Add E2EE API (#13820)

app/services/reblog_service.rb

@@ -60,6 +60,6 @@ class ReblogService < BaseService
   end
 
   def build_json(reblog)
-    Oj.dump(serialize_payload(reblog, ActivityPub::ActivitySerializer, signer: reblog.account))
+    Oj.dump(serialize_payload(ActivityPub::ActivityPresenter.from_status(reblog), ActivityPub::ActivitySerializer, signer: reblog.account))
   end
 end

app/validators/ed25519_key_validator.rb

+# frozen_string_literal: true
+
+class Ed25519KeyValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    return if value.blank?
+
+    key = Base64.decode64(value)
+
+    record.errors[attribute] << I18n.t('crypto.errors.invalid_key') unless verified?(key)
+  end
+
+  private
+
+  def verified?(key)
+    Ed25519.validate_key_bytes(key)
+  rescue ArgumentError
+    false
+  end
+end

app/validators/ed25519_signature_validator.rb

+# frozen_string_literal: true
+
+class Ed25519SignatureValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    return if value.blank?
+
+    verify_key = Ed25519::VerifyKey.new(Base64.decode64(option_to_value(record, :verify_key)))
+    signature  = Base64.decode64(value)
+    message    = option_to_value(record, :message)
+
+    record.errors[attribute] << I18n.t('crypto.errors.invalid_signature') unless verified?(verify_key, signature, message)
+  end
+
+  private
+
+  def verified?(verify_key, signature, message)
+    verify_key.verify(signature, message)
+  rescue Ed25519::VerifyError, ArgumentError
+    false
+  end
+
+  def option_to_value(record, key)
+    if options[key].is_a?(Proc)
+      options[key].call(record)
+    else
+      record.public_send(options[key])
+    end
+  end
+end

app/workers/activitypub/distribution_worker.rb

@@ -43,7 +43,7 @@ class ActivityPub::DistributionWorker
   end
 
   def payload
-    @payload ||= Oj.dump(serialize_payload(@status, ActivityPub::ActivitySerializer, signer: @account))
+    @payload ||= Oj.dump(serialize_payload(ActivityPub::ActivityPresenter.from_status(@status), ActivityPub::ActivitySerializer, signer: @account))
   end
 
   def relay!

app/workers/activitypub/reply_distribution_worker.rb

@@ -29,6 +29,6 @@ class ActivityPub::ReplyDistributionWorker
   end
 
   def payload
-    @payload ||= Oj.dump(serialize_payload(@status, ActivityPub::ActivitySerializer, signer: @status.account))
+    @payload ||= Oj.dump(serialize_payload(ActivityPub::ActivityPresenter.from_status(@status), ActivityPub::ActivitySerializer, signer: @status.account))
   end
 end

app/workers/push_conversation_worker.rb

@@ -2,13 +2,14 @@
 
 class PushConversationWorker
   include Sidekiq::Worker
+  include Redisable
 
   def perform(conversation_account_id)
     conversation = AccountConversation.find(conversation_account_id)
     message      = InlineRenderer.render(conversation, conversation.account, :conversation)
     timeline_id  = "timeline:direct:#{conversation.account_id}"
 
-    Redis.current.publish(timeline_id, Oj.dump(event: :conversation, payload: message, queued_at: (Time.now.to_f * 1000.0).to_i))
+    redis.publish(timeline_id, Oj.dump(event: :conversation, payload: message, queued_at: (Time.now.to_f * 1000.0).to_i))
   rescue ActiveRecord::RecordNotFound
     true
   end

app/workers/push_encrypted_message_worker.rb

+# frozen_string_literal: true
+
+class PushEncryptedMessageWorker
+  include Sidekiq::Worker
+  include Redisable
+
+  def perform(encrypted_message_id)
+    encrypted_message = EncryptedMessage.find(encrypted_message_id)
+    message           = InlineRenderer.render(encrypted_message, nil, :encrypted_message)
+    timeline_id       = "timeline:#{encrypted_message.device.account_id}:#{encrypted_message.device.device_id}"
+
+    redis.publish(timeline_id, Oj.dump(event: :encrypted_message, payload: message, queued_at: (Time.now.to_f * 1000.0).to_i))
+  rescue ActiveRecord::RecordNotFound
+    true
+  end
+end

app/workers/scheduler/doorkeeper_cleanup_scheduler.rb

@@ -8,5 +8,6 @@ class Scheduler::DoorkeeperCleanupScheduler
   def perform
     Doorkeeper::AccessToken.where('revoked_at IS NOT NULL').where('revoked_at < NOW()').delete_all
     Doorkeeper::AccessGrant.where('revoked_at IS NOT NULL').where('revoked_at < NOW()').delete_all
+    SystemKey.expired.delete_all
   end
 end

config/brakeman.ignore

 {
   "ignored_warnings": [
-    {
-      "warning_type": "Mass Assignment",
-      "warning_code": 105,
-      "fingerprint": "0117d2be5947ea4e4fbed9c15f23c6615b12c6892973411820c83d079808819d",
-      "check_name": "PermitAttributes",
-      "message": "Potentially dangerous key allowed for mass assignment",
-      "file": "app/controllers/api/v1/search_controller.rb",
-      "line": 30,
-      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
-      "render_path": null,
-      "location": {
-        "type": "method",
-        "class": "Api::V1::SearchController",
-        "method": "search_params"
-      },
-      "user_input": ":account_id",
-      "confidence": "High",
-      "note": ""
-    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -27,7 +7,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "app/models/report.rb",
-      "line": 90,
+      "line": 112,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "Admin::ActionLog.from(\"(#{[Admin::ActionLog.where(:target_type => \"Report\", :target_id => id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Account\", :target_id => target_account_id, :created_at => ((created_at..updated_at))).unscope(:order), Admin::ActionLog.where(:target_type => \"Status\", :target_id => status_ids, :created_at => ((created_at..updated_at))).unscope(:order)].map do\n \"(#{query.to_sql})\"\n end.join(\" UNION ALL \")}) AS admin_action_logs\")",
       "render_path": null,
@@ -47,7 +27,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "app/models/status.rb",
-      "line": 87,
+      "line": 100,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "result.joins(\"INNER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
       "render_path": null,
@@ -61,39 +41,62 @@
       "note": ""
     },
     {
-      "warning_type": "Mass Assignment",
-      "warning_code": 105,
-      "fingerprint": "28d81cc22580ef76e912b077b245f353499aa27b3826476667224c00227af2a9",
-      "check_name": "PermitAttributes",
-      "message": "Potentially dangerous key allowed for mass assignment",
-      "file": "app/controllers/admin/reports_controller.rb",
-      "line": 56,
-      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
-      "code": "params.permit(:account_id, :resolved, :target_account_id)",
-      "render_path": null,
+      "warning_type": "Dynamic Render Path",
+      "warning_code": 15,
+      "fingerprint": "20a660939f2bbf8c665e69f2844031c0564524689a9570a0091ed94846212020",
+      "check_name": "Render",
+      "message": "Render path contains parameter value",
+      "file": "app/views/admin/action_logs/index.html.haml",
+      "line": 26,
+      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
+      "code": "render(action => Admin::ActionLogFilter.new(filter_params).results.page(params[:page]), {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Admin::ActionLogsController",
+          "method": "index",
+          "line": 8,
+          "file": "app/controllers/admin/action_logs_controller.rb",
+          "rendered": {
+            "name": "admin/action_logs/index",
+            "file": "app/views/admin/action_logs/index.html.haml"
+          }
+        }
+      ],
       "location": {
-        "type": "method",
-        "class": "Admin::ReportsController",
-        "method": "filter_params"
+        "type": "template",
+        "template": "admin/action_logs/index"
       },
-      "user_input": ":account_id",
-      "confidence": "High",
+      "user_input": "params[:page]",
+      "confidence": "Weak",
       "note": ""
     },
     {
       "warning_type": "Dynamic Render Path",
       "warning_code": 15,
-      "fingerprint": "4b6a895e2805578d03ceedbe1d469cc75a0c759eba093722523edb4b8683c873",
+      "fingerprint": "371fe16dc4c9d6ab08a20437d65be4825776107a67c38f6d4780a9c703cd44a5",
       "check_name": "Render",
       "message": "Render path contains parameter value",
-      "file": "app/views/admin/action_logs/index.html.haml",
-      "line": 4,
+      "file": "app/views/admin/email_domain_blocks/index.html.haml",
+      "line": 17,
       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
-      "code": "render(action => Admin::ActionLog.page(params[:page]), {})",
-      "render_path": [{"type":"controller","class":"Admin::ActionLogsController","method":"index","line":7,"file":"app/controllers/admin/action_logs_controller.rb","rendered":{"name":"admin/action_logs/index","file":"/home/eugr/Projects/mastodon/app/views/admin/action_logs/index.html.haml"}}],
+      "code": "render(action => EmailDomainBlock.where(:parent_id => nil).includes(:children).order(:id => :desc).page(params[:page]), {})",
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Admin::EmailDomainBlocksController",
+          "method": "index",
+          "line": 10,
+          "file": "app/controllers/admin/email_domain_blocks_controller.rb",
+          "rendered": {
+            "name": "admin/email_domain_blocks/index",
+            "file": "app/views/admin/email_domain_blocks/index.html.haml"
+          }
+        }
+      ],
       "location": {
         "type": "template",
-        "template": "admin/action_logs/index"
+        "template": "admin/email_domain_blocks/index"
       },
       "user_input": "params[:page]",
       "confidence": "Weak",
@@ -106,7 +109,7 @@
       "check_name": "Redirect",
       "message": "Possible unprotected redirect",
       "file": "app/controllers/remote_interaction_controller.rb",
-      "line": 21,
+      "line": 24,
       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
       "code": "redirect_to(RemoteFollow.new(resource_params).interact_address_for(Status.find(params[:id])))",
       "render_path": null,
@@ -119,25 +122,6 @@
       "confidence": "High",
       "note": ""
     },
-    {
-      "warning_type": "Dynamic Render Path",
-      "warning_code": 15,
-      "fingerprint": "67afc0d5f7775fa5bd91d1912e1b5505aeedef61876347546fa20f92fd6915e6",
-      "check_name": "Render",
-      "message": "Render path contains parameter value",
-      "file": "app/views/stream_entries/embed.html.haml",
-      "line": 3,
-      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
-      "code": "render(action => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :centered => true, :autoplay => ActiveModel::Type::Boolean.new.cast(params[:autoplay]) })",
-      "render_path": [{"type":"controller","class":"StatusesController","method":"embed","line":63,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/embed","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/embed.html.haml"}}],
-      "location": {
-        "type": "template",
-        "template": "stream_entries/embed"
-      },
-      "user_input": "params[:id]",
-      "confidence": "Weak",
-      "note": ""
-    },
     {
       "warning_type": "SQL Injection",
       "warning_code": 0,
@@ -145,7 +129,7 @@
       "check_name": "SQL",
       "message": "Possible SQL injection",
       "file": "app/models/status.rb",
-      "line": 92,
+      "line": 105,
       "link": "https://brakemanscanner.org/docs/warning_types/sql_injection/",
       "code": "result.joins(\"LEFT OUTER JOIN statuses_tags t#{id} ON t#{id}.status_id = statuses.id AND t#{id}.tag_id = #{id}\")",
       "render_path": null,
@@ -159,22 +143,43 @@
       "note": ""
     },
     {
-      "warning_type": "Dynamic Render Path",
-      "warning_code": 15,
-      "fingerprint": "8d843713d99e8403f7992f3e72251b633817cf9076ffcbbad5613859d2bbc127",
-      "check_name": "Render",
-      "message": "Render path contains parameter value",
-      "file": "app/views/admin/custom_emojis/index.html.haml",
-      "line": 45,
-      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
-      "code": "render(action => filtered_custom_emojis.eager_load(:local_counterpart).page(params[:page]), {})",
-      "render_path": [{"type":"controller","class":"Admin::CustomEmojisController","method":"index","line":11,"file":"app/controllers/admin/custom_emojis_controller.rb","rendered":{"name":"admin/custom_emojis/index","file":"/home/eugr/Projects/mastodon/app/views/admin/custom_emojis/index.html.haml"}}],
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "7631e93d0099506e7c3e5c91ba8d88523b00a41a0834ae30031a5a4e8bb3020a",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v2/search_controller.rb",
+      "line": 28,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:type, :offset, :min_id, :max_id, :account_id)",
+      "render_path": null,
       "location": {
-        "type": "template",
-        "template": "admin/custom_emojis/index"
+        "type": "method",
+        "class": "Api::V2::SearchController",
+        "method": "search_params"
       },
-      "user_input": "params[:page]",
-      "confidence": "Weak",
+      "user_input": ":account_id",
+      "confidence": "High",
+      "note": ""
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "8f63dec68951d9bcf7eddb15af9392b2e1333003089c41fb76688dfd3579f394",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v1/crypto/deliveries_controller.rb",
+      "line": 23,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.require(:device).permit(:account_id, :device_id, :type, :body, :hmac)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Api::V1::Crypto::DeliveriesController",
+        "method": "resource_params"
+      },
+      "user_input": ":account_id",
+      "confidence": "High",
       "note": ""
     },
     {
@@ -204,10 +209,22 @@
       "check_name": "Render",
       "message": "Render path contains parameter value",
       "file": "app/views/admin/accounts/index.html.haml",
-      "line": 47,
+      "line": 54,
       "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
       "code": "render(action => filtered_accounts.page(params[:page]), {})",
-      "render_path": [{"type":"controller","class":"Admin::AccountsController","method":"index","line":12,"file":"app/controllers/admin/accounts_controller.rb","rendered":{"name":"admin/accounts/index","file":"/home/eugr/Projects/mastodon/app/views/admin/accounts/index.html.haml"}}],
+      "render_path": [
+        {
+          "type": "controller",
+          "class": "Admin::AccountsController",
+          "method": "index",
+          "line": 12,
+          "file": "app/controllers/admin/accounts_controller.rb",
+          "rendered": {
+            "name": "admin/accounts/index",
+            "file": "app/views/admin/accounts/index.html.haml"
+          }
+        }
+      ],
       "location": {
         "type": "template",
         "template": "admin/accounts/index"
@@ -219,40 +236,40 @@
     {
       "warning_type": "Redirect",
       "warning_code": 18,
-      "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
+      "fingerprint": "ba568ac09683f98740f663f3d850c31785900215992e8c090497d359a2563d50",
       "check_name": "Redirect",
       "message": "Possible unprotected redirect",
-      "file": "app/controllers/media_controller.rb",
-      "line": 14,
+      "file": "app/controllers/remote_follow_controller.rb",
+      "line": 21,
       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
+      "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(@account))",
       "render_path": null,
       "location": {
         "type": "method",
-        "class": "MediaController",
-        "method": "show"
+        "class": "RemoteFollowController",
+        "method": "create"
       },
-      "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
+      "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(@account)",
       "confidence": "High",
       "note": ""
     },
     {
       "warning_type": "Redirect",
       "warning_code": 18,
-      "fingerprint": "bb7e94e60af41decb811bb32171f1b27e9bf3f4d01e9e511127362e22510eb11",
+      "fingerprint": "ba699ddcc6552c422c4ecd50d2cd217f616a2446659e185a50b05a0f2dad8d33",
       "check_name": "Redirect",
       "message": "Possible unprotected redirect",
-      "file": "app/controllers/remote_follow_controller.rb",
-      "line": 19,
+      "file": "app/controllers/media_controller.rb",
+      "line": 20,
       "link": "https://brakemanscanner.org/docs/warning_types/redirect/",
-      "code": "redirect_to(RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username])))",
+      "code": "redirect_to(MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original))",
       "render_path": null,
       "location": {
         "type": "method",
-        "class": "RemoteFollowController",
-        "method": "create"
+        "class": "MediaController",
+        "method": "show"
       },
-      "user_input": "RemoteFollow.new(resource_params).subscribe_address_for(Account.find_local!(params[:account_username]))",
+      "user_input": "MediaAttachment.attached.find_by!(:shortcode => ((params[:id] or params[:medium_id]))).file.url(:original)",
       "confidence": "High",
       "note": ""
     },
@@ -275,27 +292,8 @@
       "user_input": ":account_id",
       "confidence": "High",
       "note": ""
-    },
-    {
-      "warning_type": "Dynamic Render Path",
-      "warning_code": 15,
-      "fingerprint": "fbd0fc59adb5c6d44b60e02debb31d3af11719f534c9881e21435bbff87404d6",
-      "check_name": "Render",
-      "message": "Render path contains parameter value",
-      "file": "app/views/stream_entries/show.html.haml",
-      "line": 23,
-      "link": "https://brakemanscanner.org/docs/warning_types/dynamic_render_path/",
-      "code": "render(partial => \"stream_entries/#{Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase}\", { :locals => ({ Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity_type.downcase.to_sym => Account.find_local!(params[:account_username]).statuses.find(params[:id]).stream_entry.activity, :include_threads => true }) })",
-      "render_path": [{"type":"controller","class":"StatusesController","method":"show","line":34,"file":"app/controllers/statuses_controller.rb","rendered":{"name":"stream_entries/show","file":"/home/eugr/Projects/mastodon/app/views/stream_entries/show.html.haml"}}],
-      "location": {
-        "type": "template",
-        "template": "stream_entries/show"
-      },
-      "user_input": "params[:id]",
-      "confidence": "Weak",
-      "note": ""
     }
   ],
-  "updated": "2019-02-21 02:30:29 +0100",
-  "brakeman_version": "4.4.0"
+  "updated": "2020-06-01 18:18:02 +0200",
+  "brakeman_version": "4.8.0"
 }

config/initializers/doorkeeper.rb

@@ -95,7 +95,8 @@ Doorkeeper.configure do
                   :'admin:read:reports',
                   :'admin:write',
                   :'admin:write:accounts',
-                  :'admin:write:reports'
+                  :'admin:write:reports',
+                  :crypto
 
   # Change the way client credentials are retrieved from the request object.
   # By default it retrieves first from the `HTTP_AUTHORIZATION` header, then

config/initializers/inflections.rb

@@ -19,6 +19,7 @@ ActiveSupport::Inflector.inflections(:en) do |inflect|
   inflect.acronym 'ActivityStreams'
   inflect.acronym 'JsonLd'
   inflect.acronym 'NodeInfo'
+  inflect.acronym 'Ed25519'
 
   inflect.singular 'data', 'data'
 end

config/locales/en.yml

@@ -721,6 +721,10 @@ en:
     hint_html: "<strong>Tip:</strong> We won't ask you for your password again for the next hour."
     invalid_password: Invalid password
     prompt: Confirm password to continue
+  crypto:
+    errors:
+      invalid_key: is not a valid Ed25519 or Curve25519 key
+      invalid_signature: is not a valid Ed25519 signature
   date:
     formats:
       default: "%b %d, %Y"

config/routes.rb

@@ -79,6 +79,7 @@ Rails.application.routes.draw do
 
     resource :outbox, only: [:show], module: :activitypub
     resource :inbox, only: [:create], module: :activitypub
+    resource :claim, only: [:create], module: :activitypub
     resources :collections, only: [:show], module: :activitypub
   end
 
@@ -339,6 +340,23 @@ Rails.application.routes.draw do
         end
       end
 
+      namespace :crypto do
+        resources :deliveries, only: :create
+
+        namespace :keys do
+          resource :upload, only: [:create]
+          resource :query,  only: [:create]
+          resource :claim,  only: [:create]
+          resource :count,  only: [:show]
+        end
+
+        resources :encrypted_messages, only: [:index] do
+          collection do
+            post :clear
+          end
+        end
+      end
+
       resources :conversations, only: [:index, :destroy] do
         member do
           post :read

db/migrate/20170129000348_create_devices.rb

-class CreateDevices < ActiveRecord::Migration[5.0]
-  def change
-    create_table :devices do |t|
-      t.integer :account_id, null: false
-      t.string :registration_id, null: false, default: ''
-
-      t.timestamps
-    end
-
-    add_index :devices, :registration_id
-    add_index :devices, :account_id
-  end
-end

db/migrate/20170205175257_remove_devices.rb

 class RemoveDevices < ActiveRecord::Migration[5.0]
   def change
-    drop_table :devices
+    drop_table :devices if table_exists?(:devices)
   end
 end

db/migrate/20200516180352_create_devices.rb

+class CreateDevices < ActiveRecord::Migration[5.2]
+  def change
+    create_table :devices do |t|
+      t.references :access_token, foreign_key: { to_table: :oauth_access_tokens, on_delete: :cascade, index: :unique }
+      t.references :account, foreign_key: { on_delete: :cascade }
+      t.string :device_id, default: '', null: false
+      t.string :name, default: '', null: false
+      t.text :fingerprint_key, default: '', null: false
+      t.text :identity_key, default: '', null: false
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20200516183822_create_one_time_keys.rb

+class CreateOneTimeKeys < ActiveRecord::Migration[5.2]
+  def change
+    create_table :one_time_keys do |t|
+      t.references :device, foreign_key: { on_delete: :cascade }
+      t.string :key_id, default: '', null: false, index: :unique
+      t.text :key, default: '', null: false
+      t.text :signature, default: '', null: false
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20200518083523_create_encrypted_messages.rb

+class CreateEncryptedMessages < ActiveRecord::Migration[5.2]
+  def change
+    create_table :encrypted_messages do |t|
+      t.references :device, foreign_key: { on_delete: :cascade }
+      t.references :from_account, foreign_key: { to_table: :accounts, on_delete: :cascade }
+      t.string :from_device_id, default: '', null: false
+      t.integer :type, default: 0, null: false
+      t.text :body, default: '', null: false
+      t.text :digest, default: '', null: false
+      t.text :message_franking, default: '', null: false
+
+      t.timestamps
+    end
+  end
+end

db/migrate/20200521180606_encrypted_message_ids_to_timestamp_ids.rb

+class EncryptedMessageIdsToTimestampIds < ActiveRecord::Migration[5.2]
+  def up
+    safety_assured do
+      execute("ALTER TABLE encrypted_messages ALTER COLUMN id SET DEFAULT timestamp_id('encrypted_messages')")
+    end
+  end
+
+  def down
+    execute("LOCK encrypted_messages")
+    execute("SELECT setval('encrypted_messages_id_seq', (SELECT MAX(id) FROM encrypted_messages))")
+    execute("ALTER TABLE encrypted_messages ALTER COLUMN id SET DEFAULT nextval('encrypted_messages_id_seq')")
+  end
+end

db/migrate/20200529214050_add_devices_url_to_accounts.rb

+class AddDevicesUrlToAccounts < ActiveRecord::Migration[5.2]
+  def change
+    add_column :accounts, :devices_url, :string
+  end
+end