fix: ExportDocumentTreeTask needs documentStructure

Add PromQL as a code highlighting option in the editor (#9146 )
* Add PromQL as a code highlighting option in the editor * Update code.ts --------- Co-authored-by: codegen-sh[bot] <131295404+codegen-sh[bot]@users.noreply.github.com> Co-authored-by: Tom Moor <tom@getoutline.com>
2026-06-13 19:35:02 +03:00 · 2025-05-07 19:38:30 -04:00 · 2025-05-07 19:11:47 -04:00 · 2025-05-07 18:49:33 -04:00 · 2025-05-07 09:00:42 -04:00 · 2025-05-07 07:47:57 -04:00
95 changed files with 2213 additions and 1352 deletions
@@ -1,3 +1,4 @@
+import uniq from "lodash/uniq";
 import { observer } from "mobx-react";
 import * as React from "react";
 import { Controller, useForm } from "react-hook-form";
@@ -18,6 +19,7 @@ import Switch from "~/components/Switch";
 import Text from "~/components/Text";
 import useBoolean from "~/hooks/useBoolean";
 import useCurrentTeam from "~/hooks/useCurrentTeam";
+import useStores from "~/hooks/useStores";
 import { EmptySelectValue } from "~/types";

 const IconPicker = React.lazy(() => import("~/components/IconPicker"));
@@ -30,6 +32,26 @@ export interface FormData {
  permission: CollectionPermission | undefined;
 }

+const useIconColor = (collection?: Collection) => {
+  const { collections } = useStores();
+  const hasMultipleCollections = collections.orderedData.length > 1;
+  const collectionColors = uniq(
+    collections.orderedData.map((c) => c.color).filter(Boolean)
+  ) as string[];
+
+  const iconColor = React.useMemo(
+    () =>
+      collection?.color ??
+      // If all the existing collections have the same color, use that color,
+      // otherwise pick a random color from the palette
+      (hasMultipleCollections && collectionColors.length === 1
+        ? collectionColors[0]
+        : randomElement(colorPalette)),
+    [collection?.color]
+  );
+  return iconColor;
+};
+
 export const CollectionForm = observer(function CollectionForm_({
  handleSubmit,
  collection,
@@ -42,11 +64,7 @@ export const CollectionForm = observer(function CollectionForm_({

  const [hasOpenedIconPicker, setHasOpenedIconPicker] = useBoolean(false);

-  const iconColor = React.useMemo(
-    () => collection?.color ?? randomElement(colorPalette),
-    [collection?.color]
-  );
-
+  const iconColor = useIconColor(collection);
  const fallbackIcon = <Icon value="collection" color={iconColor} />;

  const {
@@ -321,6 +321,7 @@ const Container = styled(Flex)<ContainerProps>`
  z-index: ${depths.mobileSidebar};
  max-width: 80%;
  min-width: 280px;
+  padding-left: var(--sal);
  ${fadeOnDesktopBackgrounded()}

  @media print {
@@ -38,10 +38,10 @@ function StarredLink({ star }: Props) {
  const { ui, collections, documents } = useStores();
  const [menuOpen, handleMenuOpen, handleMenuClose] = useBoolean();
  const { documentId, collectionId } = star;
-  const collection = collections.get(collectionId);
+  const collection = collectionId ? collections.get(collectionId) : undefined;
  const locationSidebarContext = useLocationSidebarContext();
  const sidebarContext = starredSidebarContext(
-    star.documentId ?? star.collectionId
+    star.documentId ?? star.collectionId ?? ""
  );
  const [expanded, setExpanded] = useState(
    (star.documentId
@@ -7,6 +7,7 @@ import { isCode } from "@shared/editor/lib/isCode";
 import { findParentNode } from "@shared/editor/queries/findParentNode";
 import { EditorStyleHelper } from "@shared/editor/styles/EditorStyleHelper";
 import { depths, s } from "@shared/styles";
+import { getSafeAreaInsets } from "@shared/utils/browser";
 import { HEADER_HEIGHT } from "~/components/Header";
 import { Portal } from "~/components/Portal";
 import useEventListener from "~/hooks/useEventListener";
@@ -241,12 +242,16 @@ const FloatingToolbar = React.forwardRef(function FloatingToolbar_(

    if (props.active) {
      const rect = document.body.getBoundingClientRect();
+      const safeAreaInsets = getSafeAreaInsets();
+
      return (
        <ReactPortal>
          <MobileWrapper
            ref={menuRef}
            style={{
-              bottom: `calc(100% - ${height - rect.y}px)`,
+              bottom: `calc(100% - ${
+                height - rect.y - safeAreaInsets.bottom
+              }px)`,
            }}
          >
            {props.children}
@@ -6,6 +6,7 @@ import { v4 } from "uuid";
 import { EmbedDescriptor } from "@shared/editor/embeds";
 import { MenuItem } from "@shared/editor/types";
 import { MentionType } from "@shared/types";
+import { isUrl } from "@shared/utils/urls";
 import Integration from "~/models/Integration";
 import useCurrentUser from "~/hooks/useCurrentUser";
 import useStores from "~/hooks/useStores";
@@ -29,9 +30,9 @@ export const PasteMenu = observer(({ pastedText, embeds, ...props }: Props) => {
  const user = useCurrentUser({ rejectOnEmpty: false });

  let mentionType: MentionType | undefined;
-  const url = pastedText ? new URL(pastedText) : undefined;

-  if (url) {
+  if (pastedText && isUrl(pastedText)) {
+    const url = new URL(pastedText);
    const integration = integrations.find((intg: Integration) =>
      isURLMentionable({ url, integration: intg })
    );
@@ -2,7 +2,8 @@ import Extension from "@shared/editor/lib/Extension";
 import { InputRule } from "@shared/editor/lib/InputRule";

 const rightArrow = new InputRule(/->$/, "→");
-const emdash = new InputRule(/--$/, "—");
+// Note that the suppression of pipe here prevents conflict with table creation rule.
+const emdash = new InputRule(/(?:^|[^\|])(--)$/, "—");
 const oneHalf = new InputRule(/(?:^|\s)(1\/2)$/, "½");
 const threeQuarters = new InputRule(/(?:^|\s)(3\/4)$/, "¾");
 const copyright = new InputRule(/\(c\)$/, "©️");
@@ -67,7 +67,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+B`,
      icon: <BoldIcon />,
      active: isMarkActive(schema.marks.strong),
-      visible: !isCode && (!isMobile || !isEmpty),
+      visible: !isCodeBlock && (!isMobile || !isEmpty),
    },
    {
      name: "em",
@@ -75,7 +75,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+I`,
      icon: <ItalicIcon />,
      active: isMarkActive(schema.marks.em),
-      visible: !isCode && (!isMobile || !isEmpty),
+      visible: !isCodeBlock && (!isMobile || !isEmpty),
    },
    {
      name: "strikethrough",
@@ -83,7 +83,7 @@ export default function formattingMenuItems(
      shortcut: `${metaDisplay}+D`,
      icon: <StrikethroughIcon />,
      active: isMarkActive(schema.marks.strikethrough),
-      visible: !isCode && (!isMobile || !isEmpty),
+      visible: !isCodeBlock && (!isMobile || !isEmpty),
    },
    {
      tooltip: dictionary.mark,
@@ -331,6 +331,16 @@ export default class Document extends ArchivableModel implements Searchable {
    );
  }

+  /**
+   * Returns the documents that link to this document.
+   *
+   * @returns documents that link to this document
+   */
+  @computed
+  get backlinks(): Document[] {
+    return this.store.getBacklinkedDocuments(this.id);
+  }
+
  /**
   * Returns users that have been individually given access to the document.
   *
@@ -22,7 +22,7 @@ class Star extends Model {
  document?: Document;

  /** The collection ID that is starred. */
-  collectionId: string;
+  collectionId?: string;

  /** The collection that is starred. */
  @Relation(() => Collection, { onDelete: "cascade" })
@@ -6,15 +6,18 @@ import { toast } from "sonner";
 import styled from "styled-components";
 import { richExtensions } from "@shared/editor/nodes";
 import { s } from "@shared/styles";
+import { ProsemirrorHelper } from "@shared/utils/ProsemirrorHelper";
 import { CollectionValidation } from "@shared/validations";
 import Collection from "~/models/Collection";
+import Document from "~/models/Document";
 import Editor from "~/components/Editor";
 import LoadingIndicator from "~/components/LoadingIndicator";
+import Text from "~/components/Text";
 import { withUIExtensions } from "~/editor/extensions";
 import useCurrentUser from "~/hooks/useCurrentUser";
 import usePolicy from "~/hooks/usePolicy";
 import useStores from "~/hooks/useStores";
-import Text from "./Text";
+import { Properties } from "~/types";

 const extensions = withUIExtensions(richExtensions);

@@ -22,8 +25,8 @@ type Props = {
  collection: Collection;
 };

-function CollectionDescription({ collection }: Props) {
-  const { collections } = useStores();
+function Overview({ collection }: Props) {
+  const { documents, collections } = useStores();
  const { t } = useTranslation();
  const user = useCurrentUser({ rejectOnEmpty: true });
  const can = usePolicy(collection);
@@ -54,6 +57,24 @@ function CollectionDescription({ collection }: Props) {
    [childOffsetHeight]
  );

+  const onCreateLink = React.useCallback(
+    async (params: Properties<Document>) => {
+      const newDocument = await documents.create(
+        {
+          collectionId: collection.id,
+          data: ProsemirrorHelper.getEmptyDocument(),
+          ...params,
+        },
+        {
+          publish: true,
+        }
+      );
+
+      return newDocument.url;
+    },
+    [collection, documents]
+  );
+
  return (
    <>
      {collections.isSaving && <LoadingIndicator />}
@@ -65,6 +86,7 @@ function CollectionDescription({ collection }: Props) {
            placeholder={`${t("Add a description")}…`}
            extensions={extensions}
            maxLength={CollectionValidation.maxDescriptionLength}
+            onCreateLink={onCreateLink}
            canUpdate={can.update}
            readOnly={!can.update}
            userId={user.id}
@@ -83,4 +105,4 @@ const Placeholder = styled(Text)`
  min-height: 27px;
 `;

-export default observer(CollectionDescription);
+export default observer(Overview);
@@ -20,7 +20,6 @@ import Collection from "~/models/Collection";
 import { Action } from "~/components/Actions";
 import CenteredContent from "~/components/CenteredContent";
 import { CollectionBreadcrumb } from "~/components/CollectionBreadcrumb";
-import CollectionDescription from "~/components/CollectionDescription";
 import Heading from "~/components/Heading";
 import CollectionIcon from "~/components/Icons/CollectionIcon";
 import InputSearchPage from "~/components/InputSearchPage";
@@ -46,6 +45,7 @@ import DropToImport from "./components/DropToImport";
 import Empty from "./components/Empty";
 import MembershipPreview from "./components/MembershipPreview";
 import Notices from "./components/Notices";
+import Overview from "./components/Overview";
 import ShareButton from "./components/ShareButton";

 const IconPicker = React.lazy(() => import("~/components/IconPicker"));
@@ -66,7 +66,6 @@ const CollectionScene = observer(function _CollectionScene() {
  const location = useLocation();
  const { t } = useTranslation();
  const { documents, collections, ui } = useStores();
-  const [isFetching, setFetching] = React.useState(false);
  const [error, setError] = React.useState<Error | undefined>();
  const currentPath = location.pathname;
  const [, setLastVisitedPath] = useLastVisitedPath();
@@ -120,21 +119,16 @@ const CollectionScene = observer(function _CollectionScene() {

  React.useEffect(() => {
    async function fetchData() {
-      if ((!can || !collection) && !error && !isFetching) {
-        try {
-          setError(undefined);
-          setFetching(true);
-          await collections.fetch(id);
-        } catch (err) {
-          setError(err);
-        } finally {
-          setFetching(false);
-        }
+      try {
+        setError(undefined);
+        await collections.fetch(id);
+      } catch (err) {
+        setError(err);
      }
    }

    void fetchData();
-  }, [collections, isFetching, collection, error, id, can]);
+  }, []);

  useCommandBarActions([editCollection], [ui.activeCollectionId ?? "none"]);

@@ -265,7 +259,7 @@ const CollectionScene = observer(function _CollectionScene() {
                path={collectionPath(collection.path, CollectionPath.Overview)}
              >
                {hasOverview ? (
-                  <CollectionDescription collection={collection} />
+                  <Overview collection={collection} />
                ) : (
                  <Redirect
                    to={{
@@ -18,7 +18,7 @@ type Props = {
 };

 function References({ document }: Props) {
-  const { collections, documents } = useStores();
+  const { documents } = useStores();
  const user = useCurrentUser();
  const location = useLocation();
  const locationSidebarContext = useLocationSidebarContext();
@@ -27,10 +27,8 @@ function References({ document }: Props) {
    void documents.fetchBacklinks(document.id);
  }, [documents, document.id]);

-  const backlinks = documents.getBacklinkedDocuments(document.id);
-  const collection = document.collectionId
-    ? collections.get(document.collectionId)
-    : undefined;
+  const backlinks = document.backlinks;
+  const collection = document.collection;
  const children = collection
    ? collection.getChildrenForDocument(document.id)
    : [];
@@ -4,6 +4,7 @@ import styled from "styled-components";
 import Flex from "@shared/components/Flex";
 import { s } from "@shared/styles";
 import { parseDomain } from "@shared/utils/domains";
+import type OAuthClient from "~/models/oauth/OAuthClient";
 import ButtonLarge from "~/components/ButtonLarge";
 import ChangeLanguage from "~/components/ChangeLanguage";
 import Heading from "~/components/Heading";
@@ -16,6 +17,7 @@ import { useLoggedInSessions } from "~/hooks/useLoggedInSessions";
 import useQuery from "~/hooks/useQuery";
 import useRequest from "~/hooks/useRequest";
 import { client } from "~/utils/ApiClient";
+import { BadRequestError, NotFoundError } from "~/utils/errors";
 import isCloudHosted from "~/utils/isCloudHosted";
 import { detectLanguage } from "~/utils/language";
 import Login from "./Login";
@@ -66,12 +68,17 @@ function Authorize() {
    scope,
  } = Object.fromEntries(params);
  const [scopes] = React.useState(() => scope?.split(" ") ?? []);
-  const { error: clientError, data: response } = useRequest(
-    () => client.post("/oauthClients.info", { clientId }),
-    true
-  );
+  const { error: clientError, data: response } = useRequest<{
+    data: OAuthClient;
+  }>(() => client.post("/oauthClients.info", { clientId, redirectUri }), true);

  const handleCancel = () => {
+    if (redirectUri && !clientError) {
+      const url = new URL(redirectUri);
+      url.searchParams.set("error", "access_denied");
+      window.location.href = url.toString();
+      return;
+    }
    if (window.history.length) {
      window.history.back();
    } else {
@@ -96,6 +103,7 @@ function Authorize() {
    !redirectUri && "redirect_uri",
    !responseType && "response_type",
    !scope && "scope",
+    !state && "state",
  ].filter(Boolean);

  if (missingParams.length || clientError) {
@@ -103,13 +111,20 @@ function Authorize() {
      <Background>
        <Centered>
          <StyledHeading>{t("An error occurred")}</StyledHeading>
-          {clientError ? (
+          {clientError instanceof NotFoundError ? (
            <Text as="p" type="secondary">
              {t(
                "The OAuth client could not be found, please check the provided client ID"
              )}
              <Pre>{clientId}</Pre>
            </Text>
+          ) : clientError instanceof BadRequestError ? (
+            <Text as="p" type="secondary">
+              {t(
+                "The OAuth client could not be loaded, please check the redirect URI is valid"
+              )}
+              <Pre>{redirectUri}</Pre>
+            </Text>
          ) : (
            <Text as="p" type="secondary">
              {t("Required OAuth parameters are missing")}
@@ -80,11 +80,16 @@ const Application = observer(function Application({ oauthClient }: Props) {
    async (data: FormData) => {
      try {
        await oauthClient.save(data);
+        toast.success(
+          oauthClient.published
+            ? t("Application published")
+            : t("Application updated")
+        );
      } catch (error) {
        toast.error(error.message);
      }
    },
-    [oauthClient]
+    [oauthClient, t]
  );

  const handleRotateSecret = React.useCallback(async () => {
@@ -173,7 +178,6 @@ const Application = observer(function Application({ oauthClient }: Props) {
          <Input
            type="text"
            {...register("description", {
-              required: true,
              maxLength: OAuthClientValidation.maxDescriptionLength,
            })}
            flex
@@ -186,6 +186,13 @@ export default class CollectionsStore extends Store<Collection> {
      statusFilter: [CollectionStatusFilter.Archived],
    });

+  get(id: string): Collection | undefined {
+    return (
+      this.data.get(id) ??
+      this.orderedData.find((collection) => id.endsWith(collection.urlId))
+    );
+  }
+
  @computed
  get archived(): Collection[] {
    return orderBy(this.orderedData, "archivedAt", "desc").filter(
@@ -300,8 +300,8 @@ export default class DocumentsStore extends Store<Document> {
    const documentIds = this.backlinks.get(documentId) || [];
    return orderBy(
      compact(documentIds.map((id) => this.data.get(id))),
-      "updatedAt",
-      "desc"
+      "title",
+      "asc"
    );
  }

@@ -48,18 +48,18 @@
    "> 0.25%, not dead"
  ],
  "dependencies": {
-    "@aws-sdk/client-s3": "3.787.0",
-    "@aws-sdk/lib-storage": "3.787.0",
-    "@aws-sdk/s3-presigned-post": "3.787.0",
-    "@aws-sdk/s3-request-presigner": "3.787.0",
-    "@aws-sdk/signature-v4-crt": "^3.787.0",
-    "@babel/core": "^7.26.10",
-    "@babel/plugin-proposal-decorators": "^7.25.9",
-    "@babel/plugin-transform-class-properties": "^7.25.9",
-    "@babel/plugin-transform-destructuring": "^7.25.9",
-    "@babel/plugin-transform-regenerator": "^7.27.0",
-    "@babel/preset-env": "^7.26.9",
-    "@babel/preset-react": "^7.26.3",
+    "@aws-sdk/client-s3": "3.803.0",
+    "@aws-sdk/lib-storage": "3.803.0",
+    "@aws-sdk/s3-presigned-post": "3.803.0",
+    "@aws-sdk/s3-request-presigner": "3.803.0",
+    "@aws-sdk/signature-v4-crt": "^3.803.0",
+    "@babel/core": "^7.27.1",
+    "@babel/plugin-proposal-decorators": "^7.27.1",
+    "@babel/plugin-transform-class-properties": "^7.27.1",
+    "@babel/plugin-transform-destructuring": "^7.27.1",
+    "@babel/plugin-transform-regenerator": "^7.27.1",
+    "@babel/preset-env": "^7.27.1",
+    "@babel/preset-react": "^7.27.1",
    "@benrbray/prosemirror-math": "^0.2.2",
    "@bull-board/api": "^6.7.10",
    "@bull-board/koa": "^6.7.10",
@@ -175,7 +175,7 @@
    "passport-oauth2": "^1.8.0",
    "passport-slack-oauth2": "^1.2.0",
    "patch-package": "^7.0.2",
-    "pg": "^8.14.1",
+    "pg": "^8.15.6",
    "pg-tsquery": "^8.4.2",
    "pluralize": "^8.0.0",
    "png-chunks-extract": "^1.0.0",
@@ -208,9 +208,9 @@
    "react-helmet-async": "^2.0.5",
    "react-hook-form": "^7.54.2",
    "react-i18next": "^12.3.1",
-    "react-medium-image-zoom": "5.2.13",
+    "react-medium-image-zoom": "5.2.14",
    "react-merge-refs": "^2.1.1",
-    "react-portal": "^4.2.2",
+    "react-portal": "^4.3.0",
    "react-router-dom": "^5.3.4",
    "react-virtualized-auto-sizer": "^1.0.26",
    "react-waypoint": "^10.3.0",
@@ -228,6 +228,7 @@
    "sequelize": "^6.37.3",
    "sequelize-cli": "^6.6.2",
    "sequelize-encrypted": "^1.0.0",
+    "sequelize-strict-attributes": "^1.0.2",
    "sequelize-typescript": "^2.1.6",
    "slug": "^5.3.0",
    "slugify": "^1.6.6",
@@ -248,9 +249,9 @@
    "umzug": "^3.8.2",
    "utility-types": "^3.11.0",
    "uuid": "^8.3.2",
-    "validator": "13.12.0",
+    "validator": "13.15.0",
    "vaul": "^1.1.2",
-    "vite": "^6.3.3",
+    "vite": "^6.3.4",
    "vite-plugin-pwa": "^0.21.2",
    "winston": "^3.17.0",
    "ws": "^7.5.10",
@@ -262,8 +263,8 @@
    "zod": "^3.24.2"
  },
  "devDependencies": {
-    "@babel/cli": "^7.27.0",
-    "@babel/preset-typescript": "^7.27.0",
+    "@babel/cli": "^7.27.1",
+    "@babel/preset-typescript": "^7.27.1",
    "@faker-js/faker": "^8.4.1",
    "@relative-ci/agent": "^4.3.0",
    "@testing-library/react": "^12.0.0",
@@ -328,7 +329,7 @@
    "@types/tmp": "^0.2.6",
    "@types/turndown": "^5.0.5",
    "@types/utf8": "^3.0.3",
-    "@types/validator": "^13.12.1",
+    "@types/validator": "^13.15.0",
    "@types/yauzl": "^2.10.3",
    "@typescript-eslint/eslint-plugin": "^6.21.0",
    "@typescript-eslint/parser": "^6.21.0",
@@ -357,7 +358,7 @@
    "jest-environment-jsdom": "^29.7.0",
    "jest-fetch-mock": "^3.0.3",
    "lint-staged": "^13.3.0",
-    "nodemon": "^3.1.9",
+    "nodemon": "^3.1.10",
    "postinstall-postinstall": "^2.1.0",
    "prettier": "^2.8.8",
    "react-refresh": "^0.14.2",
@@ -77,14 +77,14 @@ router.get(
      { transaction }
    );

-    if (workspace.logoUrl) {
-      transaction.afterCommit(async () => {
-        await UploadLinearWorkspaceLogoTask.schedule({
+    transaction.afterCommit(async () => {
+      if (workspace.logoUrl) {
+        await new UploadLinearWorkspaceLogoTask().schedule({
          integrationId: integration.id,
          logoUrl: workspace.logoUrl,
        });
-      });
-    }
+      }
+    });

    ctx.redirect(LinearUtils.successUrl());
  }
@@ -66,6 +66,6 @@ export class NotionImportsProcessor extends ImportsProcessor<IntegrationService.
  protected async scheduleTask(
    importTask: ImportTask<IntegrationService.Notion>
  ): Promise<void> {
-    await NotionAPIImportTask.schedule({ importTaskId: importTask.id });
+    await new NotionAPIImportTask().schedule({ importTaskId: importTask.id });
  }
 }
@@ -77,7 +77,7 @@ export default class NotionAPIImportTask extends APIImportTask<IntegrationServic
  protected async scheduleNextTask(
    importTask: ImportTask<IntegrationService.Notion>
  ) {
-    await NotionAPIImportTask.schedule({ importTaskId: importTask.id });
+    await new NotionAPIImportTask().schedule({ importTaskId: importTask.id });
    return;
  }

@@ -288,7 +288,7 @@ export class NotionConverter {
      if (item.mention.type === "link_mention") {
        return {
          type: "text",
-          text: item.plain_text,
+          text: item.plain_text || item.mention.link_mention.href,
          marks: [
            {
              type: "link",
@@ -302,7 +302,7 @@ export class NotionConverter {
      if (item.mention.type === "link_preview") {
        return {
          type: "text",
-          text: item.plain_text,
+          text: item.plain_text || item.mention.link_preview.url,
          marks: [
            {
              type: "link",
@@ -314,14 +314,14 @@ export class NotionConverter {
        };
      }

-      if (!item.plain_text) {
-        return undefined;
+      if (item.plain_text) {
+        return {
+          type: "text",
+          text: item.plain_text,
+        };
      }

-      return {
-        type: "text",
-        text: item.plain_text,
-      };
+      return undefined;
    }

    if (item.type === "equation") {
@@ -336,20 +336,20 @@ export class NotionConverter {
      };
    }

-    if (!item.text.content) {
-      return undefined;
+    if (item.text.content) {
+      return {
+        type: "text",
+        text: item.text.content,
+        marks: [
+          ...mapAttrs(),
+          ...(item.text.link
+            ? [{ type: "link", attrs: { href: item.text.link.url } }]
+            : []),
+        ].filter(Boolean),
+      };
    }

-    return {
-      type: "text",
-      text: item.text.content,
-      marks: [
-        ...mapAttrs(),
-        ...(item.text.link
-          ? [{ type: "link", attrs: { href: item.text.link.url } }]
-          : []),
-      ].filter(Boolean),
-    };
+    return undefined;
  }

  private static rich_text_to_plaintext(item: RichTextItemResponse) {
@@ -29,8 +29,12 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(DeliverWebhookTask.schedule).toHaveBeenCalled();
-    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalled();
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalledWith({
      event,
      subscriptionId: subscription.id,
    });
@@ -53,7 +57,9 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(DeliverWebhookTask.schedule).toHaveBeenCalledTimes(0);
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalledTimes(0);
  });

  it("it schedules a delivery for the event for each subscription", async () => {
@@ -79,13 +85,21 @@ describe("WebhookProcessor", () => {

    await processor.perform(event);

-    expect(DeliverWebhookTask.schedule).toHaveBeenCalled();
-    expect(DeliverWebhookTask.schedule).toHaveBeenCalledTimes(2);
-    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalled();
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalledTimes(2);
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalledWith({
      event,
      subscriptionId: subscription.id,
    });
-    expect(DeliverWebhookTask.schedule).toHaveBeenCalledWith({
+    expect(
+      jest.mocked(DeliverWebhookTask.prototype.schedule)
+    ).toHaveBeenCalledWith({
      event,
      subscriptionId: subscriptionTwo.id,
    });
@@ -24,7 +24,10 @@ export default class WebhookProcessor extends BaseProcessor {

    await Promise.all(
      applicableSubscriptions.map((subscription) =>
-        DeliverWebhookTask.schedule({ event, subscriptionId: subscription.id })
+        new DeliverWebhookTask().schedule({
+          event,
+          subscriptionId: subscription.id,
+        })
      )
    );
  }
@@ -1,4 +1,3 @@
-import invariant from "invariant";
 import { Op, WhereOptions } from "sequelize";
 import isUUID from "validator/lib/isUUID";
 import { UrlHelper } from "@shared/utils/UrlHelper";
@@ -22,8 +21,8 @@ type Props = {

 type Result = {
  document: Document;
-  share?: Share;
-  collection?: Collection | null;
+  share: Share | null;
+  collection: Collection | null;
 };

 export default async function loadDocument({
@@ -33,9 +32,9 @@ export default async function loadDocument({
  user,
  includeState,
 }: Props): Promise<Result> {
-  let document;
-  let collection;
-  let share;
+  let document: Document | null = null;
+  let collection: Collection | null = null;
+  let share: Share | null = null;

  if (!shareId && !(id && user)) {
    throw AuthenticationError(`Authentication or shareId required`);
@@ -72,20 +71,7 @@ export default async function loadDocument({
      where: whereClause,
      include: [
        {
-          // unscoping here allows us to return unpublished documents
-          model: Document.unscoped(),
-          include: [
-            {
-              model: User,
-              as: "createdBy",
-              paranoid: false,
-            },
-            {
-              model: User,
-              as: "updatedBy",
-              paranoid: false,
-            },
-          ],
+          model: Document.scope("withDrafts"),
          required: true,
          as: "document",
        },
@@ -129,14 +115,13 @@ export default async function loadDocument({
    const canReadDocument = user && can(user, "read", document);

    if (canReadDocument) {
-      // Cannot use document.collection here as it does not include the
-      // documentStructure by default through the relationship.
      if (document.collectionId) {
-        collection = await Collection.findByPk(document.collectionId);
-
-        if (!collection) {
-          throw NotFoundError("Collection could not be found for document");
-        }
+        collection = await Collection.scope("withDocumentStructure").findByPk(
+          document.collectionId,
+          {
+            rejectOnEmpty: true,
+          }
+        );
      }

      return {
@@ -155,11 +140,15 @@ export default async function loadDocument({

    // It is possible to disable sharing at the collection so we must check
    if (document.collectionId) {
-      collection = await Collection.findByPk(document.collectionId);
+      collection = await Collection.scope("withDocumentStructure").findByPk(
+        document.collectionId,
+        {
+          rejectOnEmpty: true,
+        }
+      );
    }
-    invariant(collection, "collection not found");

-    if (!collection.sharing) {
+    if (!collection?.sharing) {
      throw AuthorizationError();
    }

@@ -1,4 +1,3 @@
-import invariant from "invariant";
 import { Transaction } from "sequelize";
 import { createContext } from "@server/context";
 import { traceFunction } from "@server/logging/tracing";
@@ -24,7 +23,7 @@ type Props = {
  /** Position of moved document within document structure */
  index?: number;
  /** The IP address of the user moving the document */
-  ip: string;
+  ip: string | null;
  /** The database transaction to run within */
  transaction?: Transaction;
 };
@@ -66,16 +65,21 @@ async function documentMover({
    result.documents.push(document);
  } else {
    // Load the current and the next collection upfront and lock them
-    const collection = await Collection.findByPk(document.collectionId!, {
-      transaction,
-      lock: Transaction.LOCK.UPDATE,
-      paranoid: false,
-    });
+    const collection = await Collection.scope("withDocumentStructure").findByPk(
+      document.collectionId!,
+      {
+        transaction,
+        lock: Transaction.LOCK.UPDATE,
+        paranoid: false,
+      }
+    );

    let newCollection = collection;
    if (collectionChanged) {
      if (collectionId) {
-        newCollection = await Collection.findByPk(collectionId, {
+        newCollection = await Collection.scope(
+          "withDocumentStructure"
+        ).findByPk(collectionId, {
          transaction,
          lock: Transaction.LOCK.UPDATE,
        });
@@ -144,12 +148,14 @@ async function documentMover({

      if (collectionId) {
        // Reload the collection to get relationship data
-        newCollection = await Collection.scope({
-          method: ["withMembership", user.id],
-        }).findByPk(collectionId, {
+        newCollection = await Collection.scope([
+          {
+            method: ["withMembership", user.id],
+          },
+        ]).findByPk(collectionId, {
          transaction,
+          rejectOnEmpty: true,
        });
-        invariant(newCollection, "Collection not found");

        result.collections.push(newCollection);

@@ -4,9 +4,11 @@ import DeleteAttachmentTask from "@server/queues/tasks/DeleteAttachmentTask";
 import { buildAttachment, buildDocument } from "@server/test/factories";
 import documentPermanentDeleter from "./documentPermanentDeleter";

-jest.mock("@server/queues/tasks/DeleteAttachmentTask", () => ({
-  schedule: jest.fn(),
-}));
+jest.mock("@server/queues/tasks/DeleteAttachmentTask");
+
+beforeEach(() => {
+  jest.resetAllMocks();
+});

 describe("documentPermanentDeleter", () => {
  it("should destroy documents", async () => {
@@ -60,7 +62,9 @@ describe("documentPermanentDeleter", () => {
    await document.save();
    const countDeletedDoc = await documentPermanentDeleter([document]);
    expect(countDeletedDoc).toEqual(1);
-    expect(DeleteAttachmentTask.schedule).toHaveBeenCalledTimes(2);
+    expect(
+      jest.mocked(DeleteAttachmentTask.prototype.schedule)
+    ).toHaveBeenCalledTimes(2);
    expect(
      await Document.unscoped().count({
        where: {
@@ -67,7 +67,7 @@ export default async function documentPermanentDeleter(documents: Document[]) {
            "commands",
            `Attachment ${attachmentId} scheduled for deletion`
          );
-          await DeleteAttachmentTask.schedule({
+          await new DeleteAttachmentTask().schedule({
            attachmentId,
            teamId: document.teamId,
          });
@@ -56,5 +56,5 @@ export default async function userSuspender({
    }
  );

-  await CleanupDemotedUserTask.schedule({ userId: user.id });
+  await new CleanupDemotedUserTask().schedule({ userId: user.id });
 }
@@ -0,0 +1,29 @@
+"use strict";
+
+const { execFileSync } = require("child_process");
+const path = require("path");
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up() {
+    if (
+      process.env.NODE_ENV === "test" ||
+      process.env.DEPLOYMENT === "hosted"
+    ) {
+      return;
+    }
+
+    const scriptName = path.basename(__filename);
+    const scriptPath = path.join(
+      process.cwd(),
+      "build",
+      `server/scripts/${scriptName}`
+    );
+
+    execFileSync("node", [scriptPath], { stdio: "inherit" });
+  },
+
+  async down() {
+    // noop
+  },
+};
@@ -16,7 +16,7 @@ beforeEach(() => {
 });

 describe("#url", () => {
-  test("should return correct url for the collection", () => {
+  it("should return correct url for the collection", () => {
    const collection = new Collection({
      id: "1234",
    });
@@ -25,7 +25,7 @@ describe("#url", () => {
 });

 describe("getDocumentParents", () => {
-  test("should return array of parent document ids", async () => {
+  it("should return array of parent document ids", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -41,7 +41,7 @@ describe("getDocumentParents", () => {
    expect(result ? result[0] : undefined).toBe(parent.id);
  });

-  test("should return array of parent document ids", async () => {
+  it("should return array of parent document ids", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -56,7 +56,7 @@ describe("getDocumentParents", () => {
    expect(result?.length).toBe(0);
  });

-  test("should not error if documentStructure is empty", async () => {
+  it("should not error if documentStructure is empty", async () => {
    const parent = await buildDocument();
    await buildDocument();
    const collection = await buildCollection();
@@ -66,7 +66,7 @@ describe("getDocumentParents", () => {
 });

 describe("getDocumentTree", () => {
-  test("should return document tree", async () => {
+  it("should return document tree", async () => {
    const document = await buildDocument();
    const collection = await buildCollection({
      documentStructure: [await document.toNavigationNode()],
@@ -76,7 +76,7 @@ describe("getDocumentTree", () => {
    );
  });

-  test("should return nested documents in tree", async () => {
+  it("should return nested documents in tree", async () => {
    const parent = await buildDocument();
    const document = await buildDocument();
    const collection = await buildCollection({
@@ -99,7 +99,7 @@ describe("getDocumentTree", () => {
 });

 describe("#addDocumentToStructure", () => {
-  test("should add as last element without index", async () => {
+  it("should add as last element without index", async () => {
    const collection = await buildCollection();
    const id = uuidv4();
    const newDocument = await buildDocument({
@@ -117,7 +117,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure!.length).toBe(1);
  });

-  test("should add with an index", async () => {
+  it("should add with an index", async () => {
    const collection = await buildCollection();
    const id = uuidv4();
    const newDocument = await buildDocument({
@@ -131,7 +131,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].id).toBe(id);
  });

-  test("should add as a child if with parent", async () => {
+  it("should add as a child if with parent", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -150,7 +150,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].children[0].id).toBe(id);
  });

-  test("should add as a child if with parent with index", async () => {
+  it("should add as a child if with parent with index", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -176,7 +176,7 @@ describe("#addDocumentToStructure", () => {
    expect(collection.documentStructure![0].children[0].id).toBe(id);
  });

-  test("should add the document along with its nested document(s)", async () => {
+  it("should add the document along with its nested document(s)", async () => {
    const collection = await buildCollection();

    const document = await buildDocument({
@@ -204,7 +204,7 @@ describe("#addDocumentToStructure", () => {
    );
  });

-  test("should add the document along with its archived nested document(s)", async () => {
+  it("should add the document along with its archived nested document(s)", async () => {
    const collection = await buildCollection();

    const document = await buildDocument({
@@ -237,7 +237,7 @@ describe("#addDocumentToStructure", () => {
    );
  });
  describe("options: documentJson", () => {
-    test("should append supplied json over document's own", async () => {
+    it("should append supplied json over document's own", async () => {
      const collection = await buildCollection();
      const id = uuidv4();
      const newDocument = await buildDocument({
@@ -268,7 +268,7 @@ describe("#addDocumentToStructure", () => {
 });

 describe("#updateDocument", () => {
-  test("should update root document's data", async () => {
+  it("should update root document's data", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -279,7 +279,7 @@ describe("#updateDocument", () => {
    expect(collection.documentStructure![0].title).toBe("Updated title");
  });

-  test("should update child document's data", async () => {
+  it("should update child document's data", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -297,7 +297,7 @@ describe("#updateDocument", () => {
    newDocument.title = "Updated title";
    await newDocument.save();
    await collection.updateDocument(newDocument);
-    const reloaded = await Collection.findByPk(collection.id);
+    const reloaded = await collection.reload();
    expect(reloaded!.documentStructure![0].children[0].title).toBe(
      "Updated title"
    );
@@ -305,7 +305,7 @@ describe("#updateDocument", () => {
 });

 describe("#removeDocument", () => {
-  test("should save if removing", async () => {
+  it("should save if removing", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -315,7 +315,7 @@ describe("#removeDocument", () => {
    expect(collection.save).toBeCalled();
  });

-  test("should remove documents from root", async () => {
+  it("should remove documents from root", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -331,7 +331,7 @@ describe("#removeDocument", () => {
    expect(collectionDocuments.count).toBe(0);
  });

-  test("should remove a document with child documents", async () => {
+  it("should remove a document with child documents", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -359,7 +359,7 @@ describe("#removeDocument", () => {
    expect(collectionDocuments.count).toBe(0);
  });

-  test("should remove a child document", async () => {
+  it("should remove a child document", async () => {
    const collection = await buildCollection();
    const document = await buildDocument({ collectionId: collection.id });
    await collection.reload();
@@ -380,7 +380,7 @@ describe("#removeDocument", () => {
    expect(collection.documentStructure![0].children.length).toBe(1);
    // Remove the document
    await collection.deleteDocument(newDocument);
-    const reloaded = await Collection.findByPk(collection.id);
+    const reloaded = await collection.reload();
    expect(reloaded!.documentStructure!.length).toBe(1);
    expect(reloaded!.documentStructure![0].children.length).toBe(0);
    const collectionDocuments = await Document.findAndCountAll({
@@ -393,7 +393,7 @@ describe("#removeDocument", () => {
 });

 describe("#membershipUserIds", () => {
-  test("should return collection and group memberships", async () => {
+  it("should return collection and group memberships", async () => {
    const team = await buildTeam();
    const teamId = team.id;
    // Make 6 users
@@ -464,47 +464,53 @@ describe("#membershipUserIds", () => {
 });

 describe("#findByPk", () => {
-  test("should return collection with collection Id", async () => {
+  it("should return collection with collection Id", async () => {
    const collection = await buildCollection();
    const response = await Collection.findByPk(collection.id);
    expect(response!.id).toBe(collection.id);
  });

-  test("should return collection when urlId is present", async () => {
+  it("should not return documentStructure by default", async () => {
+    const collection = await buildCollection();
+    const response = await Collection.findByPk(collection.id);
+    expect(() => response!.documentStructure).toThrow();
+  });
+
+  it("should return collection when urlId is present", async () => {
    const collection = await buildCollection();
    const id = `${slugify(collection.name)}-${collection.urlId}`;
    const response = await Collection.findByPk(id);
    expect(response!.id).toBe(collection.id);
  });

-  test("should return collection when urlId is present, but missing slug", async () => {
+  it("should return collection when urlId is present, but missing slug", async () => {
    const collection = await buildCollection();
    const id = collection.urlId;
    const response = await Collection.findByPk(id);
    expect(response!.id).toBe(collection.id);
  });

-  test("should return null when incorrect uuid type", async () => {
+  it("should return null when incorrect uuid type", async () => {
    const collection = await buildCollection();
    const response = await Collection.findByPk(collection.id + "-incorrect");
    expect(response).toBe(null);
  });

-  test("should return null when incorrect urlId length", async () => {
+  it("should return null when incorrect urlId length", async () => {
    const collection = await buildCollection();
    const id = `${slugify(collection.name)}-${collection.urlId}incorrect`;
    const response = await Collection.findByPk(id);
    expect(response).toBe(null);
  });

-  test("should return null when no collection is found with uuid", async () => {
+  it("should return null when no collection is found with uuid", async () => {
    const response = await Collection.findByPk(
      "a9e71a81-7342-4ea3-9889-9b9cc8f667da"
    );
    expect(response).toBe(null);
  });

-  test("should return null when no collection is found with urlId", async () => {
+  it("should return null when no collection is found with urlId", async () => {
    const id = `${slugify("test collection")}-${randomstring.generate(15)}`;
    const response = await Collection.findByPk(id);
    expect(response).toBe(null);
@@ -37,6 +37,7 @@ import {
  AllowNull,
  BeforeCreate,
  BeforeUpdate,
+  DefaultScope,
 } from "sequelize-typescript";
 import isUUID from "validator/lib/isUUID";
 import type { CollectionSort, ProsemirrorData } from "@shared/types";
@@ -69,6 +70,11 @@ type AdditionalFindOptions = {
  rejectOnEmpty?: boolean | Error;
 };

+@DefaultScope(() => ({
+  attributes: {
+    exclude: ["documentStructure"],
+  },
+}))
@Scopes(() => ({
  withAllMemberships: {
    include: [
@@ -121,6 +127,12 @@ type AdditionalFindOptions = {
      },
    ],
  }),
+  withDocumentStructure: () => ({
+    attributes: {
+      // resets to include the documentStructure column
+      exclude: [],
+    },
+  }),
  withMembership: (userId: string) => {
    if (!userId) {
      return {};
@@ -238,6 +250,7 @@ class Collection extends ParanoidModel<
  @Column
  maintainerApprovalRequired: boolean;

+  @Default(null)
  @Column(DataType.JSONB)
  documentStructure: NavigationNode[] | null;

@@ -11,7 +11,6 @@ import {
  buildUser,
  buildGuestUser,
 } from "@server/test/factories";
-import Collection from "./Collection";
 import UserMembership from "./UserMembership";

 beforeEach(() => {
@@ -96,10 +95,8 @@ describe("#delete", () => {

    await document.delete(user);
    const [newDocument, newCollection] = await Promise.all([
-      Document.findByPk(document.id, {
-        paranoid: false,
-      }),
-      Collection.findByPk(collection.id),
+      document.reload({ paranoid: false }),
+      collection.reload(),
    ]);

    expect(newDocument?.lastModifiedById).toEqual(user.id);
@@ -13,9 +13,9 @@ import {
  Transaction,
  Op,
  FindOptions,
-  ScopeOptions,
  WhereOptions,
  EmptyResultError,
+  Sequelize,
 } from "sequelize";
 import {
  ForeignKey,
@@ -72,12 +72,20 @@ import Length from "./validators/Length";

 export const DOCUMENT_VERSION = 2;

+// If content (JSON) is null then we still need to return the state column (BINARY)
+// as it's used as a fallback for content deserialization for older documents.
+// This can be removed if content is 100% backfilled.
+const stateIfContentEmpty = Sequelize.literal(
+  `CASE WHEN document.content IS NULL THEN document.state ELSE NULL END AS state`
+);
+
 type AdditionalFindOptions = {
  userId?: string;
  includeState?: boolean;
  rejectOnEmpty?: boolean | Error;
 };

+// @ts-expect-error Type 'Literal' is not assignable to type 'string | ProjectionAlias'.
@DefaultScope(() => ({
  include: [
    {
@@ -102,27 +110,14 @@ type AdditionalFindOptions = {
    },
  },
  attributes: {
-    exclude: ["state"],
+    include: [stateIfContentEmpty],
  },
 }))
+// @ts-expect-error Type 'Literal' is not assignable to type 'string | ProjectionAlias'.
@Scopes(() => ({
-  withCollectionPermissions: (userId: string, paranoid = true) => ({
-    include: [
-      {
-        attributes: ["id", "permission", "sharing", "teamId", "deletedAt"],
-        model: userId
-          ? Collection.scope({
-              method: ["withMembership", userId],
-            })
-          : Collection,
-        as: "collection",
-        paranoid,
-      },
-    ],
-  }),
  withoutState: {
    attributes: {
-      exclude: ["state"],
+      include: [stateIfContentEmpty],
    },
  },
  withCollection: {
@@ -136,7 +131,7 @@ type AdditionalFindOptions = {
  withState: {
    attributes: {
      // resets to include the state column
-      exclude: [],
+      include: [],
    },
  },
  withDrafts: {
@@ -169,13 +164,25 @@ type AdditionalFindOptions = {
      ],
    };
  },
-  withMembership: (userId: string) => {
+  withMembership: (userId: string, paranoid = true) => {
    if (!userId) {
      return {};
    }

    return {
      include: [
+        {
+          model: userId
+            ? Collection.scope([
+                "defaultScope",
+                {
+                  method: ["withMembership", userId],
+                },
+              ])
+            : Collection,
+          as: "collection",
+          paranoid,
+        },
        {
          association: "memberships",
          where: {
@@ -419,10 +426,13 @@ class Document extends ArchivableModel<
      return;
    }

-    const collection = await Collection.findByPk(model.collectionId, {
-      transaction,
-      lock: Transaction.LOCK.UPDATE,
-    });
+    const collection = await Collection.scope("withDocumentStructure").findByPk(
+      model.collectionId,
+      {
+        transaction,
+        lock: Transaction.LOCK.UPDATE,
+      }
+    );
    if (!collection) {
      return;
    }
@@ -443,7 +453,9 @@ class Document extends ArchivableModel<
    }

    return this.sequelize!.transaction(async (transaction: Transaction) => {
-      const collection = await Collection.findByPk(model.collectionId!, {
+      const collection = await Collection.scope(
+        "withDocumentStructure"
+      ).findByPk(model.collectionId!, {
        transaction,
        lock: transaction.LOCK.UPDATE,
      });
@@ -637,21 +649,19 @@ class Document extends ArchivableModel<
    return uniq(membershipUserIds);
  }

-  static defaultScopeWithUser(userId: string) {
-    const collectionScope: Readonly<ScopeOptions> = {
-      method: ["withCollectionPermissions", userId],
-    };
-    const viewScope: Readonly<ScopeOptions> = {
-      method: ["withViews", userId],
-    };
-    const membershipScope: Readonly<ScopeOptions> = {
-      method: ["withMembership", userId],
-    };
+  static withMembershipScope(
+    userId: string,
+    options?: FindOptions<Document> & { includeDrafts?: boolean }
+  ) {
    return this.scope([
-      "defaultScope",
-      collectionScope,
-      viewScope,
-      membershipScope,
+      options?.includeDrafts ? "withDrafts" : "defaultScope",
+      "withoutState",
+      {
+        method: ["withViews", userId],
+      },
+      {
+        method: ["withMembership", userId, options?.paranoid],
+      },
    ]);
  }

@@ -685,14 +695,12 @@ class Document extends ArchivableModel<
    // almost every endpoint needs the collection membership to determine policy permissions.
    const scope = this.scope([
      "withDrafts",
-      {
-        method: ["withCollectionPermissions", userId, rest.paranoid],
-      },
+      options.includeState ? "withState" : "withoutState",
      {
        method: ["withViews", userId],
      },
      {
-        method: ["withMembership", userId],
+        method: ["withMembership", userId, rest.paranoid],
      },
    ]);

@@ -750,9 +758,6 @@ class Document extends ArchivableModel<
    const user = userId ? await User.findByPk(userId) : null;
    const documents = await this.scope([
      "withDrafts",
-      {
-        method: ["withCollectionPermissions", userId, rest.paranoid],
-      },
      {
        method: ["withViews", userId],
      },
@@ -938,7 +943,9 @@ class Document extends ArchivableModel<
    }

    if (!this.template && this.collectionId) {
-      const collection = await Collection.findByPk(this.collectionId, {
+      const collection = await Collection.scope(
+        "withDocumentStructure"
+      ).findByPk(this.collectionId, {
        transaction,
        lock: Transaction.LOCK.UPDATE,
      });
@@ -1005,10 +1012,13 @@ class Document extends ArchivableModel<

    await this.sequelize.transaction(async (transaction: Transaction) => {
      const collection = this.collectionId
-        ? await Collection.findByPk(this.collectionId, {
-            transaction,
-            lock: transaction.LOCK.UPDATE,
-          })
+        ? await Collection.scope("withDocumentStructure").findByPk(
+            this.collectionId,
+            {
+              transaction,
+              lock: transaction.LOCK.UPDATE,
+            }
+          )
        : undefined;

      if (collection) {
@@ -1039,10 +1049,13 @@ class Document extends ArchivableModel<
  archive = async (user: User, options?: FindOptions) => {
    const { transaction } = { ...options };
    const collection = this.collectionId
-      ? await Collection.findByPk(this.collectionId, {
-          transaction,
-          lock: transaction?.LOCK.UPDATE,
-        })
+      ? await Collection.scope("withDocumentStructure").findByPk(
+          this.collectionId,
+          {
+            transaction,
+            lock: transaction?.LOCK.UPDATE,
+          }
+        )
      : undefined;

    if (collection) {
@@ -1063,7 +1076,7 @@ class Document extends ArchivableModel<
  ) => {
    const { transaction } = { ...options };
    const collection = collectionId
-      ? await Collection.findByPk(collectionId, {
+      ? await Collection.scope("withDocumentStructure").findByPk(collectionId, {
          transaction,
          lock: transaction?.LOCK.UPDATE,
        })
@@ -1115,7 +1128,9 @@ class Document extends ArchivableModel<
      let deleted = false;

      if (!this.template && this.collectionId) {
-        const collection = await Collection.findByPk(this.collectionId!, {
+        const collection = await Collection.scope(
+          "withDocumentStructure"
+        ).findByPk(this.collectionId!, {
          transaction,
          lock: transaction.LOCK.UPDATE,
          paranoid: false,
@@ -408,7 +408,7 @@ class Team extends ParanoidModel<
      });

      if (attachment) {
-        await DeleteAttachmentTask.schedule({
+        await new DeleteAttachmentTask().schedule({
          attachmentId: attachment.id,
          teamId: model.id,
        });
@@ -717,7 +717,7 @@ class User extends ParanoidModel<
      });

      if (attachment) {
-        await DeleteAttachmentTask.schedule({
+        await new DeleteAttachmentTask().schedule({
          attachmentId: attachment.id,
          teamId: model.teamId,
        });
@@ -1,7 +1,9 @@
-import { NotificationEventType } from "@shared/types";
+import { DocumentPermission, NotificationEventType } from "@shared/types";
+import { UserMembership } from "@server/models";
 import {
  buildComment,
  buildDocument,
+  buildDraftDocument,
  buildSubscription,
  buildUser,
 } from "@server/test/factories";
@@ -54,6 +56,78 @@ describe("NotificationHelper", () => {
      expect(recipients[0].id).toEqual(notificationEnabledUser.id);
    });

+    it("should only return users who have notification enabled for comment creation and are subscribed to the document in case of new thread in draft", async () => {
+      const documentAuthor = await buildUser();
+
+      // create a draft
+      const document = await buildDraftDocument({
+        userId: documentAuthor.id,
+        teamId: documentAuthor.teamId,
+        collectionId: null,
+      });
+
+      // add a bunch of users as direct members
+      const user = await buildUser({
+        teamId: document.teamId,
+        notificationSettings: { [NotificationEventType.CreateComment]: true },
+      });
+      const user2 = await buildUser({
+        teamId: document.teamId,
+        notificationSettings: { [NotificationEventType.CreateComment]: true },
+      });
+      const user3 = await buildUser({
+        teamId: document.teamId,
+        notificationSettings: { [NotificationEventType.CreateComment]: true },
+      });
+      await UserMembership.create({
+        documentId: document.id,
+        userId: user.id,
+        permission: DocumentPermission.Read,
+        createdById: user.id,
+      });
+      await UserMembership.create({
+        documentId: document.id,
+        userId: user2.id,
+        permission: DocumentPermission.Read,
+        createdById: user.id,
+      });
+      await UserMembership.create({
+        documentId: document.id,
+        userId: user3.id,
+        permission: DocumentPermission.Read,
+        createdById: user.id,
+      });
+
+      // Add a subscription for only one of those users
+      await Promise.all([
+        buildSubscription({
+          userId: user.id,
+        }),
+        buildSubscription({
+          userId: user2.id,
+        }),
+        buildSubscription({
+          userId: user3.id,
+          documentId: document.id,
+        }),
+      ]);
+
+      const comment = await buildComment({
+        documentId: document.id,
+        userId: documentAuthor.id,
+      });
+
+      const recipients =
+        await NotificationHelper.getCommentNotificationRecipients(
+          document,
+          comment,
+          comment.createdById
+        );
+
+      expect(recipients.length).toEqual(1);
+      expect(recipients[0].id).toEqual(user3.id);
+    });
+
    it("should only return users who have notification enabled for comment creation and are in the thread in case of child comment", async () => {
      const documentAuthor = await buildUser();
      const document = await buildDocument({
@@ -193,10 +193,16 @@ export default class NotificationHelper {
            [Op.ne]: actorId,
          },
          event: SubscriptionType.Document,
-          [Op.or]: [
-            { collectionId: document.collectionId },
-            { documentId: document.id },
-          ],
+          ...(document.collectionId
+            ? {
+                [Op.or]: [
+                  { collectionId: document.collectionId },
+                  { documentId: document.id },
+                ],
+              }
+            : {
+                documentId: document.id,
+              }),
        },
        include: [
          {
@@ -182,18 +182,9 @@ export default class SearchHelper {
      },
    ];

-    return Document.scope([
-      "withDrafts",
-      {
-        method: ["withViews", user.id],
-      },
-      {
-        method: ["withCollectionPermissions", user.id],
-      },
-      {
-        method: ["withMembership", user.id],
-      },
-    ]).findAll({
+    return Document.withMembershipScope(user.id, {
+      includeDrafts: true,
+    }).findAll({
      where,
      subQuery: false,
      order: [["updatedAt", "DESC"]],
@@ -273,18 +264,7 @@ export default class SearchHelper {

      // Final query to get associated document data
      const [documents, count] = await Promise.all([
-        Document.scope([
-          "withDrafts",
-          {
-            method: ["withViews", user.id],
-          },
-          {
-            method: ["withCollectionPermissions", user.id],
-          },
-          {
-            method: ["withMembership", user.id],
-          },
-        ]).findAll({
+        Document.withMembershipScope(user.id, { includeDrafts: true }).findAll({
          where: {
            teamId: user.teamId,
            id: map(results, "id"),
@@ -17,7 +17,7 @@ export default class AvatarProcessor extends BaseProcessor {
      });

      if (user.avatarUrl) {
-        await UploadUserAvatarTask.schedule({
+        await new UploadUserAvatarTask().schedule({
          userId: event.userId,
          avatarUrl: user.avatarUrl,
        });
@@ -30,7 +30,7 @@ export default class AvatarProcessor extends BaseProcessor {
      });

      if (team.avatarUrl) {
-        await UploadTeamAvatarTask.schedule({
+        await new UploadTeamAvatarTask().schedule({
          teamId: event.teamId,
          avatarUrl: team.avatarUrl,
        });
@@ -12,7 +12,7 @@ export default class CollectionsProcessor extends BaseProcessor {
  ];

  async perform(event: CollectionEvent) {
-    await DetachDraftsFromCollectionTask.schedule({
+    await new DetachDraftsFromCollectionTask().schedule({
      collectionId: event.collectionId,
      actorId: event.actorId,
      ip: event.ip,
@@ -27,7 +27,7 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
  async perform(event: ReceivedEvent) {
    switch (event.name) {
      case "collections.remove_user": {
-        await CollectionSubscriptionRemoveUserTask.schedule(event);
+        await new CollectionSubscriptionRemoveUserTask().schedule(event);
        return;
      }

@@ -35,7 +35,7 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
        return this.handleRemoveGroupFromCollection(event);

      case "documents.remove_user": {
-        await DocumentSubscriptionRemoveUserTask.schedule(event);
+        await new DocumentSubscriptionRemoveUserTask().schedule(event);
        return;
      }

@@ -57,11 +57,11 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map((groupUser) =>
-            CollectionSubscriptionRemoveUserTask.schedule({
+            new CollectionSubscriptionRemoveUserTask().schedule({
              ...event,
              name: "collections.remove_user",
              userId: groupUser.userId,
-            })
+            } as CollectionUserEvent)
          )
        );
      }
@@ -79,11 +79,11 @@ export default class DocumentSubscriptionProcessor extends BaseProcessor {
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map((groupUser) =>
-            DocumentSubscriptionRemoveUserTask.schedule({
+            new DocumentSubscriptionRemoveUserTask().schedule({
              ...event,
              name: "documents.remove_user",
              userId: groupUser.userId,
-            })
+            } as DocumentUserEvent)
          )
        );
      }
@@ -20,12 +20,12 @@ export default class FileOperationCreatedProcessor extends BaseProcessor {
    if (fileOperation.type === FileOperationType.Import) {
      switch (fileOperation.format) {
        case FileOperationFormat.MarkdownZip:
-          await ImportMarkdownZipTask.schedule({
+          await new ImportMarkdownZipTask().schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.JSON:
-          await ImportJSONTask.schedule({
+          await new ImportJSONTask().schedule({
            fileOperationId: event.modelId,
          });
          break;
@@ -36,17 +36,17 @@ export default class FileOperationCreatedProcessor extends BaseProcessor {
    if (fileOperation.type === FileOperationType.Export) {
      switch (fileOperation.format) {
        case FileOperationFormat.HTMLZip:
-          await ExportHTMLZipTask.schedule({
+          await new ExportHTMLZipTask().schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.MarkdownZip:
-          await ExportMarkdownZipTask.schedule({
+          await new ExportMarkdownZipTask().schedule({
            fileOperationId: event.modelId,
          });
          break;
        case FileOperationFormat.JSON:
-          await ExportJSONTask.schedule({
+          await new ExportJSONTask().schedule({
            fileOperationId: event.modelId,
          });
          break;
@@ -20,7 +20,7 @@ export default class IntegrationCreatedProcessor extends BaseProcessor {
    }

    // Store the available issue sources in the integration record.
-    await CacheIssueSourcesTask.schedule({
+    await new CacheIssueSourcesTask().schedule({
      integrationId: integration.id,
    });

@@ -62,25 +62,25 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await DocumentPublishedNotificationsTask.schedule(event);
+    await new DocumentPublishedNotificationsTask().schedule(event);
  }

  async documentAddUser(event: DocumentUserEvent) {
    if (!event.data.isNew || event.userId === event.actorId) {
      return;
    }
-    await DocumentAddUserNotificationsTask.schedule(event);
+    await new DocumentAddUserNotificationsTask().schedule(event);
  }

  async documentAddGroup(event: DocumentGroupEvent) {
    if (!event.data.isNew) {
      return;
    }
-    await DocumentAddGroupNotificationsTask.schedule(event);
+    await new DocumentAddGroupNotificationsTask().schedule(event);
  }

  async revisionCreated(event: RevisionEvent) {
-    await RevisionCreatedNotificationsTask.schedule(event);
+    await new RevisionCreatedNotificationsTask().schedule(event);
  }

  async collectionCreated(event: CollectionEvent) {
@@ -93,7 +93,7 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await CollectionCreatedNotificationsTask.schedule(event);
+    await new CollectionCreatedNotificationsTask().schedule(event);
  }

  async collectionAddUser(event: CollectionUserEvent) {
@@ -101,14 +101,14 @@ export default class NotificationsProcessor extends BaseProcessor {
      return;
    }

-    await CollectionAddUserNotificationsTask.schedule(event);
+    await new CollectionAddUserNotificationsTask().schedule(event);
  }

  async commentCreated(event: CommentEvent) {
-    await CommentCreatedNotificationsTask.schedule(event);
+    await new CommentCreatedNotificationsTask().schedule(event);
  }

  async commentUpdated(event: CommentEvent) {
-    await CommentUpdatedNotificationsTask.schedule(event);
+    await new CommentUpdatedNotificationsTask().schedule(event);
  }
 }
@@ -37,7 +37,7 @@ export default class RevisionsProcessor extends BaseProcessor {
          return;
        }

-        await DocumentUpdateTextTask.schedule(event);
+        await new DocumentUpdateTextTask().schedule(event);

        const user = await User.findByPk(event.actorId, {
          paranoid: false,
@@ -6,6 +6,6 @@ export default class UserDemotedProcessor extends BaseProcessor {
  static applicableEvents: TEvent["name"][] = ["users.demote"];

  async perform(event: UserEvent) {
-    await CleanupDemotedUserTask.schedule({ userId: event.userId });
+    await new CleanupDemotedUserTask().schedule({ userId: event.userId });
  }
 }
@@ -325,7 +325,9 @@ export default abstract class APIImportTask<
        ([url, attachment]) => ({ attachmentId: attachment.id, url })
      );
      // publish task after attachments are persisted in DB.
-      const job = await UploadAttachmentsForImportTask.schedule(uploadItems);
+      const job = await new UploadAttachmentsForImportTask().schedule(
+        uploadItems
+      );
      await job.finished();
    } catch (err) {
      // upload attachments failure is not critical enough to fail the whole import.
@@ -21,7 +21,7 @@ export default abstract class BaseTask<T extends Record<string, any>> {
  static cron: TaskSchedule | undefined;

  /**
-   * Schedule this task type to be processed asyncronously by a worker.
+   * Schedule this task type to be processed asynchronously by a worker.
   *
   * @param props Properties to be used by the task
   * @returns A promise that resolves once the job is placed on the task queue
@@ -39,6 +39,23 @@ export default abstract class BaseTask<T extends Record<string, any>> {
    );
  }

+  /**
+   * Schedule this task type to be processed asynchronously by a worker.
+   *
+   * @param props Properties to be used by the task
+   * @param options Job options such as priority and retry strategy, as defined by Bull.
+   * @returns A promise that resolves once the job is placed on the task queue
+   */
+  public schedule(props: T, options?: JobOptions): Promise<Job> {
+    return taskQueue.add(
+      {
+        name: this.constructor.name,
+        props,
+      },
+      { ...options, ...this.options }
+    );
+  }
+
  /**
   * Execute the task.
   *
@@ -29,7 +29,7 @@ export default class CleanupDeletedTeamsTask extends BaseTask<Props> {
    });

    for (const team of teams) {
-      await CleanupDeletedTeamTask.schedule({
+      await new CleanupDeletedTeamTask().schedule({
        teamId: team.id,
      });
    }
@@ -7,7 +7,7 @@ import BaseTask from "./BaseTask";
 type Props = {
  collectionId: string;
  actorId: string;
-  ip: string;
+  ip: string | null;
 };

 export default class DetachDraftsFromCollectionTask extends BaseTask<Props> {
@@ -1,6 +1,6 @@
 import { Op } from "sequelize";
 import { GroupUser } from "@server/models";
-import { DocumentGroupEvent } from "@server/types";
+import { DocumentGroupEvent, DocumentUserEvent } from "@server/types";
 import BaseTask, { TaskPriority } from "./BaseTask";
 import DocumentAddUserNotificationsTask from "./DocumentAddUserNotificationsTask";

@@ -19,11 +19,12 @@ export default class DocumentAddGroupNotificationsTask extends BaseTask<Document
      async (groupUsers) => {
        await Promise.all(
          groupUsers.map(async (groupUser) => {
-            await DocumentAddUserNotificationsTask.schedule({
+            await new DocumentAddUserNotificationsTask().schedule({
              ...event,
+              name: "documents.add_user",
              modelId: event.data.membershipId,
              userId: groupUser.userId,
-            });
+            } as DocumentUserEvent);
          })
        );
      }
@@ -12,7 +12,7 @@ type Props = {
  sourceMetadata: Pick<Required<SourceMetadata>, "fileName" | "mimeType">;
  publish?: boolean;
  collectionId?: string;
-  parentDocumentId?: string;
+  parentDocumentId?: string | null;
  ip: string;
  key: string;
 };
@@ -171,7 +171,8 @@ export default abstract class ExportDocumentTreeTask extends ExportTask {
  /**
   * Generates a map of document urls to their path in the zip file.
   *
-   * @param collections
+   * @param collections The collections to generate the path map for.
+   * @param format The format of the exported documents.
   */
  private createPathMap(
    collections: Collection[],
@@ -44,11 +44,13 @@ export default abstract class ExportTask extends BaseTask<Props> {
      ? [fileOperation.collectionId]
      : await user.collectionIds();

-    const collections = await Collection.findAll({
-      where: {
-        id: collectionIds,
-      },
-    });
+    const collections = await Collection.scope("withDocumentStructure").findAll(
+      {
+        where: {
+          id: collectionIds,
+        },
+      }
+    );

    let filePath: string | undefined;

@@ -38,7 +38,7 @@ export default class UpdateTeamsAttachmentsSizeTask extends BaseTask<Props> {
        const teamIds = rows.map((row) => row.teamId);

        for (const teamId of teamIds) {
-          await UpdateTeamAttachmentsSizeTask.schedule({ teamId });
+          await new UpdateTeamAttachmentsSizeTask().schedule({ teamId });
        }
      }
    );
@@ -166,7 +166,7 @@ router.post(
      )
    );

-    const job = await UploadAttachmentFromUrlTask.schedule({
+    const job = await new UploadAttachmentFromUrlTask().schedule({
      attachmentId: attachment.id,
      url,
    });
@@ -135,7 +135,7 @@ router.post("auth.info", auth(), async (ctx: APIContext<T.AuthInfoReq>) => {
  // If the user did not _just_ sign in then we need to check if they continue
  // to have access to the workspace they are signed into.
  if (user.lastSignedInAt && user.lastSignedInAt < subHours(new Date(), 1)) {
-    await ValidateSSOAccessTask.schedule({ userId: user.id });
+    await new ValidateSSOAccessTask().schedule({ userId: user.id });
  }

  ctx.body = {
@@ -140,9 +140,11 @@ router.post(
  async (ctx: APIContext<T.CollectionsDocumentsReq>) => {
    const { id } = ctx.input.body;
    const { user } = ctx.state.auth;
-    const collection = await Collection.scope({
-      method: ["withMembership", user.id],
-    }).findByPk(id);
+    const collection = await Collection.scope([
+      {
+        method: ["withMembership", user.id],
+      },
+    ]).findByPk(id);

    authorize(user, "readDocument", collection);

@@ -29,7 +29,8 @@ const cronHandler = async (ctx: APIContext<T.CronSchemaReq>) => {
  for (const name in tasks) {
    const TaskClass = tasks[name];
    if (TaskClass.cron === period) {
-      await TaskClass.schedule({ limit });
+      // @ts-expect-error We won't instantiate an abstract class
+      await new TaskClass().schedule({ limit });

      // Backwards compatibility for installations that have not set up
      // cron jobs periods other than daily.
@@ -38,13 +39,15 @@ const cronHandler = async (ctx: APIContext<T.CronSchemaReq>) => {
      !receivedPeriods.has(TaskSchedule.Minute) &&
      (period === TaskSchedule.Hour || period === TaskSchedule.Day)
    ) {
-      await TaskClass.schedule({ limit });
+      // @ts-expect-error We won't instantiate an abstract class
+      await new TaskClass().schedule({ limit });
    } else if (
      TaskClass.cron === TaskSchedule.Hour &&
      !receivedPeriods.has(TaskSchedule.Hour) &&
      period === TaskSchedule.Day
    ) {
-      await TaskClass.schedule({ limit });
+      // @ts-expect-error We won't instantiate an abstract class
+      await new TaskClass().schedule({ limit });
    }
  }

@@ -977,7 +977,7 @@ describe("#documents.list", () => {
    const res = await server.post("/api/documents.list", {
      body: {
        token: user.getJwtToken(),
-        collection: document.collectionId,
+        collectionId: document.collectionId,
      },
    });
    const body = await res.json();
@@ -1013,7 +1013,7 @@ describe("#documents.list", () => {
    const res = await server.post("/api/documents.list", {
      body: {
        token: user.getJwtToken(),
-        collection: collection.id,
+        collectionId: collection.id,
      },
    });
    const body = await res.json();
@@ -133,15 +133,19 @@ router.post(
    // if a specific collection is passed then we need to check auth to view it
    if (collectionId) {
      where[Op.and].push({ collectionId: [collectionId] });
-      const collection = await Collection.scope({
-        method: ["withMembership", user.id],
-      }).findByPk(collectionId);
+      const collection = await Collection.scope([
+        sort === "index" ? "withDocumentStructure" : "defaultScope",
+        {
+          method: ["withMembership", user.id],
+        },
+      ]).findByPk(collectionId);
+
      authorize(user, "readDocument", collection);

      // index sort is special because it uses the order of the documents in the
      // collection.documentStructure rather than a database column
      if (sort === "index") {
-        documentIds = (collection?.documentStructure || [])
+        documentIds = (collection.documentStructure || [])
          .map((node) => node.id)
          .slice(ctx.state.pagination.offset, ctx.state.pagination.limit);
        where[Op.and].push({ id: documentIds });
@@ -268,7 +272,7 @@ router.post(
    }

    const [documents, total] = await Promise.all([
-      Document.defaultScopeWithUser(user.id).findAll({
+      Document.withMembershipScope(user.id).findAll({
        where,
        order: [
          [
@@ -348,7 +352,7 @@ router.post(
      };
    }

-    const documents = await Document.defaultScopeWithUser(user.id).findAll({
+    const documents = await Document.withMembershipScope(user.id).findAll({
      where,
      order: [
        [
@@ -397,15 +401,11 @@ router.post(
    const membershipScope: Readonly<ScopeOptions> = {
      method: ["withMembership", user.id],
    };
-    const collectionScope: Readonly<ScopeOptions> = {
-      method: ["withCollectionPermissions", user.id],
-    };
    const viewScope: Readonly<ScopeOptions> = {
      method: ["withViews", user.id],
    };
    const documents = await Document.scope([
      membershipScope,
-      collectionScope,
      viewScope,
      "withDrafts",
    ]).findAll({
@@ -539,7 +539,9 @@ router.post(
      delete where.updatedAt;
    }

-    const documents = await Document.defaultScopeWithUser(user.id).findAll({
+    const documents = await Document.withMembershipScope(user.id, {
+      includeDrafts: true,
+    }).findAll({
      where,
      order: [[sort, direction]],
      offset: ctx.state.pagination.offset,
@@ -1539,7 +1541,7 @@ router.post(
      acl,
    });

-    const job = await DocumentImportTask.schedule({
+    const job = await new DocumentImportTask().schedule({
      key,
      sourceMetadata: {
        fileName,
@@ -1549,6 +1551,7 @@ router.post(
      collectionId,
      parentDocumentId,
      publish,
+      ip: ctx.request.ip,
    });
    const response: DocumentImportTaskResponse = await job.finished();
    if ("error" in response) {
@@ -2032,13 +2035,7 @@ router.post(
    const collectionIds = await user.collectionIds({
      paranoid: false,
    });
-    const collectionScope: Readonly<ScopeOptions> = {
-      method: ["withCollectionPermissions", user.id],
-    };
-    const documents = await Document.scope([
-      collectionScope,
-      "withDrafts",
-    ]).findAll({
+    const documents = await Document.scope("withDrafts").findAll({
      attributes: ["id"],
      where: {
        deletedAt: {
@@ -2062,7 +2059,7 @@ router.post(
    });

    if (documents.length) {
-      await EmptyTrashTask.schedule({
+      await new EmptyTrashTask().schedule({
        documentIds: documents.map((doc) => doc.id),
      });
    }
@@ -24,6 +24,7 @@ router.post(
  async (ctx: APIContext<T.GroupMembershipsListReq>) => {
    const { groupId } = ctx.input.body;
    const { user } = ctx.state.auth;
+    const userId = user.id;

    const memberships = await GroupMembership.findAll({
      where: {
@@ -44,7 +45,7 @@ router.post(
              association: "groupUsers",
              required: true,
              where: {
-                userId: user.id,
+                userId,
              },
            },
          ],
@@ -57,11 +58,9 @@ router.post(
    const documentIds = memberships
      .map((p) => p.documentId)
      .filter(Boolean) as string[];
-    const documents = await Document.scope([
-      "withDrafts",
-      { method: ["withMembership", user.id] },
-      { method: ["withCollectionPermissions", user.id] },
-    ]).findAll({
+    const documents = await Document.withMembershipScope(userId, {
+      includeDrafts: true,
+    }).findAll({
      where: {
        id: documentIds,
      },
@@ -0,0 +1,19 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`oauthAuthentications.delete should require authentication 1`] = `
+{
+  "error": "authentication_required",
+  "message": "Authentication required",
+  "ok": false,
+  "status": 401,
+}
+`;
+
+exports[`oauthAuthentications.list should require authentication 1`] = `
+{
+  "error": "authentication_required",
+  "message": "Authentication required",
+  "ok": false,
+  "status": 401,
+}
+`;
@@ -0,0 +1,194 @@
+import { OAuthClient, OAuthAuthentication } from "@server/models";
+import {
+  buildOAuthAuthentication,
+  buildTeam,
+  buildUser,
+} from "@server/test/factories";
+import { getTestServer } from "@server/test/support";
+
+const server = getTestServer();
+
+describe("oauthAuthentications.list", () => {
+  it("should require authentication", async () => {
+    const res = await server.post("/api/oauthAuthentications.list");
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+
+  it("should return list of oauth authentications for user", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const oauthClient = await OAuthClient.create({
+      teamId: team.id,
+      createdById: user.id,
+      name: "Test Client",
+      redirectUris: ["https://example.com/callback"],
+    });
+
+    await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user,
+      scope: ["read"],
+    });
+
+    const res = await server.post("/api/oauthAuthentications.list", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(1);
+    expect(body.data[0].id).toBeDefined();
+    expect(body.data[0].oauthClient.name).toEqual("Test Client");
+    expect(body.policies).toBeDefined();
+  });
+
+  it("should only return authentications for requesting user", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const anotherUser = await buildUser({ teamId: team.id });
+    const oauthClient = await OAuthClient.create({
+      teamId: team.id,
+      createdById: user.id,
+      name: "Test Client",
+      redirectUris: ["https://example.com/callback"],
+    });
+
+    await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user: anotherUser,
+      scope: ["read"],
+    });
+
+    const res = await server.post("/api/oauthAuthentications.list", {
+      body: {
+        token: user.getJwtToken(),
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.data.length).toEqual(0);
+  });
+});
+
+describe("oauthAuthentications.delete", () => {
+  it("should require authentication", async () => {
+    const res = await server.post("/api/oauthAuthentications.delete");
+    const body = await res.json();
+    expect(res.status).toEqual(401);
+    expect(body).toMatchSnapshot();
+  });
+
+  it("should delete all authentications for a client without scope", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const oauthClient = await OAuthClient.create({
+      teamId: team.id,
+      createdById: user.id,
+      name: "Test Client",
+      redirectUris: ["https://example.com/callback"],
+    });
+
+    await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user,
+      scope: ["read"],
+    });
+
+    const res = await server.post("/api/oauthAuthentications.delete", {
+      body: {
+        token: user.getJwtToken(),
+        oauthClientId: oauthClient.id,
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.success).toBe(true);
+
+    const auths = await OAuthAuthentication.findAll({
+      where: {
+        userId: user.id,
+        oauthClientId: oauthClient.id,
+      },
+    });
+    expect(auths.length).toEqual(0);
+  });
+
+  it("should delete matching authentications for a client with scope", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const oauthClient = await OAuthClient.create({
+      teamId: team.id,
+      createdById: user.id,
+      name: "Test Client",
+      redirectUris: ["https://example.com/callback"],
+    });
+
+    await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user,
+      scope: ["read"],
+    });
+    await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user,
+      scope: ["write"],
+    });
+
+    const res = await server.post("/api/oauthAuthentications.delete", {
+      body: {
+        token: user.getJwtToken(),
+        oauthClientId: oauthClient.id,
+        scope: ["read"],
+      },
+    });
+
+    const body = await res.json();
+    expect(res.status).toEqual(200);
+    expect(body.success).toBe(true);
+
+    const auths = await OAuthAuthentication.findAll({
+      where: {
+        userId: user.id,
+        oauthClientId: oauthClient.id,
+      },
+    });
+    expect(auths.length).toEqual(1);
+    expect(auths[0].scope[0]).toEqual("write");
+  });
+
+  it("should only delete authentications for requesting user", async () => {
+    const team = await buildTeam();
+    const user = await buildUser({ teamId: team.id });
+    const anotherUser = await buildUser({ teamId: team.id });
+    const oauthClient = await OAuthClient.create({
+      teamId: team.id,
+      createdById: user.id,
+      name: "Test Client",
+      redirectUris: ["https://example.com/callback"],
+    });
+
+    const otherAuth = await buildOAuthAuthentication({
+      oauthClientId: oauthClient.id,
+      user: anotherUser,
+      scope: ["read"],
+    });
+
+    await server.post("/api/oauthAuthentications.delete", {
+      body: {
+        token: user.getJwtToken(),
+        oauthClientId: oauthClient.id,
+        scope: "read",
+      },
+    });
+
+    // Verify other user's auth still exists
+    const auth = await OAuthAuthentication.findByPk(otherAuth.id);
+    expect(auth).not.toBeNull();
+  });
+});
@@ -66,12 +66,12 @@ router.post(
  transaction(),
  async (ctx: APIContext<T.OAuthAuthenticationsDeleteReq>) => {
    const { user } = ctx.state.auth;
-    const { oauthClientId, scope } = ctx.request.body;
+    const { oauthClientId, scope } = ctx.input.body;
    const oauthAuthentications = await OAuthAuthentication.findAll({
      where: {
        userId: user.id,
        oauthClientId,
-        scope,
+        ...(scope ? { scope } : {}),
      },
      transaction: ctx.state.transaction,
    });
@@ -148,6 +148,46 @@ describe("oauthClients.info", () => {
    expect(body.data.id).toBeUndefined();
    expect(body.data.redirectUris).toBeUndefined();
  });
+
+  it("should validate redirectUri parameter", async () => {
+    const team = await buildTeam();
+    const admin = await buildAdmin({ teamId: team.id });
+    const user = await buildUser();
+
+    const client = await OAuthClient.create({
+      teamId: team.id,
+      createdById: admin.id,
+      name: "Test Client",
+      redirectUris: [
+        "https://example.com/callback",
+        "https://another.com/callback",
+      ],
+      published: true,
+    });
+
+    // Test with valid redirectUri
+    const validRes = await server.post("/api/oauthClients.info", {
+      body: {
+        token: user.getJwtToken(),
+        clientId: client.clientId,
+        redirectUri: "https://example.com/callback",
+      },
+    });
+
+    const validBody = await validRes.json();
+    expect(validRes.status).toEqual(200);
+    expect(validBody.data.name).toEqual("Test Client");
+
+    // Test with invalid redirectUri
+    const invalidRes = await server.post("/api/oauthClients.info", {
+      body: {
+        token: user.getJwtToken(),
+        clientId: client.clientId,
+        redirectUri: "https://malicious.com/callback",
+      },
+    });
+    expect(invalidRes.status).toEqual(400);
+  });
 });

 describe("oauthClients.create", () => {
@@ -1,5 +1,6 @@
 import Router from "koa-router";
 import { UserRole } from "@shared/types";
+import { ValidationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
 import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { transaction } from "@server/middlewares/transaction";
@@ -49,7 +50,7 @@ router.post(
  auth(),
  validate(T.OAuthClientsInfoSchema),
  async (ctx: APIContext<T.OAuthClientsInfoReq>) => {
-    const { id, clientId } = ctx.input.body;
+    const { id, clientId, redirectUri } = ctx.input.body;
    const { user } = ctx.state.auth;

    const oauthClient = await OAuthClient.findOne({
@@ -58,6 +59,10 @@ router.post(
    });
    authorize(user, "read", oauthClient);

+    if (redirectUri && !oauthClient.redirectUris.includes(redirectUri)) {
+      throw ValidationError("redirect_uri is invalid");
+    }
+
    const isInternalApp = oauthClient.teamId === user.teamId;

    ctx.body = {
@@ -10,6 +10,8 @@ export const OAuthClientsInfoSchema = BaseSchema.extend({

      /** OAuth clientId */
      clientId: z.string().optional(),
+
+      redirectUri: z.string().optional(),
    })
    .refine((data) => data.id || data.clientId, {
      message: "Either id or clientId is required",
@@ -113,7 +113,7 @@ router.post(
      user.collectionIds(),
    ]);

-    const documents = await Document.defaultScopeWithUser(user.id).findAll({
+    const documents = await Document.withMembershipScope(user.id).findAll({
      where: {
        id: pins.map((pin) => pin.documentId),
        collectionId: collectionIds,
@@ -54,7 +54,11 @@ router.post(
      });
      authorize(user, "read", document);

-      const collection = await document.$get("collection");
+      const collection = document.collectionId
+        ? await Collection.scope("withDocumentStructure").findByPk(
+            document.collectionId
+          )
+        : undefined;
      const parentIds = collection?.getDocumentParents(documentId);
      const parentShare = parentIds
        ? await Share.scope({
@@ -94,7 +94,7 @@ router.post(
      .map((star) => star.documentId)
      .filter(Boolean) as string[];
    const documents = documentIds.length
-      ? await Document.defaultScopeWithUser(user.id).findAll({
+      ? await Document.withMembershipScope(user.id).findAll({
          where: {
            id: documentIds,
            collectionId: collectionIds,
@@ -1,5 +1,4 @@
 import Router from "koa-router";
-
 import { Op, Sequelize } from "sequelize";
 import auth from "@server/middlewares/authentication";
 import { transaction } from "@server/middlewares/transaction";
@@ -46,14 +45,8 @@ router.post(
    const documentIds = memberships
      .map((p) => p.documentId)
      .filter(Boolean) as string[];
-    const documents = await Document.scope([
-      "withDrafts",
-      { method: ["withMembership", user.id] },
-      { method: ["withCollectionPermissions", user.id] },
-    ]).findAll({
-      where: {
-        id: documentIds,
-      },
+    const documents = await Document.findByIds(documentIds, {
+      userId: user.id,
    });

    const policies = presentPolicies(user, [...documents, ...memberships]);
@@ -25,7 +25,7 @@ const oauth = new OAuth2Server({

 router.post(
  "/authorize",
-  rateLimiter(RateLimiterStrategy.FiftyPerHour),
+  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
  auth(),
  async (ctx) => {
    const { user } = ctx.state.auth;
@@ -42,7 +42,8 @@ router.post(
    const response = new OAuth2Server.Response(ctx.response);

    const authorizationCode = await oauth.authorize(request, response, {
-      allowEmptyState: true,
+      // Require state to prevent CSRF attacks
+      allowEmptyState: false,
      authorizationCodeLifetime:
        OAuthAuthorizationCode.authorizationCodeLifetime,
      authenticateHandler: {
@@ -66,35 +67,39 @@ router.post(
  }
 );

-router.post("/token", async (ctx) => {
-  // Note: These objects are mutated by the OAuth2Server library
-  const request = new OAuth2Server.Request(ctx.request);
-  const response = new OAuth2Server.Response(ctx.response);
-  const token = await oauth.token(request, response, {
-    accessTokenLifetime: OAuthAuthentication.accessTokenLifetime,
-    refreshTokenLifetime: OAuthAuthentication.refreshTokenLifetime,
-  });
+router.post(
+  "/token",
+  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
+  async (ctx) => {
+    // Note: These objects are mutated by the OAuth2Server library
+    const request = new OAuth2Server.Request(ctx.request);
+    const response = new OAuth2Server.Response(ctx.response);
+    const token = await oauth.token(request, response, {
+      accessTokenLifetime: OAuthAuthentication.accessTokenLifetime,
+      refreshTokenLifetime: OAuthAuthentication.refreshTokenLifetime,
+    });

-  if (response.headers) {
-    ctx.set(response.headers);
+    if (response.headers) {
+      ctx.set(response.headers);
+    }
+
+    ctx.body = {
+      access_token: token.accessToken,
+      refresh_token: token.refreshToken,
+      // OAuth2 spec says that the expires_in should be in seconds.
+      expires_in: token.accessTokenExpiresAt
+        ? Math.round((token.accessTokenExpiresAt.getTime() - Date.now()) / 1000)
+        : undefined,
+      token_type: "Bearer",
+      // OAuth2 spec says that the scope should be a space-separated list.
+      scope: token.scope?.join(" "),
+    };
  }
-
-  ctx.body = {
-    access_token: token.accessToken,
-    refresh_token: token.refreshToken,
-    // OAuth2 spec says that the expires_in should be in seconds.
-    expires_in: token.accessTokenExpiresAt
-      ? Math.round((token.accessTokenExpiresAt.getTime() - Date.now()) / 1000)
-      : undefined,
-    token_type: "Bearer",
-    // OAuth2 spec says that the scope should be a space-separated list.
-    scope: token.scope?.join(" "),
-  };
-});
+);

 router.post(
  "/revoke",
-  rateLimiter(RateLimiterStrategy.FiftyPerHour),
+  rateLimiter(RateLimiterStrategy.OneHundredPerHour),
  validate(T.TokenRevokeSchema),
  transaction(),
  async (ctx: APIContext<T.TokenRevokeReq>) => {
@@ -0,0 +1,127 @@
+import "./bootstrap";
+import fractionalIndex from "fractional-index";
+import { Sequelize, Transaction } from "sequelize";
+import { Collection, Team } from "@server/models";
+import { sequelize } from "@server/storage/database";
+
+const limit = 100;
+
+class CollectionIndexCollisionResolver {
+  private teamId: string;
+  private currDuplicateIndex: string | null = null;
+  private currDuplicateGroup: Collection[] = [];
+  private resolvedCollisionsCount: number = 0;
+
+  constructor(teamId: string) {
+    this.teamId = teamId;
+  }
+
+  public async process() {
+    await sequelize.transaction(async (transaction) => {
+      await this.processPage(0, transaction);
+      // edge case of last batch
+      await this.resolveDuplicates({ transaction });
+    });
+  }
+
+  private async processPage(
+    page: number,
+    transaction: Transaction
+  ): Promise<void> {
+    console.log(
+      `Resolve collection index collisions for team ${this.teamId}… page ${page}`
+    );
+
+    const collections = await Collection.unscoped().findAll({
+      where: { teamId: this.teamId },
+      attributes: ["id", "index"],
+      limit,
+      offset: page * limit,
+      order: [
+        Sequelize.literal('"collection"."index" collate "C"'), // ensure duplicates are in sequential order
+        ["updatedAt", "DESC"], // fallback as a tie breaker
+      ],
+      lock: Transaction.LOCK.UPDATE,
+      transaction,
+    });
+
+    if (!collections.length) {
+      return;
+    }
+
+    let idx = 0;
+
+    while (idx < collections.length) {
+      const collection = collections[idx];
+
+      if (collection.index === this.currDuplicateIndex) {
+        // still in the same duplicate group.
+        this.currDuplicateGroup.push(collection);
+      } else {
+        // current collection index is different from the previous one; resolve duplicates, if applicable.
+        await this.resolveDuplicates({
+          nextCollection: collection,
+          transaction,
+        });
+        // reset the duplicate index and group.
+        this.currDuplicateIndex = collection.index;
+        this.currDuplicateGroup = [collection];
+      }
+
+      idx++;
+    }
+
+    return collections.length === limit
+      ? this.processPage(page + 1, transaction)
+      : undefined;
+  }
+
+  private async resolveDuplicates({
+    nextCollection,
+    transaction,
+  }: {
+    nextCollection?: Collection;
+    transaction: Transaction;
+  }) {
+    if (this.currDuplicateGroup.length <= 1) {
+      // no action needed when there aren't more than 1 item in a group.
+      return;
+    }
+
+    let prevIndex = this.currDuplicateGroup[0].index;
+    const endIndex = nextCollection?.index ?? null;
+
+    // First collection in a duplicate group can retain its index.
+    for (let idx = 1; idx < this.currDuplicateGroup.length; idx++) {
+      const collection = this.currDuplicateGroup[idx];
+      const newIndex = fractionalIndex(prevIndex, endIndex);
+
+      console.log(`New index for collection ${collection.id} = ${newIndex}`);
+
+      collection.index = newIndex;
+      await collection.save({ silent: true, hooks: false, transaction });
+
+      prevIndex = newIndex;
+    }
+
+    this.resolvedCollisionsCount += this.currDuplicateGroup.length - 1;
+  }
+}
+
+export default async function main(exit = false) {
+  await Team.findAllInBatches<Team>({ batchLimit: 5 }, async (teams) => {
+    for (const team of teams) {
+      const resolver = new CollectionIndexCollisionResolver(team.id);
+      await resolver.process();
+    }
+  });
+
+  if (exit) {
+    process.exit(0);
+  }
+}
+
+// In the test suite we import the script rather than run via node CLI
+if (process.env.NODE_ENV !== "test") {
+  void main(true);
+}
@@ -7,7 +7,8 @@ export default function init() {
    for (const name in tasks) {
      const TaskClass = tasks[name];
      if (TaskClass.cron === schedule) {
-        await TaskClass.schedule({ limit: 10000 });
+        // @ts-expect-error We won't instantiate an abstract class
+        await new TaskClass().schedule({ limit: 10000 });
      }
    }
  }
@@ -4,6 +4,7 @@ import cookie from "cookie";
 import Koa from "koa";
 import IO from "socket.io";
 import { createAdapter } from "socket.io-redis";
+import env from "@server/env";
 import { AuthenticationError } from "@server/errors";
 import Logger from "@server/logging/Logger";
 import Metrics from "@server/logging/Metrics";
@@ -38,7 +39,8 @@ export default function init(
    pingInterval: 15000,
    pingTimeout: 30000,
    cors: {
-      origin: "*",
+      // Included for completeness, though CORS does not apply to websocket transport.
+      origin: env.isCloudHosted ? "*" : env.URL,
      methods: ["GET", "POST"],
    },
  });
@@ -60,6 +62,16 @@ export default function init(
    "upgrade",
    function (req: IncomingMessage, socket: Duplex, head: Buffer) {
      if (req.url?.startsWith(path) && ioHandleUpgrade) {
+        // For on-premise deployments, ensure the websocket origin matches the deployed URL.
+        // In cloud-hosted we support any origin for custom domains.
+        if (
+          !env.isCloudHosted &&
+          (!req.headers.origin || !env.URL.startsWith(req.headers.origin))
+        ) {
+          socket.end(`HTTP/1.1 400 Bad Request\r\n`);
+          return;
+        }
+
        ioHandleUpgrade(req, socket, head);
        return;
      }
@@ -1,5 +1,6 @@
 import path from "path";
 import { InferAttributes, InferCreationAttributes } from "sequelize";
+import sequelizeStrictAttributes from "sequelize-strict-attributes";
 import { Sequelize } from "sequelize-typescript";
 import { Umzug, SequelizeStorage, MigrationError } from "umzug";
 import env from "@server/env";
@@ -23,7 +24,7 @@ export function createDatabaseInstance(
  }
 ): Sequelize {
  try {
-    return new Sequelize(databaseUrl, {
+    const instance = new Sequelize(databaseUrl, {
      logging: (msg) =>
        process.env.DEBUG?.includes("database") &&
        Logger.debug("database", msg),
@@ -47,6 +48,8 @@ export function createDatabaseInstance(
      },
      schema,
    });
+    sequelizeStrictAttributes(instance);
+    return instance;
  } catch (error) {
    Logger.fatal(
      "Could not connect to database",
@@ -310,7 +310,7 @@ export async function buildCollection(
    overrides.permission = CollectionPermission.ReadWrite;
  }

-  return Collection.create({
+  return Collection.scope("withDocumentStructure").create({
    name: faker.lorem.words(2),
    description: faker.lorem.words(4),
    createdById: overrides.userId,
@@ -416,7 +416,9 @@ export async function buildDocument(

  if (overrides.collectionId && overrides.publishedAt !== null) {
    collection = collection
-      ? await Collection.findByPk(overrides.collectionId)
+      ? await Collection.scope("withDocumentStructure").findByPk(
+          overrides.collectionId
+        )
      : undefined;

    await collection?.addDocumentToStructure(document, 0);
@@ -756,15 +758,19 @@ export async function buildOAuthAuthorizationCode(
 }

 export async function buildOAuthAuthentication({
+  oauthClientId,
  user,
  scope,
 }: {
+  oauthClientId?: string;
  user: User;
  scope: string[];
 }) {
-  const oauthClient = await buildOAuthClient({
-    teamId: user.teamId,
-  });
+  const oauthClient = oauthClientId
+    ? await OAuthClient.findByPk(oauthClientId, { rejectOnEmpty: true })
+    : await buildOAuthClient({
+        teamId: user.teamId,
+      });
  const oauthInterfaceClient = {
    id: oauthClient.clientId,
    grants: ["authorization_code"],
@@ -191,7 +191,7 @@
            "code": false,
            "color": "default"
          },
-          "plain_text": "http://github.com/outline/",
+          "plain_text": "",
          "href": "http://github.com/outline/"
        }
      ],
@@ -506,4 +506,4 @@
      "color": "default"
    }
  }
-]
+]
@@ -11,7 +11,6 @@ export async function collectionIndexing(
    where: {
      teamId,
    },
-    attributes: ["id", "index", "name", "teamId"],
    transaction,
  });

@@ -1,8 +1,8 @@
+import crypto from "crypto";
 import {
  RefreshTokenModel,
  AuthorizationCodeModel,
 } from "@node-oauth/oauth2-server";
-import rs from "randomstring";
 import { Required } from "utility-types";
 import { Scope } from "@shared/types";
 import { isUrl } from "@shared/utils/urls";
@@ -41,17 +41,21 @@ export const OAuthInterface: RefreshTokenModel &
  grants: ["authorization_code", "refresh_token"],

  async generateAccessToken() {
-    return `${OAuthAuthentication.accessTokenPrefix}${rs.generate(32)}`;
+    return `${OAuthAuthentication.accessTokenPrefix}${crypto
+      .randomBytes(32)
+      .toString("hex")}`;
  },

  async generateRefreshToken() {
-    return `${OAuthAuthentication.refreshTokenPrefix}${rs.generate(32)}`;
+    return `${OAuthAuthentication.refreshTokenPrefix}${crypto
+      .randomBytes(32)
+      .toString("hex")}`;
  },

  async generateAuthorizationCode() {
-    return `${OAuthAuthorizationCode.authorizationCodePrefix}${rs.generate(
-      32
-    )}`;
+    return `${OAuthAuthorizationCode.authorizationCodePrefix}${crypto
+      .randomBytes(32)
+      .toString("hex")}`;
  },

  async getAccessToken(accessToken: string) {
@@ -139,10 +143,12 @@ export const OAuthInterface: RefreshTokenModel &
  },

  async saveToken(token, client, user) {
-    const accessToken = token.accessToken;
-    const refreshToken = token.refreshToken;
-    const accessTokenExpiresAt = token.accessTokenExpiresAt;
-    const refreshTokenExpiresAt = token.refreshTokenExpiresAt;
+    const {
+      accessToken,
+      refreshToken,
+      accessTokenExpiresAt,
+      refreshTokenExpiresAt,
+    } = token;
    const accessTokenHash = hash(accessToken);
    const refreshTokenHash = refreshToken ? hash(refreshToken) : undefined;

@@ -233,13 +239,13 @@ export const OAuthInterface: RefreshTokenModel &
   * @returns True if the URI is valid, false otherwise.
   */
  async validateRedirectUri(uri, client) {
-    if (uri.includes("#")) {
+    if (uri.includes("#") || uri.includes("*")) {
      return false;
    }
    if (!client.redirectUris?.includes(uri)) {
      return false;
    }
-    if (!isUrl(uri)) {
+    if (!isUrl(uri, { requireHttps: true })) {
      return false;
    }

@@ -99,10 +99,7 @@ export const getDocumentPermission = async ({
  documentId: string;
  skipMembershipId?: string;
 }): Promise<DocumentPermission | undefined> => {
-  const document = await Document.scope({
-    method: ["withCollectionPermissions", userId],
-  }).findOne({ where: { id: documentId } });
-
+  const document = await Document.findByPk(documentId, { userId });
  const permissions: DocumentPermission[] = [];

  const collection = document?.collection;
@@ -1,6 +1,11 @@
 import { GapCursor } from "prosemirror-gapcursor";
-import { Node, NodeType } from "prosemirror-model";
-import { Command, EditorState, TextSelection } from "prosemirror-state";
+import { Node, NodeType, Slice } from "prosemirror-model";
+import {
+  Command,
+  EditorState,
+  TextSelection,
+  Transaction,
+} from "prosemirror-state";
 import {
  CellSelection,
  addRow,
@@ -11,11 +16,16 @@ import {
  addColumn,
  deleteRow,
  deleteColumn,
+  deleteTable,
 } from "prosemirror-tables";
 import { ProsemirrorHelper } from "../../utils/ProsemirrorHelper";
 import { CSVHelper } from "../../utils/csv";
 import { chainTransactions } from "../lib/chainTransactions";
-import { getCellsInColumn, isHeaderEnabled } from "../queries/table";
+import {
+  getCellsInColumn,
+  isHeaderEnabled,
+  isTableSelected,
+} from "../queries/table";
 import { TableLayout } from "../types";
 import { collapseSelection } from "./collapseSelection";

@@ -44,11 +54,11 @@ export function createTable({
  };
 }

-function createTableInner(
+export function createTableInner(
  state: EditorState,
  rowsCount: number,
  colsCount: number,
-  colWidth: number,
+  colWidth?: number,
  withHeaderRow = true,
  cellContent?: Node
 ) {
@@ -544,3 +554,46 @@ export function moveOutOfTable(direction: 1 | -1): Command {
    return false;
  };
 }
+
+/**
+ * A command that deletes the entire table if all cells are selected.
+ *
+ * @returns The command
+ */
+export function deleteTableIfSelected(): Command {
+  return (state, dispatch): boolean => {
+    if (isTableSelected(state)) {
+      return deleteTable(state, dispatch);
+    }
+    return false;
+  };
+}
+
+export function deleteCellSelection(
+  state: EditorState,
+  dispatch?: (tr: Transaction) => void
+): boolean {
+  const sel = state.selection;
+  if (!(sel instanceof CellSelection)) {
+    return false;
+  }
+  if (dispatch) {
+    const tr = state.tr;
+    const baseContent = tableNodeTypes(state.schema).cell.createAndFill()!
+      .content;
+    sel.forEachCell((cell, pos) => {
+      if (!cell.content.eq(baseContent)) {
+        tr.replace(
+          tr.mapping.map(pos + 1),
+          tr.mapping.map(pos + cell.nodeSize - 1),
+          new Slice(baseContent, 0, 0)
+        );
+      }
+    });
+    if (tr.docChanged) {
+      dispatch(tr);
+      return true;
+    }
+  }
+  return false;
+}
@@ -198,6 +198,12 @@ export const codeLanguages: Record<string, CodeLanguage> = {
    label: "Powershell",
    loader: () => import("refractor/lang/powershell").then((m) => m.default),
  },
+  promql: {
+    lang: "promql",
+    label: "PromQL",
+    // @ts-expect-error PromQL is not in types but exists
+    loader: () => import("refractor/lang/promql").then((m) => m.default),
+  },
  protobuf: {
    lang: "protobuf",
    label: "Protobuf",
@@ -5,12 +5,6 @@ import {
  mathSchemaSpec,
 } from "@benrbray/prosemirror-math";
 import { PluginSimple } from "markdown-it";
-import {
-  chainCommands,
-  deleteSelection,
-  selectNodeBackward,
-  joinBackward,
-} from "prosemirror-commands";
 import {
  NodeSpec,
  NodeType,
@@ -51,12 +45,7 @@ export default class Math extends Node {
  keys({ type }: { type: NodeType }) {
    return {
      "Mod-Space": insertMathCmd(type),
-      Backspace: chainCommands(
-        deleteSelection,
-        mathBackspaceCmd,
-        joinBackward,
-        selectNodeBackward
-      ),
+      Backspace: mathBackspaceCmd,
    };
  }

@@ -1,5 +1,7 @@
 import { chainCommands } from "prosemirror-commands";
+import { InputRule } from "prosemirror-inputrules";
 import { NodeSpec, Node as ProsemirrorNode } from "prosemirror-model";
+import { TextSelection } from "prosemirror-state";
 import {
  addColumnAfter,
  addRowAfter,
@@ -22,7 +24,10 @@ import {
  setTableAttr,
  deleteColSelection,
  deleteRowSelection,
+  deleteCellSelection,
  moveOutOfTable,
+  createTableInner,
+  deleteTableIfSelected,
 } from "../commands/table";
 import { MarkdownSerializerState } from "../lib/markdown/serializer";
 import { FixTablesPlugin } from "../plugins/FixTables";
@@ -93,14 +98,34 @@ export default class Table extends Node {
      "Shift-Tab": goToNextCell(-1),
      "Mod-Enter": addRowAndMoveSelection(),
      "Mod-Backspace": chainCommands(
+        deleteCellSelection,
        deleteColSelection(),
-        deleteRowSelection()
+        deleteRowSelection(),
+        deleteTableIfSelected()
+      ),
+      Backspace: chainCommands(
+        deleteCellSelection,
+        deleteColSelection(),
+        deleteRowSelection(),
+        deleteTableIfSelected()
      ),
      ArrowDown: moveOutOfTable(1),
      ArrowUp: moveOutOfTable(-1),
    };
  }

+  inputRules() {
+    return [
+      new InputRule(/^(\|--)$/, (state, _, start, end) => {
+        const nodes = createTableInner(state, 2, 2);
+        const tr = state.tr.replaceWith(start - 1, end, nodes).scrollIntoView();
+        const resolvedPos = tr.doc.resolve(start + 1);
+        tr.setSelection(TextSelection.near(resolvedPos));
+        return tr;
+      }),
+    ];
+  }
+
  toMarkdown(state: MarkdownSerializerState, node: ProsemirrorNode) {
    state.renderTable(node);
    state.closeBlock(node);
@@ -56,8 +56,8 @@ export const basicExtensions: Nodes = [
  Emoji,
  Text,
  SimpleImage,
-  Bold,
  Code,
+  Bold,
  Italic,
  Underline,
  Link,
@@ -6,6 +6,30 @@ import {
  selectedRect,
 } from "prosemirror-tables";

+/**
+ * Checks if the current selection is a column selection.
+ * @param state The editor state.
+ * @returns True if the selection is a column selection, false otherwise.
+ */
+export function isColSelection(state: EditorState): boolean {
+  if (state.selection instanceof CellSelection) {
+    return state.selection.isColSelection();
+  }
+  return false;
+}
+
+/**
+ * Checks if the current selection is a row selection.
+ * @param state The editor state.
+ * @returns True if the selection is a row selection, false otherwise.
+ */
+export function isRowSelection(state: EditorState): boolean {
+  if (state.selection instanceof CellSelection) {
+    return state.selection.isRowSelection();
+  }
+  return false;
+}
+
 export function getColumnIndex(state: EditorState): number | undefined {
  if (state.selection instanceof CellSelection) {
    if (state.selection.isColSelection()) {
@@ -62,13 +86,18 @@ export function getCellsInRow(index: number) {
  };
 }

+/**
+ * Check if a specific column is selected in the editor.
+ *
+ * @param state The editor state
+ * @param index The index of the column to check
+ * @returns Boolean indicating if the column is selected
+ */
 export function isColumnSelected(index: number) {
  return (state: EditorState): boolean => {
-    if (state.selection instanceof CellSelection) {
-      if (state.selection.isColSelection()) {
-        const rect = selectedRect(state);
-        return rect.left <= index && rect.right > index;
-      }
+    if (isColSelection(state)) {
+      const rect = selectedRect(state);
+      return rect.left <= index && rect.right > index;
    }

    return false;
@@ -106,28 +135,42 @@ export function isHeaderEnabled(
  return true;
 }

+/**
+ * Check if a specific row is selected in the editor.
+ *
+ * @param state The editor state
+ * @param index The index of the row to check
+ * @returns Boolean indicating if the row is selected
+ */
 export function isRowSelected(index: number) {
  return (state: EditorState): boolean => {
-    if (state.selection instanceof CellSelection) {
-      if (state.selection.isRowSelection()) {
-        const rect = selectedRect(state);
-        return rect.top <= index && rect.bottom > index;
-      }
+    if (isRowSelection(state)) {
+      const rect = selectedRect(state);
+      return rect.top <= index && rect.bottom > index;
    }

    return false;
  };
 }

+/**
+ * Check if an entire table is selected in the editor.
+ *
+ * @param state The editor state
+ * @returns Boolean indicating if the table is selected
+ */
 export function isTableSelected(state: EditorState): boolean {
-  const rect = selectedRect(state);
+  if (state.selection instanceof CellSelection) {
+    const rect = selectedRect(state);

-  return (
-    rect.top === 0 &&
-    rect.left === 0 &&
-    rect.bottom === rect.map.height &&
-    rect.right === rect.map.width &&
-    !state.selection.empty &&
-    state.selection instanceof CellSelection
-  );
+    return (
+      rect.top === 0 &&
+      rect.left === 0 &&
+      rect.bottom === rect.map.height &&
+      rect.right === rect.map.width &&
+      !state.selection.empty
+    );
+  }
+
+  return false;
 }
@@ -172,8 +172,6 @@
  "Deleting": "Deleting",
  "Are you sure about that? Deleting the <em>{{collectionName}}</em> collection is permanent and cannot be restored, however all published documents within will be moved to the trash.": "Are you sure about that? Deleting the <em>{{collectionName}}</em> collection is permanent and cannot be restored, however all published documents within will be moved to the trash.",
  "Also, <em>{{collectionName}}</em> is being used as the start view – deleting it will reset the start view to the Home page.": "Also, <em>{{collectionName}}</em> is being used as the start view – deleting it will reset the start view to the Home page.",
-  "Sorry, an error occurred saving the collection": "Sorry, an error occurred saving the collection",
-  "Add a description": "Add a description",
  "Type a command or search": "Type a command or search",
  "Choose a template": "Choose a template",
  "Are you sure you want to permanently delete this entire comment thread?": "Are you sure you want to permanently delete this entire comment thread?",
@@ -618,6 +616,8 @@
  "{{ groupsCount }} groups with access": "{{ groupsCount }} group with access",
  "{{ groupsCount }} groups with access_plural": "{{ groupsCount }} groups with access",
  "Archived by {{userName}}": "Archived by {{userName}}",
+  "Sorry, an error occurred saving the collection": "Sorry, an error occurred saving the collection",
+  "Add a description": "Add a description",
  "Share": "Share",
  "Overview": "Overview",
  "Recently updated": "Recently updated",
@@ -840,6 +840,7 @@
  "Already have an account? Go to <1>login</1>.": "Already have an account? Go to <1>login</1>.",
  "An error occurred": "An error occurred",
  "The OAuth client could not be found, please check the provided client ID": "The OAuth client could not be found, please check the provided client ID",
+  "The OAuth client could not be loaded, please check the redirect URI is valid": "The OAuth client could not be loaded, please check the redirect URI is valid",
  "Required OAuth parameters are missing": "Required OAuth parameters are missing",
  "Authorize": "Authorize",
  "{{ appName }} wants to access {{ teamName }}": "{{ appName }} wants to access {{ teamName }}",
@@ -887,6 +888,8 @@
  "Manage which third-party and internal applications have been granted access to your {{ appName }} account.": "Manage which third-party and internal applications have been granted access to your {{ appName }} account.",
  "API": "API",
  "API keys can be used to authenticate with the API and programatically control\n          your workspace's data. For more details see the <em>developer documentation</em>.": "API keys can be used to authenticate with the API and programatically control\n          your workspace's data. For more details see the <em>developer documentation</em>.",
+  "Application published": "Application published",
+  "Application updated": "Application updated",
  "Client secret rotated": "Client secret rotated",
  "Rotate secret": "Rotate secret",
  "Rotating the client secret will invalidate the current secret. Make sure to update any applications using these credentials.": "Rotating the client secret will invalidate the current secret. Make sure to update any applications using these credentials.",
@@ -113,4 +113,11 @@ export default createGlobalStyle<Props>`
    outline-offset: -1px;
    outline-width: initial;
  }
+
+  :root {
+    --sat: env(safe-area-inset-top);
+    --sar: env(safe-area-inset-right);
+    --sab: env(safe-area-inset-bottom);
+    --sal: env(safe-area-inset-left);
+  }
 `;
@@ -7,6 +7,16 @@ import {
  faWebAwesome,
  faXTwitter,
  faBluesky,
+  faGithub,
+  faGitlab,
+  faDiscord,
+  faDocker,
+  faCodepen,
+  faDropbox,
+  faPaypal,
+  faShopify,
+  faSwift,
+  faSlack,
 } from "@fortawesome/free-brands-svg-icons";
 import {
  faBagShopping,
@@ -551,6 +561,16 @@ export class IconLibrary {
        faPython,
        faXTwitter,
        faBluesky,
+        faGithub,
+        faGitlab,
+        faDiscord,
+        faDocker,
+        faCodepen,
+        faDropbox,
+        faPaypal,
+        faShopify,
+        faSwift,
+        faSlack,
      ].map((icon) => [
        icon.iconName,
        {
@@ -13,6 +13,32 @@ export function isTouchDevice(): boolean {
  return window.matchMedia?.("(hover: none) and (pointer: coarse)")?.matches;
 }

+/**
+ * Returns the safe area insets for the current device.
+ */
+export function getSafeAreaInsets(): {
+  top: number;
+  right: number;
+  bottom: number;
+  left: number;
+} {
+  // Check if CSS environment variables are supported
+  const style = getComputedStyle(document.documentElement);
+  const supportsEnv = window.CSS?.supports?.("top", "env(safe-area-inset-top)");
+
+  if (supportsEnv) {
+    return {
+      top: parseFloat(style.getPropertyValue("--sat") || "0"),
+      right: parseFloat(style.getPropertyValue("--sar") || "0"),
+      bottom: parseFloat(style.getPropertyValue("--sab") || "0"),
+      left: parseFloat(style.getPropertyValue("--sal") || "0"),
+    };
+  }
+
+  // Fallback to zero if not supported
+  return { top: 0, right: 0, bottom: 0, left: 0 };
+}
+
 /**
 * Returns true if the client is running on a Mac.
 */
@@ -98,7 +98,15 @@ export function isCollectionUrl(url: string) {
 * @param options Parsing options.
 * @returns True if a url, false otherwise.
 */
-export function isUrl(text: string, options?: { requireHostname: boolean }) {
+export function isUrl(
+  text: string,
+  options?: {
+    /** Require the url to have a hostname. */
+    requireHostname?: boolean;
+    /** Require the url not to use HTTP, custom protocols are ok. */
+    requireHttps?: boolean;
+  }
+) {
  if (text.match(/\n/)) {
    return false;
  }
@@ -113,6 +121,9 @@ export function isUrl(text: string, options?: { requireHostname: boolean }) {
    if (url.hostname) {
      return true;
    }
+    if (options?.requireHttps && url.protocol === "http:") {
+      return false;
+    }

    return (
      url.protocol !== "" &&
@@ -94,6 +94,9 @@ export default () =>
          modifyURLPrefix: {
            "": `${environment.CDN_URL ?? ""}/static/`,
          },
+          skipWaiting: true,
+          clientsClaim: true,
+          cleanupOutdatedCaches: true,
          runtimeCaching: [
            {
              urlPattern: /api\/urls\.unfurl$/,
@@ -109,6 +112,34 @@ export default () =>
                },
              },
            },
+            {
+              urlPattern: /api\/attachments\.redirect/,
+              handler: "CacheFirst",
+              options: {
+                cacheName: "attachments-redirect-cache",
+                expiration: {
+                  maxEntries: 100,
+                  maxAgeSeconds: 120, // 120 seconds
+                },
+                cacheableResponse: {
+                  statuses: [0, 200, 302], // Include redirects
+                },
+              },
+            },
+            {
+              urlPattern: /api\/files\.get/,
+              handler: "CacheFirst",
+              options: {
+                cacheName: "files-cache",
+                expiration: {
+                  maxEntries: 50,
+                  maxAgeSeconds: 604800, // 7 days
+                },
+                cacheableResponse: {
+                  statuses: [0, 200, 206], // Include partial content for range requests
+                },
+              },
+            },
          ],
        },
        manifest: {