgo"
 	"github.com/gabriel-vasile/mimetype"
-
+	"go.mau.fi/util/exsync"
+	"go.mau.fi/util/ffmpeg"
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/crypto/attachment"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util"
-	"maunium.net/go/mautrix/util/ffmpeg"

 	"go.mau.fi/mautrix-discord/database"
 )
@ -269,7 +268,7 @@ func (br *DiscordBridge) copyAttachmentToMatrix(intent *appservice.IntentAPI, ur
 	returnDBFile = br.DB.File.Get(url, encrypt)
 	if returnDBFile == nil {
 		transferKey := attachmentKey{url, encrypt}
-		once, _ := br.attachmentTransfers.GetOrSet(transferKey, &util.ReturnableOnce[*database.File]{})
+		once, _ := br.attachmentTransfers.GetOrSet(transferKey, &exsync.ReturnableOnce[*database.File]{})
 		returnDBFile, returnErr = once.Do(func() (onceDBFile *database.File, onceErr error) {
 			if isCacheable {
 				onceDBFile = br.DB.File.Get(url, encrypt)
@ -324,19 +323,17 @@ func (br *DiscordBridge) copyAttachmentToMatrix(intent *appservice.IntentAPI, ur
 }

 func (portal *Portal) getEmojiMXCByDiscordID(emojiID, name string, animated bool) id.ContentURI {
-	var url, mimeType, ext string
+	mxc := portal.bridge.DMA.EmojiMXC(emojiID, name, animated)
+	if !mxc.IsEmpty() {
+		return mxc
+	}
+	var url, mimeType string
 	if animated {
 		url = discordgo.EndpointEmojiAnimated(emojiID)
 		mimeType = "image/gif"
-		ext = "gif"
 	} else {
 		url = discordgo.EndpointEmoji(emojiID)
 		mimeType = "image/png"
-		ext = "png"
-	}
-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Emoji(emojiID, ext)
-	if !mxc.IsEmpty() {
-		return mxc
 	}
 	dbFile, err := portal.bridge.copyAttachmentToMatrix(portal.MainIntent(), url, false, AttachmentMeta{
 		AttachmentID: emojiID,
--- a/commands.go
+++ b/commands.go
@ -62,6 +62,7 @@ func (br *DiscordBridge) RegisterCommands() {
 		cmdBridge,
 		cmdUnbridge,
 		cmdDeletePortal,
+		cmdCreatePortal,
 		cmdSetRelay,
 		cmdUnsetRelay,
 		cmdGuilds,
@ -757,7 +758,7 @@ func fnBridge(ce *WrappedCommandEvent) {
 	portal.updateRoomName()
 	portal.updateRoomAvatar()
 	portal.updateRoomTopic()
-	portal.updateSpace()
+	portal.updateSpace(ce.User)
 	portal.UpdateBridgeInfo()
 	state, err := portal.MainIntent().State(portal.MXID)
 	if err != nil {
@ -785,6 +786,45 @@ var cmdUnbridge = &commands.FullHandler{
 	RequiresEventLevel: roomModerator,
 }

+var cmdCreatePortal = &commands.FullHandler{
+	Func: wrapCommand(fnCreatePortal),
+	Name: "create-portal",
+	Help: commands.HelpMeta{
+		Section:     HelpSectionPortalManagement,
+		Description: "Create a portal for a specific channel",
+		Args:        "<_channel ID_>",
+	},
+	RequiresLogin: true,
+}
+
+func fnCreatePortal(ce *WrappedCommandEvent) {
+	meta, err := ce.User.Session.Channel(ce.Args[0])
+	if err != nil {
+		ce.Reply("Failed to get channel info: %v", err)
+		return
+	} else if meta == nil {
+		ce.Reply("Channel not found")
+		return
+	} else if !ce.User.channelIsBridgeable(meta) {
+		ce.Reply("That channel can't be bridged")
+		return
+	}
+	portal := ce.User.GetPortalByMeta(meta)
+	if portal.Guild != nil && portal.Guild.BridgingMode == database.GuildBridgeNothing {
+		ce.Reply("That guild is set to not bridge any messages. Bridge the guild with `$cmdprefix guilds bridge %s` first", portal.Guild.ID)
+		return
+	} else if portal.MXID != "" {
+		ce.Reply("That channel is already bridged: [%s](%s)", portal.Name, portal.MXID.URI(portal.bridge.Config.Homeserver.Domain).MatrixToURL())
+		return
+	}
+	err = portal.CreateMatrixRoom(ce.User, meta)
+	if err != nil {
+		ce.Reply("Failed to create portal: %v", err)
+	} else {
+		ce.Reply("Portal created: [%s](%s)", portal.Name, portal.MXID.URI(portal.bridge.Config.Homeserver.Domain).MatrixToURL())
+	}
+}
+
 var cmdDeletePortal = &commands.FullHandler{
 	Func: wrapCommand(fnUnbridge),
 	Name: "delete-portal",
--- a/config/bridge.go
+++ b/config/bridge.go
@ -25,7 +25,6 @@ import (
 	"github.com/bwmarrin/discordgo"

 	"maunium.net/go/mautrix/bridge/bridgeconfig"
-	"maunium.net/go/mautrix/id"
 )

 type BridgeConfig struct {
@ -38,6 +37,9 @@ type BridgeConfig struct {

 	PortalMessageBuffer int `yaml:"portal_message_buffer"`

+	PublicAddress  string `yaml:"public_address"`
+	AvatarProxyKey string `yaml:"avatar_proxy_key"`
+
 	DeliveryReceipts            bool `yaml:"delivery_receipts"`
 	MessageStatusEvents         bool `yaml:"message_status_events"`
 	MessageErrorNotices         bool `yaml:"message_error_notices"`
@ -55,8 +57,8 @@ type BridgeConfig struct {
 	EnableWebhookAvatars        bool `yaml:"enable_webhook_avatars"`
 	UseDiscordCDNUpload         bool `yaml:"use_discord_cdn_upload"`

-	CacheMedia    string        `yaml:"cache_media"`
-	MediaPatterns MediaPatterns `yaml:"media_patterns"`
+	CacheMedia  string      `yaml:"cache_media"`
+	DirectMedia DirectMedia `yaml:"direct_media"`

 	AnimatedSticker struct {
 		Target string `yaml:"target"`
@ -67,9 +69,7 @@ type BridgeConfig struct {
 		} `yaml:"args"`
 	} `yaml:"animated_sticker"`

-	DoublePuppetServerMap      map[string]string `yaml:"double_puppet_server_map"`
-	DoublePuppetAllowDiscovery bool              `yaml:"double_puppet_allow_discovery"`
-	LoginSharedSecretMap       map[string]string `yaml:"login_shared_secret_map"`
+	DoublePuppetConfig bridgeconfig.DoublePuppetConfig `yaml:",inline"`

 	CommandPrefix      string                           `yaml:"command_prefix"`
 	ManagementRoomText bridgeconfig.ManagementRoomTexts `yaml:"management_room_text"`
@ -85,8 +85,9 @@ type BridgeConfig struct {
 	Encryption bridgeconfig.EncryptionConfig `yaml:"encryption"`

 	Provisioning struct {
-		Prefix       string `yaml:"prefix"`
-		SharedSecret string `yaml:"shared_secret"`
+		Prefix         string `yaml:"prefix"`
+		SharedSecret   string `yaml:"shared_secret"`
+		DebugEndpoints bool   `yaml:"debug_endpoints"`
 	} `yaml:"provisioning"`

 	Permissions bridgeconfig.PermissionConfig `yaml:"permissions"`
@ -97,111 +98,12 @@ type BridgeConfig struct {
 	guildNameTemplate   *template.Template `yaml:"-"`
 }

-type MediaPatterns struct {
-	Enabled        bool   `yaml:"enabled"`
-	TplAttachments string `yaml:"attachments"`
-	TplEmojis      string `yaml:"emojis"`
-	TplStickers    string `yaml:"stickers"`
-	TplAvatars     string `yaml:"avatars"`
-
-	attachments *template.Template `yaml:"-"`
-	emojis      *template.Template `yaml:"-"`
-	stickers    *template.Template `yaml:"-"`
-	avatars     *template.Template `yaml:"-"`
-}
-
-type umMediaPatterns MediaPatterns
-
-func (mp *MediaPatterns) UnmarshalYAML(unmarshal func(interface{}) error) error {
-	err := unmarshal((*umMediaPatterns)(mp))
-	if err != nil {
-		return err
-	}
-	tpl := template.New("media_patterns")
-
-	pairs := []struct {
-		ptr      **template.Template
-		name     string
-		template string
-	}{
-		{&mp.attachments, "attachments", mp.TplAttachments},
-		{&mp.emojis, "emojis", mp.TplEmojis},
-		{&mp.stickers, "stickers", mp.TplStickers},
-		{&mp.avatars, "avatars", mp.TplAvatars},
-	}
-	for _, pair := range pairs {
-		if pair.template == "" {
-			continue
-		}
-		*pair.ptr, err = tpl.New(pair.name).Parse(pair.template)
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-type attachmentParams struct {
-	ChannelID    string
-	AttachmentID string
-	FileName     string
-}
-
-type emojiStickerParams struct {
-	ID  string
-	Ext string
-}
-
-type avatarParams struct {
-	UserID   string
-	AvatarID string
-	Ext      string
-}
-
-func (mp *MediaPatterns) execute(tpl *template.Template, params any) id.ContentURI {
-	if tpl == nil || !mp.Enabled {
-		return id.ContentURI{}
-	}
-	var out strings.Builder
-	err := tpl.Execute(&out, params)
-	if err != nil {
-		panic(err)
-	}
-	uri, err := id.ParseContentURI(out.String())
-	if err != nil {
-		panic(err)
-	}
-	return uri
-}
-
-func (mp *MediaPatterns) Attachment(channelID, attachmentID, filename string) id.ContentURI {
-	return mp.execute(mp.attachments, attachmentParams{
-		ChannelID:    channelID,
-		AttachmentID: attachmentID,
-		FileName:     filename,
-	})
-}
-
-func (mp *MediaPatterns) Emoji(emojiID, ext string) id.ContentURI {
-	return mp.execute(mp.emojis, emojiStickerParams{
-		ID:  emojiID,
-		Ext: ext,
-	})
-}
-
-func (mp *MediaPatterns) Sticker(stickerID, ext string) id.ContentURI {
-	return mp.execute(mp.stickers, emojiStickerParams{
-		ID:  stickerID,
-		Ext: ext,
-	})
-}
-
-func (mp *MediaPatterns) Avatar(userID, avatarID, ext string) id.ContentURI {
-	return mp.execute(mp.avatars, avatarParams{
-		UserID:   userID,
-		AvatarID: avatarID,
-		Ext:      ext,
-	})
+type DirectMedia struct {
+	Enabled           bool   `yaml:"enabled"`
+	ServerName        string `yaml:"server_name"`
+	WellKnownResponse string `yaml:"well_known_response"`
+	AllowProxy        bool   `yaml:"allow_proxy"`
+	ServerKey         string `yaml:"server_key"`
 }

 type BackfillLimitPart struct {
@ -272,6 +174,10 @@ func (bc *BridgeConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {

 var _ bridgeconfig.BridgeConfig = (*BridgeConfig)(nil)

+func (bc BridgeConfig) GetDoublePuppetConfig() bridgeconfig.DoublePuppetConfig {
+	return bc.DoublePuppetConfig
+}
+
 func (bc BridgeConfig) GetEncryptionConfig() bridgeconfig.EncryptionConfig {
 	return bc.Encryption
 }
--- a/config/config.go
+++ b/config/config.go
@ -29,7 +29,7 @@ type Config struct {

 func (config *Config) CanAutoDoublePuppet(userID id.UserID) bool {
 	_, homeserver, _ := userID.Parse()
-	_, hasSecret := config.Bridge.LoginSharedSecretMap[homeserver]
+	_, hasSecret := config.Bridge.DoublePuppetConfig.SharedSecretMap[homeserver]

 	return hasSecret
 }
--- a/config/upgrade.go
+++ b/config/upgrade.go
@ -17,16 +17,15 @@
 package config

 import (
+	up "go.mau.fi/util/configupgrade"
+	"go.mau.fi/util/random"
 	"maunium.net/go/mautrix/bridge/bridgeconfig"
-	"maunium.net/go/mautrix/util"
-	up "maunium.net/go/mautrix/util/configupgrade"
+	"maunium.net/go/mautrix/federation"
 )

 func DoUpgrade(helper *up.Helper) {
 	bridgeconfig.Upgrader.DoUpgrade(helper)

-	helper.Copy(up.Str|up.Null, "homeserver", "public_address")
-
 	helper.Copy(up.Str, "bridge", "username_template")
 	helper.Copy(up.Str, "bridge", "displayname_template")
 	helper.Copy(up.Str, "bridge", "channel_name_template")
@ -41,6 +40,12 @@ func DoUpgrade(helper *up.Helper) {
 		helper.Copy(up.Str, "bridge", "private_chat_portal_meta")
 	}
 	helper.Copy(up.Int, "bridge", "startup_private_channel_create_limit")
+	helper.Copy(up.Str|up.Null, "bridge", "public_address")
+	if apkey, ok := helper.Get(up.Str, "bridge", "avatar_proxy_key"); !ok || apkey == "generate" {
+		helper.Set(up.Str, random.String(32), "bridge", "avatar_proxy_key")
+	} else {
+		helper.Copy(up.Str, "bridge", "avatar_proxy_key")
+	}
 	helper.Copy(up.Int, "bridge", "portal_message_buffer")
 	helper.Copy(up.Bool, "bridge", "delivery_receipts")
 	helper.Copy(up.Bool, "bridge", "message_status_events")
@ -58,12 +63,17 @@ func DoUpgrade(helper *up.Helper) {
 	helper.Copy(up.Bool, "bridge", "prefix_webhook_messages")
 	helper.Copy(up.Bool, "bridge", "enable_webhook_avatars")
 	helper.Copy(up.Bool, "bridge", "use_discord_cdn_upload")
-	helper.Copy(up.Bool, "bridge", "media_patterns", "enabled")
 	helper.Copy(up.Str, "bridge", "cache_media")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "attachments")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "emojis")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "stickers")
-	helper.Copy(up.Str|up.Null, "bridge", "media_patterns", "avatars")
+	helper.Copy(up.Bool, "bridge", "direct_media", "enabled")
+	helper.Copy(up.Str, "bridge", "direct_media", "server_name")
+	helper.Copy(up.Str|up.Null, "bridge", "direct_media", "well_known_response")
+	helper.Copy(up.Bool, "bridge", "direct_media", "allow_proxy")
+	if serverKey, ok := helper.Get(up.Str, "bridge", "direct_media", "server_key"); !ok || serverKey == "generate" {
+		serverKey = federation.GenerateSigningKey().SynapseString()
+		helper.Set(up.Str, serverKey, "bridge", "direct_media", "server_key")
+	} else {
+		helper.Copy(up.Str, "bridge", "direct_media", "server_key")
+	}
 	helper.Copy(up.Str, "bridge", "animated_sticker", "target")
 	helper.Copy(up.Int, "bridge", "animated_sticker", "args", "width")
 	helper.Copy(up.Int, "bridge", "animated_sticker", "args", "height")
@ -108,11 +118,12 @@ func DoUpgrade(helper *up.Helper) {

 	helper.Copy(up.Str, "bridge", "provisioning", "prefix")
 	if secret, ok := helper.Get(up.Str, "bridge", "provisioning", "shared_secret"); !ok || secret == "generate" {
-		sharedSecret := util.RandomString(64)
+		sharedSecret := random.String(64)
 		helper.Set(up.Str, sharedSecret, "bridge", "provisioning", "shared_secret")
 	} else {
 		helper.Copy(up.Str, "bridge", "provisioning", "shared_secret")
 	}
+	helper.Copy(up.Bool, "bridge", "provisioning", "debug_endpoints")

 	helper.Copy(up.Map, "bridge", "permissions")
 	//helper.Copy(up.Bool, "bridge", "relay", "enabled")
--- a/custompuppet.go
+++ b/custompuppet.go
@ -1,170 +1,72 @@
 package main

 import (
-	"crypto/hmac"
-	"crypto/sha512"
-	"encoding/hex"
-	"errors"
-	"fmt"
-
-	"maunium.net/go/mautrix"
-	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/id"
 )

-var (
-	ErrNoCustomMXID    = errors.New("no custom mxid set")
-	ErrMismatchingMXID = errors.New("whoami result does not match custom mxid")
-)
-
-func (br *DiscordBridge) newDoublePuppetClient(mxid id.UserID, accessToken string) (*mautrix.Client, error) {
-	_, homeserver, err := mxid.Parse()
-	if err != nil {
-		return nil, err
-	}
-
-	homeserverURL, found := br.Config.Bridge.DoublePuppetServerMap[homeserver]
-	if !found {
-		if homeserver == br.AS.HomeserverDomain {
-			homeserverURL = ""
-		} else if br.Config.Bridge.DoublePuppetAllowDiscovery {
-			resp, err := mautrix.DiscoverClientAPI(homeserver)
-			if err != nil {
-				return nil, fmt.Errorf("failed to find homeserver URL for %s: %v", homeserver, err)
-			}
-
-			homeserverURL = resp.Homeserver.BaseURL
-			br.Log.Debugfln("Discovered URL %s for %s to enable double puppeting for %s", homeserverURL, homeserver, mxid)
-		} else {
-			return nil, fmt.Errorf("double puppeting from %s is not allowed", homeserver)
-		}
-	}
-
-	return br.AS.NewExternalMautrixClient(mxid, accessToken, homeserverURL)
-}
-
-func (puppet *Puppet) clearCustomMXID() {
-	puppet.CustomMXID = ""
-	puppet.AccessToken = ""
-	puppet.customIntent = nil
-	puppet.customUser = nil
-}
-
-func (puppet *Puppet) newCustomIntent() (*appservice.IntentAPI, error) {
-	if puppet.CustomMXID == "" {
-		return nil, ErrNoCustomMXID
-	}
-
-	client, err := puppet.bridge.newDoublePuppetClient(puppet.CustomMXID, puppet.AccessToken)
-	if err != nil {
-		return nil, err
-	}
-
-	ia := puppet.bridge.AS.NewIntentAPI("custom")
-	ia.Client = client
-	ia.Localpart, _, _ = puppet.CustomMXID.Parse()
-	ia.UserID = puppet.CustomMXID
-	ia.IsCustomPuppet = true
-	return ia, nil
-}
-
-func (puppet *Puppet) StartCustomMXID(reloginOnFail bool) error {
-	if puppet.CustomMXID == "" {
-		puppet.clearCustomMXID()
-		return nil
-	}
-
-	intent, err := puppet.newCustomIntent()
-	if err != nil {
-		puppet.clearCustomMXID()
-		return err
-	}
-
-	resp, err := intent.Whoami()
-	if err != nil {
-		if !reloginOnFail || (errors.Is(err, mautrix.MUnknownToken) && !puppet.tryRelogin(err, "initializing double puppeting")) {
-			puppet.clearCustomMXID()
-			return err
-		}
-
-		intent.AccessToken = puppet.AccessToken
-	} else if resp.UserID != puppet.CustomMXID {
-		puppet.clearCustomMXID()
-		return ErrMismatchingMXID
-	}
-
-	puppet.customIntent = intent
-	puppet.customUser = puppet.bridge.GetUserByMXID(puppet.CustomMXID)
-	return nil
-}
-
-func (puppet *Puppet) tryRelogin(cause error, action string) bool {
-	if !puppet.bridge.Config.CanAutoDoublePuppet(puppet.CustomMXID) {
-		return false
-	}
-	log := puppet.log.With().
-		AnErr("cause_error", cause).
-		Str("while_action", action).
-		Logger()
-	log.Debug().Msg("Trying to relogin")
-	accessToken, err := puppet.loginWithSharedSecret(puppet.CustomMXID)
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to relogin")
-		return false
-	}
-	log.Info().Msg("Successfully relogined")
-	puppet.AccessToken = accessToken
-	puppet.Update()
-	return true
-}
-
-func (puppet *Puppet) loginWithSharedSecret(mxid id.UserID) (string, error) {
-	_, homeserver, _ := mxid.Parse()
-	puppet.log.Debug().Str("user_id", mxid.String()).Msg("Logging into double puppet target with shared secret")
-	loginSecret := puppet.bridge.Config.Bridge.LoginSharedSecretMap[homeserver]
-	client, err := puppet.bridge.newDoublePuppetClient(mxid, "")
-	if err != nil {
-		return "", fmt.Errorf("failed to create mautrix client to log in: %v", err)
-	}
-	req := mautrix.ReqLogin{
-		Identifier:               mautrix.UserIdentifier{Type: mautrix.IdentifierTypeUser, User: string(mxid)},
-		DeviceID:                 "Discord Bridge",
-		InitialDeviceDisplayName: "Discord Bridge",
-	}
-	if loginSecret == "appservice" {
-		client.AccessToken = puppet.bridge.AS.Registration.AppToken
-		req.Type = mautrix.AuthTypeAppservice
-	} else {
-		mac := hmac.New(sha512.New, []byte(loginSecret))
-		mac.Write([]byte(mxid))
-		req.Password = hex.EncodeToString(mac.Sum(nil))
-		req.Type = mautrix.AuthTypePassword
-	}
-	resp, err := client.Login(&req)
-	if err != nil {
-		return "", err
-	}
-	return resp.AccessToken, nil
-}
-
 func (puppet *Puppet) SwitchCustomMXID(accessToken string, mxid id.UserID) error {
-	prevCustomMXID := puppet.CustomMXID
 	puppet.CustomMXID = mxid
 	puppet.AccessToken = accessToken
-
+	puppet.Update()
 	err := puppet.StartCustomMXID(false)
 	if err != nil {
 		return err
 	}
-
-	if prevCustomMXID != "" {
-		delete(puppet.bridge.puppetsByCustomMXID, prevCustomMXID)
-	}
-	if puppet.CustomMXID != "" {
-		puppet.bridge.puppetsByCustomMXID[puppet.CustomMXID] = puppet
-	}
-	puppet.bridge.AS.StateStore.MarkRegistered(puppet.CustomMXID)
-	puppet.Update()
 	// TODO leave rooms with default puppet
 	return nil
 }
+
+func (puppet *Puppet) ClearCustomMXID() {
+	save := puppet.CustomMXID != "" || puppet.AccessToken != ""
+	puppet.bridge.puppetsLock.Lock()
+	if puppet.CustomMXID != "" && puppet.bridge.puppetsByCustomMXID[puppet.CustomMXID] == puppet {
+		delete(puppet.bridge.puppetsByCustomMXID, puppet.CustomMXID)
+	}
+	puppet.bridge.puppetsLock.Unlock()
+	puppet.CustomMXID = ""
+	puppet.AccessToken = ""
+	puppet.customIntent = nil
+	puppet.customUser = nil
+	if save {
+		puppet.Update()
+	}
+}
+
+func (puppet *Puppet) StartCustomMXID(reloginOnFail bool) error {
+	newIntent, newAccessToken, err := puppet.bridge.DoublePuppet.Setup(puppet.CustomMXID, puppet.AccessToken, reloginOnFail)
+	if err != nil {
+		puppet.ClearCustomMXID()
+		return err
+	}
+	puppet.bridge.puppetsLock.Lock()
+	puppet.bridge.puppetsByCustomMXID[puppet.CustomMXID] = puppet
+	puppet.bridge.puppetsLock.Unlock()
+	if puppet.AccessToken != newAccessToken {
+		puppet.AccessToken = newAccessToken
+		puppet.Update()
+	}
+	puppet.customIntent = newIntent
+	puppet.customUser = puppet.bridge.GetUserByMXID(puppet.CustomMXID)
+	return nil
+}
+
+func (user *User) tryAutomaticDoublePuppeting() {
+	if !user.bridge.Config.CanAutoDoublePuppet(user.MXID) {
+		return
+	}
+	user.log.Debug().Msg("Checking if double puppeting needs to be enabled")
+	puppet := user.bridge.GetPuppetByID(user.DiscordID)
+	if len(puppet.CustomMXID) > 0 {
+		user.log.Debug().Msg("User already has double-puppeting enabled")
+		// Custom puppet already enabled
+		return
+	}
+	puppet.CustomMXID = user.MXID
+	err := puppet.StartCustomMXID(true)
+	if err != nil {
+		user.log.Warn().Err(err).Msg("Failed to login with shared secret")
+	} else {
+		// TODO leave rooms with default puppet
+		user.log.Debug().Msg("Successfully automatically enabled custom puppet")
+	}
+}
--- a/database/database.go
+++ b/database/database.go
@ -5,10 +5,9 @@ import (

 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
+	"go.mau.fi/util/dbutil"
 	"maunium.net/go/maulogger/v2"

-	"maunium.net/go/mautrix/util/dbutil"
-
 	"go.mau.fi/mautrix-discord/database/upgrades"
 )

--- a/database/file.go
+++ b/database/file.go
@ -6,11 +6,10 @@ import (
 	"errors"
 	"time"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/crypto/attachment"
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type FileQuery struct {
--- a/database/guild.go
+++ b/database/guild.go
@ -6,10 +6,9 @@ import (
 	"fmt"
 	"strings"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
 	"maunium.net/go/mautrix/id"
-
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type GuildBridgingMode int
--- a/database/message.go
+++ b/database/message.go
@ -7,10 +7,9 @@ import (
 	"strings"
 	"time"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type MessageQuery struct {
@ -108,7 +107,7 @@ func (mq *MessageQuery) MassInsert(key PortalKey, msgs []Message) {
 	params[0] = key.ChannelID
 	params[1] = key.Receiver
 	for i, msg := range msgs {
-		baseIndex := 2 + i*7
+		baseIndex := 2 + i*8
 		params[baseIndex] = msg.DiscordID
 		params[baseIndex+1] = msg.AttachmentID
 		params[baseIndex+2] = msg.SenderID
--- a/database/portal.go
+++ b/database/portal.go
@ -4,11 +4,9 @@ import (
 	"database/sql"

 	"github.com/bwmarrin/discordgo"
-
+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 // language=postgresql
--- a/database/puppet.go
+++ b/database/puppet.go
@ -3,10 +3,9 @@ package database
 import (
 	"database/sql"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 const (
--- a/database/reaction.go
+++ b/database/reaction.go
@ -4,10 +4,9 @@ import (
 	"database/sql"
 	"errors"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type ReactionQuery struct {
--- a/database/role.go
+++ b/database/role.go
@ -4,11 +4,9 @@ import (
 	"database/sql"
 	"errors"

-	log "maunium.net/go/maulogger/v2"
-
-	"maunium.net/go/mautrix/util/dbutil"
-
 	"github.com/bwmarrin/discordgo"
+	"go.mau.fi/util/dbutil"
+	log "maunium.net/go/maulogger/v2"
 )

 type RoleQuery struct {
--- a/database/thread.go
+++ b/database/thread.go
@ -4,10 +4,9 @@ import (
 	"database/sql"
 	"errors"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type ThreadQuery struct {
--- a/database/upgrades/upgrades.go
+++ b/database/upgrades/upgrades.go
@ -19,7 +19,7 @@ package upgrades
 import (
 	"embed"

-	"maunium.net/go/mautrix/util/dbutil"
+	"go.mau.fi/util/dbutil"
 )

 var Table dbutil.UpgradeTable
--- a/database/user.go
+++ b/database/user.go
@ -3,10 +3,9 @@ package database
 import (
 	"database/sql"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/dbutil"
 )

 type UserQuery struct {
--- a/database/userportal.go
+++ b/database/userportal.go
@ -5,8 +5,9 @@ import (
 	"errors"
 	"time"

+	"go.mau.fi/util/dbutil"
 	log "maunium.net/go/maulogger/v2"
-	"maunium.net/go/mautrix/util/dbutil"
+	"maunium.net/go/mautrix/id"
 )

 const (
@ -44,6 +45,24 @@ func (u *User) scanUserPortals(rows dbutil.Rows) []UserPortal {
 	return ups
 }

+func (db *Database) GetUsersInPortal(channelID string) []id.UserID {
+	rows, err := db.Query("SELECT user_mxid FROM user_portal WHERE discord_id=$1", channelID)
+	if err != nil {
+		db.Portal.log.Errorln("Failed to get users in portal:", err)
+	}
+	var users []id.UserID
+	for rows.Next() {
+		var mxid id.UserID
+		err = rows.Scan(&mxid)
+		if err != nil {
+			db.Portal.log.Errorln("Failed to scan user in portal:", err)
+		} else {
+			users = append(users, mxid)
+		}
+	}
+	return users
+}
+
 func (u *User) GetPortals() []UserPortal {
 	rows, err := u.db.Query("SELECT discord_id, type, timestamp, in_space FROM user_portal WHERE user_mxid=$1", u.MXID)
 	if err != nil {
--- a/directmedia.go
+++ b/directmedia.go
@ -0,0 +1,658 @@
+// mautrix-discord - A Matrix-Discord puppeting bridge.
+// Copyright (C) 2024 Tulir Asokan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"mime"
+	"mime/multipart"
+	"net"
+	"net/http"
+	"net/textproto"
+	"net/url"
+	"os"
+	"strconv"
+	"strings"
+	"sync"
+	"sync/atomic"
+	"time"
+
+	"github.com/bwmarrin/discordgo"
+	"github.com/gorilla/mux"
+	"github.com/rs/zerolog"
+	"maunium.net/go/mautrix"
+	"maunium.net/go/mautrix/federation"
+	"maunium.net/go/mautrix/id"
+
+	"go.mau.fi/mautrix-discord/config"
+	"go.mau.fi/mautrix-discord/database"
+)
+
+type DirectMediaAPI struct {
+	bridge *DiscordBridge
+	ks     *federation.KeyServer
+	cfg    config.DirectMedia
+	log    zerolog.Logger
+	proxy  http.Client
+
+	signatureKey [32]byte
+
+	attachmentCache     map[AttachmentCacheKey]AttachmentCacheValue
+	attachmentCacheLock sync.Mutex
+}
+
+type AttachmentCacheKey struct {
+	ChannelID    uint64
+	AttachmentID uint64
+}
+
+type AttachmentCacheValue struct {
+	URL    string
+	Expiry time.Time
+}
+
+func newDirectMediaAPI(br *DiscordBridge) *DirectMediaAPI {
+	if !br.Config.Bridge.DirectMedia.Enabled {
+		return nil
+	}
+	dma := &DirectMediaAPI{
+		bridge: br,
+		cfg:    br.Config.Bridge.DirectMedia,
+		log:    br.ZLog.With().Str("component", "direct media").Logger(),
+		proxy: http.Client{
+			Transport: &http.Transport{
+				DialContext:         (&net.Dialer{Timeout: 10 * time.Second}).DialContext,
+				TLSHandshakeTimeout: 10 * time.Second,
+				ForceAttemptHTTP2:   false,
+			},
+			Timeout: 60 * time.Second,
+		},
+		attachmentCache: make(map[AttachmentCacheKey]AttachmentCacheValue),
+	}
+	r := br.AS.Router
+
+	parsed, err := federation.ParseSynapseKey(dma.cfg.ServerKey)
+	if err != nil {
+		dma.log.WithLevel(zerolog.FatalLevel).Err(err).Msg("Failed to parse server key")
+		os.Exit(11)
+		return nil
+	}
+	dma.signatureKey = sha256.Sum256(parsed.Priv.Seed())
+	dma.ks = &federation.KeyServer{
+		KeyProvider: &federation.StaticServerKey{
+			ServerName: dma.cfg.ServerName,
+			Key:        parsed,
+		},
+		WellKnownTarget: dma.cfg.WellKnownResponse,
+		Version: federation.ServerVersion{
+			Name:    br.Name,
+			Version: br.Version,
+		},
+	}
+	if dma.ks.WellKnownTarget == "" {
+		dma.ks.WellKnownTarget = fmt.Sprintf("%s:443", dma.cfg.ServerName)
+	}
+	federationRouter := r.PathPrefix("/_matrix/federation").Subrouter()
+	mediaRouter := r.PathPrefix("/_matrix/media").Subrouter()
+	clientMediaRouter := r.PathPrefix("/_matrix/client/v1/media").Subrouter()
+	var reqIDCounter atomic.Uint64
+	middleware := func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Access-Control-Allow-Origin", "*")
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Authorization")
+			log := dma.log.With().
+				Str("remote_addr", r.RemoteAddr).
+				Str("request_path", r.URL.Path).
+				Uint64("req_id", reqIDCounter.Add(1)).
+				Logger()
+			next.ServeHTTP(w, r.WithContext(log.WithContext(r.Context())))
+		})
+	}
+	mediaRouter.Use(middleware)
+	federationRouter.Use(middleware)
+	clientMediaRouter.Use(middleware)
+	addRoutes := func(version string) {
+		mediaRouter.HandleFunc("/"+version+"/download/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/download/{serverName}/{mediaID}/{fileName}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/thumbnail/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/upload/{serverName}/{mediaID}", dma.UploadNotSupported).Methods(http.MethodPut)
+		mediaRouter.HandleFunc("/"+version+"/upload", dma.UploadNotSupported).Methods(http.MethodPost)
+		mediaRouter.HandleFunc("/"+version+"/create", dma.UploadNotSupported).Methods(http.MethodPost)
+		mediaRouter.HandleFunc("/"+version+"/config", dma.UploadNotSupported).Methods(http.MethodGet)
+		mediaRouter.HandleFunc("/"+version+"/preview_url", dma.PreviewURLNotSupported).Methods(http.MethodGet)
+	}
+	clientMediaRouter.HandleFunc("/download/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/download/{serverName}/{mediaID}/{fileName}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/thumbnail/{serverName}/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/upload/{serverName}/{mediaID}", dma.UploadNotSupported).Methods(http.MethodPut)
+	clientMediaRouter.HandleFunc("/upload", dma.UploadNotSupported).Methods(http.MethodPost)
+	clientMediaRouter.HandleFunc("/create", dma.UploadNotSupported).Methods(http.MethodPost)
+	clientMediaRouter.HandleFunc("/config", dma.UploadNotSupported).Methods(http.MethodGet)
+	clientMediaRouter.HandleFunc("/preview_url", dma.PreviewURLNotSupported).Methods(http.MethodGet)
+	addRoutes("v3")
+	addRoutes("r0")
+	addRoutes("v1")
+	federationRouter.HandleFunc("/v1/media/download/{mediaID}", dma.DownloadMedia).Methods(http.MethodGet)
+	federationRouter.HandleFunc("/v1/version", dma.ks.GetServerVersion).Methods(http.MethodGet)
+	mediaRouter.NotFoundHandler = http.HandlerFunc(dma.UnknownEndpoint)
+	mediaRouter.MethodNotAllowedHandler = http.HandlerFunc(dma.UnsupportedMethod)
+	federationRouter.NotFoundHandler = http.HandlerFunc(dma.UnknownEndpoint)
+	federationRouter.MethodNotAllowedHandler = http.HandlerFunc(dma.UnsupportedMethod)
+	dma.ks.Register(r)
+
+	return dma
+}
+
+func (dma *DirectMediaAPI) makeMXC(data MediaIDData) id.ContentURI {
+	return id.ContentURI{
+		Homeserver: dma.cfg.ServerName,
+		FileID:     data.Wrap().SignedString(dma.signatureKey),
+	}
+}
+
+func parseExpiryTS(addr string) time.Time {
+	parsedURL, err := url.Parse(addr)
+	if err != nil {
+		return time.Time{}
+	}
+	tsBytes, err := hex.DecodeString(parsedURL.Query().Get("ex"))
+	if err != nil || len(tsBytes) != 4 {
+		return time.Time{}
+	}
+	parsedTS := int64(binary.BigEndian.Uint32(tsBytes))
+	if parsedTS > time.Now().Unix() && parsedTS < time.Now().Add(365*24*time.Hour).Unix() {
+		return time.Unix(parsedTS, 0)
+	}
+	return time.Time{}
+}
+
+func (dma *DirectMediaAPI) addAttachmentToCache(channelID uint64, att *discordgo.MessageAttachment) time.Time {
+	attachmentID, err := strconv.ParseUint(att.ID, 10, 64)
+	if err != nil {
+		return time.Time{}
+	}
+	expiry := parseExpiryTS(att.URL)
+	if expiry.IsZero() {
+		expiry = time.Now().Add(24 * time.Hour)
+	}
+	dma.attachmentCache[AttachmentCacheKey{
+		ChannelID:    channelID,
+		AttachmentID: attachmentID,
+	}] = AttachmentCacheValue{
+		URL:    att.URL,
+		Expiry: expiry,
+	}
+	return expiry
+}
+
+func (dma *DirectMediaAPI) AttachmentMXC(channelID, messageID string, att *discordgo.MessageAttachment) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	channelIDInt, err := strconv.ParseUint(channelID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("channel_id", channelID).Msg("Got non-integer channel ID")
+		return
+	}
+	messageIDInt, err := strconv.ParseUint(messageID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("message_id", messageID).Msg("Got non-integer message ID")
+		return
+	}
+	attachmentIDInt, err := strconv.ParseUint(att.ID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("attachment_id", att.ID).Msg("Got non-integer attachment ID")
+		return
+	}
+	dma.attachmentCacheLock.Lock()
+	dma.addAttachmentToCache(channelIDInt, att)
+	dma.attachmentCacheLock.Unlock()
+	return dma.makeMXC(&AttachmentMediaData{
+		ChannelID:    channelIDInt,
+		MessageID:    messageIDInt,
+		AttachmentID: attachmentIDInt,
+	})
+}
+
+func (dma *DirectMediaAPI) EmojiMXC(emojiID, name string, animated bool) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	emojiIDInt, err := strconv.ParseUint(emojiID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("emoji_id", emojiID).Msg("Got non-integer emoji ID")
+		return
+	}
+	return dma.makeMXC(&EmojiMediaData{
+		EmojiMediaDataInner: EmojiMediaDataInner{
+			EmojiID:  emojiIDInt,
+			Animated: animated,
+		},
+		Name: name,
+	})
+}
+
+func (dma *DirectMediaAPI) StickerMXC(stickerID string, format discordgo.StickerFormat) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	stickerIDInt, err := strconv.ParseUint(stickerID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("sticker_id", stickerID).Msg("Got non-integer sticker ID")
+		return
+	} else if format > 255 || format < 0 {
+		dma.log.Warn().Int("format", int(format)).Msg("Got invalid sticker format")
+		return
+	}
+	return dma.makeMXC(&StickerMediaData{
+		StickerID: stickerIDInt,
+		Format:    byte(format),
+	})
+}
+
+func (dma *DirectMediaAPI) AvatarMXC(guildID, userID, avatarID string) (mxc id.ContentURI) {
+	if dma == nil {
+		return
+	}
+	animated := strings.HasPrefix(avatarID, "a_")
+	avatarIDBytes, err := hex.DecodeString(strings.TrimPrefix(avatarID, "a_"))
+	if err != nil {
+		dma.log.Warn().Str("avatar_id", avatarID).Msg("Got non-hex avatar ID")
+		return
+	} else if len(avatarIDBytes) != 16 {
+		dma.log.Warn().Str("avatar_id", avatarID).Msg("Got invalid avatar ID length")
+		return
+	}
+	avatarIDArray := [16]byte(avatarIDBytes)
+	userIDInt, err := strconv.ParseUint(userID, 10, 64)
+	if err != nil {
+		dma.log.Warn().Str("user_id", userID).Msg("Got non-integer user ID")
+		return
+	}
+	if guildID != "" {
+		guildIDInt, err := strconv.ParseUint(guildID, 10, 64)
+		if err != nil {
+			dma.log.Warn().Str("guild_id", guildID).Msg("Got non-integer guild ID")
+			return
+		}
+		return dma.makeMXC(&GuildMemberAvatarMediaData{
+			GuildID:  guildIDInt,
+			UserID:   userIDInt,
+			AvatarID: avatarIDArray,
+			Animated: animated,
+		})
+	} else {
+		return dma.makeMXC(&UserAvatarMediaData{
+			UserID:   userIDInt,
+			AvatarID: avatarIDArray,
+			Animated: animated,
+		})
+	}
+}
+
+type RespError struct {
+	Code    string
+	Message string
+	Status  int
+}
+
+func (re *RespError) Error() string {
+	return re.Message
+}
+
+var ErrNoUsersWithAccessFound = errors.New("no users found to fetch message")
+var ErrAttachmentNotFound = errors.New("attachment not found")
+
+func (dma *DirectMediaAPI) fetchNewAttachmentURL(ctx context.Context, meta *AttachmentMediaData) (string, time.Time, error) {
+	var client *discordgo.Session
+	channelIDStr := strconv.FormatUint(meta.ChannelID, 10)
+	portal := dma.bridge.GetExistingPortalByID(database.PortalKey{ChannelID: channelIDStr})
+	var users []id.UserID
+	if portal != nil && portal.GuildID != "" {
+		users = dma.bridge.DB.GetUsersInPortal(portal.GuildID)
+	} else {
+		users = dma.bridge.DB.GetUsersInPortal(channelIDStr)
+	}
+	for _, userID := range users {
+		user := dma.bridge.GetCachedUserByMXID(userID)
+		if user == nil || user.Session == nil {
+			continue
+		}
+		perms, err := user.Session.State.UserChannelPermissions(user.DiscordID, channelIDStr)
+		if err == nil && perms&discordgo.PermissionViewChannel == 0 {
+			continue
+		}
+		if client == nil || err == nil {
+			client = user.Session
+			if !client.IsUser {
+				break
+			}
+		}
+	}
+	if client == nil {
+		return "", time.Time{}, ErrNoUsersWithAccessFound
+	}
+	var msgs []*discordgo.Message
+	var err error
+	messageIDStr := strconv.FormatUint(meta.MessageID, 10)
+	if client.IsUser {
+		msgs, err = client.ChannelMessages(channelIDStr, 5, "", "", messageIDStr)
+	} else {
+		var msg *discordgo.Message
+		msg, err = client.ChannelMessage(channelIDStr, messageIDStr)
+		msgs = []*discordgo.Message{msg}
+	}
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("failed to fetch message: %w", err)
+	}
+	attachmentIDStr := strconv.FormatUint(meta.AttachmentID, 10)
+	var url string
+	var expiry time.Time
+	for _, item := range msgs {
+		for _, att := range item.Attachments {
+			thisExpiry := dma.addAttachmentToCache(meta.ChannelID, att)
+			if att.ID == attachmentIDStr {
+				url = att.URL
+				expiry = thisExpiry
+			}
+		}
+	}
+	if url == "" {
+		return "", time.Time{}, ErrAttachmentNotFound
+	}
+	return url, expiry, nil
+}
+
+func (dma *DirectMediaAPI) GetEmojiInfo(contentURI id.ContentURI) *EmojiMediaData {
+	if dma == nil || contentURI.IsEmpty() || contentURI.Homeserver != dma.cfg.ServerName {
+		return nil
+	}
+	mediaID, err := ParseMediaID(contentURI.FileID, dma.signatureKey)
+	if err != nil {
+		return nil
+	}
+	emojiData, ok := mediaID.Data.(*EmojiMediaData)
+	if !ok {
+		return nil
+	}
+	return emojiData
+
+}
+
+func (dma *DirectMediaAPI) getMediaURL(ctx context.Context, encodedMediaID string) (url string, expiry time.Time, err error) {
+	var mediaID *MediaID
+	mediaID, err = ParseMediaID(encodedMediaID, dma.signatureKey)
+	if err != nil {
+		err = &RespError{
+			Code:    mautrix.MNotFound.ErrCode,
+			Message: err.Error(),
+			Status:  http.StatusNotFound,
+		}
+		return
+	}
+	switch mediaData := mediaID.Data.(type) {
+	case *AttachmentMediaData:
+		dma.attachmentCacheLock.Lock()
+		defer dma.attachmentCacheLock.Unlock()
+		cached, ok := dma.attachmentCache[mediaData.CacheKey()]
+		if ok && time.Until(cached.Expiry) > 5*time.Minute {
+			return cached.URL, cached.Expiry, nil
+		}
+		zerolog.Ctx(ctx).Debug().
+			Uint64("channel_id", mediaData.ChannelID).
+			Uint64("message_id", mediaData.MessageID).
+			Uint64("attachment_id", mediaData.AttachmentID).
+			Msg("Refreshing attachment URL")
+		url, expiry, err = dma.fetchNewAttachmentURL(ctx, mediaData)
+		if err != nil {
+			zerolog.Ctx(ctx).Err(err).Msg("Failed to refresh attachment URL")
+			msg := "Failed to refresh attachment URL"
+			if errors.Is(err, ErrNoUsersWithAccessFound) {
+				msg = "No users found with access to the channel"
+			} else if errors.Is(err, ErrAttachmentNotFound) {
+				msg = "Attachment not found in message. Perhaps it was deleted?"
+			}
+			err = &RespError{
+				Code:    mautrix.MNotFound.ErrCode,
+				Message: msg,
+				Status:  http.StatusNotFound,
+			}
+		} else {
+			zerolog.Ctx(ctx).Debug().Time("expiry", expiry).Msg("Successfully refreshed attachment URL")
+		}
+	case *EmojiMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointEmojiAnimated(strconv.FormatUint(mediaData.EmojiID, 10))
+		} else {
+			url = discordgo.EndpointEmoji(strconv.FormatUint(mediaData.EmojiID, 10))
+		}
+	case *StickerMediaData:
+		url = discordgo.EndpointStickerImage(
+			strconv.FormatUint(mediaData.StickerID, 10),
+			discordgo.StickerFormat(mediaData.Format),
+		)
+	case *UserAvatarMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointUserAvatarAnimated(
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("a_%x", mediaData.AvatarID),
+			)
+		} else {
+			url = discordgo.EndpointUserAvatar(
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("%x", mediaData.AvatarID),
+			)
+		}
+	case *GuildMemberAvatarMediaData:
+		if mediaData.Animated {
+			url = discordgo.EndpointGuildMemberAvatarAnimated(
+				strconv.FormatUint(mediaData.GuildID, 10),
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("a_%x", mediaData.AvatarID),
+			)
+		} else {
+			url = discordgo.EndpointGuildMemberAvatar(
+				strconv.FormatUint(mediaData.GuildID, 10),
+				strconv.FormatUint(mediaData.UserID, 10),
+				fmt.Sprintf("%x", mediaData.AvatarID),
+			)
+		}
+	default:
+		zerolog.Ctx(ctx).Error().Type("media_data_type", mediaData).Msg("Unrecognized media data struct")
+		err = &RespError{
+			Code:    "M_UNKNOWN",
+			Message: "Unrecognized media data struct",
+			Status:  http.StatusInternalServerError,
+		}
+	}
+	return
+}
+
+func (dma *DirectMediaAPI) proxyDownload(ctx context.Context, w http.ResponseWriter, url, fileName string) {
+	log := zerolog.Ctx(ctx)
+	req, err := http.NewRequest(http.MethodGet, url, nil)
+	if err != nil {
+		log.Err(err).Str("url", url).Msg("Failed to create proxy request")
+		jsonResponse(w, http.StatusInternalServerError, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Failed to create proxy request",
+		})
+		return
+	}
+	for key, val := range discordgo.DroidDownloadHeaders {
+		req.Header.Set(key, val)
+	}
+	resp, err := dma.proxy.Do(req)
+	defer func() {
+		if resp != nil && resp.Body != nil {
+			_ = resp.Body.Close()
+		}
+	}()
+	if err != nil {
+		log.Err(err).Str("url", url).Msg("Failed to proxy download")
+		jsonResponse(w, http.StatusServiceUnavailable, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Failed to proxy download",
+		})
+		return
+	} else if resp.StatusCode != http.StatusOK {
+		log.Warn().Str("url", url).Int("status", resp.StatusCode).Msg("Unexpected status code proxying download")
+		jsonResponse(w, resp.StatusCode, &mautrix.RespError{
+			ErrCode: "M_UNKNOWN",
+			Err:     "Unexpected status code proxying download",
+		})
+		return
+	}
+	w.Header()["Content-Type"] = resp.Header["Content-Type"]
+	w.Header()["Content-Length"] = resp.Header["Content-Length"]
+	w.Header()["Last-Modified"] = resp.Header["Last-Modified"]
+	w.Header()["Cache-Control"] = resp.Header["Cache-Control"]
+	contentDisposition := "attachment"
+	switch resp.Header.Get("Content-Type") {
+	case "text/css", "text/plain", "text/csv", "application/json", "application/ld+json", "image/jpeg", "image/gif",
+		"image/png", "image/apng", "image/webp", "image/avif", "video/mp4", "video/webm", "video/ogg", "video/quicktime",
+		"audio/mp4", "audio/webm", "audio/aac", "audio/mpeg", "audio/ogg", "audio/wave", "audio/wav", "audio/x-wav",
+		"audio/x-pn-wav", "audio/flac", "audio/x-flac", "application/pdf":
+		contentDisposition = "inline"
+	}
+	if fileName != "" {
+		contentDisposition = mime.FormatMediaType(contentDisposition, map[string]string{
+			"filename": fileName,
+		})
+	}
+	w.Header().Set("Content-Disposition", contentDisposition)
+	w.WriteHeader(http.StatusOK)
+	_, err = io.Copy(w, resp.Body)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to write proxy response")
+	}
+}
+
+func (dma *DirectMediaAPI) DownloadMedia(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	log := zerolog.Ctx(ctx)
+	isNewFederation := strings.HasPrefix(r.URL.Path, "/_matrix/federation/v1/media/download/")
+	vars := mux.Vars(r)
+	if !isNewFederation && vars["serverName"] != dma.cfg.ServerName {
+		jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+			ErrCode: mautrix.MNotFound.ErrCode,
+			Err:     fmt.Sprintf("This is a Discord media proxy for %q, other media downloads are not available here", dma.cfg.ServerName),
+		})
+		return
+	}
+	// TODO check destination header in X-Matrix auth when isNewFederation
+
+	url, expiresAt, err := dma.getMediaURL(ctx, vars["mediaID"])
+	if err != nil {
+		var respError *RespError
+		if errors.As(err, &respError) {
+			jsonResponse(w, respError.Status, &mautrix.RespError{
+				ErrCode: respError.Code,
+				Err:     respError.Message,
+			})
+		} else {
+			log.Err(err).Str("media_id", vars["mediaID"]).Msg("Failed to get media URL")
+			jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+				ErrCode: mautrix.MNotFound.ErrCode,
+				Err:     "Media not found",
+			})
+		}
+		return
+	}
+	if isNewFederation {
+		mp := multipart.NewWriter(w)
+		w.Header().Set("Content-Type", strings.Replace(mp.FormDataContentType(), "form-data", "mixed", 1))
+		var metaPart io.Writer
+		metaPart, err = mp.CreatePart(textproto.MIMEHeader{
+			"Content-Type": {"application/json"},
+		})
+		if err != nil {
+			log.Err(err).Msg("Failed to create multipart metadata field")
+			return
+		}
+		_, err = metaPart.Write([]byte(`{}`))
+		if err != nil {
+			log.Err(err).Msg("Failed to write multipart metadata field")
+			return
+		}
+		_, err = mp.CreatePart(textproto.MIMEHeader{
+			"Location": {url},
+		})
+		if err != nil {
+			log.Err(err).Msg("Failed to create multipart redirect field")
+			return
+		}
+		err = mp.Close()
+		if err != nil {
+			log.Err(err).Msg("Failed to close multipart writer")
+			return
+		}
+		return
+	}
+	// Proxy if the config allows proxying and the request doesn't allow redirects.
+	// In any other case, redirect to the Discord CDN.
+	if dma.cfg.AllowProxy && r.URL.Query().Get("allow_redirect") != "true" {
+		dma.proxyDownload(ctx, w, url, vars["fileName"])
+		return
+	}
+	w.Header().Set("Location", url)
+	expirySeconds := (time.Until(expiresAt) - 5*time.Minute).Seconds()
+	if expiresAt.IsZero() {
+		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+	} else if expirySeconds > 0 {
+		cacheControl := fmt.Sprintf("public, max-age=%d, immutable", int(expirySeconds))
+		w.Header().Set("Cache-Control", cacheControl)
+	} else {
+		w.Header().Set("Cache-Control", "no-store")
+	}
+	w.WriteHeader(http.StatusTemporaryRedirect)
+}
+
+func (dma *DirectMediaAPI) UploadNotSupported(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotImplemented, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "This bridge only supports proxying Discord media downloads and does not support media uploads.",
+	})
+}
+
+func (dma *DirectMediaAPI) PreviewURLNotSupported(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotImplemented, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "This bridge only supports proxying Discord media downloads and does not support URL previews.",
+	})
+}
+
+func (dma *DirectMediaAPI) UnknownEndpoint(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusNotFound, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "Unrecognized endpoint",
+	})
+}
+
+func (dma *DirectMediaAPI) UnsupportedMethod(w http.ResponseWriter, r *http.Request) {
+	jsonResponse(w, http.StatusMethodNotAllowed, &mautrix.RespError{
+		ErrCode: mautrix.MUnrecognized.ErrCode,
+		Err:     "Invalid method for endpoint",
+	})
+}
--- a/directmedia_id.go
+++ b/directmedia_id.go
@ -0,0 +1,287 @@
+// mautrix-discord - A Matrix-Discord puppeting bridge.
+// Copyright (C) 2024 Tulir Asokan
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package main
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+)
+
+const MediaIDPrefix = "\U0001F408DISCORD"
+const MediaIDVersion = 1
+
+type MediaIDClass uint8
+
+const (
+	MediaIDClassAttachment        MediaIDClass = 1
+	MediaIDClassEmoji             MediaIDClass = 2
+	MediaIDClassSticker           MediaIDClass = 3
+	MediaIDClassUserAvatar        MediaIDClass = 4
+	MediaIDClassGuildMemberAvatar MediaIDClass = 5
+)
+
+type MediaIDData interface {
+	Write(to io.Writer)
+	Read(from io.Reader) error
+	Size() int
+	Wrap() *MediaID
+}
+
+type MediaID struct {
+	Version   uint8
+	TypeClass MediaIDClass
+	Data      MediaIDData
+}
+
+func ParseMediaID(id string, key [32]byte) (*MediaID, error) {
+	data, err := base64.RawURLEncoding.DecodeString(id)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode base64: %w", err)
+	}
+	hasher := hmac.New(sha256.New, key[:])
+	checksum := data[len(data)-TruncatedHashLength:]
+	data = data[:len(data)-TruncatedHashLength]
+	hasher.Write(data)
+	if !hmac.Equal(checksum, hasher.Sum(nil)[:TruncatedHashLength]) {
+		return nil, ErrMediaIDChecksumMismatch
+	}
+	mid := &MediaID{}
+	err = mid.Read(bytes.NewReader(data))
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse media ID: %w", err)
+	}
+	return mid, nil
+}
+
+const TruncatedHashLength = 16
+
+func (mid *MediaID) SignedString(key [32]byte) string {
+	buf := bytes.NewBuffer(make([]byte, 0, mid.Size()))
+	mid.Write(buf)
+	hasher := hmac.New(sha256.New, key[:])
+	hasher.Write(buf.Bytes())
+	buf.Write(hasher.Sum(nil)[:TruncatedHashLength])
+	return base64.RawURLEncoding.EncodeToString(buf.Bytes())
+}
+
+func (mid *MediaID) Write(to io.Writer) {
+	_, _ = to.Write([]byte(MediaIDPrefix))
+	_ = binary.Write(to, binary.BigEndian, mid.Version)
+	_ = binary.Write(to, binary.BigEndian, mid.TypeClass)
+	mid.Data.Write(to)
+}
+
+func (mid *MediaID) Size() int {
+	return len(MediaIDPrefix) + 2 + mid.Data.Size() + TruncatedHashLength
+}
+
+var (
+	ErrInvalidMediaID          = errors.New("invalid media ID")
+	ErrMediaIDChecksumMismatch = errors.New("invalid checksum in media ID")
+	ErrUnsupportedMediaID      = errors.New("unsupported media ID")
+)
+
+func (mid *MediaID) Read(from io.Reader) error {
+	prefix := make([]byte, len(MediaIDPrefix))
+	_, err := io.ReadFull(from, prefix)
+	if err != nil || !bytes.Equal(prefix, []byte(MediaIDPrefix)) {
+		return fmt.Errorf("%w: prefix not found", ErrInvalidMediaID)
+	}
+	versionAndClass := make([]byte, 2)
+	_, err = io.ReadFull(from, versionAndClass)
+	if err != nil {
+		return fmt.Errorf("%w: version and class not found", ErrInvalidMediaID)
+	} else if versionAndClass[0] != MediaIDVersion {
+		return fmt.Errorf("%w: unknown version %d", ErrUnsupportedMediaID, versionAndClass[0])
+	}
+	switch MediaIDClass(versionAndClass[1]) {
+	case MediaIDClassAttachment:
+		mid.Data = &AttachmentMediaData{}
+	case MediaIDClassEmoji:
+		mid.Data = &EmojiMediaData{}
+	case MediaIDClassSticker:
+		mid.Data = &StickerMediaData{}
+	case MediaIDClassUserAvatar:
+		mid.Data = &UserAvatarMediaData{}
+	case MediaIDClassGuildMemberAvatar:
+		mid.Data = &GuildMemberAvatarMediaData{}
+	default:
+		return fmt.Errorf("%w: unrecognized type class %d", ErrUnsupportedMediaID, versionAndClass[1])
+	}
+	err = mid.Data.Read(from)
+	if err != nil {
+		return fmt.Errorf("failed to parse media ID data: %w", err)
+	}
+	return nil
+}
+
+type AttachmentMediaData struct {
+	ChannelID    uint64
+	MessageID    uint64
+	AttachmentID uint64
+}
+
+func (amd *AttachmentMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, amd)
+}
+
+func (amd *AttachmentMediaData) Read(from io.Reader) (err error) {
+	return binary.Read(from, binary.BigEndian, amd)
+}
+
+func (amd *AttachmentMediaData) Size() int {
+	return binary.Size(amd)
+}
+
+func (amd *AttachmentMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassAttachment,
+		Data:      amd,
+	}
+}
+
+func (amd *AttachmentMediaData) CacheKey() AttachmentCacheKey {
+	return AttachmentCacheKey{
+		ChannelID:    amd.ChannelID,
+		AttachmentID: amd.AttachmentID,
+	}
+}
+
+type StickerMediaData struct {
+	StickerID uint64
+	Format    uint8
+}
+
+func (smd *StickerMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, smd)
+}
+
+func (smd *StickerMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, smd)
+}
+
+func (smd *StickerMediaData) Size() int {
+	return binary.Size(smd)
+}
+
+func (smd *StickerMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassSticker,
+		Data:      smd,
+	}
+}
+
+type EmojiMediaDataInner struct {
+	EmojiID  uint64
+	Animated bool
+}
+
+type EmojiMediaData struct {
+	EmojiMediaDataInner
+	Name string
+}
+
+func (emd *EmojiMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, &emd.EmojiMediaDataInner)
+	_, _ = to.Write([]byte(emd.Name))
+}
+
+func (emd *EmojiMediaData) Read(from io.Reader) (err error) {
+	err = binary.Read(from, binary.BigEndian, &emd.EmojiMediaDataInner)
+	if err != nil {
+		return
+	}
+	name, err := io.ReadAll(from)
+	if err != nil {
+		return
+	}
+	emd.Name = string(name)
+	return
+}
+
+func (emd *EmojiMediaData) Size() int {
+	return binary.Size(&emd.EmojiMediaDataInner) + len(emd.Name)
+}
+
+func (emd *EmojiMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassEmoji,
+		Data:      emd,
+	}
+}
+
+type UserAvatarMediaData struct {
+	UserID   uint64
+	Animated bool
+	AvatarID [16]byte
+}
+
+func (uamd *UserAvatarMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, uamd)
+}
+
+func (uamd *UserAvatarMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, uamd)
+}
+
+func (uamd *UserAvatarMediaData) Size() int {
+	return binary.Size(uamd)
+}
+
+func (uamd *UserAvatarMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassUserAvatar,
+		Data:      uamd,
+	}
+}
+
+type GuildMemberAvatarMediaData struct {
+	GuildID  uint64
+	UserID   uint64
+	Animated bool
+	AvatarID [16]byte
+}
+
+func (guamd *GuildMemberAvatarMediaData) Write(to io.Writer) {
+	_ = binary.Write(to, binary.BigEndian, guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Read(from io.Reader) error {
+	return binary.Read(from, binary.BigEndian, guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Size() int {
+	return binary.Size(guamd)
+}
+
+func (guamd *GuildMemberAvatarMediaData) Wrap() *MediaID {
+	return &MediaID{
+		Version:   MediaIDVersion,
+		TypeClass: MediaIDClassGuildMemberAvatar,
+		Data:      guamd,
+	}
+}
--- a/example-config.yaml
+++ b/example-config.yaml
@ -2,9 +2,6 @@
 homeserver:
    # The address that this appservice can use to connect to the homeserver.
    address: https://matrix.example.com
-    # Publicly accessible base URL for media, used for avatars in relay mode.
-    # If not set, the connection address above will be used.
-    public_address: null
    # The domain of the homeserver (also known as server_name, used for MXIDs, etc).
    domain: example.com

@ -113,6 +110,13 @@ bridge:
    # If set to `never`, DM rooms will never have names and avatars set.
    private_chat_portal_meta: default

+    # Publicly accessible base URL that Discord can use to reach the bridge, used for avatars in relay mode.
+    # If not set, avatars will not be bridged. Only the /mautrix-discord/avatar/{server}/{id}/{hash} endpoint is used on this address.
+    # This should not have a trailing slash, the endpoint above will be appended to the provided address.
+    public_address: null
+    # A random key used to sign the avatar URLs. The bridge will only accept requests with a valid signature.
+    avatar_proxy_key: generate
+
    portal_message_buffer: 128

    # Number of private channel portals to create on bridge startup.
@ -168,20 +172,23 @@ bridge:
    # This can be `never` to never cache, `unencrypted` to only cache unencrypted mxc uris, or `always` to cache everything.
    # If you have a media repo that generates non-unique mxc uris, you should set this to never.
    cache_media: unencrypted
-    # Patterns for converting Discord media to custom mxc:// URIs instead of reuploading.
-    # Each of the patterns can be set to null to disable custom URIs for that type of media.
+    # Settings for converting Discord media to custom mxc:// URIs instead of reuploading.
    # More details can be found at https://docs.mau.fi/bridges/go/discord/direct-media.html
-    media_patterns:
+    direct_media:
        # Should custom mxc:// URIs be used instead of reuploading media?
        enabled: false
-        # Pattern for normal message attachments.
-        attachments: mxc://discord-media.mau.dev/attachments|{{.ChannelID}}|{{.AttachmentID}}|{{.FileName}}
-        # Pattern for custom emojis.
-        emojis: mxc://discord-media.mau.dev/emojis|{{.ID}}.{{.Ext}}
-        # Pattern for stickers. Note that animated lottie stickers will not be converted if this is enabled.
-        stickers: mxc://discord-media.mau.dev/stickers|{{.ID}}.{{.Ext}}
-        # Pattern for static user avatars.
-        avatars: mxc://discord-media.mau.dev/avatars|{{.UserID}}|{{.AvatarID}}.{{.Ext}}
+        # The server name to use for the custom mxc:// URIs.
+        # This server name will effectively be a real Matrix server, it just won't implement anything other than media.
+        # You must either set up .well-known delegation from this domain to the bridge, or proxy the domain directly to the bridge.
+        server_name: discord-media.example.com
+        # Optionally a custom .well-known response. This defaults to `server_name:443`
+        well_known_response:
+        # The bridge supports MSC3860 media download redirects and will use them if the requester supports it.
+        # Optionally, you can force redirects and not allow proxying at all by setting this to false.
+        allow_proxy: true
+        # Matrix server signing key to make the federation tester pass, same format as synapse's .signing.key file.
+        # This key is also used to sign the mxc:// URIs to ensure only the bridge can generate them.
+        server_key: generate
    # Settings for converting animated stickers.
    animated_sticker:
        # Format to which animated stickers should be converted.
@ -332,6 +339,8 @@ bridge:
        # Shared secret for authentication. If set to "generate", a random secret will be generated,
        # or if set to "disable", the provisioning API will be disabled.
        shared_secret: generate
+        # Enable debug API at /debug with provisioning authentication.
+        debug_endpoints: false

    # Permissions for using the bridge.
    # Permitted values:
--- a/formatter.go
+++ b/formatter.go
@ -26,13 +26,12 @@ import (
 	"github.com/yuin/goldmark/extension"
 	"github.com/yuin/goldmark/parser"
 	"github.com/yuin/goldmark/util"
+	"go.mau.fi/util/variationselector"
 	"golang.org/x/exp/slices"
-
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/format"
 	"maunium.net/go/mautrix/format/mdext"
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util/variationselector"
 )

 // escapeFixer is a hacky partial fix for the difference in escaping markdown, used with escapeReplacement
@ -156,11 +155,14 @@ func (br *DiscordBridge) pillConverter(displayname, mxid, eventID string, ctx fo
 	return displayname
 }

+const discordLinkPattern = `https?://[^<\p{Zs}\x{feff}]*[^"'),.:;\]\p{Zs}\x{feff}]`
+
 // Discord links start with http:// or https://, contain at least two characters afterwards,
 // don't contain < or whitespace anywhere, and don't end with "'),.:;]
 //
 // Zero-width whitespace is mostly in the Format category and is allowed, except \uFEFF isn't for some reason
-var discordLinkRegex = regexp.MustCompile(`https?://[^<\p{Zs}\x{feff}]*[^"'),.:;\]\p{Zs}\x{feff}]`)
+var discordLinkRegex = regexp.MustCompile(discordLinkPattern)
+var discordLinkRegexFull = regexp.MustCompile("^" + discordLinkPattern + "$")

 var discordMarkdownEscaper = strings.NewReplacer(
 	`\`, `\\`,
@ -214,6 +216,14 @@ var matrixHTMLParser = &format.HTMLParser{
 		}
 		return fmt.Sprintf("||%s||", text)
 	},
+	LinkConverter: func(text, href string, ctx format.Context) string {
+		if text == href {
+			return text
+		} else if !discordLinkRegexFull.MatchString(href) {
+			return fmt.Sprintf("%s (%s)", escapeDiscordMarkdown(text), escapeDiscordMarkdown(href))
+		}
+		return fmt.Sprintf("[%s](%s)", escapeDiscordMarkdown(text), href)
+	},
 }

 func (portal *Portal) parseMatrixHTML(content *event.MessageEventContent) (string, *discordgo.MessageAllowedMentions) {
--- a/formatter_tag.go
+++ b/formatter_tag.go
@ -30,6 +30,7 @@ import (
 	"github.com/yuin/goldmark/renderer"
 	"github.com/yuin/goldmark/text"
 	"github.com/yuin/goldmark/util"
+	"maunium.net/go/mautrix/id"

 	"go.mau.fi/mautrix-discord/database"
 )
@ -262,11 +263,19 @@ func (r *discordTagHTMLRenderer) renderDiscordMention(w util.BufWriter, source [
 	}
 	switch node := n.(type) {
 	case *astDiscordUserMention:
-		if user := node.portal.bridge.GetUserByID(strconv.FormatInt(node.id, 10)); user != nil {
-			_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, user.MXID.URI().MatrixToURL(), user.MXID)
-		} else if puppet := node.portal.bridge.GetPuppetByID(strconv.FormatInt(node.id, 10)); puppet != nil {
-			_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, puppet.MXID.URI().MatrixToURL(), puppet.Name)
+		var mxid id.UserID
+		var name string
+		if puppet := node.portal.bridge.GetPuppetByID(strconv.FormatInt(node.id, 10)); puppet != nil {
+			mxid = puppet.MXID
+			name = puppet.Name
 		}
+		if user := node.portal.bridge.GetUserByID(strconv.FormatInt(node.id, 10)); user != nil {
+			mxid = user.MXID
+			if name == "" {
+				name = user.MXID.Localpart()
+			}
+		}
+		_, _ = fmt.Fprintf(w, `<a href="%s">%s</a>`, mxid.URI().MatrixToURL(), name)
 		return
 	case *astDiscordRoleMention:
 		role := node.portal.bridge.DB.Role.GetByID(node.portal.GuildID, strconv.FormatInt(node.id, 10))
--- a/go.mod
+++ b/go.mod
@ -1,42 +1,43 @@
 module go.mau.fi/mautrix-discord

-go 1.19
+go 1.21

 require (
 	github.com/bwmarrin/discordgo v0.27.0
-	github.com/gabriel-vasile/mimetype v1.4.2
+	github.com/gabriel-vasile/mimetype v1.4.3
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/websocket v1.5.0
 	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.17
-	github.com/rs/zerolog v1.29.1
+	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/rs/zerolog v1.31.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/stretchr/testify v1.8.4
-	github.com/yuin/goldmark v1.5.4
-	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1
-	golang.org/x/sync v0.3.0
+	github.com/yuin/goldmark v1.6.0
+	go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb
+	golang.org/x/exp v0.0.0-20231219180239-dc181d75b848
+	golang.org/x/sync v0.5.0
 	maunium.net/go/maulogger/v2 v2.4.1
-	maunium.net/go/mautrix v0.15.5-0.20230728182848-1ef656165098
+	maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c
 )

 require (
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/tidwall/gjson v1.14.4 // indirect
+	github.com/tidwall/gjson v1.17.0 // indirect
 	github.com/tidwall/match v1.1.1 // indirect
 	github.com/tidwall/pretty v1.2.0 // indirect
 	github.com/tidwall/sjson v1.2.5 // indirect
 	go.mau.fi/zeroconfig v0.1.2 // indirect
-	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/crypto v0.15.0 // indirect
+	golang.org/x/net v0.18.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	maunium.net/go/mauflag v1.0.0 // indirect
 )

-replace github.com/bwmarrin/discordgo => github.com/beeper/discordgo v0.0.0-20230620222529-2cb9d9280e37
+replace github.com/bwmarrin/discordgo => github.com/beeper/discordgo v0.0.0-20231013182643-f333f2578a3c
--- a/go.sum
+++ b/go.sum
@ -1,12 +1,13 @@
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
-github.com/beeper/discordgo v0.0.0-20230620222529-2cb9d9280e37 h1:N0c/439VcoHGc+gL1lb3vUjr6vUbXz+vor7SLnBOhJU=
-github.com/beeper/discordgo v0.0.0-20230620222529-2cb9d9280e37/go.mod h1:59+AOzzjmL6onAh62nuLXmn7dJCaC/owDLWbGtjTcFA=
+github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
+github.com/beeper/discordgo v0.0.0-20231013182643-f333f2578a3c h1:WaJ9eX8eyOBHD8te5t7xzm27uwhfaN94o8vUVFXliyA=
+github.com/beeper/discordgo v0.0.0-20231013182643-f333f2578a3c/go.mod h1:59+AOzzjmL6onAh62nuLXmn7dJCaC/owDLWbGtjTcFA=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
-github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
+github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
+github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@ -16,47 +17,51 @@ github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWm
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/mattn/go-colorable v0.1.12 h1:jF+Du6AlPIjs2BiUiQlKOX0rt3SujHxPnksPKZbaA40=
-github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
-github.com/mattn/go-isatty v0.0.14 h1:yVuAays6BHfxijgZPzw+3Zlu5yQgKGP2/hcQbHb7S9Y=
-github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
-github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
-github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
+github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
+github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APPA=
+github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.29.1 h1:cO+d60CHkknCbvzEWxP0S9K6KqyTjrCNUy1LdQLCGPc=
-github.com/rs/zerolog v1.29.1/go.mod h1:Le6ESbR7hc+DP6Lt1THiV8CQSdkkNrd3R0XbEgp3ZBU=
+github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
+github.com/rs/zerolog v1.31.0 h1:FcTR3NnLWW+NnTwwhFWiJSZr4ECLpqCm6QsEnyvbV4A=
+github.com/rs/zerolog v1.31.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/tidwall/gjson v1.14.2/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
-github.com/tidwall/gjson v1.14.4 h1:uo0p8EbA09J7RQaflQ1aBRffTR7xedD2bcIVSYxLnkM=
-github.com/tidwall/gjson v1.14.4/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
+github.com/tidwall/gjson v1.17.0 h1:/Jocvlh98kcTfpN2+JzGQWQcqrPQwDrVEMApx/M5ZwM=
+github.com/tidwall/gjson v1.17.0/go.mod h1:/wbyibRr2FHMks5tjHJ5F8dMZh3AcwJEMf5vlfC0lxk=
 github.com/tidwall/match v1.1.1 h1:+Ho715JplO36QYgwN9PGYNhgZvoUSc9X2c80KVTi+GA=
 github.com/tidwall/match v1.1.1/go.mod h1:eRSPERbgtNPcGhD8UCthc6PmLEQXEWd3PRB5JTxsfmM=
 github.com/tidwall/pretty v1.2.0 h1:RWIZEg2iJ8/g6fDDYzMpobmaoGh5OLl4AXtGUGPcqCs=
 github.com/tidwall/pretty v1.2.0/go.mod h1:ITEVvHYasfjBbM0u2Pg8T2nJnzm8xPwvNhhsoaGGjNU=
 github.com/tidwall/sjson v1.2.5 h1:kLy8mja+1c9jlljvWTlSazM7cKDRfJuR/bOJhcY5NcY=
 github.com/tidwall/sjson v1.2.5/go.mod h1:Fvgq9kS/6ociJEDnK0Fk1cpYF4FIW6ZF7LAe+6jwd28=
-github.com/yuin/goldmark v1.5.4 h1:2uY/xC0roWy8IBEGLgB1ywIoEJFGmRrX21YQcvGZzjU=
-github.com/yuin/goldmark v1.5.4/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yuin/goldmark v1.6.0 h1:boZcn2GTjpsynOsC0iJHnBWa4Bi0qzfJjthwauItG68=
+github.com/yuin/goldmark v1.6.0/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb h1:Is+6vDKgINRy9KHodvi7NElxoDaWA8sc2S3cF3+QWjs=
+go.mau.fi/util v0.2.2-0.20231228160422-22fdd4bbddeb/go.mod h1:tiBX6nxVSOjU89jVQ7wBh3P8KjM26Lv1k7/I5QdSvBw=
 go.mau.fi/zeroconfig v0.1.2 h1:DKOydWnhPMn65GbXZOafgkPm11BvFashZWLct0dGFto=
 go.mau.fi/zeroconfig v0.1.2/go.mod h1:NcSJkf180JT+1IId76PcMuLTNa1CzsFFZ0nBygIQM70=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
-golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 h1:MGwJjxBy0HJshjDNfLsYO8xppfqWlA5ZT9OhtUUhTNw=
-golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1/go.mod h1:FXUEEKJgO7OQYeo8N01OfiKP8RXMtf6e8aTskBGqWdc=
-golang.org/x/net v0.12.0 h1:cfawfvKITfUsFCeJIHJrbSxpeu/E81khclypR0GVT50=
-golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
-golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
-golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA=
+golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848 h1:+iq7lrkxmFNBM7xx+Rae2W6uyPfhPeDWD+n+JgppptE=
+golang.org/x/exp v0.0.0-20231219180239-dc181d75b848/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
+golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg=
+golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
@ -67,5 +72,5 @@ maunium.net/go/mauflag v1.0.0 h1:YiaRc0tEI3toYtJMRIfjP+jklH45uDHtT80nUamyD4M=
 maunium.net/go/mauflag v1.0.0/go.mod h1:nLivPOpTpHnpzEh8jEdSL9UqO9+/KBJFmNRlwKfkPeA=
 maunium.net/go/maulogger/v2 v2.4.1 h1:N7zSdd0mZkB2m2JtFUsiGTQQAdP0YeFWT7YMc80yAL8=
 maunium.net/go/maulogger/v2 v2.4.1/go.mod h1:omPuYwYBILeVQobz8uO3XC8DIRuEb5rXYlQSuqrbCho=
-maunium.net/go/mautrix v0.15.5-0.20230728182848-1ef656165098 h1:1MA35IEVXHzgFnJEcgAoawNcDedRZjXoHdwylhPURLs=
-maunium.net/go/mautrix v0.15.5-0.20230728182848-1ef656165098/go.mod h1:dBaDmsnOOBM4a+gKcgefXH73pHGXm+MCJzCs1dXFgrw=
+maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c h1:LHjqti3fFzrC8LXkkxxKYlLbuI/CJcwa2JN4Ppg2GK0=
+maunium.net/go/mautrix v0.16.3-0.20240712164054-e6046fbf432c/go.mod h1:gCgLw/4c1a8QsiOWTdUdXlt5cYdE0rJ9wLeZQKPD58Q=
--- a/main.go
+++ b/main.go
@ -18,14 +18,15 @@ package main

 import (
 	_ "embed"
+	"net/http"
 	"sync"

+	"go.mau.fi/util/configupgrade"
+	"go.mau.fi/util/exsync"
 	"golang.org/x/sync/semaphore"
 	"maunium.net/go/mautrix/bridge"
 	"maunium.net/go/mautrix/bridge/commands"
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util"
-	"maunium.net/go/mautrix/util/configupgrade"

 	"go.mau.fi/mautrix-discord/config"
 	"go.mau.fi/mautrix-discord/database"
@ -48,6 +49,7 @@ type DiscordBridge struct {
 	Config *config.Config
 	DB     *database.Database

+	DMA          *DirectMediaAPI
 	provisioning *ProvisioningAPI

 	usersByMXID map[id.UserID]*User
@ -74,7 +76,7 @@ type DiscordBridge struct {
 	puppetsByCustomMXID map[id.UserID]*Puppet
 	puppetsLock         sync.Mutex

-	attachmentTransfers         *util.SyncMap[attachmentKey, *util.ReturnableOnce[*database.File]]
+	attachmentTransfers         *exsync.Map[attachmentKey, *exsync.ReturnableOnce[*database.File]]
 	parallelAttachmentSemaphore *semaphore.Weighted
 }

@ -104,6 +106,10 @@ func (br *DiscordBridge) Start() {
 	if br.Config.Bridge.Provisioning.SharedSecret != "disable" {
 		br.provisioning = newProvisioningAPI(br)
 	}
+	if br.Config.Bridge.PublicAddress != "" {
+		br.AS.Router.HandleFunc("/mautrix-discord/avatar/{server}/{mediaID}/{checksum}", br.serveMediaProxy).Methods(http.MethodGet)
+	}
+	br.DMA = newDirectMediaAPI(br)
 	br.WaitWebsocketConnected()
 	go br.startUsers()
 }
@ -172,14 +178,14 @@ func main() {
 		puppets:             make(map[string]*Puppet),
 		puppetsByCustomMXID: make(map[id.UserID]*Puppet),

-		attachmentTransfers:         util.NewSyncMap[attachmentKey, *util.ReturnableOnce[*database.File]](),
+		attachmentTransfers:         exsync.NewMap[attachmentKey, *exsync.ReturnableOnce[*database.File]](),
 		parallelAttachmentSemaphore: semaphore.NewWeighted(3),
 	}
 	br.Bridge = bridge.Bridge{
 		Name:              "mautrix-discord",
 		URL:               "https://github.com/mautrix/discord",
 		Description:       "A Matrix-Discord puppeting bridge.",
-		Version:           "0.6.0",
+		Version:           "0.7.0",
 		ProtocolName:      "Discord",
 		BeeperServiceName: "discordgo",
 		BeeperNetworkName: "discord",
--- a/portal.go
+++ b/portal.go
@ -3,9 +3,13 @@ package main
 import (
 	"bytes"
 	"context"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"net/http"
 	"reflect"
 	"regexp"
@ -17,7 +21,10 @@ import (

 	"github.com/bwmarrin/discordgo"
 	"github.com/gabriel-vasile/mimetype"
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog"
+	"go.mau.fi/util/exsync"
+	"go.mau.fi/util/variationselector"
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/bridge"
@ -26,8 +33,6 @@ import (
 	"maunium.net/go/mautrix/crypto/attachment"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/id"
-	"maunium.net/go/mautrix/util"
-	"maunium.net/go/mautrix/util/variationselector"

 	"go.mau.fi/mautrix-discord/config"
 	"go.mau.fi/mautrix-discord/database"
@ -62,7 +67,7 @@ type Portal struct {
 	discordMessages chan portalDiscordMessage
 	matrixMessages  chan portalMatrixMessage

-	recentMessages *util.RingBuffer[string, *discordgo.Message]
+	recentMessages *exsync.RingBuffer[string, *discordgo.Message]

 	commands     map[string]*discordgo.ApplicationCommand
 	commandsLock sync.RWMutex
@ -260,7 +265,7 @@ func (br *DiscordBridge) NewPortal(dbPortal *database.Portal) *Portal {
 		discordMessages: make(chan portalDiscordMessage, br.Config.Bridge.PortalMessageBuffer),
 		matrixMessages:  make(chan portalMatrixMessage, br.Config.Bridge.PortalMessageBuffer),

-		recentMessages: util.NewRingBuffer[string, *discordgo.Message](recentMessageBufferSize),
+		recentMessages: exsync.NewRingBuffer[string, *discordgo.Message](recentMessageBufferSize),

 		commands: make(map[string]*discordgo.ApplicationCommand),
 	}
@ -459,7 +464,7 @@ func (portal *Portal) CreateMatrixRoom(user *User, channel *discordgo.Channel) e
 			Content: event.Content{Parsed: &event.JoinRulesEventContent{
 				JoinRule: event.JoinRuleRestricted,
 				Allow: []event.JoinRuleAllow{{
-					RoomID: spaceID,
+					RoomID: portal.Guild.MXID,
 					Type:   event.JoinRuleAllowRoomMembership,
 				}},
 			}},
@ -519,7 +524,7 @@ func (portal *Portal) CreateMatrixRoom(user *User, channel *discordgo.Channel) e
 	if portal.GuildID == "" {
 		user.addPrivateChannelToSpace(portal)
 	} else {
-		portal.updateSpace()
+		portal.updateSpace(user)
 	}
 	portal.ensureUserInvited(user, true)
 	user.syncChatDoublePuppetDetails(portal, true)
@ -884,12 +889,13 @@ func (portal *Portal) handleDiscordMessageUpdate(user *User, msg *discordgo.Mess
 	for _, deletedAttachment := range attachmentMap {
 		resp, err := intent.RedactEvent(portal.MXID, deletedAttachment.MXID)
 		if err != nil {
-			log.Warn().Err(err).
+			log.Err(err).
 				Str("event_id", deletedAttachment.MXID.String()).
 				Msg("Failed to redact attachment")
+		} else {
+			redactions.Str(deletedAttachment.AttachmentID, resp.EventID.String())
 		}
 		deletedAttachment.Delete()
-		redactions.Str(deletedAttachment.AttachmentID, resp.EventID.String())
 	}

 	var converted *ConvertedMessage
@ -1032,9 +1038,12 @@ func (portal *Portal) syncParticipants(source *User, participants []*discordgo.U
 		puppet := portal.bridge.GetPuppetByID(participant.ID)
 		puppet.UpdateInfo(source, participant, nil)

-		user := portal.bridge.GetUserByID(participant.ID)
-		if user != nil {
-			portal.ensureUserInvited(user, false)
+		var user *User
+		if participant.ID != portal.OtherUserID {
+			user = portal.bridge.GetUserByID(participant.ID)
+			if user != nil {
+				portal.ensureUserInvited(user, false)
+			}
 		}

 		if user == nil || !puppet.IntentFor(portal).IsCustomPuppet {
@ -1110,7 +1119,7 @@ func (portal *Portal) getEvent(mxid id.EventID) (*event.Event, error) {
 	if evt.Type == event.EventEncrypted {
 		decryptedEvt, err := portal.bridge.Crypto.Decrypt(evt)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to decrypt event: %w", err)
 		} else {
 			evt = decryptedEvt
 		}
@ -1171,7 +1180,7 @@ func (portal *Portal) startThreadFromMatrix(sender *User, threadRoot id.EventID)
 	}
 }

-func (portal *Portal) sendErrorMessage(msgType, message string, confirmed bool) id.EventID {
+func (portal *Portal) sendErrorMessage(evt *event.Event, msgType, message string, confirmed bool) id.EventID {
 	if !portal.bridge.Config.Bridge.MessageErrorNotices {
 		return ""
 	}
@ -1182,10 +1191,15 @@ func (portal *Portal) sendErrorMessage(msgType, message string, confirmed bool)
 	if portal.RelayWebhookSecret != "" {
 		message = strings.ReplaceAll(message, portal.RelayWebhookSecret, "<redacted>")
 	}
-	resp, err := portal.sendMatrixMessage(portal.MainIntent(), event.EventMessage, &event.MessageEventContent{
+	content := &event.MessageEventContent{
 		MsgType: event.MsgNotice,
 		Body:    fmt.Sprintf("\u26a0 Your %s %s bridged: %v", msgType, certainty, message),
-	}, nil, 0)
+	}
+	relatable, ok := evt.Content.Parsed.(event.Relatable)
+	if ok && relatable.OptionalGetRelatesTo().GetThreadParent() != "" {
+		content.GetRelatesTo().SetThread(relatable.OptionalGetRelatesTo().GetThreadParent(), evt.ID)
+	}
+	resp, err := portal.sendMatrixMessage(portal.MainIntent(), event.EventMessage, content, nil, 0)
 	if err != nil {
 		portal.log.Warn().Err(err).Msg("Failed to send bridging error message")
 		return ""
@ -1350,7 +1364,7 @@ func (portal *Portal) sendMessageMetrics(evt *event.Event, err error, part strin
 			if humanMessage == "" {
 				humanMessage = err.Error()
 			}
-			portal.sendErrorMessage(msgType, humanMessage, isCertain)
+			portal.sendErrorMessage(evt, msgType, humanMessage, isCertain)
 		}
 		portal.sendStatusEvent(evt.ID, err)
 	} else {
@ -1361,6 +1375,64 @@ func (portal *Portal) sendMessageMetrics(evt *event.Event, err error, part strin
 	}
 }

+func (br *DiscordBridge) serveMediaProxy(w http.ResponseWriter, r *http.Request) {
+	vars := mux.Vars(r)
+	mxc := id.ContentURI{
+		Homeserver: vars["server"],
+		FileID:     vars["mediaID"],
+	}
+	checksum, err := base64.RawURLEncoding.DecodeString(vars["checksum"])
+	if err != nil || len(checksum) != 32 {
+		w.WriteHeader(http.StatusNotFound)
+		return
+	}
+	_, expectedChecksum := br.hashMediaProxyURL(mxc)
+	if !hmac.Equal(checksum, expectedChecksum) {
+		w.WriteHeader(http.StatusNotFound)
+		return
+	}
+	reader, err := br.Bot.Download(mxc)
+	if err != nil {
+		br.ZLog.Warn().Err(err).Msg("Failed to download media to proxy")
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+	buf := make([]byte, 32*1024)
+	n, err := io.ReadFull(reader, buf)
+	if err != nil && (!errors.Is(err, io.EOF) && !errors.Is(err, io.ErrUnexpectedEOF)) {
+		br.ZLog.Warn().Err(err).Msg("Failed to read first part of media to proxy")
+		w.WriteHeader(http.StatusBadGateway)
+		return
+	}
+	w.Header().Add("Content-Type", http.DetectContentType(buf[:n]))
+	if n < len(buf) {
+		w.Header().Add("Content-Length", strconv.Itoa(n))
+	}
+	w.WriteHeader(http.StatusOK)
+	_, err = w.Write(buf[:n])
+	if err != nil {
+		return
+	}
+	if n >= len(buf) {
+		_, _ = io.CopyBuffer(w, reader, buf)
+	}
+}
+
+func (br *DiscordBridge) hashMediaProxyURL(mxc id.ContentURI) (string, []byte) {
+	path := fmt.Sprintf("/mautrix-discord/avatar/%s/%s/", mxc.Homeserver, mxc.FileID)
+	checksum := hmac.New(sha256.New, []byte(br.Config.Bridge.AvatarProxyKey))
+	checksum.Write([]byte(path))
+	return path, checksum.Sum(nil)
+}
+
+func (br *DiscordBridge) makeMediaProxyURL(mxc id.ContentURI) string {
+	if br.Config.Bridge.PublicAddress == "" {
+		return ""
+	}
+	path, checksum := br.hashMediaProxyURL(mxc)
+	return br.Config.Bridge.PublicAddress + path + base64.RawURLEncoding.EncodeToString(checksum)
+}
+
 func (portal *Portal) getRelayUserMeta(sender *User) (name, avatarURL string) {
 	member := portal.bridge.StateStore.GetMember(portal.MXID, sender.MXID)
 	name = member.Displayname
@ -1368,11 +1440,8 @@ func (portal *Portal) getRelayUserMeta(sender *User) (name, avatarURL string) {
 		name = sender.MXID.String()
 	}
 	mxc := member.AvatarURL.ParseOrIgnore()
-	if !mxc.IsEmpty() {
-		avatarURL = mautrix.BuildURL(
-			portal.bridge.PublicHSAddress,
-			"_matrix", "media", "v3", "download", mxc.Homeserver, mxc.FileID,
-		).String()
+	if !mxc.IsEmpty() && portal.bridge.Config.Bridge.PublicAddress != "" {
+		avatarURL = portal.bridge.makeMediaProxyURL(mxc)
 	}
 	return
 }
@ -1401,13 +1470,9 @@ func cutBody(body string) string {
 }

 func (portal *Portal) convertReplyMessageToEmbed(eventID id.EventID, url string) (*discordgo.MessageEmbed, error) {
-	evt, err := portal.MainIntent().GetEvent(portal.MXID, eventID)
+	evt, err := portal.getEvent(eventID)
 	if err != nil {
-		return nil, fmt.Errorf("failed to fetch event: %w", err)
-	}
-	err = evt.Content.ParseRaw(evt.Type)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse event content: %w", err)
+		return nil, fmt.Errorf("failed to get reply target event: %w", err)
 	}
 	content, ok := evt.Content.Parsed.(*event.MessageEventContent)
 	if !ok {
@ -1827,13 +1892,15 @@ func (portal *Portal) handleMatrixReaction(sender *User, evt *event.Event) {
 	emojiID := reaction.RelatesTo.Key
 	if strings.HasPrefix(emojiID, "mxc://") {
 		uri, _ := id.ParseContentURI(emojiID)
-		emojiFile := portal.bridge.DB.File.GetEmojiByMXC(uri)
-		if emojiFile == nil || emojiFile.ID == "" || emojiFile.EmojiName == "" {
+		emojiInfo := portal.bridge.DMA.GetEmojiInfo(uri)
+		if emojiInfo != nil {
+			emojiID = fmt.Sprintf("%s:%d", emojiInfo.Name, emojiInfo.EmojiID)
+		} else if emojiFile := portal.bridge.DB.File.GetEmojiByMXC(uri); emojiFile != nil && emojiFile.ID != "" && emojiFile.EmojiName != "" {
+			emojiID = fmt.Sprintf("%s:%s", emojiFile.EmojiName, emojiFile.ID)
+		} else {
 			go portal.sendMessageMetrics(evt, fmt.Errorf("%w %s", errUnknownEmoji, emojiID), "Ignoring")
 			return
 		}
-
-		emojiID = fmt.Sprintf("%s:%s", emojiFile.EmojiName, emojiFile.ID)
 	} else {
 		emojiID = variationselector.FullyQualify(emojiID)
 	}
@ -2314,11 +2381,19 @@ func (portal *Portal) ExpectedSpaceID() id.RoomID {
 	return ""
 }

-func (portal *Portal) updateSpace() bool {
+func (portal *Portal) updateSpace(source *User) bool {
 	if portal.MXID == "" {
 		return false
 	}
 	if portal.Parent != nil {
+		if portal.Parent.MXID != "" {
+			portal.log.Warn().Str("parent_id", portal.ParentID).Msg("Parent portal has no Matrix room, creating...")
+			err := portal.Parent.CreateMatrixRoom(source, nil)
+			if err != nil {
+				portal.log.Err(err).Str("parent_id", portal.ParentID).Msg("Failed to create Matrix room for parent")
+				return false
+			}
+		}
 		return portal.addToSpace(portal.Parent.MXID)
 	} else if portal.Guild != nil {
 		return portal.addToSpace(portal.Guild.MXID)
@ -2409,7 +2484,7 @@ func (portal *Portal) UpdateInfo(source *User, meta *discordgo.Channel) *discord
 	changed = portal.UpdateParent(meta.ParentID) || changed
 	// Private channels are added to the space in User.handlePrivateChannel
 	if portal.GuildID != "" && portal.MXID != "" && portal.ExpectedSpaceID() != portal.InSpace {
-		changed = portal.updateSpace() || changed
+		changed = portal.updateSpace(source) || changed
 	}
 	if changed {
 		portal.UpdateBridgeInfo()
--- a/portal_convert.go
+++ b/portal_convert.go
@ -27,12 +27,11 @@ import (
 	"github.com/bwmarrin/discordgo"
 	"github.com/rs/zerolog"
 	"golang.org/x/exp/slices"
-	"maunium.net/go/mautrix/id"
-
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/event"
 	"maunium.net/go/mautrix/format"
+	"maunium.net/go/mautrix/id"
 )

 type ConvertedMessage struct {
@ -103,20 +102,16 @@ func (portal *Portal) cleanupConvertedStickerInfo(content *event.MessageEventCon
 }

 func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appservice.IntentAPI, sticker *discordgo.Sticker) *ConvertedMessage {
-	var mime, ext string
+	var mime string
 	switch sticker.FormatType {
 	case discordgo.StickerFormatTypePNG:
 		mime = "image/png"
-		ext = "png"
 	case discordgo.StickerFormatTypeAPNG:
 		mime = "image/apng"
-		ext = "png"
 	case discordgo.StickerFormatTypeLottie:
 		mime = "application/json"
-		ext = "json"
 	case discordgo.StickerFormatTypeGIF:
 		mime = "image/gif"
-		ext = "gif"
 	default:
 		zerolog.Ctx(ctx).Warn().
 			Int("sticker_format", int(sticker.FormatType)).
@ -130,8 +125,9 @@ func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appserv
 		},
 	}

-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Sticker(sticker.ID, ext)
-	if mxc.IsEmpty() {
+	mxc := portal.bridge.DMA.StickerMXC(sticker.ID, sticker.FormatType)
+	// TODO add config option to use direct media even for lottie stickers
+	if mxc.IsEmpty() && mime != "application/json" {
 		content = portal.convertDiscordFile(ctx, "sticker", intent, sticker.ID, sticker.URL(), content)
 	} else {
 		content.URL = mxc.CUString()
@ -144,7 +140,7 @@ func (portal *Portal) convertDiscordSticker(ctx context.Context, intent *appserv
 	}
 }

-func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *appservice.IntentAPI, att *discordgo.MessageAttachment) *ConvertedMessage {
+func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *appservice.IntentAPI, messageID string, att *discordgo.MessageAttachment) *ConvertedMessage {
 	content := &event.MessageEventContent{
 		Body: att.Filename,
 		Info: &event.FileInfo{
@ -182,7 +178,7 @@ func (portal *Portal) convertDiscordAttachment(ctx context.Context, intent *apps
 	default:
 		content.MsgType = event.MsgFile
 	}
-	mxc := portal.bridge.Config.Bridge.MediaPatterns.Attachment(portal.Key.ChannelID, att.ID, att.Filename)
+	mxc := portal.bridge.DMA.AttachmentMXC(portal.Key.ChannelID, messageID, att)
 	if mxc.IsEmpty() {
 		content = portal.convertDiscordFile(ctx, "attachment", intent, att.ID, att.URL, content)
 	} else {
@ -201,8 +197,18 @@ func (portal *Portal) convertDiscordVideoEmbed(ctx context.Context, intent *apps
 	var proxyURL string
 	if embed.Video != nil {
 		proxyURL = embed.Video.ProxyURL
-	} else {
+	} else if embed.Thumbnail != nil {
 		proxyURL = embed.Thumbnail.ProxyURL
+	} else {
+		zerolog.Ctx(ctx).Warn().Str("embed_url", embed.URL).Msg("No video or thumbnail proxy URL found in embed")
+		return &ConvertedMessage{
+			AttachmentID: attachmentID,
+			Type:         event.EventMessage,
+			Content: &event.MessageEventContent{
+				Body:    "Failed to bridge media: no video or thumbnail proxy URL found in embed",
+				MsgType: event.MsgNotice,
+			},
+		}
 	}
 	dbFile, err := portal.bridge.copyAttachmentToMatrix(intent, proxyURL, portal.Encrypted, NoMeta)
 	if err != nil {
@ -277,7 +283,7 @@ func (portal *Portal) convertDiscordMessage(ctx context.Context, puppet *Puppet,
 		}
 		handledIDs[att.ID] = struct{}{}
 		log := log.With().Str("attachment_id", att.ID).Logger()
-		if part := portal.convertDiscordAttachment(log.WithContext(ctx), intent, att); part != nil {
+		if part := portal.convertDiscordAttachment(log.WithContext(ctx), intent, msg.ID, att); part != nil {
 			parts = append(parts, part)
 		}
 	}
@ -621,9 +627,14 @@ func getEmbedType(msg *discordgo.Message, embed *discordgo.MessageEmbed) BridgeE
 }

 func isPlainGifMessage(msg *discordgo.Message) bool {
-	return len(msg.Embeds) == 1 && msg.Embeds[0].URL == msg.Content &&
-		((msg.Embeds[0].Type == discordgo.EmbedTypeGifv && msg.Embeds[0].Video != nil) ||
-			(msg.Embeds[0].Type == discordgo.EmbedTypeImage && msg.Embeds[0].Image == nil && msg.Embeds[0].Thumbnail != nil))
+	if len(msg.Embeds) != 1 {
+		return false
+	}
+	embed := msg.Embeds[0]
+	isGifVideo := embed.Type == discordgo.EmbedTypeGifv && embed.Video != nil
+	isGifImage := embed.Type == discordgo.EmbedTypeImage && embed.Image == nil && embed.Thumbnail != nil
+	contentIsOnlyURL := msg.Content == embed.URL || discordLinkRegexFull.MatchString(msg.Content)
+	return contentIsOnlyURL && (isGifVideo || isGifImage)
 }

 func (portal *Portal) convertDiscordMentions(msg *discordgo.Message, syncGhosts bool) *event.Mentions {
@ -668,7 +679,7 @@ func (portal *Portal) convertDiscordTextMessage(ctx context.Context, intent *app
 		htmlParts = append(htmlParts, fmt.Sprintf(msgInteractionTemplateHTML, puppet.MXID, puppet.Name, msg.Interaction.Name))
 	}
 	if msg.Content != "" && !isPlainGifMessage(msg) {
-		htmlParts = append(htmlParts, portal.renderDiscordMarkdownOnlyHTML(msg.Content, false))
+		htmlParts = append(htmlParts, portal.renderDiscordMarkdownOnlyHTML(msg.Content, true))
 	}
 	previews := make([]*BeeperLinkPreview, 0)
 	for i, embed := range msg.Embeds {
--- a/provisioning.go
+++ b/provisioning.go
@ -7,6 +7,7 @@ import (
 	"errors"
 	"net"
 	"net/http"
+	_ "net/http/pprof"
 	"strings"
 	"time"

@ -71,6 +72,13 @@ func newProvisioningAPI(br *DiscordBridge) *ProvisioningAPI {
 	r.HandleFunc("/v1/guilds/{guildID}", p.guildsBridge).Methods(http.MethodPost)
 	r.HandleFunc("/v1/guilds/{guildID}", p.guildsUnbridge).Methods(http.MethodDelete)

+	if p.bridge.Config.Bridge.Provisioning.DebugEndpoints {
+		p.log.Debugln("Enabling debug API at /debug")
+		r := p.bridge.AS.Router.PathPrefix("/debug").Subrouter()
+		r.Use(p.authMiddleware)
+		r.PathPrefix("/pprof").Handler(http.DefaultServeMux)
+	}
+
 	return p
 }

--- a/puppet.go
+++ b/puppet.go
@ -217,27 +217,23 @@ func (puppet *Puppet) UpdateName(info *discordgo.User) bool {
 }

 func (br *DiscordBridge) reuploadUserAvatar(intent *appservice.IntentAPI, guildID, userID, avatarID string) (id.ContentURI, string, error) {
-	var downloadURL, ext string
+	var downloadURL string
 	if guildID == "" {
-		downloadURL = discordgo.EndpointUserAvatar(userID, avatarID)
-		ext = "png"
 		if strings.HasPrefix(avatarID, "a_") {
 			downloadURL = discordgo.EndpointUserAvatarAnimated(userID, avatarID)
-			ext = "gif"
+		} else {
+			downloadURL = discordgo.EndpointUserAvatar(userID, avatarID)
 		}
 	} else {
-		downloadURL = discordgo.EndpointGuildMemberAvatar(guildID, userID, avatarID)
-		ext = "png"
 		if strings.HasPrefix(avatarID, "a_") {
 			downloadURL = discordgo.EndpointGuildMemberAvatarAnimated(guildID, userID, avatarID)
-			ext = "gif"
+		} else {
+			downloadURL = discordgo.EndpointGuildMemberAvatar(guildID, userID, avatarID)
 		}
 	}
-	if guildID == "" {
-		url := br.Config.Bridge.MediaPatterns.Avatar(userID, avatarID, ext)
-		if !url.IsEmpty() {
-			return url, downloadURL, nil
-		}
+	url := br.DMA.AvatarMXC(guildID, userID, avatarID)
+	if !url.IsEmpty() {
+		return url, downloadURL, nil
 	}
 	copied, err := br.copyAttachmentToMatrix(intent, downloadURL, false, AttachmentMeta{
 		AttachmentID: fmt.Sprintf("avatar/%s/%s/%s", guildID, userID, avatarID),
--- a/user.go
+++ b/user.go
@ -17,8 +17,7 @@ import (
 	"github.com/bwmarrin/discordgo"
 	"github.com/gorilla/websocket"
 	"github.com/rs/zerolog"
-	"maunium.net/go/mautrix/util/dbutil"
-
+	"go.mau.fi/util/dbutil"
 	"maunium.net/go/mautrix"
 	"maunium.net/go/mautrix/appservice"
 	"maunium.net/go/mautrix/bridge"
@ -101,7 +100,7 @@ func discordToZeroLevel(level int) zerolog.Level {

 func init() {
 	discordgo.Logger = func(msgL, caller int, format string, a ...interface{}) {
-		discordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...)
+		discordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...) // zerolog-allow-msgf
 	}
 }

@ -196,6 +195,12 @@ func (br *DiscordBridge) GetCachedUserByID(id string) *User {
 	return br.usersByID[id]
 }

+func (br *DiscordBridge) GetCachedUserByMXID(userID id.UserID) *User {
+	br.usersLock.Lock()
+	defer br.usersLock.Unlock()
+	return br.usersByMXID[userID]
+}
+
 func (br *DiscordBridge) NewUser(dbUser *database.User) *User {
 	user := &User{
 		User:   dbUser,
@ -369,37 +374,6 @@ func (user *User) GetDMSpaceRoom() id.RoomID {
 	return user.getSpaceRoom(&user.DMSpaceRoom, "Direct Messages", "Your Discord direct messages", user.GetSpaceRoom())
 }

-func (user *User) tryAutomaticDoublePuppeting() {
-	user.Lock()
-	defer user.Unlock()
-
-	if !user.bridge.Config.CanAutoDoublePuppet(user.MXID) {
-		return
-	}
-
-	user.log.Debug().Msg("Checking if double puppeting needs to be enabled")
-
-	puppet := user.bridge.GetPuppetByID(user.DiscordID)
-	if puppet.CustomMXID != "" {
-		user.log.Debug().Msg("User already has double-puppeting enabled")
-		return
-	}
-
-	accessToken, err := puppet.loginWithSharedSecret(user.MXID)
-	if err != nil {
-		user.log.Warn().Err(err).Msg("Failed to login with shared secret")
-		return
-	}
-
-	err = puppet.SwitchCustomMXID(accessToken, user.MXID)
-	if err != nil {
-		puppet.log.Warn().Err(err).Msg("Failed to switch to auto-logined custom puppet")
-		return
-	}
-
-	user.log.Info().Msg("Successfully automatically enabled custom puppet")
-}
-
 func (user *User) ViewingChannel(portal *Portal) bool {
 	if portal.GuildID != "" || !user.Session.IsUser {
 		return false
@ -580,7 +554,7 @@ func (user *User) Connect() error {
 	}
 	userDiscordLog := user.log.With().Str("component", "discordgo").Logger()
 	session.Logger = func(msgL, caller int, format string, a ...interface{}) {
-		userDiscordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...)
+		userDiscordLog.WithLevel(discordToZeroLevel(msgL)).Caller(caller+1).Msgf(strings.TrimSpace(format), a...) // zerolog-allow-msgf
 	}
 	if !session.IsUser {
 		session.Identify.Intents = BotIntents
@ -589,7 +563,15 @@ func (user *User) Connect() error {

 	user.Session = session

-	return user.Session.Open()
+	for {
+		err = user.Session.Open()
+		if errors.Is(err, discordgo.ErrImmediateDisconnect) {
+			user.log.Warn().Err(err).Msg("Retrying initial connection in 5 seconds")
+			time.Sleep(5 * time.Second)
+			continue
+		}
+		return err
+	}
 }

 func (user *User) eventHandlerSync(rawEvt any) {
@ -960,8 +942,11 @@ func (user *User) handleGuild(meta *discordgo.Guild, timestamp time.Time, isInSp
 	guild.UpdateInfo(user, meta)
 	if len(meta.Channels) > 0 {
 		for _, ch := range meta.Channels {
+			if !user.channelIsBridgeable(ch) {
+				continue
+			}
 			portal := user.GetPortalByMeta(ch)
-			if guild.BridgingMode >= database.GuildBridgeEverything && portal.MXID == "" && user.channelIsBridgeable(ch) {
+			if guild.BridgingMode >= database.GuildBridgeEverything && portal.MXID == "" {
 				err := portal.CreateMatrixRoom(user, ch)
 				if err != nil {
 					user.log.Error().Err(err).
Author	SHA1	Message	Date
Tulir Asokan	ce1f401ddc	Bump version to v0.7.0	2024-07-16 11:28:58 +03:00
Tulir Asokan	2f5b3fcbfb	Don't use mxid in mention pills	2024-07-15 19:26:09 +03:00
Tulir Asokan	035f2a408b	Add support for authenticated media	2024-07-12 20:09:07 +03:00
Tulir Asokan	a126a36249	Add create-portal command	2024-06-24 21:43:11 +03:00
Tulir Asokan	1fef7a0ee2	Create category space if necessary when creating channel room	2024-06-24 21:36:38 +03:00
Tulir Asokan	2da2aa47e9	Always use guild room for join rule	2024-06-24 21:28:45 +03:00
Tulir Asokan	a6d9e62b49	Add support for MSC3916 endpoints for direct media	2024-05-31 21:45:50 +03:00
Tulir Asokan	8d01c30014	Fix finding client to fetch messages through	2024-02-18 23:41:25 +02:00
Tulir Asokan	2a7a2c3895	Parse expiry from URL	2024-02-18 23:41:25 +02:00
Tulir Asokan	23ae2d314f	Update changelog	2024-02-18 23:26:03 +02:00
Tulir Asokan	737e4c89e0	Update minimum Go version	2024-02-18 23:12:35 +02:00
Tulir Asokan	9402d0d291	Fix mass inserting messages	2024-02-18 23:11:31 +02:00
Tulir Asokan	d0e3d2966a	Redo direct media access with URL refreshing (#135 )	2024-02-18 23:10:19 +02:00
Tulir Asokan	a5813a9d78	Bump version to v0.6.5	2024-01-16 16:19:53 +02:00
Tulir Asokan	5de499a3b5	Reuse existing getEvent function	2024-01-06 11:11:39 +02:00
Tulir Asokan	3f5484c73e	Add support for encrypted events in webhook replies Obviously won't help if the encryption hardening options are enabled, because the point of those is to prevent the bridge from decrypting old messages. Fixes #131	2024-01-06 11:09:31 +02:00
Tulir Asokan	8035a2d3a1	Update actions and run on both supported Go versions [skip cd]	2023-12-28 17:26:36 +01:00
Sumner Evans	f69c02acb6	pre-commit: ban Msgf() from zerolog Signed-off-by: Sumner Evans <sumner@beeper.com>	2023-12-24 11:26:41 -07:00
Tulir Asokan	8c8cfa8f6b	Update dependencies	2023-12-24 20:25:05 +02:00
Toni Spets	643d4c6e39	Expose debug API with pprof Runs along the provisioning API with same authentication.	2023-12-05 12:11:57 +02:00
Tulir Asokan	c013873d1c	Bump version to v0.6.4	2023-11-16 15:29:23 +02:00
Tulir Asokan	394c0a05d3	Update dependencies	2023-11-16 15:27:12 +02:00
Tulir Asokan	2138b6115f	Update .gitignore	2023-11-08 17:45:43 +02:00
Tulir Asokan	5b8473b3de	Send error messages in thread if applicable	2023-11-08 17:45:17 +02:00
Tulir Asokan	45359853de	Bump version to v0.6.3	2023-10-16 13:27:01 +03:00
Tulir Asokan	a51ed70f45	Update dependencies	2023-10-16 13:22:40 +03:00
Tulir Asokan	d9e1292a9e	Update changelog	2023-10-13 21:32:54 +03:00
Tulir Asokan	0f35e27d81	Update discordgo to fix handling op7 while connecting	2023-10-13 21:31:38 +03:00
Tulir Asokan	318d6f3fe6	Try to avoid syncing other user into DM portals	2023-10-03 17:22:29 +03:00
Tulir Asokan	b0a7cbca13	Update custom emoji status in roadmap	2023-10-03 17:22:25 +03:00
Tulir Asokan	308f47e2fa	Bump version to v0.6.2	2023-09-16 10:34:07 -04:00
Florian Badie	2c396e553e	Fix "video" embeds with missing video URLs (#110 )	2023-09-01 08:22:53 +00:00
Tulir Asokan	c710ea18aa	Don't panic if redacting attachment fails	2023-08-29 11:43:36 +03:00
Tulir Asokan	185f9a8963	Move double puppeting login code to mautrix-go	2023-08-22 19:01:08 +03:00
Tulir Asokan	345391f8b1	Allow inline links in normal messages	2023-08-17 20:46:18 +03:00
Tulir Asokan	fb6d89a88f	Bump version to v0.6.1	2023-08-17 00:57:00 +03:00
Tulir Asokan	acaaa9f0f8	Update dependencies	2023-08-17 00:54:38 +03:00
Tulir Asokan	2ec3b0ebce	Update discordgo	2023-08-04 18:42:02 +03:00
Tulir Asokan	802ec555d6	Update discordgo to remove need to fetch own member info manually	2023-08-04 14:16:36 +03:00
Tulir Asokan	84a6fbc571	Move channelIsBridgeable check when syncing guild channels Fixes #107	2023-08-04 13:47:25 +03:00
Tulir Asokan	0391750fea	Fix handling gifs where canonical URL is different	2023-08-03 00:17:15 +03:00