Handle logged out OAuth apex

Basic /authorize framework for cloud auth
Merge branch 'main' of github.com:outline/outline into oauth-server
2026-06-14 03:45:00 +03:00 · 2025-04-28 19:43:17 -04:00 · 2025-04-28 17:56:53 -04:00 · 2025-04-27 20:12:44 -04:00 · 2025-04-26 18:00:52 -04:00 · 2025-04-26 17:25:04 -04:00
97 changed files with 1365 additions and 2222 deletions
@@ -1,4 +1,3 @@
-import uniq from "lodash/uniq";
 import { observer } from "mobx-react";
 import * as React from "react";
 import { Controller, useForm } from "react-hook-form";
@@ -19,7 +18,6 @@ import Switch from "~/components/Switch";
 import Text from "~/components/Text";
 import useBoolean from "~/hooks/useBoolean";
 import useCurrentTeam from "~/hooks/useCurrentTeam";
-import useStores from "~/hooks/useStores";
 import { EmptySelectValue } from "~/types";

 const IconPicker = React.lazy(() => import("~/components/IconPicker"));
@@ -32,26 +30,6 @@ export interface FormData {
  permission: CollectionPermission | undefined;
 }

-const useIconColor = (collection?: Collection) => {
-  const { collections } = useStores();
-  const hasMultipleCollections = collections.orderedData.length > 1;
-  const collectionColors = uniq(
-    collections.orderedData.map((c) => c.color).filter(Boolean)
-  ) as string[];
-
-  const iconColor = React.useMemo(
-    () =>
-      collection?.color ??
-      // If all the existing collections have the same color, use that color,
-      // otherwise pick a random color from the palette
-      (hasMultipleCollections && collectionColors.length === 1
-        ? collectionColors[0]
-        : randomElement(colorPalette)),
-    [collection?.color]
-  );
-  return iconColor;
-};
-
 export const CollectionForm = observer(function CollectionForm_({
  handleSubmit,
  collection,
@@ -64,7 +42,11 @@ export const CollectionForm = observer(function CollectionForm_({

  const [hasOpenedIconPicker, setHasOpenedIconPicker] = useBoolean(false);

-  const iconColor = useIconColor(collection);
+  const iconColor = React.useMemo(
+    () => collection?.color ?? randomElement(colorPalette),
+    [collection?.color]
+  );
+
  const fallbackIcon = <Icon value="collection" color={iconColor} />;

  const {
@@ -6,18 +6,15 @@ import { toast } from "sonner";
 import styled from "styled-components";
 import { richExtensions } from "@shared/editor/nodes";
 import { s } from "@shared/styles";
-import { ProsemirrorHelper } from "@shared/utils/ProsemirrorHelper";
 import { CollectionValidation } from "@shared/validations";
 import Collection from "~/models/Collection";
-import Document from "~/models/Document";
 import Editor from "~/components/Editor";
 import LoadingIndicator from "~/components/LoadingIndicator";
-import Text from "~/components/Text";
 import { withUIExtensions } from "~/editor/extensions";
 import useCurrentUser from "~/hooks/useCurrentUser";
 import usePolicy from "~/hooks/usePolicy";
 import useStores from "~/hooks/useStores";
-import { Properties } from "~/types";
+import Text from "./Text";

 const extensions = withUIExtensions(richExtensions);

@@ -25,8 +22,8 @@ type Props = {
  collection: Collection;
 };

-function Overview({ collection }: Props) {
-  const { documents, collections } = useStores();
+function CollectionDescription({ collection }: Props) {
+  const { collections } = useStores();
  const { t } = useTranslation();
  const user = useCurrentUser({ rejectOnEmpty: true });
  const can = usePolicy(collection);
@@ -57,24 +54,6 @@ function Overview({ collection }: Props) {
    [childOffsetHeight]
  );

-  const onCreateLink = React.useCallback(
-    async (params: Properties<Document>) => {
-      const newDocument = await documents.create(
-        {
-          collectionId: collection.id,
-          data: ProsemirrorHelper.getEmptyDocument(),
-          ...params,
-        },
-        {
-          publish: true,
-        }
-      );
-
-      return newDocument.url;
-    },
-    [collection, documents]
-  );
-
  return (
    <>
      {collections.isSaving && <LoadingIndicator />}
@@ -86,7 +65,6 @@ function Overview({ collection }: Props) {
            placeholder={`${t("Add a description")}…`}
            extensions={extensions}
            maxLength={CollectionValidation.maxDescriptionLength}
-            onCreateLink={onCreateLink}
            canUpdate={can.update}
            readOnly={!can.update}
            userId={user.id}
@@ -105,4 +83,4 @@ const Placeholder = styled(Text)`
  min-height: 27px;
 `;

-export default observer(Overview);
+export default observer(CollectionDescription);
@@ -321,7 +321,6 @@ const Container = styled(Flex)<ContainerProps>`
  z-index: ${depths.mobileSidebar};
  max-width: 80%;
  min-width: 280px;
-  padding-left: var(--sal);
  ${fadeOnDesktopBackgrounded()}

  @media print {
@@ -38,10 +38,10 @@ function StarredLink({ star }: Props) {
  const { ui, collections, documents } = useStores();
  const [menuOpen, handleMenuOpen, handleMenuClose] = useBoolean();
  const { documentId, collectionId } = star;
-  const collection = collectionId ? collections.get(collectionId) : undefined;
+  const collection = collections.get(collectionId);
  const locationSidebarContext = useLocationSidebarContext();
  const sidebarContext = starredSidebarContext(
-    star.documentId ?? star.collectionId ?? ""
+    star.documentId ?? star.collectionId
  );
  const [expanded, setExpanded] = useState(
    (star.documentId
@@ -41,7 +41,6 @@ function useKeyboardShortcuts({
  useKeyDown(
    (ev) =>
      isModKey(ev) &&
-      !popover.visible &&
      ev.code === "KeyF" &&
      // Keyboard handler is through the AppMenu on Desktop v1.2.0+
      !(Desktop.bridge && "onFindInPage" in Desktop.bridge),
@@ -7,7 +7,6 @@ import { isCode } from "@shared/editor/lib/isCode";
 import { findParentNode } from "@shared/editor/queries/findParentNode";
 import { EditorStyleHelper } from "@shared/editor/styles/EditorStyleHelper";
 import { depths, s } from "@shared/styles";
-import { getSafeAreaInsets } from "@shared/utils/browser";
 import { HEADER_HEIGHT } from "~/components/Header";
 import { Portal } from "~/components/Portal";
 import useEventListener from "~/hooks/useEventListener";
@@ -242,16 +241,12 @@ const FloatingToolbar = React.forwardRef(function FloatingToolbar_(

    if (props.active) {
      const rect = document.body.getBoundingClientRect();
-      const safeAreaInsets = getSafeAreaInsets();
-
      return (
        <ReactPortal>
          <MobileWrapper
            ref={menuRef}
            style={{
-              bottom: `calc(100% - ${
-                height - rect.y - safeAreaInsets.bottom
-              }px)`,
+              bottom: `calc(100% - ${height - rect.y}px)`,
            }}
          >
            {props.children}
@@ -6,7 +6,6 @@ import { v4 } from "uuid";
 import { EmbedDescriptor } from "@shared/editor/embeds";
 import { MenuItem } from "@shared/editor/types";
 import { MentionType } from "@shared/types";
-import { isUrl } from "@shared/utils/urls";
 import Integration from "~/models/Integration";
 import useCurrentUser from "~/hooks/useCurrentUser";
 import useStores from "~/hooks/useStores";
@@ -30,9 +29,9 @@ export const PasteMenu = observer(({ pastedText, embeds, ...props }: Props) => {
  const user = useCurrentUser({ rejectOnEmpty: false });

  let mentionType: MentionType | undefined;
+  const url = pastedText ? new URL(pastedText) : undefined;

-  if (pastedText && isUrl(pastedText)) {
-    const url = new URL(pastedText);
+  if (url) {
    const integration = integrations.find((intg: Integration) =>
      isURLMentionable({ url, integration: intg })
    );
@@ -2,8 +2,7 @@ import Extension from "@shared/editor/lib/Extension";
 import { InputRule } from "@shared/editor/lib/InputRule";

 const rightArrow = new InputRule(/->$/, "→");
-// Note that the suppression of pipe here prevents conflict with table creation rule.
-const emdash = new InputRule(/(?:^|[^\|])(--)$/, "—");
+const emdash = new InputRule(/--$/, "—");
 const oneHalf = new InputRule(/(?:^|\s)(1\/2)$/, "½");
 const threeQuarters = new InputRule(/(?:^|\s)(3\/4)$/, "¾");
 const copyright = new InputRule(/\(c\)$/, "©️");
@@ -67,7 +67,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+B`,
      icon: <BoldIcon />,
      active: isMarkActive(schema.marks.strong),
-      visible: !isCodeBlock && (!isMobile || !isEmpty),
+      visible: !isCode && (!isMobile || !isEmpty),
    },
    {
      name: "em",
@@ -75,7 +75,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+I`,
      icon: <ItalicIcon />,
      active: isMarkActive(schema.marks.em),
-      visible: !isCodeBlock && (!isMobile || !isEmpty),
+      visible: !isCode && (!isMobile || !isEmpty),
    },
    {
      name: "strikethrough",
@@ -83,7 +83,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+D`,
      icon: <StrikethroughIcon />,
      active: isMarkActive(schema.marks.strikethrough),
-      visible: !isCodeBlock && (!isMobile || !isEmpty),
+      visible: !isCode && (!isMobile || !isEmpty),
    },
    {
      tooltip: dictionary.mark,
@@ -331,16 +331,6 @@ export default class Document extends ArchivableModel implements Searchable {
    );
  }

-  /**
-   * Returns the documents that link to this document.
-   *
-   * @returns documents that link to this document
-   */
-  @computed
-  get backlinks(): Document[] {
-    return this.store.getBacklinkedDocuments(this.id);
-  }
-
  /**
   * Returns users that have been individually given access to the document.
   *
@@ -22,7 +22,7 @@ class Star extends Model {
  document?: Document;

  /** The collection ID that is starred. */
-  collectionId?: string;
+  collectionId: string;

  /** The collection that is starred. */
  @Relation(() => Collection, { onDelete: "cascade" })
@@ -20,6 +20,7 @@ import Collection from "~/models/Collection";
 import { Action } from "~/components/Actions";
 import CenteredContent from "~/components/CenteredContent";
 import { CollectionBreadcrumb } from "~/components/CollectionBreadcrumb";
+import CollectionDescription from "~/components/CollectionDescription";
 import Heading from "~/components/Heading";
 import CollectionIcon from "~/components/Icons/CollectionIcon";
 import InputSearchPage from "~/components/InputSearchPage";
@@ -45,7 +46,6 @@ import DropToImport from "./components/DropToImport";
 import Empty from "./components/Empty";
 import MembershipPreview from "./components/MembershipPreview";
 import Notices from "./components/Notices";
-import Overview from "./components/Overview";
 import ShareButton from "./components/ShareButton";

 const IconPicker = React.lazy(() => import("~/components/IconPicker"));
@@ -66,6 +66,7 @@ const CollectionScene = observer(function _CollectionScene() {
  const location = useLocation();
  const { t } = useTranslation();
  const { documents, collections, ui } = useStores();
+  const [isFetching, setFetching] = React.useState(false);
  const [error, setError] = React.useState<Error | undefined>();
  const currentPath = location.pathname;
  const [, setLastVisitedPath] = useLastVisitedPath();
@@ -119,16 +120,21 @@ const CollectionScene = observer(function _CollectionScene() {

  React.useEffect(() => {
    async function fetchData() {
-      try {
-        setError(undefined);
-        await collections.fetch(id);
-      } catch (err) {
-        setError(err);
+      if ((!can || !collection) && !error && !isFetching) {
+        try {
+          setError(undefined);
+          setFetching(true);
+          await collections.fetch(id);
+        } catch (err) {
+          setError(err);
+        } finally {
+          setFetching(false);
+        }
      }
    }

    void fetchData();
-  }, []);
+  }, [collections, isFetching, collection, error, id, can]);

  useCommandBarActions([editCollection], [ui.activeCollectionId ?? "none"]);

@@ -259,7 +265,7 @@ const CollectionScene = observer(function _CollectionScene() {
                path={collectionPath(collection.path, CollectionPath.Overview)}
              >
                {hasOverview ? (
-                  <Overview collection={collection} />
+                  <CollectionDescription collection={collection} />
                ) : (
                  <Redirect
                    to={{
@@ -18,7 +18,7 @@ type Props = {
 };

 function References({ document }: Props) {
-  const { documents } = useStores();
+  const { collections, documents } = useStores();
  const user = useCurrentUser();
  const location = useLocation();
  const locationSidebarContext = useLocationSidebarContext();
@@ -27,8 +27,10 @@ function References({ document }: Props) {
    void documents.fetchBacklinks(document.id);
  }, [documents, document.id]);

-  const backlinks = document.backlinks;
-  const collection = document.collection;
+  const backlinks = documents.getBacklinkedDocuments(document.id);
+  const collection = document.collectionId
+    ? collections.get(document.collectionId)
+    : undefined;
  const children = collection
    ? collection.getChildrenForDocument(document.id)
    : [];
@@ -4,7 +4,6 @@ import styled from "styled-components";
 import Flex from "@shared/components/Flex";
 import { s } from "@shared/styles";
 import { parseDomain } from "@shared/utils/domains";
-import type OAuthClient from "~/models/oauth/OAuthClient";
 import ButtonLarge from "~/components/ButtonLarge";
 import ChangeLanguage from "~/components/ChangeLanguage";
 import Heading from "~/components/Heading";
@@ -17,7 +16,6 @@ import { useLoggedInSessions } from "~/hooks/useLoggedInSessions";
 import useQuery from "~/hooks/useQuery";
 import useRequest from "~/hooks/useRequest";
 import { client } from "~/utils/ApiClient";
-import { BadRequestError, NotFoundError } from "~/utils/errors";
 import isCloudHosted from "~/utils/isCloudHosted";
 import { detectLanguage } from "~/utils/language";
 import Login from "./Login";
@@ -68,17 +66,12 @@ function Authorize() {
    scope,
  } = Object.fromEntries(params);
  const [scopes] = React.useState(() => scope?.split(" ") ?? []);
-  const { error: clientError, data: response } = useRequest<{
-    data: OAuthClient;
-  }>(() => client.post("/oauthClients.info", { clientId, redirectUri }), true);
+  const { error: clientError, data: response } = useRequest(
+    () => client.post("/oauthClients.info", { clientId }),
+    true
+  );

  const handleCancel = () => {
-    if (redirectUri && !clientError) {
-      const url = new URL(redirectUri);
-      url.searchParams.set("error", "access_denied");
-      window.location.href = url.toString();
-      return;
-    }
    if (window.history.length) {
      window.history.back();
    } else {
@@ -103,7 +96,6 @@ function Authorize() {
    !redirectUri && "redirect_uri",
    !responseType && "response_type",
    !scope && "scope",
-    !state && "state",
  ].filter(Boolean);

  if (missingParams.length || clientError) {
@@ -111,20 +103,13 @@ function Authorize() {
      <Background>
        <Centered>
          <StyledHeading>{t("An error occurred")}</StyledHeading>
-          {clientError instanceof NotFoundError ? (
+          {clientError ? (
            <Text as="p" type="secondary">
              {t(
                "The OAuth client could not be found, please check the provided client ID"
              )}
              <Pre>{clientId}</Pre>
            </Text>
-          ) : clientError instanceof BadRequestError ? (
-            <Text as="p" type="secondary">
-              {t(
-                "The OAuth client could not be loaded, please check the redirect URI is valid"
-              )}
-              <Pre>{redirectUri}</Pre>
-            </Text>
          ) : (
            <Text as="p" type="secondary">
              {t("Required OAuth parameters are missing")}
@@ -80,16 +80,11 @@ const Application = observer(function Application({ oauthClient }: Props) {
    async (data: FormData) => {
      try {
        await oauthClient.save(data);
-        toast.success(
-          oauthClient.published
-            ? t("Application published")
-            : t("Application updated")
-        );
      } catch (error) {
        toast.error(error.message);
      }
    },
-    [oauthClient, t]
+    [oauthClient]
  );

  const handleRotateSecret = React.useCallback(async () => {
@@ -178,6 +173,7 @@ const Application = observer(function Application({ oauthClient }: Props) {
          <Input
            type="text"
            {...register("description", {
+              required: true,
              maxLength: OAuthClientValidation.maxDescriptionLength,
            })}
            flex
@@ -186,13 +186,6 @@ export default class CollectionsStore extends Store<Collection> {
      statusFilter: [CollectionStatusFilter.Archived],
    });

-  get(id: string): Collection | undefined {
-    return (
-      this.data.get(id) ??
-      this.orderedData.find((collection) => id.endsWith(collection.urlId))
-    );
-  }
-
  @computed
  get archived(): Collection[] {
    return orderBy(this.orderedData, "archivedAt", "desc").filter(
@@ -279,14 +279,19 @@ export default class DocumentsStore extends Store<Document> {

  @action
  fetchBacklinks = async (documentId: string): Promise<void> => {
-    const documents = await this.fetchAll({
+    const res = await client.post(`/documents.list`, {
      backlinkDocumentId: documentId,
    });
+    invariant(res?.data, "Document list not available");
+    const { data } = res;

    runInAction("DocumentsStore#fetchBacklinks", () => {
+      data.forEach(this.add);
+      this.addPolicies(res.policies);
+
      this.backlinks.set(
        documentId,
-        documents.map((doc) => doc.id)
+        data.map((doc: Partial<Document>) => doc.id)
      );
    });
  };
@@ -295,8 +300,8 @@ export default class DocumentsStore extends Store<Document> {
    const documentIds = this.backlinks.get(documentId) || [];
    return orderBy(
      compact(documentIds.map((id) => this.data.get(id))),
-      "title",
-      "asc"
+      "updatedAt",
+      "desc"
    );
  }

@@ -48,18 +48,18 @@
    "> 0.25%, not dead"
  ],
  "dependencies": {
-    "@aws-sdk/client-s3": "3.803.0",
-    "@aws-sdk/lib-storage": "3.803.0",
-    "@aws-sdk/s3-presigned-post": "3.803.0",
-    "@aws-sdk/s3-request-presigner": "3.803.0",
-    "@aws-sdk/signature-v4-crt": "^3.803.0",
-    "@babel/core": "^7.27.1",
-    "@babel/plugin-proposal-decorators": "^7.27.1",
-    "@babel/plugin-transform-class-properties": "^7.27.1",
-    "@babel/plugin-transform-destructuring": "^7.27.1",
-    "@babel/plugin-transform-regenerator": "^7.27.1",
-    "@babel/preset-env": "^7.27.1",
-    "@babel/preset-react": "^7.27.1",
+    "@aws-sdk/client-s3": "3.787.0",
+    "@aws-sdk/lib-storage": "3.787.0",
+    "@aws-sdk/s3-presigned-post": "3.787.0",
+    "@aws-sdk/s3-request-presigner": "3.787.0",
+    "@aws-sdk/signature-v4-crt": "^3.787.0",
+    "@babel/core": "^7.26.10",
+    "@babel/plugin-proposal-decorators": "^7.25.9",
+    "@babel/plugin-transform-class-properties": "^7.25.9",
+    "@babel/plugin-transform-destructuring": "^7.25.9",
+    "@babel/plugin-transform-regenerator": "^7.27.0",
+    "@babel/preset-env": "^7.26.9",
+    "@babel/preset-react": "^7.26.3",
    "@benrbray/prosemirror-math": "^0.2.2",
    "@bull-board/api": "^6.7.10",
    "@bull-board/koa": "^6.7.10",
@@ -141,7 +141,7 @@
    "jsdom": "^22.1.0",
    "jsonwebtoken": "^9.0.0",
    "jszip": "^3.10.1",
-    "katex": "^0.16.22",
+    "katex": "^0.16.21",
    "kbar": "0.1.0-beta.41",
    "koa": "^2.16.1",
    "koa-body": "^6.0.1",
@@ -175,7 +175,7 @@
    "passport-oauth2": "^1.8.0",
    "passport-slack-oauth2": "^1.2.0",
    "patch-package": "^7.0.2",
-    "pg": "^8.15.6",
+    "pg": "^8.14.1",
    "pg-tsquery": "^8.4.2",
    "pluralize": "^8.0.0",
    "png-chunks-extract": "^1.0.0",
@@ -208,9 +208,9 @@
    "react-helmet-async": "^2.0.5",
    "react-hook-form": "^7.54.2",
    "react-i18next": "^12.3.1",
-    "react-medium-image-zoom": "5.2.14",
+    "react-medium-image-zoom": "5.2.13",
    "react-merge-refs": "^2.1.1",
-    "react-portal": "^4.3.0",
+    "react-portal": "^4.2.2",
    "react-router-dom": "^5.3.4",
    "react-virtualized-auto-sizer": "^1.0.26",
    "react-waypoint": "^10.3.0",
@@ -228,7 +228,6 @@
    "sequelize": "^6.37.3",
    "sequelize-cli": "^6.6.2",
    "sequelize-encrypted": "^1.0.0",
-    "sequelize-strict-attributes": "^1.0.2",
    "sequelize-typescript": "^2.1.6",
    "slug": "^5.3.0",
    "slugify": "^1.6.6",
@@ -249,9 +248,9 @@
    "umzug": "^3.8.2",
    "utility-types": "^3.11.0",
    "uuid": "^8.3.2",
-    "validator": "13.15.0",
+    "validator": "13.12.0",
    "vaul": "^1.1.2",
-    "vite": "^6.3.4",
+    "vite": "^6.3.3",
    "vite-plugin-pwa": "^0.21.2",
    "winston": "^3.17.0",
    "ws": "^7.5.10",
@@ -263,8 +262,8 @@
    "zod": "^3.24.2"
  },
  "devDependencies": {
-    "@babel/cli": "^7.27.1",
-    "@babel/preset-typescript": "^7.27.1",
+    "@babel/cli": "^7.27.0",
+    "@babel/preset-typescript": "^7.27.0",
    "@faker-js/faker": "^8.4.1",
    "@relative-ci/agent": "^4.3.0",
    "@testing-library/react": "^12.0.0",
@@ -329,7 +328,7 @@
    "@types/tmp": "^0.2.6",
    "@types/turndown": "^5.0.5",
    "@types/utf8": "^3.0.3",
-    "@types/validator": "^13.15.0",
+    "@types/validator": "^13.12.1",
    "@types/yauzl": "^2.10.3",
    "@typescript-eslint/eslint-plugin": "^6.21.0",
    "@typescript-eslint/parser": "^6.21.0",
@@ -358,7 +357,7 @@
    "jest-environment-jsdom": "^29.7.0",
    "jest-fetch-mock": "^3.0.3",
    "lint-staged": "^13.3.0",
-    "nodemon": "^3.1.10",
+    "nodemon": "^3.1.9",
    "postinstall-postinstall": "^2.1.0",
    "prettier": "^2.8.8",
    "react-refresh": "^0.14.2",
@@ -77,14 +77,14 @@ router.get(
      { transaction }
    );

-    transaction.afterCommit(async () => {
-      if (workspace.logoUrl) {
-        await new UploadLinearWorkspaceLogoTask().schedule({
+    if (workspace.logoUrl) {
+      transaction.afterCommit(async () => {
+        await UploadLinearWorkspaceLogoTask.schedule({
          integrationId: integration.id,
          logoUrl: workspace.logoUrl,
        });
-      }
-    });
+      });
+    }

    ctx.redirect(LinearUtils.successUrl());
  }
@@ -66,6 +66,6 @@ export class NotionImportsProcessor extends ImportsProcessor<IntegrationService.
  protected async scheduleTask(
    importTask: ImportTask<IntegrationService.Notion>
  ): Promise<void> {
-    await new NotionAPIImportTask().schedule({ importTaskId: importTask.id });
+    await NotionAPIImportTask.schedule({ importTaskId: importTask.id });
  }
 }
@@ -77,7 +77,7 @@ export default class NotionAPIImportTask extends APIImportTask<IntegrationServic
  protected async scheduleNextTask(
    importTask: ImportTask<IntegrationService.Notion>
  ) {
-    await new NotionAPIImportTask().schedule({ importTaskId: importTask.id });
+    await NotionAPIImportTask.schedule({ importTaskId: importTask.id });
    return;
  }

@@ -288,7 +288,7 @@ export class NotionConverter {
      if (item.mention.type === "link_mention") {
        return {
          type: "text",
-          text: item.plain_text || item.mention.link_mention.href,
+          text: item.plain_text,
          marks: [
            {
              type: "link",
@@ -302,7 +302,7 @@ export class NotionConverter {
      if (item.mention.type === "link_preview") {
        return {
          type: "text",
-          text: item.plain_text || item.mention.link_preview.url,
+          text: item.plain_text,
          marks: [
            {
              type: "link",
@@ -314,14 +314,14 @@ export class NotionConverter {
        };
      }

-      if (item.plain_text) {
-        return {
-          type: "text",
-          text: item.plain_text,
-        };
+      if (!item.plain_text) {
+        return undefined;
      }

-      return undefined;
+      return {
+        type: "text",
+        text: item.plain_text,
+      };
    }

    if (item.type === "equation") {
@@ -336,20 +336,20 @@ export class NotionConverter {
      };
    }

-    if (item.text.content) {
-      return {
-        type: "text",
-        text: item.text.content,
-        marks: [
-          ...mapAttrs(),
-          ...(item.text.link
-            ? [{ type: "link", attrs: { href: item.text.link.url } }]
-            : []),
-        ].filter(Boolean),
-      };
+    if (!item.text.content) {
+      return undefined;
    }

-    return undefined;
+    return {
+      type: "text",
+      text: item.text.content,
+      marks: [
+        ...mapAttrs(),
+        ...(item.text.link
+          ? [{ type: "link", attrs: { href: item.text.link.url } }]
+          : []),
+      ].filter(Boolean),
+    };
  }

  private static rich_text_to_plaintext(item: RichTextItemResponse) {
@@ -29,12 +29,8 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalled();
-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalledWith({
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalled();
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
      event,
      subscriptionId: subscription.id,
    });
@@ -57,9 +53,7 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalledTimes(0);
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalledTimes(0);
  });

  it("it schedules a delivery for the event for each subscription", async () => {
@@ -85,21 +79,13 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalled();
-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalledTimes(2);
-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalledWith({
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalled();
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalledTimes(2);
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
      event,
      subscriptionId: subscription.id,
    });
-    expect(
-      jest.mocked(DeliverWebhookTask.prototype.schedule)
-    ).toHaveBeenCalledWith({
+    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
      event,
      subscriptionId: subscriptionTwo.id,
    });
@@ -24,10 +24,7 @@ export default class WebhookProcessor extends BaseProcessor {

    await Promise.all(
      applicableSubscriptions.map((subscription) =>
-        new DeliverWebhookTask().schedule({
-          event,
-          subscriptionId: subscription.id,
-        })
+        DeliverWebhookTask.schedule({ event, subscriptionId: subscription.id })
      )
    );
  }
@@ -1,3 +1,4 @@
+import invariant from "invariant";
 import { Op, WhereOptions } from "sequelize";
 import isUUID from "validator/lib/isUUID";
 import { UrlHelper } from "@shared/utils/UrlHelper";
@@ -21,8 +22,8 @@ type Props = {

 type Result = {
  document: Document;
-  share: Share | null;
-  collection: Collection | null;
+  share?: Share;
+  collection?: Collection | null;
 };

 export default async function loadDocument({
@@ -32,9 +33,9 @@ export default async function loadDocument({
  user,
  includeState,
 }: Props): Promise<Result> {
-  let document: Document | null = null;
-  let collection: Collection | null = null;
-  let share: Share | null = null;
+  let document;
+  let collection;
+  let share;

  if (!shareId && !(id && user)) {
    throw AuthenticationError(`Authentication or shareId required`);
@@ -71,7 +72,20 @@ export default async function loadDocument({
      where: whereClause,
      include: [
        {
-          model: Document.scope("withDrafts"),
+          // unscoping here allows us to return unpublished documents
+          model: Document.unscoped(),
+          include: [
+            {
+              model: User,
+              as: "createdBy",
+              paranoid: false,
+            },
+            {
+              model: User,
+              as: "updatedBy",
+              paranoid: false,
+            },
+          ],
          required: true,
          as: "document",
        },
@@ -115,13 +129,14 @@ export default async function loadDocument({
    const canReadDocument = user && can(user, "read", document);

    if (canReadDocument) {
+      // Cannot use document.collection here as it does not include the
+      // documentStructure by default through the relationship.
      if (document.collectionId) {
-        collection = await Collection.scope("withDocumentStructure").findByPk(
-          document.collectionId,
-          {
-            rejectOnEmpty: true,
-          }
-        );
+        collection = await Collection.findByPk(document.collectionId);
+
+        if (!collection) {
+          throw NotFoundError("Collection could not be found for document");
+        }
      }

      return {
@@ -140,15 +155,11 @@ export default async function loadDocument({

    // It is possible to disable sharing at the collection so we must check
    if (document.collectionId) {
-      collection = await Collection.scope("withDocumentStructure").findByPk(
-        document.collectionId,
-        {
-          rejectOnEmpty: true,
-        }
-      );
+      collection = await Collection.findByPk(document.collectionId);
    }
+    invariant(collection, "collection not found");

-    if (!collection?.sharing) {
+    if (!collection.sharing) {
      throw AuthorizationError();
    }

@@ -1,3 +1,4 @@
+import invariant from "invariant";
 import { Transaction } from "sequelize";
 import { createContext } from "@server/context";
 import { traceFunction } from "@server/logging/tracing";
@@ -23,7 +24,7 @@ type Props = {
  /** Position of moved document within document structure */
  index?: number;
  /** The IP address of the user moving the document */
-  ip: string | null;
+  ip: string;
  /** The database transaction to run within */
  transaction?: Transaction;
 };
@@ -65,21 +66,16 @@ async function documentMover({
    result.documents.push(document);
  } else {
    // Load the current and the next collection upfront and lock them
-    const collection = await Collection.scope("withDocumentStructure").findByPk(
-      document.collectionId!,
-      {
-        transaction,
-        lock: Transaction.LOCK.UPDATE,
-        paranoid: false,
-      }
-    );
+    const collection = await Collection.findByPk(document.collectionId!, {
+      transaction,
+      lock: Transaction.LOCK.UPDATE,
+      paranoid: false,
+    });

    let newCollection = collection;
    if (collectionChanged) {
      if (collectionId) {
-        newCollection = await Collection.scope(
-          "withDocumentStructure"
-        ).findByPk(collectionId, {
+        newCollection = await Collection.findByPk(collectionId, {
          transaction,
          lock: Transaction.LOCK.UPDATE,
        });
@@ -148,14 +144,12 @@ async function documentMover({

      if (collectionId) {
        // Reload the collection to get relationship data
-        newCollection = await Collection.scope([
-          {
-            method: ["withMembership", user.id],
-          },
-        ]).findByPk(collectionId, {
+        newCollection = await Collection.scope({
+          method: ["withMembership", user.id],
+        }).findByPk(collectionId, {
          transaction,
-          rejectOnEmpty: true,
        });
+        invariant(newCollection, "Collection not found");

        result.collections.push(newCollection);

@@ -4,11 +4,9 @@ import DeleteAttachmentTask from "@server/queues/tasks/DeleteAttachmentTask";
 import { buildAttachment, buildDocument } from "@server/test/factories";
 import documentPermanentDeleter from "./documentPermanentDeleter";

-jest.mock("@server/queues/tasks/DeleteAttachmentTask");
-
-beforeEach(() => {
-  jest.resetAllMocks();
-});
+jest.mock("@server/queues/tasks/DeleteAttachmentTask", () => ({
+  schedule: jest.fn(),
+}));

 describe("documentPermanentDeleter", () => {
  it("should destroy documents", async () => {
@@ -62,9 +60,7 @@ describe("documentPermanentDeleter", () => {
    await document.save();
    const countDeletedDoc = await documentPermanentDeleter([document]);
    expect(countDeletedDoc).toEqual(1);
-    expect(
-      jest.mocked(DeleteAttachmentTask.prototype.schedule)
-    ).toHaveBeenCalledTimes(2);
+    expect(DeleteAttachmentTask.schedule).toHaveBeenCalledTimes(2);
    expect(
      await Document.unscoped().count({
        where: {
@@ -67,7 +67,7 @@ export default async function documentPermanentDeleter(documents: Document[]) {
            "commands",
            `Attachment ${attachmentId} scheduled for deletion`
          );
-          await new DeleteAttachmentTask().schedule({
+          await DeleteAttachmentTask.schedule({
            attachmentId,
            teamId: document.teamId,
          });
@@ -56,5 +56,5 @@ export default async function userSuspender({
    }
  );

-  await new CleanupDemotedUserTask().schedule({ userId: user.id });
+  await CleanupDemotedUserTask.schedule({ userId: user.id });
 }
@@ -1,29 +0,0 @@
-"use strict";
-
-const { execFileSync } = require("child_process");
-const path = require("path");
-
-/** @type {import('sequelize-cli').Migration} */
-module.exports = {
-  async up() {
-    if (
-      process.env.NODE_ENV === "test" ||
-      process.env.DEPLOYMENT === "hosted"
-    ) {
-      return;
-    }
-
-    const scriptName = path.basename(__filename);
-    const scriptPath = path.join(
-      process.cwd(),
-      "build",
-      `server/scripts/${scriptName}`
-    );
-
-    execFileSync("node", [scriptPath], { stdio: "inherit" });
-  },
-
-  async down() {
-    // noop
-  },
-};
@@ -16,7 +16,7 @@ beforeEach(() => {
 });

 describe("#url", () => {
-  it("should return correct url for the collection", () => {
+  test("should return correct url for the collection", () => {
    const collection = new Collection({
      id: "1234",
    });
@@ -25,7 +25,7 @@ describe("#url", () => {
 });

 describe("getDocumentParents", () => {
-  it("should return array of parent document ids", async () => {
+  test("should return array of parent document ids", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -41,7 +41,7 @@ describe("getDocumentParents", () => {
    expect(result ? result[0] : undefined).toBe(parent.id);
  });

-  it("should return array of parent document ids", async () => {
+  test("should return array of parent document ids", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -56,7 +56,7 @@ describe("getDocumentParents", () => {
    expect(result?.length).toBe(0);
  });

-  it("should not error if documentStructure is empty", async () => {
+  test("should not error if documentStructure is empty", async () => {
    const parent = await buildDocument();
    await buildDocument();
    const collection = await buildCollection();
@@ -66,7 +66,7 @@ describe("getDocumentParents", () => {
 });

 describe("getDocumentTree", () => {
-  it("should return document tree", async () => {
+  test("should return document tree", async () => {
    const document = await buildDocument();
    const collection = await buildCollection({
      documentStructure: [await document.toNavigationNode()],
@@ -76,7 +76,7 @@ describe("getDocumentTree", () => {
    );
  });

-  it("should return nested documents in tree", async () => {
+  test("should return nested documents in tree", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -99,7 +99,7 @@ describe("getDocumentTree", () => {
 });

 describe("#addDocumentToStructure", () => {
-  it("should add as last element without index", async () => {
+  test("should add as last element without index", async () => {
    const collection = await buildCollection();
    const id = uuidv4();
    const newDocument = await buildDocument({
@@ -117,7 +117,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure!.length).toBe(1);
  });

-  it("should add with an index", async () => {
+  test("should add with an index", async () => {
    const collection = await buildCollection();
    const id = uuidv4();
    const newDocument = await buildDocument({
@@ -131,7 +131,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].id).toBe(id);
  });

-  it("should add as a child if with parent", async () => {
+  test("should add as a child if with parent", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -150,7 +150,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].children[0].id).toBe(id);
  });

-  it("should add as a child if with parent with index", async () => {
+  test("should add as a child if with parent with index", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -176,7 +176,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].children[0].id).toBe(id);
  });

-  it("should add the document along with its nested document(s)", async () => {
+  test("should add the document along with its nested document(s)", async () => {
    const collection = await buildCollection();

    const document = await buildDocument({
@@ -204,7 +204,7 @@ describe("#addDocumentToStructure", () => {
    );
  });

-  it("should add the document along with its archived nested document(s)", async () => {
+  test("should add the document along with its archived nested document(s)", async () => {
    const collection = await buildCollection();

    const document = await buildDocument({
@@ -237,7 +237,7 @@ describe("#addDocumentToStructure", () => {
    );
  });
  describe("options: documentJson", () => {
-    it("should append supplied json over document's own", async () => {
+    test("should append supplied json over document's own", async () => {
      const collection = await buildCollection();
      const id = uuidv4();
      const newDocument = await buildDocument({
@@ -268,7 +268,7 @@ describe("#addDocumentToStructure", () => {
 });

 describe("#updateDocument", () => {
-  it("should update root document's data", async () => {
+  test("should update root document's data", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -279,7 +279,7 @@ describe("#updateDocument", () => {
    expect(collection.documentStructure![0].title).toBe("Updated title");
  });

-  it("should update child document's data", async () => {
+  test("should update child document's data", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -297,7 +297,7 @@ describe("#updateDocument", () => {
    newDocument.title = "Updated title";
    await newDocument.save();
    await collection.updateDocument(newDocument);
-    const reloaded = await collection.reload();
+    const reloaded = await Collection.findByPk(collection.id);
    expect(reloaded!.documentStructure![0].children[0].title).toBe(
      "Updated title"
    );
@@ -305,7 +305,7 @@ describe("#updateDocument", () => {
 });

 describe("#removeDocument", () => {
-  it("should save if removing", async () => {
+  test("should save if removing", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -315,7 +315,7 @@ describe("#removeDocument", () => {
    expect(collection.save).toBeCalled();
  });

-  it("should remove documents from root", async () => {
+  test("should remove documents from root", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -331,7 +331,7 @@ describe("#removeDocument", () => {
    expect(collectionDocuments.count).toBe(0);
  });

-  it("should remove a document with child documents", async () => {
+  test("should remove a document with child documents", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -359,7 +359,7 @@ describe("#removeDocument", () => {
    expect(collectionDocuments.count).toBe(0);
  });

-  it("should remove a child document", async () => {
+  test("should remove a child document", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -380,7 +380,7 @@ describe("#removeDocument", () => {
    expect(collection.documentStructure![0].children.length).toBe(1);
    // Remove the document
    await collection.deleteDocument(newDocument);
-    const reloaded = await collection.reload();
+    const reloaded = await Collection.findByPk(collection.id);
    expect(reloaded!.documentStructure!.length).toBe(1);
    expect(reloaded!.documentStructure![0].children.length).toBe(0);
    const collectionDocuments = await Document.findAndCountAll({
@@ -393,7 +393,7 @@ describe("#removeDocument", () => {
 });

 describe("#membershipUserIds", () => {
-  it("should return collection and group memberships", async () => {
+  test("should return collection and group memberships", async () => {
    const team = await buildTeam();
    const teamId = team.id;
    // Make 6 users
@@ -464,53 +464,47 @@ describe("#membershipUserIds", () => {
 });

 describe("#findByPk", () => {
-  it("should return collection with collection Id", async () => {
+  test("should return collection with collection Id", async () => {
    const collection = await buildCollection();
    const response = await Collection.findByPk(collection.id);
    expect(response!.id).toBe(collection.id);
  });

-  it("should not return documentStructure by default", async () => {
-    const collection = await buildCollection();
-    const response = await Collection.findByPk(collection.id);
-    expect(() => response!.documentStructure).toThrow();
-  });
-
-  it("should return collection when urlId is present", async () => {
+  test("should return collection when urlId is present", async () => {
    const collection = await buildCollection();
    const id = `${slugify(collection.name)}-${collection.urlId}`;
    const response = await Collection.findByPk(id);
    expect(response!.id).toBe(collection.id);
  });

-  it("should return collection when urlId is present, but missing slug", async () => {
+  test("should return collection when urlId is present, but missing slug", async () => {
    const collection = await buildCollection();
    const id = collection.urlId;
    const response = await Collection.findByPk(id);
    expect(response!.id).toBe(collection.id);
  });

-  it("should return null when incorrect uuid type", async () => {
+  test("should return null when incorrect uuid type", async () => {
    const collection = await buildCollection();
    const response = await Collection.findByPk(collection.id + "-incorrect");
    expect(response).toBe(null);
  });

-  it("should return null when incorrect urlId length", async () => {
+  test("should return null when incorrect urlId length", async () => {
    const collection = await buildCollection();
    const id = `${slugify(collection.name)}-${collection.urlId}incorrect`;
    const response = await Collection.findByPk(id);
    expect(response).toBe(null);
  });

-  it("should return null when no collection is found with uuid", async () => {
+  test("should return null when no collection is found with uuid", async () => {
    const response = await Collection.findByPk(
      "a9e71a81-7342-4ea3-9889-9b9cc8f667da"
    );
    expect(response).toBe(null);
  });

-  it("should return null when no collection is found with urlId", async () => {
+  test("should return null when no collection is found with urlId", async () => {
    const id = `${slugify("test collection")}-${randomstring.generate(15)}`;
    const response = await Collection.findByPk(id);
    expect(response).toBe(null);
@@ -37,7 +37,6 @@ import {
  AllowNull,
  BeforeCreate,
  BeforeUpdate,
-  DefaultScope,
 } from "sequelize-typescript";
 import isUUID from "validator/lib/isUUID";
 import type { CollectionSort, ProsemirrorData } from "@shared/types";
@@ -70,11 +69,6 @@ type AdditionalFindOptions = {
  rejectOnEmpty?: boolean | Error;
 };

-@DefaultScope(() => ({
-  attributes: {
-    exclude: ["documentStructure"],
-  },
-}))
@Scopes(() => ({
  withAllMemberships: {
    include: [
@@ -127,12 +121,6 @@ type AdditionalFindOptions = {
      },
    ],
  }),
-  withDocumentStructure: () => ({
-    attributes: {
-      // resets to include the documentStructure column
-      exclude: [],
-    },
-  }),
  withMembership: (userId: string) => {
    if (!userId) {
      return {};
@@ -250,7 +238,6 @@ class Collection extends ParanoidModel<
  @Column
  maintainerApprovalRequired: boolean;

-  @Default(null)
  @Column(DataType.JSONB)
  documentStructure: NavigationNode[] | null;

@@ -11,6 +11,7 @@ import {
  buildUser,
  buildGuestUser,
 } from "@server/test/factories";
+import Collection from "./Collection";
 import UserMembership from "./UserMembership";

 beforeEach(() => {
@@ -95,8 +96,10 @@ describe("#delete", () => {

    await document.delete(user);
    const [newDocument, newCollection] = await Promise.all([
-      document.reload({ paranoid: false }),
-      collection.reload(),
+      Document.findByPk(document.id, {
+        paranoid: false,
+      }),
+      Collection.findByPk(collection.id),
    ]);

    expect(newDocument?.lastModifiedById).toEqual(user.id);
@@ -13,9 +13,9 @@ import {
  Transaction,
  Op,
  FindOptions,
+  ScopeOptions,
  WhereOptions,
  EmptyResultError,
-  Sequelize,
 } from "sequelize";
 import {
  ForeignKey,
@@ -72,20 +72,12 @@ import Length from "./validators/Length";

 export const DOCUMENT_VERSION = 2;

-// If content (JSON) is null then we still need to return the state column (BINARY)
-// as it's used as a fallback for content deserialization for older documents.
-// This can be removed if content is 100% backfilled.
-const stateIfContentEmpty = Sequelize.literal(
-  `CASE WHEN document.content IS NULL THEN document.state ELSE NULL END AS state`
-);
-
 type AdditionalFindOptions = {
  userId?: string;
  includeState?: boolean;
  rejectOnEmpty?: boolean | Error;
 };

-// @ts-expect-error Type 'Literal' is not assignable to type 'string | ProjectionAlias'.
@DefaultScope(() => ({
  include: [
    {
@@ -110,14 +102,27 @@ type AdditionalFindOptions = {
    },
  },
  attributes: {
-    include: [stateIfContentEmpty],
+    exclude: ["state"],
  },
 }))
-// @ts-expect-error Type 'Literal' is not assignable to type 'string | ProjectionAlias'.
@Scopes(() => ({
+  withCollectionPermissions: (userId: string, paranoid = true) => ({
+    include: [
+      {
+        attributes: ["id", "permission", "sharing", "teamId", "deletedAt"],
+        model: userId
+          ? Collection.scope({
+              method: ["withMembership", userId],
+            })
+          : Collection,
+        as: "collection",
+        paranoid,
+      },
+    ],
+  }),
  withoutState: {
    attributes: {
-      include: [stateIfContentEmpty],
+      exclude: ["state"],
    },
  },
  withCollection: {
@@ -131,7 +136,7 @@ type AdditionalFindOptions = {
  withState: {
    attributes: {
      // resets to include the state column
-      include: [],
+      exclude: [],
    },
  },
  withDrafts: {
@@ -164,25 +169,13 @@ type AdditionalFindOptions = {
      ],
    };
  },
-  withMembership: (userId: string, paranoid = true) => {
+  withMembership: (userId: string) => {
    if (!userId) {
      return {};
    }

    return {
      include: [
-        {
-          model: userId
-            ? Collection.scope([
-                "defaultScope",
-                {
-                  method: ["withMembership", userId],
-                },
-              ])
-            : Collection,
-          as: "collection",
-          paranoid,
-        },
        {
          association: "memberships",
          where: {
@@ -426,13 +419,10 @@ class Document extends ArchivableModel<
      return;
    }

-    const collection = await Collection.scope("withDocumentStructure").findByPk(
-      model.collectionId,
-      {
-        transaction,
-        lock: Transaction.LOCK.UPDATE,
-      }
-    );
+    const collection = await Collection.findByPk(model.collectionId, {
+      transaction,
+      lock: Transaction.LOCK.UPDATE,
+    });
    if (!collection) {
      return;
    }
@@ -453,9 +443,7 @@ class Document extends ArchivableModel<
    }

    return this.sequelize!.transaction(async (transaction: Transaction) => {
-      const collection = await Collection.scope(
-        "withDocumentStructure"
-      ).findByPk(model.collectionId!, {
+      const collection = await Collection.findByPk(model.collectionId!, {
        transaction,
        lock: transaction.LOCK.UPDATE,
      });
@@ -649,19 +637,21 @@ class Document extends ArchivableModel<
    return uniq(membershipUserIds);
  }

-  static withMembershipScope(
-    userId: string,
-    options?: FindOptions<Document> & { includeDrafts?: boolean }
-  ) {
+  static defaultScopeWithUser(userId: string) {
+    const collectionScope: Readonly<ScopeOptions> = {
+      method: ["withCollectionPermissions", userId],
+    };
+    const viewScope: Readonly<ScopeOptions> = {
+      method: ["withViews", userId],
+    };
+    const membershipScope: Readonly<ScopeOptions> = {
+      method: ["withMembership", userId],
+    };
    return this.scope([
-      options?.includeDrafts ? "withDrafts" : "defaultScope",
-      "withoutState",
-      {
-        method: ["withViews", userId],
-      },
-      {
-        method: ["withMembership", userId, options?.paranoid],
-      },
+      "defaultScope",
+      collectionScope,
+      viewScope,
+      membershipScope,
    ]);
  }

@@ -695,12 +685,14 @@ class Document extends ArchivableModel<
    // almost every endpoint needs the collection membership to determine policy permissions.
    const scope = this.scope([
      "withDrafts",
-      options.includeState ? "withState" : "withoutState",
+      {
+        method: ["withCollectionPermissions", userId, rest.paranoid],
+      },
      {
        method: ["withViews", userId],
      },
      {
-        method: ["withMembership", userId, rest.paranoid],
+        method: ["withMembership", userId],
      },
    ]);

@@ -758,6 +750,9 @@ class Document extends ArchivableModel<
    const user = userId ? await User.findByPk(userId) : null;
    const documents = await this.scope([
      "withDrafts",
+      {
+        method: ["withCollectionPermissions", userId, rest.paranoid],
+      },
      {
        method: ["withViews", userId],
      },
@@ -943,9 +938,7 @@ class Document extends ArchivableModel<
    }

    if (!this.template && this.collectionId) {
-      const collection = await Collection.scope(
-        "withDocumentStructure"
-      ).findByPk(this.collectionId, {
+      const collection = await Collection.findByPk(this.collectionId, {
        transaction,
        lock: Transaction.LOCK.UPDATE,
      });
@@ -1012,13 +1005,10 @@ class Document extends ArchivableModel<

    await this.sequelize.transaction(async (transaction: Transaction) => {
      const collection = this.collectionId
-        ? await Collection.scope("withDocumentStructure").findByPk(
-            this.collectionId,
-            {
-              transaction,
-              lock: transaction.LOCK.UPDATE,
-            }
-          )
+        ? await Collection.findByPk(this.collectionId, {
+            transaction,
+            lock: transaction.LOCK.UPDATE,
+          })
        : undefined;

      if (collection) {
@@ -1049,13 +1039,10 @@ class Document extends ArchivableModel<
  archive = async (user: User, options?: FindOptions) => {
    const { transaction } = { ...options };
    const collection = this.collectionId
-      ? await Collection.scope("withDocumentStructure").findByPk(
-          this.collectionId,
-          {
-            transaction,
-            lock: transaction?.LOCK.UPDATE,
-          }
-        )
+      ? await Collection.findByPk(this.collectionId, {
+          transaction,
+          lock: transaction?.LOCK.UPDATE,
+        })
      : undefined;

    if (collection) {
@@ -1076,7 +1063,7 @@ class Document extends ArchivableModel<
  ) => {
    const { transaction } = { ...options };
    const collection = collectionId
-      ? await Collection.scope("withDocumentStructure").findByPk(collectionId, {
+      ? await Collection.findByPk(collectionId, {
          transaction,
          lock: transaction?.LOCK.UPDATE,
        })
@@ -1128,9 +1115,7 @@ class Document extends ArchivableModel<
      let deleted = false;

      if (!this.template && this.collectionId) {
-        const collection = await Collection.scope(
-          "withDocumentStructure"
-        ).findByPk(this.collectionId!, {
+        const collection = await Collection.findByPk(this.collectionId!, {
          transaction,
          lock: transaction.LOCK.UPDATE,
          paranoid: false,
@@ -408,7 +408,7 @@ class Team extends ParanoidModel<
      });

      if (attachment) {
-        await new DeleteAttachmentTask().schedule({
+        await DeleteAttachmentTask.schedule({
          attachmentId: attachment.id,
          teamId: model.id,
        });
@@ -717,7 +717,7 @@ class User extends ParanoidModel<
      });

      if (attachment) {
-        await new DeleteAttachmentTask().schedule({
+        await DeleteAttachmentTask.schedule({
          attachmentId: attachment.id,
          teamId: model.teamId,
        });
@@ -1,9 +1,7 @@
-import { DocumentPermission, NotificationEventType } from "@shared/types";
-import { UserMembership } from "@server/models";
+import { NotificationEventType } from "@shared/types";
 import {
  buildComment,
  buildDocument,
-  buildDraftDocument,
  buildSubscription,
  buildUser,
 } from "@server/test/factories";
@@ -56,78 +54,6 @@ describe("NotificationHelper", () => {
      expect(recipients[0].id).toEqual(notificationEnabledUser.id);
    });

-    it("should only return users who have notification enabled for comment creation and are subscribed to the document in case of new thread in draft", async () => {
-      const documentAuthor = await buildUser();
-
-      // create a draft
-      const document = await buildDraftDocument({
-        userId: documentAuthor.id,
-        teamId: documentAuthor.teamId,
-        collectionId: null,
-      });
-
-      // add a bunch of users as direct members
-      const user = await buildUser({
-        teamId: document.teamId,
-        notificationSettings: { [NotificationEventType.CreateComment]: true },
-      });
-      const user2 = await buildUser({
-        teamId: document.teamId,
-        notificationSettings: { [NotificationEventType.CreateComment]: true },
-      });
-      const user3 = await buildUser({
-        teamId: document.teamId,
-        notificationSettings: { [NotificationEventType.CreateComment]: true },
-      });
-      await UserMembership.create({
-        documentId: document.id,
-        userId: user.id,
-        permission: DocumentPermission.Read,
-        createdById: user.id,
-      });
-      await UserMembership.create({
-        documentId: document.id,
-        userId: user2.id,
-        permission: DocumentPermission.Read,
-        createdById: user.id,
-      });
-      await UserMembership.create({
-        documentId: document.id,
-        userId: user3.id,
-        permission: DocumentPermission.Read,
-        createdById: user.id,
-      });
-
-      // Add a subscription for only one of those users
-      await Promise.all([
-        buildSubscription({
-          userId: user.id,
-        }),
-        buildSubscription({
-          userId: user2.id,
-        }),
-        buildSubscription({
-          userId: user3.id,
-          documentId: document.id,
-        }),
-      ]);
-
-      const comment = await buildComment({
-        documentId: document.id,
-        userId: documentAuthor.id,
-      });
-
-      const recipients =
-        await NotificationHelper.getCommentNotificationRecipients(
-          document,
-          comment,
-          comment.createdById
-        );
-
-      expect(recipients.length).toEqual(1);
-      expect(recipients[0].id).toEqual(user3.id);
-    });
-
    it("should only return users who have notification enabled for comment creation and are in the thread in case of child comment", async () => {
      const documentAuthor = await buildUser();
      const document = await buildDocument({
@@ -193,16 +193,10 @@ export default class NotificationHelper {
            [Op.ne]: actorId,
          },
          event: SubscriptionType.Document,
-          ...(document.collectionId
-            ? {
-                [Op.or]: [
-                  { collectionId: document.collectionId },
-                  { documentId: document.id },
-                ],
-              }
-            : {
-                documentId: document.id,
-              }),
+          [Op.or]: [
+            { collectionId: document.collectionId },
+            { documentId: document.id },
+          ],
        },
        include: [
          {
@@ -182,9 +182,18 @@ export default class SearchHelper {
      },
    ];

-    return Document.withMembershipScope(user.id, {
-      includeDrafts: true,
-    }).findAll({
+    return Document.scope([
+      "withDrafts",
+      {
+        method: ["withViews", user.id],
+      },
+      {
+        method: ["withCollectionPermissions", user.id],
+      },
+      {
+        method: ["withMembership", user.id],
+      },
+    ]).findAll({
      where,
      subQuery: false,
      order: [["updatedAt", "DESC"]],
@@ -264,7 +273,18 @@ export default class SearchHelper {

      // Final query to get associated document data
      const [documents, count] = await Promise.all([
-        Document.withMembershipScope(user.id, { includeDrafts: true }).findAll({
+        Document.scope([
+          "withDrafts",
+          {
+            method: ["withViews", user.id],
+          },
+          {
+            method: ["withCollectionPermissions", user.id],
+          },
+          {
+            method: ["withMembership", user.id],
+          },
+        ]).findAll({
          where: {
            teamId: user.teamId,
            id: map(results, "id"),
@@ -17,7 +17,7 @@ export default class AvatarProcessor extends BaseProcessor {
      });

      if (user.avatarUrl) {
-        await new UploadUserAvatarTask().schedule({
+        await UploadUserAvatarTask.schedule({
          userId: event.userId,
          avatarUrl: user.avatarUrl,
        });
@@ -30,7 +30,7 @@ export default class AvatarProcessor extends BaseProcessor {
      });

      if (team.avatarUrl) {
-        await new UploadTeamAvatarTask().schedule({
+        await UploadTeamAvatarTask.schedule({
          teamId: event.teamId,
          avatarUrl: team.avatarUrl,
        });
@@ -12,7 +12,7 @@ export default class CollectionsProcessor extends BaseProcessor {
  ];

  async perform(event: CollectionEvent) {
-    await new DetachDraftsFromCollectionTask().schedule({
+    await DetachDraftsFromCollectionTask.schedule({
      collectionId: event.collectionId,
      actorId: event.actorId,
      ip: event.ip,
@@ -27,7 +27,7 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
  async perform(event: ReceivedEvent) {
    switch (event.name) {
      case "collections.remove_user": {
-        await new CollectionSubscriptionRemoveUserTask().schedule(event);
+        await CollectionSubscriptionRemoveUserTask.schedule(event);
        return;
      }

@@ -35,7 +35,7 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
        return this.handleRemoveGroupFromCollection(event);

      case "documents.remove_user": {
-        await new DocumentSubscriptionRemoveUserTask().schedule(event);
+        await DocumentSubscriptionRemoveUserTask.schedule(event);
        return;
      }

@@ -57,11 +57,11 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map((groupUser) =>
-            new CollectionSubscriptionRemoveUserTask().schedule({
+            CollectionSubscriptionRemoveUserTask.schedule({
              ...event,
              name: "collections.remove_user",
              userId: groupUser.userId,
-            } as CollectionUserEvent)
+            })
          )
        );
      }
@@ -79,11 +79,11 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map((groupUser) =>
-            new DocumentSubscriptionRemoveUserTask().schedule({
+            DocumentSubscriptionRemoveUserTask.schedule({
              ...event,
              name: "documents.remove_user",
              userId: groupUser.userId,
-            } as DocumentUserEvent)
+            })
          )
        );
      }
@@ -20,12 +20,12 @@ export default class FileOperationCreatedProcessor extends BaseProcessor {
    if (fileOperation.type === FileOperationType.Import) {
      switch (fileOperation.format) {
        case FileOperationFormat.MarkdownZip:
-          await new ImportMarkdownZipTask().schedule({
+          await ImportMarkdownZipTask.schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.JSON:
-          await new ImportJSONTask().schedule({
+          await ImportJSONTask.schedule({
            fileOperationId: event.modelId,
          });
          break;
@@ -36,17 +36,17 @@ export default class FileOperationCreatedProcessor extends BaseProcessor {
    if (fileOperation.type === FileOperationType.Export) {
      switch (fileOperation.format) {
        case FileOperationFormat.HTMLZip:
-          await new ExportHTMLZipTask().schedule({
+          await ExportHTMLZipTask.schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.MarkdownZip:
-          await new ExportMarkdownZipTask().schedule({
+          await ExportMarkdownZipTask.schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.JSON:
-          await new ExportJSONTask().schedule({
+          await ExportJSONTask.schedule({
            fileOperationId: event.modelId,
          });
          break;
@@ -20,7 +20,7 @@ export default class IntegrationCreatedProcessor extends BaseProcessor {
    }

    // Store the available issue sources in the integration record.
-    await new CacheIssueSourcesTask().schedule({
+    await CacheIssueSourcesTask.schedule({
      integrationId: integration.id,
    });

@@ -62,25 +62,25 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await new DocumentPublishedNotificationsTask().schedule(event);
+    await DocumentPublishedNotificationsTask.schedule(event);
  }

  async documentAddUser(event: DocumentUserEvent) {
    if (!event.data.isNew || event.userId === event.actorId) {
      return;
    }
-    await new DocumentAddUserNotificationsTask().schedule(event);
+    await DocumentAddUserNotificationsTask.schedule(event);
  }

  async documentAddGroup(event: DocumentGroupEvent) {
    if (!event.data.isNew) {
      return;
    }
-    await new DocumentAddGroupNotificationsTask().schedule(event);
+    await DocumentAddGroupNotificationsTask.schedule(event);
  }

  async revisionCreated(event: RevisionEvent) {
-    await new RevisionCreatedNotificationsTask().schedule(event);
+    await RevisionCreatedNotificationsTask.schedule(event);
  }

  async collectionCreated(event: CollectionEvent) {
@@ -93,7 +93,7 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await new CollectionCreatedNotificationsTask().schedule(event);
+    await CollectionCreatedNotificationsTask.schedule(event);
  }

  async collectionAddUser(event: CollectionUserEvent) {
@@ -101,14 +101,14 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await new CollectionAddUserNotificationsTask().schedule(event);
+    await CollectionAddUserNotificationsTask.schedule(event);
  }

  async commentCreated(event: CommentEvent) {
-    await new CommentCreatedNotificationsTask().schedule(event);
+    await CommentCreatedNotificationsTask.schedule(event);
  }

  async commentUpdated(event: CommentEvent) {
-    await new CommentUpdatedNotificationsTask().schedule(event);
+    await CommentUpdatedNotificationsTask.schedule(event);
  }
 }
@@ -37,7 +37,7 @@ export default class RevisionsProcessor extends BaseProcessor {
          return;
        }

-        await new DocumentUpdateTextTask().schedule(event);
+        await DocumentUpdateTextTask.schedule(event);

        const user = await User.findByPk(event.actorId, {
          paranoid: false,
@@ -6,6 +6,6 @@ export default class UserDemotedProcessor extends BaseProcessor {
  static applicableEvents: TEvent["name"][] = ["users.demote"];

  async perform(event: UserEvent) {
-    await new CleanupDemotedUserTask().schedule({ userId: event.userId });
+    await CleanupDemotedUserTask.schedule({ userId: event.userId });
  }
 }
@@ -325,9 +325,7 @@ export default abstract class APIImportTask<
        ([url, attachment]) => ({ attachmentId: attachment.id, url })
      );
      // publish task after attachments are persisted in DB.
-      const job = await new UploadAttachmentsForImportTask().schedule(
-        uploadItems
-      );
+      const job = await UploadAttachmentsForImportTask.schedule(uploadItems);
      await job.finished();
    } catch (err) {
      // upload attachments failure is not critical enough to fail the whole import.
@@ -21,7 +21,7 @@ export default abstract class BaseTask<T extends Record<string, any>> {
  static cron: TaskSchedule | undefined;

  /**
-   * Schedule this task type to be processed asynchronously by a worker.
+   * Schedule this task type to be processed asyncronously by a worker.
   *
   * @param props Properties to be used by the task
   * @returns A promise that resolves once the job is placed on the task queue
@@ -39,23 +39,6 @@ export default abstract class BaseTask<T extends Record<string, any>> {
    );
  }

-  /**
-   * Schedule this task type to be processed asynchronously by a worker.
-   *
-   * @param props Properties to be used by the task
-   * @param options Job options such as priority and retry strategy, as defined by Bull.
-   * @returns A promise that resolves once the job is placed on the task queue
-   */
-  public schedule(props: T, options?: JobOptions): Promise<Job> {
-    return taskQueue.add(
-      {
-        name: this.constructor.name,
-        props,
-      },
-      { ...options, ...this.options }
-    );
-  }
-
  /**
   * Execute the task.
   *
@@ -29,7 +29,7 @@ export default class CleanupDeletedTeamsTask extends BaseTask<Props> {
    });

    for (const team of teams) {
-      await new CleanupDeletedTeamTask().schedule({
+      await CleanupDeletedTeamTask.schedule({
        teamId: team.id,
      });
    }
@@ -7,7 +7,7 @@ import BaseTask from "./BaseTask";
 type Props = {
  collectionId: string;
  actorId: string;
-  ip: string | null;
+  ip: string;
 };

 export default class DetachDraftsFromCollectionTask extends BaseTask<Props> {
@@ -1,6 +1,6 @@
 import { Op } from "sequelize";
 import { GroupUser } from "@server/models";
-import { DocumentGroupEvent, DocumentUserEvent } from "@server/types";
+import { DocumentGroupEvent } from "@server/types";
 import BaseTask, { TaskPriority } from "./BaseTask";
 import DocumentAddUserNotificationsTask from "./DocumentAddUserNotificationsTask";

@@ -19,12 +19,11 @@ export default class DocumentAddGroupNotificationsTask extends BaseTask<Document
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map(async (groupUser) => {
-            await new DocumentAddUserNotificationsTask().schedule({
+            await DocumentAddUserNotificationsTask.schedule({
              ...event,
-              name: "documents.add_user",
              modelId: event.data.membershipId,
              userId: groupUser.userId,
-            } as DocumentUserEvent);
+            });
          })
        );
      }
@@ -12,7 +12,7 @@ type Props = {
  sourceMetadata: Pick<Required<SourceMetadata>, "fileName" | "mimeType">;
  publish?: boolean;
  collectionId?: string;
-  parentDocumentId?: string | null;
+  parentDocumentId?: string;
  ip: string;
  key: string;
 };
@@ -171,8 +171,7 @@ export default abstract class ExportDocumentTreeTask extends ExportTask {
  /**
   * Generates a map of document urls to their path in the zip file.
   *
-   * @param collections The collections to generate the path map for.
-   * @param format The format of the exported documents.
+   * @param collections
   */
  private createPathMap(
    collections: Collection[],
@@ -44,13 +44,11 @@ export default abstract class ExportTask extends BaseTask<Props> {
      ? [fileOperation.collectionId]
      : await user.collectionIds();

-    const collections = await Collection.scope("withDocumentStructure").findAll(
-      {
-        where: {
-          id: collectionIds,
-        },
-      }
-    );
+    const collections = await Collection.findAll({
+      where: {
+        id: collectionIds,
+      },
+    });

    let filePath: string | undefined;

@@ -38,7 +38,7 @@ export default class UpdateTeamsAttachmentsSizeTask extends BaseTask<Props> {
        const teamIds = rows.map((row) => row.teamId);

        for (const teamId of teamIds) {
-          await new UpdateTeamAttachmentsSizeTask().schedule({ teamId });
+          await UpdateTeamAttachmentsSizeTask.schedule({ teamId });
        }
      }
    );
@@ -166,7 +166,7 @@ router.post(
      )
    );

-    const job = await new UploadAttachmentFromUrlTask().schedule({
+    const job = await UploadAttachmentFromUrlTask.schedule({
      attachmentId: attachment.id,
      url,
    });
@@ -135,7 +135,7 @@ router.post("auth.info", auth(), async (ctx: APIContext<T.AuthInfoReq>) => {
  // If the user did not _just_ sign in then we need to check if they continue
  // to have access to the workspace they are signed into.
  if (user.lastSignedInAt && user.lastSignedInAt < subHours(new Date(), 1)) {
-    await new ValidateSSOAccessTask().schedule({ userId: user.id });
+    await ValidateSSOAccessTask.schedule({ userId: user.id });
  }

  ctx.body = {
@@ -140,11 +140,9 @@ router.post(
  async (ctx: APIContext<T.CollectionsDocumentsReq>) => {
    const { id } = ctx.input.body;
    const { user } = ctx.state.auth;
-    const collection = await Collection.scope([
-      {
-        method: ["withMembership", user.id],
-      },
-    ]).findByPk(id);
+    const collection = await Collection.scope({
+      method: ["withMembership", user.id],
+    }).findByPk(id);

    authorize(user, "readDocument", collection);

@@ -29,8 +29,7 @@ const cronHandler = async (ctx: APIContext<T.CronSchemaReq>) => {
  for (const name in tasks) {
    const TaskClass = tasks[name];
    if (TaskClass.cron === period) {
-      // @ts-expect-error We won't instantiate an abstract class
-      await new TaskClass().schedule({ limit });
+      await TaskClass.schedule({ limit });

      // Backwards compatibility for installations that have not set up
      // cron jobs periods other than daily.
@@ -39,15 +38,13 @@ const cronHandler = async (ctx: APIContext<T.CronSchemaReq>) => {
      !receivedPeriods.has(TaskSchedule.Minute) &&
      (period === TaskSchedule.Hour || period === TaskSchedule.Day)
    ) {
-      // @ts-expect-error We won't instantiate an abstract class
-      await new TaskClass().schedule({ limit });
+      await TaskClass.schedule({ limit });
    } else if (
      TaskClass.cron === TaskSchedule.Hour &&
      !receivedPeriods.has(TaskSchedule.Hour) &&
      period === TaskSchedule.Day
    ) {
-      // @ts-expect-error We won't instantiate an abstract class
-      await new TaskClass().schedule({ limit });
+      await TaskClass.schedule({ limit });
    }
  }

@@ -977,7 +977,7 @@ describe("#documents.list", () => {
    const res = await server.post("/api/documents.list", {
      body: {
        token: user.getJwtToken(),
-        collectionId: document.collectionId,
+        collection: document.collectionId,
      },
    });
    const body = await res.json();
@@ -1013,7 +1013,7 @@ describe("#documents.list", () => {
    const res = await server.post("/api/documents.list", {
      body: {
        token: user.getJwtToken(),
-        collectionId: collection.id,
+        collection: collection.id,
      },
    });
    const body = await res.json();
@@ -133,19 +133,15 @@ router.post(
    // if a specific collection is passed then we need to check auth to view it
    if (collectionId) {
      where[Op.and].push({ collectionId: [collectionId] });
-      const collection = await Collection.scope([
-        sort === "index" ? "withDocumentStructure" : "defaultScope",
-        {
-          method: ["withMembership", user.id],
-        },
-      ]).findByPk(collectionId);
-
+      const collection = await Collection.scope({
+        method: ["withMembership", user.id],
+      }).findByPk(collectionId);
      authorize(user, "readDocument", collection);

      // index sort is special because it uses the order of the documents in the
      // collection.documentStructure rather than a database column
      if (sort === "index") {
-        documentIds = (collection.documentStructure || [])
+        documentIds = (collection?.documentStructure || [])
          .map((node) => node.id)
          .slice(ctx.state.pagination.offset, ctx.state.pagination.limit);
        where[Op.and].push({ id: documentIds });
@@ -272,7 +268,7 @@ router.post(
    }

    const [documents, total] = await Promise.all([
-      Document.withMembershipScope(user.id).findAll({
+      Document.defaultScopeWithUser(user.id).findAll({
        where,
        order: [
          [
@@ -352,7 +348,7 @@ router.post(
      };
    }

-    const documents = await Document.withMembershipScope(user.id).findAll({
+    const documents = await Document.defaultScopeWithUser(user.id).findAll({
      where,
      order: [
        [
@@ -401,11 +397,15 @@ router.post(
    const membershipScope: Readonly<ScopeOptions> = {
      method: ["withMembership", user.id],
    };
+    const collectionScope: Readonly<ScopeOptions> = {
+      method: ["withCollectionPermissions", user.id],
+    };
    const viewScope: Readonly<ScopeOptions> = {
      method: ["withViews", user.id],
    };
    const documents = await Document.scope([
      membershipScope,
+      collectionScope,
      viewScope,
      "withDrafts",
    ]).findAll({
@@ -539,9 +539,7 @@ router.post(
      delete where.updatedAt;
    }

-    const documents = await Document.withMembershipScope(user.id, {
-      includeDrafts: true,
-    }).findAll({
+    const documents = await Document.defaultScopeWithUser(user.id).findAll({
      where,
      order: [[sort, direction]],
      offset: ctx.state.pagination.offset,
@@ -1541,7 +1539,7 @@ router.post(
      acl,
    });

-    const job = await new DocumentImportTask().schedule({
+    const job = await DocumentImportTask.schedule({
      key,
      sourceMetadata: {
        fileName,
@@ -1551,7 +1549,6 @@ router.post(
      collectionId,
      parentDocumentId,
      publish,
-      ip: ctx.request.ip,
    });
    const response: DocumentImportTaskResponse = await job.finished();
    if ("error" in response) {
@@ -2035,7 +2032,13 @@ router.post(
    const collectionIds = await user.collectionIds({
      paranoid: false,
    });
-    const documents = await Document.scope("withDrafts").findAll({
+    const collectionScope: Readonly<ScopeOptions> = {
+      method: ["withCollectionPermissions", user.id],
+    };
+    const documents = await Document.scope([
+      collectionScope,
+      "withDrafts",
+    ]).findAll({
      attributes: ["id"],
      where: {
        deletedAt: {
@@ -2059,7 +2062,7 @@ router.post(
    });

    if (documents.length) {
-      await new EmptyTrashTask().schedule({
+      await EmptyTrashTask.schedule({
        documentIds: documents.map((doc) => doc.id),
      });
    }
@@ -24,7 +24,6 @@ router.post(
  async (ctx: APIContext<T.GroupMembershipsListReq>) => {
    const { groupId } = ctx.input.body;
    const { user } = ctx.state.auth;
-    const userId = user.id;

    const memberships = await GroupMembership.findAll({
      where: {
@@ -45,7 +44,7 @@ router.post(
              association: "groupUsers",
              required: true,
              where: {
-                userId,
+                userId: user.id,
              },
            },
          ],
@@ -58,9 +57,11 @@ router.post(
    const documentIds = memberships
      .map((p) => p.documentId)
      .filter(Boolean) as string[];
-    const documents = await Document.withMembershipScope(userId, {
-      includeDrafts: true,
-    }).findAll({
+    const documents = await Document.scope([
+      "withDrafts",
+      { method: ["withMembership", user.id] },
+      { method: ["withCollectionPermissions", user.id] },
+    ]).findAll({
      where: {
        id: documentIds,
      },
@@ -1,19 +0,0 @@
-// Jest Snapshot v1, https://goo.gl/fbAQLP
-
-exports[`oauthAuthentications.delete should require authentication 1`] = `
-{
-  "error": "authentication_required",
-  "message": "Authentication required",
-  "ok": false,
-  "status": 401,
-}
-`;
-
-exports[`oauthAuthentications.list should require authentication 1`] = `
-{
-  "error": "authentication_required",
-  "message": "Authentication required",
-  "ok": false,
-  "status": 401,
-}
-`;
@@ -1,194 +0,0 @@
-import { OAuthClient, OAuthAuthentication } from "@server/models";
-import {
-  buildOAuthAuthentication,
-  buildTeam,
-  buildUser,
-} from "@server/test/factories";
-import { getTestServer } from "@server/test/support";
-
-const server = getTestServer();
-
-describe("oauthAuthentications.list", () => {
-  it("should require authentication", async () => {
-    const res = await server.post("/api/oauthAuthentications.list");
-    const body = await res.json();
-    expect(res.status).toEqual(401);
-    expect(body).toMatchSnapshot();
-  });
-
-  it("should return list of oauth authentications for user", async () => {
-    const team = await buildTeam();
-    const user = await buildUser({ teamId: team.id });
-    const oauthClient = await OAuthClient.create({
-      teamId: team.id,
-      createdById: user.id,
-      name: "Test Client",
-      redirectUris: ["https://example.com/callback"],
-    });
-
-    await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user,
-      scope: ["read"],
-    });
-
-    const res = await server.post("/api/oauthAuthentications.list", {
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
-
-    const body = await res.json();
-    expect(res.status).toEqual(200);
-    expect(body.data.length).toEqual(1);
-    expect(body.data[0].id).toBeDefined();
-    expect(body.data[0].oauthClient.name).toEqual("Test Client");
-    expect(body.policies).toBeDefined();
-  });
-
-  it("should only return authentications for requesting user", async () => {
-    const team = await buildTeam();
-    const user = await buildUser({ teamId: team.id });
-    const anotherUser = await buildUser({ teamId: team.id });
-    const oauthClient = await OAuthClient.create({
-      teamId: team.id,
-      createdById: user.id,
-      name: "Test Client",
-      redirectUris: ["https://example.com/callback"],
-    });
-
-    await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user: anotherUser,
-      scope: ["read"],
-    });
-
-    const res = await server.post("/api/oauthAuthentications.list", {
-      body: {
-        token: user.getJwtToken(),
-      },
-    });
-
-    const body = await res.json();
-    expect(res.status).toEqual(200);
-    expect(body.data.length).toEqual(0);
-  });
-});
-
-describe("oauthAuthentications.delete", () => {
-  it("should require authentication", async () => {
-    const res = await server.post("/api/oauthAuthentications.delete");
-    const body = await res.json();
-    expect(res.status).toEqual(401);
-    expect(body).toMatchSnapshot();
-  });
-
-  it("should delete all authentications for a client without scope", async () => {
-    const team = await buildTeam();
-    const user = await buildUser({ teamId: team.id });
-    const oauthClient = await OAuthClient.create({
-      teamId: team.id,
-      createdById: user.id,
-      name: "Test Client",
-      redirectUris: ["https://example.com/callback"],
-    });
-
-    await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user,
-      scope: ["read"],
-    });
-
-    const res = await server.post("/api/oauthAuthentications.delete", {
-      body: {
-        token: user.getJwtToken(),
-        oauthClientId: oauthClient.id,
-      },
-    });
-
-    const body = await res.json();
-    expect(res.status).toEqual(200);
-    expect(body.success).toBe(true);
-
-    const auths = await OAuthAuthentication.findAll({
-      where: {
-        userId: user.id,
-        oauthClientId: oauthClient.id,
-      },
-    });
-    expect(auths.length).toEqual(0);
-  });
-
-  it("should delete matching authentications for a client with scope", async () => {
-    const team = await buildTeam();
-    const user = await buildUser({ teamId: team.id });
-    const oauthClient = await OAuthClient.create({
-      teamId: team.id,
-      createdById: user.id,
-      name: "Test Client",
-      redirectUris: ["https://example.com/callback"],
-    });
-
-    await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user,
-      scope: ["read"],
-    });
-    await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user,
-      scope: ["write"],
-    });
-
-    const res = await server.post("/api/oauthAuthentications.delete", {
-      body: {
-        token: user.getJwtToken(),
-        oauthClientId: oauthClient.id,
-        scope: ["read"],
-      },
-    });
-
-    const body = await res.json();
-    expect(res.status).toEqual(200);
-    expect(body.success).toBe(true);
-
-    const auths = await OAuthAuthentication.findAll({
-      where: {
-        userId: user.id,
-        oauthClientId: oauthClient.id,
-      },
-    });
-    expect(auths.length).toEqual(1);
-    expect(auths[0].scope[0]).toEqual("write");
-  });
-
-  it("should only delete authentications for requesting user", async () => {
-    const team = await buildTeam();
-    const user = await buildUser({ teamId: team.id });
-    const anotherUser = await buildUser({ teamId: team.id });
-    const oauthClient = await OAuthClient.create({
-      teamId: team.id,
-      createdById: user.id,
-      name: "Test Client",
-      redirectUris: ["https://example.com/callback"],
-    });
-
-    const otherAuth = await buildOAuthAuthentication({
-      oauthClientId: oauthClient.id,
-      user: anotherUser,
-      scope: ["read"],
-    });
-
-    await server.post("/api/oauthAuthentications.delete", {
-      body: {
-        token: user.getJwtToken(),
-        oauthClientId: oauthClient.id,
-        scope: "read",
-      },
-    });
-
-    // Verify other user's auth still exists
-    const auth = await OAuthAuthentication.findByPk(otherAuth.id);
-    expect(auth).not.toBeNull();
-  });
-});
@@ -66,12 +66,12 @@ router.post(
  transaction(),
  async (ctx: APIContext<T.OAuthAuthenticationsDeleteReq>) => {
    const { user } = ctx.state.auth;
-    const { oauthClientId, scope } = ctx.input.body;
+    const { oauthClientId, scope } = ctx.request.body;
    const oauthAuthentications = await OAuthAuthentication.findAll({
      where: {
        userId: user.id,
        oauthClientId,
-        ...(scope ? { scope } : {}),
+        scope,
      },
      transaction: ctx.state.transaction,
    });
@@ -148,46 +148,6 @@ describe("oauthClients.info", () => {
    expect(body.data.id).toBeUndefined();
    expect(body.data.redirectUris).toBeUndefined();
  });
-
-  it("should validate redirectUri parameter", async () => {
-    const team = await buildTeam();
-    const admin = await buildAdmin({ teamId: team.id });
-    const user = await buildUser();
-
-    const client = await OAuthClient.create({
-      teamId: team.id,
-      createdById: admin.id,
-      name: "Test Client",
-      redirectUris: [
-        "https://example.com/callback",
-        "https://another.com/callback",
-      ],
-      published: true,
-    });
-
-    // Test with valid redirectUri
-    const validRes = await server.post("/api/oauthClients.info", {
-      body: {
-        token: user.getJwtToken(),
-        clientId: client.clientId,
-        redirectUri: "https://example.com/callback",
-      },
-    });
-
-    const validBody = await validRes.json();
-    expect(validRes.status).toEqual(200);
-    expect(validBody.data.name).toEqual("Test Client");
-
-    // Test with invalid redirectUri
-    const invalidRes = await server.post("/api/oauthClients.info", {
-      body: {
-        token: user.getJwtToken(),
-        clientId: client.clientId,
-        redirectUri: "https://malicious.com/callback",
-      },
-    });
-    expect(invalidRes.status).toEqual(400);
-  });
 });

 describe("oauthClients.create", () => {
@@ -1,6 +1,5 @@
 import Router from "koa-router";
 import { UserRole } from "@shared/types";
-import { ValidationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
 import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { transaction } from "@server/middlewares/transaction";
@@ -50,7 +49,7 @@ router.post(
  auth(),
  validate(T.OAuthClientsInfoSchema),
  async (ctx: APIContext<T.OAuthClientsInfoReq>) => {
-    const { id, clientId, redirectUri } = ctx.input.body;
+    const { id, clientId } = ctx.input.body;
    const { user } = ctx.state.auth;

    const oauthClient = await OAuthClient.findOne({
@@ -59,10 +58,6 @@ router.post(
    });
    authorize(user, "read", oauthClient);

-    if (redirectUri && !oauthClient.redirectUris.includes(redirectUri)) {
-      throw ValidationError("redirect_uri is invalid");
-    }
-
    const isInternalApp = oauthClient.teamId === user.teamId;

    ctx.body = {
@@ -10,8 +10,6 @@ export const OAuthClientsInfoSchema = BaseSchema.extend({

      /** OAuth clientId */
      clientId: z.string().optional(),
-
-      redirectUri: z.string().optional(),
    })
    .refine((data) => data.id || data.clientId, {
      message: "Either id or clientId is required",
@@ -113,7 +113,7 @@ router.post(
      user.collectionIds(),
    ]);

-    const documents = await Document.withMembershipScope(user.id).findAll({
+    const documents = await Document.defaultScopeWithUser(user.id).findAll({
      where: {
        id: pins.map((pin) => pin.documentId),
        collectionId: collectionIds,
@@ -54,11 +54,7 @@ router.post(
      });
      authorize(user, "read", document);

-      const collection = document.collectionId
-        ? await Collection.scope("withDocumentStructure").findByPk(
-            document.collectionId
-          )
-        : undefined;
+      const collection = await document.$get("collection");
      const parentIds = collection?.getDocumentParents(documentId);
      const parentShare = parentIds
        ? await Share.scope({
@@ -94,7 +94,7 @@ router.post(
      .map((star) => star.documentId)
      .filter(Boolean) as string[];
    const documents = documentIds.length
-      ? await Document.withMembershipScope(user.id).findAll({
+      ? await Document.defaultScopeWithUser(user.id).findAll({
          where: {
            id: documentIds,
            collectionId: collectionIds,
@@ -1,4 +1,5 @@
 import Router from "koa-router";
+
 import { Op, Sequelize } from "sequelize";
 import auth from "@server/middlewares/authentication";
 import { transaction } from "@server/middlewares/transaction";
@@ -45,8 +46,14 @@ router.post(
    const documentIds = memberships
      .map((p) => p.documentId)
      .filter(Boolean) as string[];
-    const documents = await Document.findByIds(documentIds, {
-      userId: user.id,
+    const documents = await Document.scope([
+      "withDrafts",
+      { method: ["withMembership", user.id] },
+      { method: ["withCollectionPermissions", user.id] },
+    ]).findAll({
+      where: {
+        id: documentIds,
+      },
    });

    const policies = presentPolicies(user, [...documents, ...memberships]);
@@ -25,7 +25,7 @@ const oauth = new OAuth2Server({

 router.post(
  "/authorize",
-  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
+  rateLimiter(RateLimiterStrategy.FiftyPerHour),
  auth(),
  async (ctx) => {
    const { user } = ctx.state.auth;
@@ -42,8 +42,7 @@ router.post(
    const response = new OAuth2Server.Response(ctx.response);

    const authorizationCode = await oauth.authorize(request, response, {
-      // Require state to prevent CSRF attacks
-      allowEmptyState: false,
+      allowEmptyState: true,
      authorizationCodeLifetime:
        OAuthAuthorizationCode.authorizationCodeLifetime,
      authenticateHandler: {
@@ -67,39 +66,35 @@ router.post(
  }
 );

-router.post(
-  "/token",
-  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
-  async (ctx) => {
-    // Note: These objects are mutated by the OAuth2Server library
-    const request = new OAuth2Server.Request(ctx.request);
-    const response = new OAuth2Server.Response(ctx.response);
-    const token = await oauth.token(request, response, {
-      accessTokenLifetime: OAuthAuthentication.accessTokenLifetime,
-      refreshTokenLifetime: OAuthAuthentication.refreshTokenLifetime,
-    });
+router.post("/token", async (ctx) => {
+  // Note: These objects are mutated by the OAuth2Server library
+  const request = new OAuth2Server.Request(ctx.request);
+  const response = new OAuth2Server.Response(ctx.response);
+  const token = await oauth.token(request, response, {
+    accessTokenLifetime: OAuthAuthentication.accessTokenLifetime,
+    refreshTokenLifetime: OAuthAuthentication.refreshTokenLifetime,
+  });

-    if (response.headers) {
-      ctx.set(response.headers);
-    }
-
-    ctx.body = {
-      access_token: token.accessToken,
-      refresh_token: token.refreshToken,
-      // OAuth2 spec says that the expires_in should be in seconds.
-      expires_in: token.accessTokenExpiresAt
-        ? Math.round((token.accessTokenExpiresAt.getTime() - Date.now()) / 1000)
-        : undefined,
-      token_type: "Bearer",
-      // OAuth2 spec says that the scope should be a space-separated list.
-      scope: token.scope?.join(" "),
-    };
+  if (response.headers) {
+    ctx.set(response.headers);
  }
-);
+
+  ctx.body = {
+    access_token: token.accessToken,
+    refresh_token: token.refreshToken,
+    // OAuth2 spec says that the expires_in should be in seconds.
+    expires_in: token.accessTokenExpiresAt
+      ? Math.round((token.accessTokenExpiresAt.getTime() - Date.now()) / 1000)
+      : undefined,
+    token_type: "Bearer",
+    // OAuth2 spec says that the scope should be a space-separated list.
+    scope: token.scope?.join(" "),
+  };
+});

 router.post(
  "/revoke",
-  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
+  rateLimiter(RateLimiterStrategy.FiftyPerHour),
  validate(T.TokenRevokeSchema),
  transaction(),
  async (ctx: APIContext<T.TokenRevokeReq>) => {
@@ -1,127 +0,0 @@
-import "./bootstrap";
-import fractionalIndex from "fractional-index";
-import { Sequelize, Transaction } from "sequelize";
-import { Collection, Team } from "@server/models";
-import { sequelize } from "@server/storage/database";
-
-const limit = 100;
-
-class CollectionIndexCollisionResolver {
-  private teamId: string;
-  private currDuplicateIndex: string | null = null;
-  private currDuplicateGroup: Collection[] = [];
-  private resolvedCollisionsCount: number = 0;
-
-  constructor(teamId: string) {
-    this.teamId = teamId;
-  }
-
-  public async process() {
-    await sequelize.transaction(async (transaction) => {
-      await this.processPage(0, transaction);
-      // edge case of last batch
-      await this.resolveDuplicates({ transaction });
-    });
-  }
-
-  private async processPage(
-    page: number,
-    transaction: Transaction
-  ): Promise<void> {
-    console.log(
-      `Resolve collection index collisions for team ${this.teamId}… page ${page}`
-    );
-
-    const collections = await Collection.unscoped().findAll({
-      where: { teamId: this.teamId },
-      attributes: ["id", "index"],
-      limit,
-      offset: page * limit,
-      order: [
-        Sequelize.literal('"collection"."index" collate "C"'), // ensure duplicates are in sequential order
-        ["updatedAt", "DESC"], // fallback as a tie breaker
-      ],
-      lock: Transaction.LOCK.UPDATE,
-      transaction,
-    });
-
-    if (!collections.length) {
-      return;
-    }
-
-    let idx = 0;
-
-    while (idx < collections.length) {
-      const collection = collections[idx];
-
-      if (collection.index === this.currDuplicateIndex) {
-        // still in the same duplicate group.
-        this.currDuplicateGroup.push(collection);
-      } else {
-        // current collection index is different from the previous one; resolve duplicates, if applicable.
-        await this.resolveDuplicates({
-          nextCollection: collection,
-          transaction,
-        });
-        // reset the duplicate index and group.
-        this.currDuplicateIndex = collection.index;
-        this.currDuplicateGroup = [collection];
-      }
-
-      idx++;
-    }
-
-    return collections.length === limit
-      ? this.processPage(page + 1, transaction)
-      : undefined;
-  }
-
-  private async resolveDuplicates({
-    nextCollection,
-    transaction,
-  }: {
-    nextCollection?: Collection;
-    transaction: Transaction;
-  }) {
-    if (this.currDuplicateGroup.length <= 1) {
-      // no action needed when there aren't more than 1 item in a group.
-      return;
-    }
-
-    let prevIndex = this.currDuplicateGroup[0].index;
-    const endIndex = nextCollection?.index ?? null;
-
-    // First collection in a duplicate group can retain its index.
-    for (let idx = 1; idx < this.currDuplicateGroup.length; idx++) {
-      const collection = this.currDuplicateGroup[idx];
-      const newIndex = fractionalIndex(prevIndex, endIndex);
-
-      console.log(`New index for collection ${collection.id} = ${newIndex}`);
-
-      collection.index = newIndex;
-      await collection.save({ silent: true, hooks: false, transaction });
-
-      prevIndex = newIndex;
-    }
-
-    this.resolvedCollisionsCount += this.currDuplicateGroup.length - 1;
-  }
-}
-
-export default async function main(exit = false) {
-  await Team.findAllInBatches<Team>({ batchLimit: 5 }, async (teams) => {
-    for (const team of teams) {
-      const resolver = new CollectionIndexCollisionResolver(team.id);
-      await resolver.process();
-    }
-  });
-
-  if (exit) {
-    process.exit(0);
-  }
-}
-
-// In the test suite we import the script rather than run via node CLI
-if (process.env.NODE_ENV !== "test") {
-  void main(true);
-}
@@ -7,8 +7,7 @@ export default function init() {
    for (const name in tasks) {
      const TaskClass = tasks[name];
      if (TaskClass.cron === schedule) {
-        // @ts-expect-error We won't instantiate an abstract class
-        await new TaskClass().schedule({ limit: 10000 });
+        await TaskClass.schedule({ limit: 10000 });
      }
    }
  }
@@ -4,7 +4,6 @@ import cookie from "cookie";
 import Koa from "koa";
 import IO from "socket.io";
 import { createAdapter } from "socket.io-redis";
-import env from "@server/env";
 import { AuthenticationError } from "@server/errors";
 import Logger from "@server/logging/Logger";
 import Metrics from "@server/logging/Metrics";
@@ -39,8 +38,7 @@ export default function init(
    pingInterval: 15000,
    pingTimeout: 30000,
    cors: {
-      // Included for completeness, though CORS does not apply to websocket transport.
-      origin: env.isCloudHosted ? "*" : env.URL,
+      origin: "*",
      methods: ["GET", "POST"],
    },
  });
@@ -62,16 +60,6 @@ export default function init(
    "upgrade",
    function (req: IncomingMessage, socket: Duplex, head: Buffer) {
      if (req.url?.startsWith(path) && ioHandleUpgrade) {
-        // For on-premise deployments, ensure the websocket origin matches the deployed URL.
-        // In cloud-hosted we support any origin for custom domains.
-        if (
-          !env.isCloudHosted &&
-          (!req.headers.origin || !env.URL.startsWith(req.headers.origin))
-        ) {
-          socket.end(`HTTP/1.1 400 Bad Request\r\n`);
-          return;
-        }
-
        ioHandleUpgrade(req, socket, head);
        return;
      }
@@ -1,6 +1,5 @@
 import path from "path";
 import { InferAttributes, InferCreationAttributes } from "sequelize";
-import sequelizeStrictAttributes from "sequelize-strict-attributes";
 import { Sequelize } from "sequelize-typescript";
 import { Umzug, SequelizeStorage, MigrationError } from "umzug";
 import env from "@server/env";
@@ -24,7 +23,7 @@ export function createDatabaseInstance(
  }
 ): Sequelize {
  try {
-    const instance = new Sequelize(databaseUrl, {
+    return new Sequelize(databaseUrl, {
      logging: (msg) =>
        process.env.DEBUG?.includes("database") &&
        Logger.debug("database", msg),
@@ -48,8 +47,6 @@ export function createDatabaseInstance(
      },
      schema,
    });
-    sequelizeStrictAttributes(instance);
-    return instance;
  } catch (error) {
    Logger.fatal(
      "Could not connect to database",
@@ -310,7 +310,7 @@ export async function buildCollection(
    overrides.permission = CollectionPermission.ReadWrite;
  }

-  return Collection.scope("withDocumentStructure").create({
+  return Collection.create({
    name: faker.lorem.words(2),
    description: faker.lorem.words(4),
    createdById: overrides.userId,
@@ -416,9 +416,7 @@ export async function buildDocument(

  if (overrides.collectionId && overrides.publishedAt !== null) {
    collection = collection
-      ? await Collection.scope("withDocumentStructure").findByPk(
-          overrides.collectionId
-        )
+      ? await Collection.findByPk(overrides.collectionId)
      : undefined;

    await collection?.addDocumentToStructure(document, 0);
@@ -758,19 +756,15 @@ export async function buildOAuthAuthorizationCode(
 }

 export async function buildOAuthAuthentication({
-  oauthClientId,
  user,
  scope,
 }: {
-  oauthClientId?: string;
  user: User;
  scope: string[];
 }) {
-  const oauthClient = oauthClientId
-    ? await OAuthClient.findByPk(oauthClientId, { rejectOnEmpty: true })
-    : await buildOAuthClient({
-        teamId: user.teamId,
-      });
+  const oauthClient = await buildOAuthClient({
+    teamId: user.teamId,
+  });
  const oauthInterfaceClient = {
    id: oauthClient.clientId,
    grants: ["authorization_code"],
@@ -191,7 +191,7 @@
            "code": false,
            "color": "default"
          },
-          "plain_text": "",
+          "plain_text": "http://github.com/outline/",
          "href": "http://github.com/outline/"
        }
      ],
@@ -506,4 +506,4 @@
      "color": "default"
    }
  }
-]
+]
@@ -11,6 +11,7 @@ export async function collectionIndexing(
    where: {
      teamId,
    },
+    attributes: ["id", "index", "name", "teamId"],
    transaction,
  });

@@ -1,8 +1,8 @@
-import crypto from "crypto";
 import {
  RefreshTokenModel,
  AuthorizationCodeModel,
 } from "@node-oauth/oauth2-server";
+import rs from "randomstring";
 import { Required } from "utility-types";
 import { Scope } from "@shared/types";
 import { isUrl } from "@shared/utils/urls";
@@ -41,21 +41,17 @@ export const OAuthInterface: RefreshTokenModel &
  grants: ["authorization_code", "refresh_token"],

  async generateAccessToken() {
-    return `${OAuthAuthentication.accessTokenPrefix}${crypto
-      .randomBytes(32)
-      .toString("hex")}`;
+    return `${OAuthAuthentication.accessTokenPrefix}${rs.generate(32)}`;
  },

  async generateRefreshToken() {
-    return `${OAuthAuthentication.refreshTokenPrefix}${crypto
-      .randomBytes(32)
-      .toString("hex")}`;
+    return `${OAuthAuthentication.refreshTokenPrefix}${rs.generate(32)}`;
  },

  async generateAuthorizationCode() {
-    return `${OAuthAuthorizationCode.authorizationCodePrefix}${crypto
-      .randomBytes(32)
-      .toString("hex")}`;
+    return `${OAuthAuthorizationCode.authorizationCodePrefix}${rs.generate(
+      32
+    )}`;
  },

  async getAccessToken(accessToken: string) {
@@ -143,12 +139,10 @@ export const OAuthInterface: RefreshTokenModel &
  },

  async saveToken(token, client, user) {
-    const {
-      accessToken,
-      refreshToken,
-      accessTokenExpiresAt,
-      refreshTokenExpiresAt,
-    } = token;
+    const accessToken = token.accessToken;
+    const refreshToken = token.refreshToken;
+    const accessTokenExpiresAt = token.accessTokenExpiresAt;
+    const refreshTokenExpiresAt = token.refreshTokenExpiresAt;
    const accessTokenHash = hash(accessToken);
    const refreshTokenHash = refreshToken ? hash(refreshToken) : undefined;

@@ -239,13 +233,13 @@ export const OAuthInterface: RefreshTokenModel &
   * @returns True if the URI is valid, false otherwise.
   */
  async validateRedirectUri(uri, client) {
-    if (uri.includes("#") || uri.includes("*")) {
+    if (uri.includes("#")) {
      return false;
    }
    if (!client.redirectUris?.includes(uri)) {
      return false;
    }
-    if (!isUrl(uri, { requireHttps: true })) {
+    if (!isUrl(uri)) {
      return false;
    }

@@ -99,7 +99,10 @@ export const getDocumentPermission = async ({
  documentId: string;
  skipMembershipId?: string;
 }): Promise<DocumentPermission | undefined> => {
-  const document = await Document.findByPk(documentId, { userId });
+  const document = await Document.scope({
+    method: ["withCollectionPermissions", userId],
+  }).findOne({ where: { id: documentId } });
+
  const permissions: DocumentPermission[] = [];

  const collection = document?.collection;
@@ -1,11 +1,6 @@
 import { GapCursor } from "prosemirror-gapcursor";
-import { Node, NodeType, Slice } from "prosemirror-model";
-import {
-  Command,
-  EditorState,
-  TextSelection,
-  Transaction,
-} from "prosemirror-state";
+import { Node, NodeType } from "prosemirror-model";
+import { Command, EditorState, TextSelection } from "prosemirror-state";
 import {
  CellSelection,
  addRow,
@@ -16,16 +11,11 @@ import {
  addColumn,
  deleteRow,
  deleteColumn,
-  deleteTable,
 } from "prosemirror-tables";
 import { ProsemirrorHelper } from "../../utils/ProsemirrorHelper";
 import { CSVHelper } from "../../utils/csv";
 import { chainTransactions } from "../lib/chainTransactions";
-import {
-  getCellsInColumn,
-  isHeaderEnabled,
-  isTableSelected,
-} from "../queries/table";
+import { getCellsInColumn, isHeaderEnabled } from "../queries/table";
 import { TableLayout } from "../types";
 import { collapseSelection } from "./collapseSelection";

@@ -54,11 +44,11 @@ export function createTable({
  };
 }

-export function createTableInner(
+function createTableInner(
  state: EditorState,
  rowsCount: number,
  colsCount: number,
-  colWidth?: number,
+  colWidth: number,
  withHeaderRow = true,
  cellContent?: Node
 ) {
@@ -554,46 +544,3 @@ export function moveOutOfTable(direction: 1 | -1): Command {
    return false;
  };
 }
-
-/**
- * A command that deletes the entire table if all cells are selected.
- *
- * @returns The command
- */
-export function deleteTableIfSelected(): Command {
-  return (state, dispatch): boolean => {
-    if (isTableSelected(state)) {
-      return deleteTable(state, dispatch);
-    }
-    return false;
-  };
-}
-
-export function deleteCellSelection(
-  state: EditorState,
-  dispatch?: (tr: Transaction) => void
-): boolean {
-  const sel = state.selection;
-  if (!(sel instanceof CellSelection)) {
-    return false;
-  }
-  if (dispatch) {
-    const tr = state.tr;
-    const baseContent = tableNodeTypes(state.schema).cell.createAndFill()!
-      .content;
-    sel.forEachCell((cell, pos) => {
-      if (!cell.content.eq(baseContent)) {
-        tr.replace(
-          tr.mapping.map(pos + 1),
-          tr.mapping.map(pos + cell.nodeSize - 1),
-          new Slice(baseContent, 0, 0)
-        );
-      }
-    });
-    if (tr.docChanged) {
-      dispatch(tr);
-      return true;
-    }
-  }
-  return false;
-}
@@ -55,7 +55,7 @@ const mathStyle = (props: Props) => css`
    cursor: auto;
    white-space: pre-wrap;
    overflow-x: auto;
-    overflow-y: hidden;
+    overflow-y: none;
  }

  .math-node.empty-math .math-render::before {
@@ -198,12 +198,6 @@ export const codeLanguages: Record<string, CodeLanguage> = {
    label: "Powershell",
    loader: () => import("refractor/lang/powershell").then((m) => m.default),
  },
-  promql: {
-    lang: "promql",
-    label: "PromQL",
-    // @ts-expect-error PromQL is not in types but exists
-    loader: () => import("refractor/lang/promql").then((m) => m.default),
-  },
  protobuf: {
    lang: "protobuf",
    label: "Protobuf",
@@ -5,6 +5,12 @@ import {
  mathSchemaSpec,
 } from "@benrbray/prosemirror-math";
 import { PluginSimple } from "markdown-it";
+import {
+  chainCommands,
+  deleteSelection,
+  selectNodeBackward,
+  joinBackward,
+} from "prosemirror-commands";
 import {
  NodeSpec,
  NodeType,
@@ -45,7 +51,12 @@ export default class Math extends Node {
  keys({ type }: { type: NodeType }) {
    return {
      "Mod-Space": insertMathCmd(type),
-      Backspace: mathBackspaceCmd,
+      Backspace: chainCommands(
+        deleteSelection,
+        mathBackspaceCmd,
+        joinBackward,
+        selectNodeBackward
+      ),
    };
  }

@@ -1,7 +1,5 @@
 import { chainCommands } from "prosemirror-commands";
-import { InputRule } from "prosemirror-inputrules";
 import { NodeSpec, Node as ProsemirrorNode } from "prosemirror-model";
-import { TextSelection } from "prosemirror-state";
 import {
  addColumnAfter,
  addRowAfter,
@@ -24,10 +22,7 @@ import {
  setTableAttr,
  deleteColSelection,
  deleteRowSelection,
-  deleteCellSelection,
  moveOutOfTable,
-  createTableInner,
-  deleteTableIfSelected,
 } from "../commands/table";
 import { MarkdownSerializerState } from "../lib/markdown/serializer";
 import { FixTablesPlugin } from "../plugins/FixTables";
@@ -98,34 +93,14 @@ export default class Table extends Node {
      "Shift-Tab": goToNextCell(-1),
      "Mod-Enter": addRowAndMoveSelection(),
      "Mod-Backspace": chainCommands(
-        deleteCellSelection,
        deleteColSelection(),
-        deleteRowSelection(),
-        deleteTableIfSelected()
-      ),
-      Backspace: chainCommands(
-        deleteCellSelection,
-        deleteColSelection(),
-        deleteRowSelection(),
-        deleteTableIfSelected()
+        deleteRowSelection()
      ),
      ArrowDown: moveOutOfTable(1),
      ArrowUp: moveOutOfTable(-1),
    };
  }

-  inputRules() {
-    return [
-      new InputRule(/^(\|--)$/, (state, _, start, end) => {
-        const nodes = createTableInner(state, 2, 2);
-        const tr = state.tr.replaceWith(start - 1, end, nodes).scrollIntoView();
-        const resolvedPos = tr.doc.resolve(start + 1);
-        tr.setSelection(TextSelection.near(resolvedPos));
-        return tr;
-      }),
-    ];
-  }
-
  toMarkdown(state: MarkdownSerializerState, node: ProsemirrorNode) {
    state.renderTable(node);
    state.closeBlock(node);
@@ -56,8 +56,8 @@ export const basicExtensions: Nodes = [
  Emoji,
  Text,
  SimpleImage,
-  Code,
  Bold,
+  Code,
  Italic,
  Underline,
  Link,
@@ -6,30 +6,6 @@ import {
  selectedRect,
 } from "prosemirror-tables";

-/**
- * Checks if the current selection is a column selection.
- * @param state The editor state.
- * @returns True if the selection is a column selection, false otherwise.
- */
-export function isColSelection(state: EditorState): boolean {
-  if (state.selection instanceof CellSelection) {
-    return state.selection.isColSelection();
-  }
-  return false;
-}
-
-/**
- * Checks if the current selection is a row selection.
- * @param state The editor state.
- * @returns True if the selection is a row selection, false otherwise.
- */
-export function isRowSelection(state: EditorState): boolean {
-  if (state.selection instanceof CellSelection) {
-    return state.selection.isRowSelection();
-  }
-  return false;
-}
-
 export function getColumnIndex(state: EditorState): number | undefined {
  if (state.selection instanceof CellSelection) {
    if (state.selection.isColSelection()) {
@@ -86,18 +62,13 @@ export function getCellsInRow(index: number) {
  };
 }

-/**
- * Check if a specific column is selected in the editor.
- *
- * @param state The editor state
- * @param index The index of the column to check
- * @returns Boolean indicating if the column is selected
- */
 export function isColumnSelected(index: number) {
  return (state: EditorState): boolean => {
-    if (isColSelection(state)) {
-      const rect = selectedRect(state);
-      return rect.left <= index && rect.right > index;
+    if (state.selection instanceof CellSelection) {
+      if (state.selection.isColSelection()) {
+        const rect = selectedRect(state);
+        return rect.left <= index && rect.right > index;
+      }
    }

    return false;
@@ -135,42 +106,28 @@ export function isHeaderEnabled(
  return true;
 }

-/**
- * Check if a specific row is selected in the editor.
- *
- * @param state The editor state
- * @param index The index of the row to check
- * @returns Boolean indicating if the row is selected
- */
 export function isRowSelected(index: number) {
  return (state: EditorState): boolean => {
-    if (isRowSelection(state)) {
-      const rect = selectedRect(state);
-      return rect.top <= index && rect.bottom > index;
+    if (state.selection instanceof CellSelection) {
+      if (state.selection.isRowSelection()) {
+        const rect = selectedRect(state);
+        return rect.top <= index && rect.bottom > index;
+      }
    }

    return false;
  };
 }

-/**
- * Check if an entire table is selected in the editor.
- *
- * @param state The editor state
- * @returns Boolean indicating if the table is selected
- */
 export function isTableSelected(state: EditorState): boolean {
-  if (state.selection instanceof CellSelection) {
-    const rect = selectedRect(state);
+  const rect = selectedRect(state);

-    return (
-      rect.top === 0 &&
-      rect.left === 0 &&
-      rect.bottom === rect.map.height &&
-      rect.right === rect.map.width &&
-      !state.selection.empty
-    );
-  }
-
-  return false;
+  return (
+    rect.top === 0 &&
+    rect.left === 0 &&
+    rect.bottom === rect.map.height &&
+    rect.right === rect.map.width &&
+    !state.selection.empty &&
+    state.selection instanceof CellSelection
+  );
 }
@@ -172,6 +172,8 @@
  "Deleting": "Deleting",
  "Are you sure about that? Deleting the <em>{{collectionName}}</em> collection is permanent and cannot be restored, however all published documents within will be moved to the trash.": "Are you sure about that? Deleting the <em>{{collectionName}}</em> collection is permanent and cannot be restored, however all published documents within will be moved to the trash.",
  "Also, <em>{{collectionName}}</em> is being used as the start view – deleting it will reset the start view to the Home page.": "Also, <em>{{collectionName}}</em> is being used as the start view – deleting it will reset the start view to the Home page.",
+  "Sorry, an error occurred saving the collection": "Sorry, an error occurred saving the collection",
+  "Add a description": "Add a description",
  "Type a command or search": "Type a command or search",
  "Choose a template": "Choose a template",
  "Are you sure you want to permanently delete this entire comment thread?": "Are you sure you want to permanently delete this entire comment thread?",
@@ -616,8 +618,6 @@
  "{{ groupsCount }} groups with access": "{{ groupsCount }} group with access",
  "{{ groupsCount }} groups with access_plural": "{{ groupsCount }} groups with access",
  "Archived by {{userName}}": "Archived by {{userName}}",
-  "Sorry, an error occurred saving the collection": "Sorry, an error occurred saving the collection",
-  "Add a description": "Add a description",
  "Share": "Share",
  "Overview": "Overview",
  "Recently updated": "Recently updated",
@@ -840,7 +840,6 @@
  "Already have an account? Go to <1>login</1>.": "Already have an account? Go to <1>login</1>.",
  "An error occurred": "An error occurred",
  "The OAuth client could not be found, please check the provided client ID": "The OAuth client could not be found, please check the provided client ID",
-  "The OAuth client could not be loaded, please check the redirect URI is valid": "The OAuth client could not be loaded, please check the redirect URI is valid",
  "Required OAuth parameters are missing": "Required OAuth parameters are missing",
  "Authorize": "Authorize",
  "{{ appName }} wants to access {{ teamName }}": "{{ appName }} wants to access {{ teamName }}",
@@ -888,8 +887,6 @@
  "Manage which third-party and internal applications have been granted access to your {{ appName }} account.": "Manage which third-party and internal applications have been granted access to your {{ appName }} account.",
  "API": "API",
  "API keys can be used to authenticate with the API and programatically control\n          your workspace's data. For more details see the <em>developer documentation</em>.": "API keys can be used to authenticate with the API and programatically control\n          your workspace's data. For more details see the <em>developer documentation</em>.",
-  "Application published": "Application published",
-  "Application updated": "Application updated",
  "Client secret rotated": "Client secret rotated",
  "Rotate secret": "Rotate secret",
  "Rotating the client secret will invalidate the current secret. Make sure to update any applications using these credentials.": "Rotating the client secret will invalidate the current secret. Make sure to update any applications using these credentials.",
@@ -113,11 +113,4 @@ export default createGlobalStyle<Props>`
    outline-offset: -1px;
    outline-width: initial;
  }
-
-  :root {
-    --sat: env(safe-area-inset-top);
-    --sar: env(safe-area-inset-right);
-    --sab: env(safe-area-inset-bottom);
-    --sal: env(safe-area-inset-left);
-  }
 `;
@@ -7,16 +7,6 @@ import {
  faWebAwesome,
  faXTwitter,
  faBluesky,
-  faGithub,
-  faGitlab,
-  faDiscord,
-  faDocker,
-  faCodepen,
-  faDropbox,
-  faPaypal,
-  faShopify,
-  faSwift,
-  faSlack,
 } from "@fortawesome/free-brands-svg-icons";
 import {
  faBagShopping,
@@ -561,16 +551,6 @@ export class IconLibrary {
        faPython,
        faXTwitter,
        faBluesky,
-        faGithub,
-        faGitlab,
-        faDiscord,
-        faDocker,
-        faCodepen,
-        faDropbox,
-        faPaypal,
-        faShopify,
-        faSwift,
-        faSlack,
      ].map((icon) => [
        icon.iconName,
        {
@@ -13,32 +13,6 @@ export function isTouchDevice(): boolean {
  return window.matchMedia?.("(hover: none) and (pointer: coarse)")?.matches;
 }

-/**
- * Returns the safe area insets for the current device.
- */
-export function getSafeAreaInsets(): {
-  top: number;
-  right: number;
-  bottom: number;
-  left: number;
-} {
-  // Check if CSS environment variables are supported
-  const style = getComputedStyle(document.documentElement);
-  const supportsEnv = window.CSS?.supports?.("top", "env(safe-area-inset-top)");
-
-  if (supportsEnv) {
-    return {
-      top: parseFloat(style.getPropertyValue("--sat") || "0"),
-      right: parseFloat(style.getPropertyValue("--sar") || "0"),
-      bottom: parseFloat(style.getPropertyValue("--sab") || "0"),
-      left: parseFloat(style.getPropertyValue("--sal") || "0"),
-    };
-  }
-
-  // Fallback to zero if not supported
-  return { top: 0, right: 0, bottom: 0, left: 0 };
-}
-
 /**
 * Returns true if the client is running on a Mac.
 */
@@ -98,15 +98,7 @@ export function isCollectionUrl(url: string) {
 * @param options Parsing options.
 * @returns True if a url, false otherwise.
 */
-export function isUrl(
-  text: string,
-  options?: {
-    /** Require the url to have a hostname. */
-    requireHostname?: boolean;
-    /** Require the url not to use HTTP, custom protocols are ok. */
-    requireHttps?: boolean;
-  }
-) {
+export function isUrl(text: string, options?: { requireHostname: boolean }) {
  if (text.match(/\n/)) {
    return false;
  }
@@ -121,9 +113,6 @@ export function isUrl(
    if (url.hostname) {
      return true;
    }
-    if (options?.requireHttps && url.protocol === "http:") {
-      return false;
-    }

    return (
      url.protocol !== "" &&
@@ -94,9 +94,6 @@ export default () =>
          modifyURLPrefix: {
            "": `${environment.CDN_URL ?? ""}/static/`,
          },
-          skipWaiting: true,
-          clientsClaim: true,
-          cleanupOutdatedCaches: true,
          runtimeCaching: [
            {
              urlPattern: /api\/urls\.unfurl$/,
@@ -112,34 +109,6 @@ export default () =>
                },
              },
            },
-            {
-              urlPattern: /api\/attachments\.redirect/,
-              handler: "CacheFirst",
-              options: {
-                cacheName: "attachments-redirect-cache",
-                expiration: {
-                  maxEntries: 100,
-                  maxAgeSeconds: 120, // 120 seconds
-                },
-                cacheableResponse: {
-                  statuses: [0, 200, 302], // Include redirects
-                },
-              },
-            },
-            {
-              urlPattern: /api\/files\.get/,
-              handler: "CacheFirst",
-              options: {
-                cacheName: "files-cache",
-                expiration: {
-                  maxEntries: 50,
-                  maxAgeSeconds: 604800, // 7 days
-                },
-                cacheableResponse: {
-                  statuses: [0, 200, 206], // Include partial content for range requests
-                },
-              },
-            },
          ],
        },
        manifest: {
Author	SHA1	Message	Date
Tom Moor	5bba32e984	Handle logged out OAuth apex	2025-04-28 19:43:17 -04:00
Tom Moor	5a5682f071	Basic /authorize framework for cloud auth	2025-04-28 17:56:53 -04:00
Tom Moor	17f54c0ed0	Merge branch 'main' of github.com:outline/outline into oauth-server	2025-04-27 20:12:44 -04:00
Tom Moor	1330724c75	test	2025-04-26 18:00:52 -04:00
Tom Moor	5ca9fc9b44	Add processor to revoke external tokens when OAuthClient is unpublished	2025-04-26 17:25:04 -04:00
Tom Moor	4c7bc07b28	fix: Delete OAuth authentications when client is deleted	2025-04-26 17:14:43 -04:00
Tom Moor	a033b08c83	tsc	2025-04-26 16:59:34 -04:00
Tom Moor	f7d5d25247	OAuth token management screen (#8953 )	2025-04-26 16:13:27 -04:00
Tom Moor	234e2d84ed	Make token lifetimes configurable at installation level	2025-04-26 09:44:58 -04:00
Tom Moor	4389ac0d1d	Merge main	2025-04-26 09:12:57 -04:00
Tom Moor	f60f5fd66d	Merge main	2025-04-22 21:29:53 -04:00
Tom Moor	bee61ce1ef	PR feedback	2025-04-22 21:19:16 -04:00
Tom Moor	20f5e953b7	Add PKCE parameters to /authorize	2025-04-15 21:20:08 -04:00
Tom Moor	c2968a671c	Add /oauth/revoke endpoint	2025-04-09 19:50:26 -04:00
Tom Moor	98959dc330	refactor: add OAuthClient.findByClientId	2025-04-08 09:16:55 -04:00
Tom Moor	7fc305b5d5	fix: Prevent OAuth tokens from creating webhooks	2025-04-07 20:47:29 -04:00
Tom Moor	1b90ab85e7	Add PKCE support	2025-04-07 20:29:43 -04:00
Tom Moor	4faf1b8570	fix: Guard authorization with unpublished client	2025-04-07 20:25:12 -04:00
Tom Moor	c61bc5dedb	fix: Cannot authorize with code grant	2025-04-07 20:23:42 -04:00
Tom Moor	3afde6962b	Merge branch 'main' of github.com:outline/outline into oauth-server	2025-04-07 14:43:19 -04:00
Tom Moor	cf7c97e9d6	Authentication middleware tests	2025-04-06 11:47:14 -04:00
Tom Moor	6298d7b31b	PR feedback	2025-04-06 10:01:10 -04:00
Tom Moor	99ec9c1627	refactors	2025-04-06 09:58:33 -04:00
Tom Moor	fdc53b91f8	Restore translations	2025-04-06 08:56:46 -04:00
Tom Moor	eb3f74cf21	self review	2025-04-06 00:42:15 -04:00
Tom Moor	8656c21e14	lint	2025-04-06 00:26:43 -04:00
Tom Moor	24fd606a86	Improve validation	2025-04-06 00:16:42 -04:00
Tom Moor	fe9a548490	Add OAuthClient icon to list, related Avatar refactor	2025-04-06 00:08:29 -04:00
Tom Moor	f71afc2bf5	refactor	2025-04-05 23:12:14 -04:00
Tom Moor	9e7dd5b4f7	refactor	2025-04-05 22:42:34 -04:00
Tom Moor	021e431195	Add rotate secret functionality	2025-04-05 22:22:44 -04:00
Tom Moor	2136be9327	scope validation	2025-04-05 20:16:06 -04:00
Tom Moor	581502f7e2	Add rate limiting on endpoints	2025-04-05 19:05:43 -04:00
Tom Moor	75447cd782	scope formalization	2025-04-05 18:55:00 -04:00
Tom Moor	fee3e7d0c3	Add additional read scopes	2025-04-05 18:05:49 -04:00
Tom Moor	aed55c7cfd	Readable scopes	2025-04-05 18:01:15 -04:00
Tom Moor	180d17e173	OAuth client edit flow	2025-04-05 17:49:29 -04:00
Tom Moor	aa60f5ccea	Bring error handling to spec for oauth endpoints	2025-04-05 09:51:39 -04:00
Tom Moor	ea79883e04	Add constraints and indexes to migration	2025-04-05 00:14:56 -04:00
Tom Moor	e9afc1d91f	Add avatar upload	2025-04-04 23:40:28 -04:00
Tom Moor	ed47b9eda0	fix authorize form	2025-04-04 23:14:41 -04:00
Tom Moor	5a19182757	Add menu, remove published option on self-hosted	2025-04-04 22:40:52 -04:00
Tom Moor	51b3971d21	New app modal	2025-04-04 22:06:47 -04:00
Tom Moor	057a1bbc7f	Add developer to authorize page	2025-04-04 21:09:30 -04:00
Tom Moor	1289f5f3be	Add tasks and processors	2025-04-04 19:01:54 -04:00
Tom Moor	429de07820	Add oauthClients endpoints	2025-04-04 18:47:07 -04:00
Tom Moor	68489973e0	Disable Authorize button on submit	2025-04-04 17:54:30 -04:00
Tom Moor	4dbd5b3617	fix: post-login redirect should include query string	2025-04-04 17:38:23 -04:00
Tom Moor	f9fe1cc308	Merge main	2025-04-04 13:11:30 -04:00
Tom Moor	fe03ba8710	scope-mapping	2025-04-04 13:10:27 -04:00
Tom Moor	d13770ddf9	Authorize styling, scope conversion	2025-04-03 22:24:46 -04:00
Tom Moor	b7425fefc6	Add cancel button	2025-04-03 21:53:03 -04:00
Tom Moor	79df4b030b	Styling of Authorize page	2025-04-03 21:43:04 -04:00
Tom Moor	24eaeca47e	Refactor out of plugin	2025-04-03 21:08:28 -04:00
Tom Moor	db0deb6997	debugging	2025-04-02 09:45:56 -04:00
Tom Moor	9f21e57335	/authorize skeleton	2025-04-02 07:28:56 -04:00
Tom Moor	fa6b83382b	Add interface	2025-04-01 22:13:26 -04:00
Tom Moor	b86475360f	Move models to plugin	2025-04-01 07:38:30 -04:00
Tom Moor	9b179a2612	Change scope to array	2025-03-31 21:42:38 -04:00
Tom Moor	7afe69e22a	Add token prefixes	2025-03-31 21:14:13 -04:00
Tom Moor	2ac19e3938	Add OAuthAuthentication	2025-03-31 21:04:01 -04:00
Tom Moor	a25968d4a7	Add OAuthAuthorizationCode	2025-03-31 20:49:51 -04:00
Tom Moor	87b8e5daeb	Add OAuthClient	2025-03-31 20:44:31 -04:00
Tom Moor	94a862ce01	Base migrations	2025-03-31 19:27:28 -04:00