khakers / modmail-viewer

An advanced web frontend for the Modmail Discord bot with built-in Discord OAuth2 authentication and support for browsing and searching current and historical logs. Directly replaces logviewer.

License: MIT License

Java 91.96% CSS 1.91% JavaScript 5.91% Dockerfile 0.23%
discord discord-api java javalin moderation modmail oauth oauth2

modmail-viewer's Introduction

Hi there 👋

I occasionally write code of questionable quality.

Code signing

As of Jan 1, 2024, I am moving to signing commits with an SSH key instead of GPG keys. My new signing key is stored as a FIDO2 credential on a YubiKey, so it is very unlikely to change in the future.

New signing key below:

sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILJfFjlHCkkfke9gevW9JsCGLZr506MnS9O4UfH9b6TrAAAAEXNzaDpnaC1raC1zaWduaW5n

My old GPG keys will still be listed as valid on GitHub to keep old commits from becoming unverified, but no new commits should be signed with them.


modmail-viewer's Issues

Full support for discord unique usernames

Discord migrating users off means that default avatars will be broken and fake discriminators will be needlessly displayed for migrated users.

I've already done work in the develop branch (fa7dcb3) to better support but I haven't fully tested it and the develop branch won't be merged to master for a while. fa7dcb3 needs some code cleanup and to be cherry-picked to master to target v0.6.4. Discord just migrated my account so I'll be able to properly test with some real user data.

The one important missing feature in this implementation is support for display names. Modmail doesn't save them and I don't foresee it doing so in a timescale I consider relevant so they're just getting skipped for now. I don't consider this a dealbreaker.

Discord authenticated attachments

Discord has just announced they will soon be adding additional authentication parameters to attachments. Without significant change, this will result in all attachments becoming unusable after an unknown (likely short) period of time even when the thread is still open.

The easiest option is probably to patch modmail to store images as base64 in the database (though this will hugely inflate its size). This is the best solution for downloaded transcripts in html format since the file will contain everything it needs to work.

Modmail viewer should have the required information to get messages from discord, so it could renew links for open threads on its own.

There's also the option of S3 and file system storage, but these would likely require more work for modmail and the viewer.

fix(callback): extra / in redirect URL

Issue

If the user sets a URL that has a slash at the end, like the following:

  • https://logs.ushie.dev/

an extra / will be appended to the link by logviewer, breaking the redirect URL as it then becomes https://logs.ushie.dev//

Solution

Check if the MODMAIL_VIEWER_URL variable ends with a /

Audit Logging changes

Some changes I'm pondering for the current audit logging implementation

  • Remove description field, use stored properties for the action key instead
    • Improved database efficiency (not storing a bunch of strings) and allows localization.
  • A field for storing the thing that has been acted upon, for instance, log_id

support new Discord markdown features

Describe the solution you'd like
Discord is working on implementing greater markdown support, including headers, masked links, and lists. Modmail-Viewer doesn't currently render these and it should implement them to maintain parity with Discord.

Additional context
Most of these features are already supported by the current parser and were intentionally disabled to maintain parity with Discord's intentional decision not to support them, so the changes should be relatively minor. There are likely going to be some special cases, especially around links, that might require substantial work to function similarly.

https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline-#h_01GY0EQVRRRB2F19HXC2BA30FG

All OAuth2 authentication errors describe themselves as "invalid state"

Any error that occurs during a specific part of the OAuth2 callback will display an "invalid state" HTTP 400. This is very misleading since the error may not actually be due to invalid state on the client's behalf and thus shouldn't be an HTTP 400. For server-side errors, we should simply return a generic server-side error.

Sessions log

I want to suggest as an addition a sessions log, where you can see directly in the dashboard who logged in/logged out.

Mention in Readme that authentication is based on Modmail roles

Unlike the official log viewer, this one authenticates you based on Modmail roles instead of the whitelist command in the original.

I suggest adding some sort of mention in the setup instructions that a user should be added under a Modmail role.
Another alternative or addition would be to support the traditional oauth2 whitelist as well to some extent.

Allow file based configuration

Is your feature request related to a problem? Please describe.
Issues such as shown in #78. Not everyone uses Docker, so allowing them to set configuration in different ways would improve the adaptability of use and simplify non-containerized use cases.

Describe the solution you'd like
Allow users to configure through both environment variables (current, highest priority), a file (properties, JSON, other), and potentially other 12-factor methods. The configuration file path should be able to be specified via the command line in addition to wherever the default is.

Additionally, the current manner of configuration is hard to manage and inconsistent. It would be an improvement to migrate to a purpose-built configuration library. Unfortunately, the choices for Java are not nearly as good as those present in Go, so some research is required.

[Help]: Where to set environment variables without using docker?

Is there an existing issue for this?

  • I have searched the existing issues

Version

v0.6.4

In which part of the application does the error occur?

Unknown/both

Current Behavior

If I don't use Docker and run modmail directly by downloading the tar, where should I configure environment variables such as MODMAIL_VIEWER_MONGODB_URI?

Expected Behavior

No response

Steps To Reproduce

No response

Environment

- OS: Ubuntu 20.04
- Java: 17.0.7

Relevant log output

Exception in thread "main" java.lang.ExceptionInInitializerError
        at com.github.khakers.modmailviewer.Main.main(Main.java:72)
Caused by: java.lang.IllegalArgumentException: No mongodb URI provided. provide one with the option "MODMAIL_VIEWER_MONGODB_URI"
        at org.apache.logging.log4j.core.util.Assert.requireNonEmpty(Assert.java:96)
        at com.github.khakers.modmailviewer.Config.<clinit>(Config.java:26)
        ... 1 more

[Bug]: The "open" and "closed" did not navigate properly.

Is there an existing issue for this?

  • I have searched the existing issues

Version

v0.6.4

In which part of the application does the error occur?

Frontend

Current Behavior

Opening will redirect to http://127.0.0.1:3000/?status=open
Closing will redirect to http://127.0.0.1:3000/?status=closed

Expected Behavior

Opening will redirect to https://mysite.com/?status=open
Closing will redirect to https://mysite.com/?status=closed

Steps To Reproduce

docker:
docker run --name modmail-viewer -p 3000:80 \
  --env "MODMAIL_VIEWER_MONGODB_URI=" \
  --env "MODMAIL_VIEWER_URL=https://mysite.com" \
  --env "MODMAIL_VIEWER_DISCORD_OAUTH_CLIENT_ID=" \
  --env "MODMAIL_VIEWER_DISCORD_OAUTH_CLIENT_SECRET=" \
  --env "MODMAIL_VIEWER_DISCORD_GUILD_ID=" \
  --env "MODMAIL_VIEWER_SECRETKEY=***" \
  -d ghcr.io/khakers/modmail-viewer:latest

Environment

- OS: Ubuntu 20.04

Relevant log output

No response

Time stamps without nanos cause exceptions

If a time stamp happens to be created without nanos (exactly on a second?), the current date time formatter cannot correctly parse it and throws an exception, potentially breaking the front page entirely.

This all stems down to a few issues:
  • Modmail uses strings instead of date types in MongoDB
  • Modmail uses str() to get the strings instead of an ISO format
  • Python replaces the T separator with a space in str()
  • Therefore the string Modmail puts in the database is not ISO 8601 compliant

  • The Java code uses DateTimeFormatters for patterns
  • Jackson does not
  • Setting patterns for Jackson is incredibly brittle in general

Ultimately, I probably need to create my own instant deserializer class.
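
An added example (not code from modmail-viewer or its author) of a parser that accepts the timestamp shapes described in this issue, with and without the fractional part. The class name `PythonTimestamps` is hypothetical, the sample strings are constructed, and it assumes values stored without an offset are UTC.

```java
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAccessor;
import java.util.Optional;

// Hypothetical helper (not modmail-viewer code) for timestamps written by Python's str(datetime).
public final class PythonTimestamps {

    /** Strict parse; throws DateTimeParseException on input that is not a timestamp. */
    public static Instant parse(String raw) {
        String text = raw.trim();
        // str() puts ' ' where ISO 8601 expects 'T', always at index 10 (after yyyy-MM-dd).
        if (text.length() > 10 && text.charAt(10) == ' ') {
            text = text.substring(0, 10) + 'T' + text.substring(11);
        }
        // ISO_DATE_TIME treats the fraction and the offset as optional, so
        // "12:00:00", "12:00:00.123456" and "12:00:00+00:00" all parse.
        TemporalAccessor parsed = DateTimeFormatter.ISO_DATE_TIME
                .parseBest(text, OffsetDateTime::from, LocalDateTime::from);
        if (parsed instanceof OffsetDateTime) {
            return ((OffsetDateTime) parsed).toInstant();
        }
        // Assumption: values stored without an offset are UTC.
        return ((LocalDateTime) parsed).toInstant(ZoneOffset.UTC);
    }

    /** Lenient variant: one malformed record yields empty instead of failing the whole page. */
    public static Optional<Instant> tryParse(String raw) {
        try {
            return Optional.of(parse(raw));
        } catch (DateTimeParseException | NullPointerException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample values in the shapes str(datetime) produces.
        String[] samples = {"2023-06-01 12:00:00.123456", "2023-06-01 12:00:00",
                "2023-06-01 14:00:00+02:00", "not a timestamp"};
        for (String s : samples) {
            System.out.println(s + " -> " + tryParse(s));
        }
    }
}
```

A custom Jackson deserializer could delegate to `parse` so that database reads and the Java-side formatting share one definition of a valid timestamp.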

Cookies are always set as secure regardless of whether https is used

Chrome requires secure cookies be sent over a secure connection, but currently, state and auth cookies are always set as secure, even if https is disabled. Ideally everyone who uses Auth also connects via https, but we should still allow auth over insecure connections.

To fix, cookies should either be set to secure only if https is enabled, or be independently disabled or enabled with a different config option. Setting Secure based only off https being enabled will cause problems with users that don't enable https in app but do have a reverse proxy in front of their application providing and terminating ssl connections, in which case we want cookies to be set as secure.
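
An added example (not modmail-viewer's code) of the decision this issue describes: an explicit override wins, otherwise `Secure` is set when the app serves HTTPS itself or when the public URL is https, which covers a TLS-terminating reverse proxy. The class, the method names, the override setting, and the use of the `MODMAIL_VIEWER_URL` scheme as the proxy signal are assumptions; the deployments in `main` are constructed.

```java
import java.net.URI;
import java.util.Optional;

// Hypothetical sketch, not modmail-viewer code.
public final class CookieSecurity {

    /** Parses an optional override setting; unset means "decide automatically". */
    static Optional<Boolean> parseOverride(String value) {
        if (value == null || value.isBlank()) return Optional.empty();
        String v = value.trim();
        if ("true".equalsIgnoreCase(v)) return Optional.of(true);
        if ("false".equalsIgnoreCase(v)) return Optional.of(false);
        // Fail at startup on a typo rather than silently picking a cookie mode.
        throw new IllegalArgumentException("expected true or false, got: " + value);
    }

    /**
     * Secure is set when the operator says so, when the app serves HTTPS itself, or when the
     * public URL is https (TLS terminated by a reverse proxy in front of a plain-HTTP app).
     */
    static boolean secureFlag(Optional<Boolean> override, boolean httpsEnabledInApp, String publicUrl) {
        if (override.isPresent()) return override.get();
        if (httpsEnabledInApp) return true;
        return "https".equalsIgnoreCase(URI.create(publicUrl).getScheme());
    }

    static String setCookieHeader(String name, String value, boolean secure) {
        // HttpOnly and SameSite=Lax are kept in both modes; only Secure varies.
        String header = name + "=" + value + "; Path=/; HttpOnly; SameSite=Lax";
        return secure ? header + "; Secure" : header;
    }

    public static void main(String[] args) {
        // Constructed deployments: {override, HTTPS enabled in app, public URL}
        String[][] cases = {
            {null, "false", "https://mysite.com"},      // reverse proxy terminates TLS
            {null, "false", "http://127.0.0.1:3000"},   // plain HTTP, e.g. local testing
            {null, "true", "http://127.0.0.1:3000"},    // in-app HTTPS
            {"false", "false", "https://mysite.com"},   // operator opts out explicitly
        };
        for (String[] c : cases) {
            boolean secure = secureFlag(parseOverride(c[0]), Boolean.parseBoolean(c[1]), c[2]);
            System.out.println(String.join(", ", String.valueOf(c[0]), c[1], c[2])
                    + " -> " + setCookieHeader("state", "constructed-value", secure));
        }
    }
}
```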
