Merge branch 'main' into patch-1

2026-01-21 04:53:14 -06:00 · 2023-01-09 08:59:23 +01:00 · 2023-01-09 08:59:23 +01:00 · 1dc6502a74
parent cfeb64ba95 0995dc4822
commit 1dc6502a74
407 changed files with 15728 additions and 4243 deletions
--- a/.github/ISSUE_TEMPLATE/BUG_REPORT.md
+++ b/.github/ISSUE_TEMPLATE/BUG_REPORT.md
@ -7,24 +7,28 @@ about: Create a report to help us improve
 <!--
 All bug reports must provide the following background information
 Text between <!-- and --> marks will be invisible in the report.
 IF YOUR ISSUE IS CONSIDERED A SECURITY VULNERABILITY THEN PLEASE STOP
 AND DO NOT POST IT AS A GITHUB ISSUE! Please report the issue responsibly by
 disclosing in private by email to security@matrix.org instead. For more details, please
 see: https://www.matrix.org/security-disclosure-policy/
 -->
 ### Background information
 <!-- Please include versions of all software when known e.g database versions, docker versions, client versions -->
- **Dendrite version or git SHA**: 
+- **Dendrite version or git SHA**:
- **Monolith or Polylith?**: 
+- **Monolith or Polylith?**:
- **SQLite3 or Postgres?**: 
+- **SQLite3 or Postgres?**:
- **Running in Docker?**: 
+- **Running in Docker?**:
 - **`go version`**:
 - **Client used (if applicable)**:
 ### Description
- - **What** is the problem:
+- **What** is the problem:
- - **Who** is affected:
+- **Who** is affected:
- - **How** is this bug manifesting:
+- **How** is this bug manifesting:
- - **When** did this first appear:
+- **When** did this first appear:
 <!--
 Examples of good descriptions:
@ -38,7 +42,6 @@ Examples of good descriptions:
 - How: "Lots of logs about device change updates"
 - When: "After my server joined Matrix HQ"
 Examples of bad descriptions:
 - What: "Can't send messages"  - This is bad because it isn't specfic enough. Which endpoint isn't working and what is the response code? Does the message send but encryption fail?
 - Who: "Me" - Who are you? Running the server or a user on a Dendrite server?
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@ -1,8 +1,8 @@
 ### Pull Request Checklist
-<!-- Please read docs/CONTRIBUTING.md before submitting your pull request -->
+<!-- Please read https://matrix-org.github.io/dendrite/development/contributing before submitting your pull request -->
-* [ ] I have added tests for PR _or_ I have justified why this PR doesn't need tests.
+* [ ] I have added Go unit tests or [Complement integration tests](https://github.com/matrix-org/complement) for this PR _or_ I have justified why this PR doesn't need tests
-* [ ] Pull request includes a [sign off](https://github.com/matrix-org/dendrite/blob/main/docs/CONTRIBUTING.md#sign-off)
+* [ ] Pull request includes a [sign off below using a legally identifiable name](https://matrix-org.github.io/dendrite/development/contributing#sign-off) _or_ I have already signed off privately
 Signed-off-by: `Your Name <your@email.example.org>`
--- a/.github/codecov.yaml
+++ b/.github/codecov.yaml
@ -0,0 +1,20 @@
 flag_management:
  default_rules:
    carryforward: true
 coverage:
  status:
    project:
      default:
        target: auto
        threshold: 0%
        base: auto
        flags:
          - unittests
    patch:
      default:
        target: 75%
        threshold: 0%
        base: auto
        flags:
          - unittests
--- a/.github/workflows/dendrite.yml
+++ b/.github/workflows/dendrite.yml
@ -26,22 +26,14 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: 1.18
-
+          cache: true
      - uses: actions/cache@v2
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-wasm-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-wasm
      - name: Install Node
        uses: actions/setup-node@v2
        with:
          node-version: 14
-      - uses: actions/cache@v2
+      - uses: actions/cache@v3
        with:
          path: ~/.npm
          key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
@ -76,7 +68,7 @@ jobs:
  # run go test with different go versions
  test:
-    timeout-minutes: 5
+    timeout-minutes: 10
    name: Unit tests (Go ${{ matrix.go }})
    runs-on: ubuntu-latest
    # Service containers to run with `container-job`
@ -102,7 +94,7 @@ jobs:
    strategy:
      fail-fast: false
      matrix:
-        go: ["1.18", "1.19"]
+        go: ["1.19"]
    steps:
      - uses: actions/checkout@v3
      - name: Setup go
@ -110,14 +102,20 @@ jobs:
        with:
          go-version: ${{ matrix.go }}
      - uses: actions/cache@v3
        # manually set up caches, as they otherwise clash with different steps using setup-go with cache=true
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
-          key: ${{ runner.os }}-go${{ matrix.go }}-test-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go${{ matrix.go }}-unit-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go${{ matrix.go }}-test-
+            ${{ runner.os }}-go${{ matrix.go }}-unit-
-      - run: go test ./...
+      - name: Set up gotestfmt
        uses: gotesttools/gotestfmt-action@v2
        with:
          # Optional: pass GITHUB_TOKEN to avoid rate limiting.
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: go test -json -v ./... 2>&1 | gotestfmt
        env:
          POSTGRES_HOST: localhost
          POSTGRES_USER: postgres
@ -141,17 +139,17 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: ${{ matrix.go }}
      - name: Install dependencies x86
        if: ${{ matrix.goarch == '386' }}
        run: sudo apt update && sudo apt-get install -y gcc-multilib
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
-          key: ${{ runner.os }}-go${{ matrix.go }}-${{ matrix.goarch }}-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go${{ matrix.go }}${{ matrix.goos }}-${{ matrix.goarch }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go${{ matrix.go }}-${{ matrix.goarch }}-
+            key: ${{ runner.os }}-go${{ matrix.go }}${{ matrix.goos }}-${{ matrix.goarch }}-
      - name: Install dependencies x86
        if: ${{ matrix.goarch == '386' }}
        run: sudo apt update && sudo apt-get install -y gcc-multilib
      - env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
@ -175,16 +173,16 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: ${{ matrix.go }}
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y gcc-mingw-w64-x86-64 # install required gcc
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
-          key: ${{ runner.os }}-go${{ matrix.go }}-${{ matrix.goos }}-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go${{ matrix.go }}${{ matrix.goos }}-${{ matrix.goarch }}-${{ hashFiles('**/go.sum') }}
          restore-keys: |
-            ${{ runner.os }}-go${{ matrix.go }}-${{ matrix.goos }}
+            key: ${{ runner.os }}-go${{ matrix.go }}${{ matrix.goos }}-${{ matrix.goarch }}-
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y gcc-mingw-w64-x86-64 # install required gcc
      - env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
@ -204,6 +202,66 @@ jobs:
        with:
          jobs: ${{ toJSON(needs) }}
  # run go test with different go versions
  integration:
    timeout-minutes: 20
    needs: initial-tests-done
    name: Integration tests (Go ${{ matrix.go }})
    runs-on: ubuntu-latest
    # Service containers to run with `container-job`
    services:
      # Label used to access the service container
      postgres:
        # Docker Hub image
        image: postgres:13-alpine
        # Provide the password for postgres
        env:
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: dendrite
        ports:
          # Maps tcp port 5432 on service container to the host
          - 5432:5432
        # Set health checks to wait until postgres has started
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    strategy:
      fail-fast: false
      matrix:
        go: ["1.19"]
    steps:
      - uses: actions/checkout@v3
      - name: Setup go
        uses: actions/setup-go@v3
        with:
          go-version: ${{ matrix.go }}
      - name: Set up gotestfmt
        uses: gotesttools/gotestfmt-action@v2
        with:
          # Optional: pass GITHUB_TOKEN to avoid rate limiting.
          token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go${{ matrix.go }}-test-race-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go${{ matrix.go }}-test-race-
      - run: go test -race -json -v -coverpkg=./... -coverprofile=cover.out $(go list ./... | grep -v /cmd/dendrite*) 2>&1 | gotestfmt
        env:
          POSTGRES_HOST: localhost
          POSTGRES_USER: postgres
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: dendrite
      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v3
        with:
          flags: unittests
  # run database upgrade tests
  upgrade_test:
    name: Upgrade tests
@ -216,18 +274,13 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: "1.18"
-      - uses: actions/cache@v3
+          cache: true
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-upgrade-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-upgrade
      - name: Build upgrade-tests
        run: go build ./cmd/dendrite-upgrade-tests
-      - name: Test upgrade
+      - name: Test upgrade (PostgreSQL)
        run: ./dendrite-upgrade-tests --head .
      - name: Test upgrade (SQLite)
        run: ./dendrite-upgrade-tests --sqlite --head .
  # run database upgrade tests, skipping over one version
  upgrade_test_direct:
@ -241,17 +294,12 @@ jobs:
        uses: actions/setup-go@v3
        with:
          go-version: "1.18"
-      - uses: actions/cache@v3
+          cache: true
        with:
          path: |
            ~/.cache/go-build
            ~/go/pkg/mod
          key: ${{ runner.os }}-go-upgrade-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-upgrade
      - name: Build upgrade-tests
        run: go build ./cmd/dendrite-upgrade-tests
-      - name: Test upgrade
+      - name: Test upgrade (PostgreSQL)
        run: ./dendrite-upgrade-tests -direct -from HEAD-2 --head .
      - name: Test upgrade (SQLite)
        run: ./dendrite-upgrade-tests -direct -from HEAD-2 --head .
  # run Sytest in different variations
@ -264,11 +312,18 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - label: SQLite
+          - label: SQLite native
-          - label: SQLite, full HTTP APIs
+          - label: SQLite Cgo
            cgo: 1
          - label: SQLite native, full HTTP APIs
            api: full-http
          - label: SQLite Cgo, full HTTP APIs
            api: full-http
            cgo: 1
          - label: PostgreSQL
            postgres: postgres
@ -276,15 +331,26 @@ jobs:
            postgres: postgres
            api: full-http
    container:
-      image: matrixdotorg/sytest-dendrite:latest
+      image: matrixdotorg/sytest-dendrite
      volumes:
        - ${{ github.workspace }}:/src
        - /root/.cache/go-build:/github/home/.cache/go-build
        - /root/.cache/go-mod:/gopath/pkg/mod
      env:
        POSTGRES: ${{ matrix.postgres && 1}}
        API: ${{ matrix.api && 1 }}
        SYTEST_BRANCH: ${{ github.head_ref }}
        CGO_ENABLED: ${{ matrix.cgo && 1 }}
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            /gopath/pkg/mod
          key: ${{ runner.os }}-go-sytest-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-sytest-
      - name: Run Sytest
        run: /bootstrap.sh dendrite
        working-directory: /src
@ -318,17 +384,28 @@ jobs:
      fail-fast: false
      matrix:
        include:
-          - label: SQLite
+          - label: SQLite native
            cgo: 0
-          - label: SQLite, full HTTP APIs
+          - label: SQLite Cgo
            cgo: 1
          - label: SQLite native, full HTTP APIs
            api: full-http
            cgo: 0
          - label: SQLite Cgo, full HTTP APIs
            api: full-http
            cgo: 1
          - label: PostgreSQL
            postgres: Postgres
            cgo: 0
          - label: PostgreSQL, full HTTP APIs
            postgres: Postgres
            api: full-http
            cgo: 0
    steps:
      # Env vars are set file a file given by $GITHUB_PATH. We need both Go 1.17 and GOPATH on env to run Complement.
      # See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#adding-a-system-path
@ -336,16 +413,14 @@ jobs:
        run: |
          echo "$GOROOT_1_17_X64/bin" >> $GITHUB_PATH
          echo "~/go/bin" >> $GITHUB_PATH
      - name: "Install Complement Dependencies"
        # We don't need to install Go because it is included on the Ubuntu 20.04 image:
        # See https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md specifically GOROOT_1_17_X64
        run: |
          sudo apt-get update && sudo apt-get install -y libolm3 libolm-dev
-          go get -v github.com/haveyoudebuggedit/gotestfmt/v2/cmd/gotestfmt@latest
+          go get -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
-
+      - name: Run actions/checkout@v3 for dendrite
-      - name: Run actions/checkout@v2 for dendrite
+        uses: actions/checkout@v3
        uses: actions/checkout@v2
        with:
          path: dendrite
@ -369,12 +444,10 @@ jobs:
            if [[ -z "$BRANCH_NAME" || $BRANCH_NAME =~ ^refs/pull/.* ]]; then
              continue
            fi
            (wget -O - "https://github.com/matrix-org/complement/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C complement) && break
          done
      # Build initial Dendrite image
-      - run: docker build -t complement-dendrite -f build/scripts/Complement${{ matrix.postgres }}.Dockerfile .
+      - run: docker build --build-arg=CGO=${{ matrix.cgo }} -t complement-dendrite:${{ matrix.postgres }}${{ matrix.api }}${{ matrix.cgo }} -f build/scripts/Complement${{ matrix.postgres }}.Dockerfile .
        working-directory: dendrite
        env:
          DOCKER_BUILDKIT: 1
@ -386,7 +459,7 @@ jobs:
        shell: bash
        name: Run Complement Tests
        env:
-          COMPLEMENT_BASE_IMAGE: complement-dendrite:latest
+          COMPLEMENT_BASE_IMAGE: complement-dendrite:${{ matrix.postgres }}${{ matrix.api }}${{ matrix.cgo }}
          API: ${{ matrix.api && 1 }}
        working-directory: complement
@ -399,6 +472,7 @@ jobs:
        upgrade_test_direct,
        sytest,
        complement,
        integration
      ]
    runs-on: ubuntu-latest
    if: ${{ !cancelled() }} # Run this even if prior jobs were skipped
@ -413,6 +487,7 @@ jobs:
    permissions:
      packages: write
      contents: read
      security-events: write # To upload Trivy sarif files
    if: github.repository == 'matrix-org/dendrite' && github.ref_name == 'main'
    needs: [integration-tests-done]
    uses: matrix-org/dendrite/.github/workflows/docker.yml@main
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -24,23 +24,29 @@ jobs:
    permissions:
      contents: read
      packages: write
      security-events: write # To upload Trivy sarif files
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
-      - name: Get release tag
+      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
          echo "BUILD=$(git rev-parse --short HEAD || \"\")" >> $GITHUB_ENV
          BRANCH=$(git symbolic-ref --short HEAD | tr -d \/)
          [ ${BRANCH} == "main" ] && BRANCH=""
          echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@ -49,12 +55,13 @@ jobs:
      - name: Build main monolith image
        if: github.ref_name == 'main'
        id: docker_build_monolith
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
-          file: ./build/docker/Dockerfile.monolith
+          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          target: monolith
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
@ -64,12 +71,13 @@ jobs:
      - name: Build release monolith image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_monolith_release
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
-          file: ./build/docker/Dockerfile.monolith
+          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          target: monolith
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
@ -78,29 +86,47 @@ jobs:
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:${{ env.RELEASE_VERSION }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-monolith:${{ github.ref_name }}
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"
  polylith:
    name: Polylith image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      security-events: write # To upload Trivy sarif files
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
-      - name: Get release tag
+      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
          echo "BUILD=$(git rev-parse --short HEAD || \"\")" >> $GITHUB_ENV
          BRANCH=$(git symbolic-ref --short HEAD | tr -d \/)
          [ ${BRANCH} == "main" ] && BRANCH=""
          echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@ -109,12 +135,13 @@ jobs:
      - name: Build main polylith image
        if: github.ref_name == 'main'
        id: docker_build_polylith
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
-          file: ./build/docker/Dockerfile.polylith
+          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          target: polylith
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
@ -124,12 +151,13 @@ jobs:
      - name: Build release polylith image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_polylith_release
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
-          file: ./build/docker/Dockerfile.polylith
+          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          target: polylith
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
@ -138,6 +166,18 @@ jobs:
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-polylith:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-polylith:${{ env.RELEASE_VERSION }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-polylith:${{ github.ref_name }}
          format: "sarif"
          output: "trivy-results.sarif"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"
  demo-pinecone:
    name: Pinecone demo image
    runs-on: ubuntu-latest
@ -146,34 +186,40 @@ jobs:
      packages: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
-      - name: Get release tag
+      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
-        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
          echo "BUILD=$(git rev-parse --short HEAD || \"\")" >> $GITHUB_ENV
          BRANCH=$(git symbolic-ref --short HEAD | tr -d \/)
          [ ${BRANCH} == "main" ] && BRANCH=""
          echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build main pinecone demo image
+      - name: Build main Pinecone demo image
        if: github.ref_name == 'main'
        id: docker_build_demo_pinecone
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          file: ./build/docker/Dockerfile.demo-pinecone
          platforms: ${{ env.PLATFORMS }}
          push: true
@ -181,19 +227,87 @@ jobs:
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:${{ github.ref_name }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:${{ github.ref_name }}
-      - name: Build release pinecone demo image
+      - name: Build release Pinecone demo image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_demo_pinecone_release
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          file: ./build/docker/Dockerfile.demo-pinecone
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
-            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:latest
+            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:latest
-            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-pinecone:${{ env.RELEASE_VERSION }}
+            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
-            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:latest
+            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:latest
-            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-pinecone:${{ env.RELEASE_VERSION }}
+            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
  demo-yggdrasil:
    name: Yggdrasil demo image
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Get release tag & build flags
        if: github.event_name == 'release' # Only for GitHub releases
        run: |
          echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
          echo "BUILD=$(git rev-parse --short HEAD || \"\")" >> $GITHUB_ENV
          BRANCH=$(git symbolic-ref --short HEAD | tr -d \/)
          [ ${BRANCH} == "main" ] && BRANCH=""
          echo "BRANCH=${BRANCH}" >> $GITHUB_ENV
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ env.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_TOKEN }}
      - name: Login to GitHub Containers
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build main Yggdrasil demo image
        if: github.ref_name == 'main'
        id: docker_build_demo_yggdrasil
        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          file: ./build/docker/Dockerfile.demo-yggdrasil
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:${{ github.ref_name }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:${{ github.ref_name }}
      - name: Build release Yggdrasil demo image
        if: github.event_name == 'release' # Only for GitHub releases
        id: docker_build_demo_yggdrasil_release
        uses: docker/build-push-action@v3
        with:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          context: .
          build-args: FLAGS=-X github.com/matrix-org/dendrite/internal.branch=${{ env.BRANCH }} -X github.com/matrix-org/dendrite/internal.build=${{ env.BUILD }}
          file: ./build/docker/Dockerfile.demo-yggdrasil
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: |
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:latest
            ${{ env.DOCKER_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:latest
            ghcr.io/${{ env.GHCR_NAMESPACE }}/dendrite-demo-yggdrasil:${{ env.RELEASE_VERSION }}
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
@ -0,0 +1,52 @@
 # Sample workflow for building and deploying a Jekyll site to GitHub Pages
 name: Deploy GitHub Pages dependencies preinstalled
 on:
  # Runs on pushes targeting the default branch
  push:
    branches: ["main"]
    paths:
      - 'docs/**' # only execute if we have docs changes
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
 # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
  contents: read
  pages: write
  id-token: write
 # Allow one concurrent deployment
 concurrency:
  group: "pages"
  cancel-in-progress: true
 jobs:
  # Build job
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Pages
        uses: actions/configure-pages@v2
      - name: Build with Jekyll
        uses: actions/jekyll-build-pages@v1
        with:
          source: ./docs
          destination: ./_site
      - name: Upload artifact
        uses: actions/upload-pages-artifact@v1
  # Deployment job
  deploy:
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Deploy to GitHub Pages
        id: deployment
        uses: actions/deploy-pages@v1
--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@ -0,0 +1,39 @@
 name: Release Charts
 on:
  push:
    branches:
      - main
    paths:
      - 'helm/**' # only execute if we have helm chart changes
 jobs:
  release:
    # depending on default permission settings for your org (contents being read-only or read-write for workloads), you will have to add permissions
    # see: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#modifying-the-permissions-for-the-github_token
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0
      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
      - name: Install Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.10.0
      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.4.1
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
        with:
          config: helm/cr.yaml
          charts_dir: helm/
--- a/.github/workflows/k8s.yml
+++ b/.github/workflows/k8s.yml
@ -0,0 +1,90 @@
 name: k8s
 on:
  push:
    branches: ["main"]
    paths:
      - 'helm/**' # only execute if we have helm chart changes
  pull_request:
    branches: ["main"]
    paths:
      - 'helm/**'
 jobs:
  lint:
    name: Lint Helm chart
    runs-on: ubuntu-latest
    outputs:
      changed: ${{ steps.list-changed.outputs.changed }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - uses: azure/setup-helm@v3
        with:
          version: v3.10.0
      - uses: actions/setup-python@v4
        with:
          python-version: 3.11
          check-latest: true
      - uses: helm/chart-testing-action@v2.3.1
      - name: Get changed status
        id: list-changed
        run: |
          changed=$(ct list-changed --config helm/ct.yaml --target-branch ${{ github.event.repository.default_branch }})
          if [[ -n "$changed" ]]; then
              echo "::set-output name=changed::true"
          fi
      - name: Run lint
        run: ct lint --config helm/ct.yaml
  # only bother to run if lint step reports a change to the helm chart
  install:
    needs:
      - lint
    if: ${{ needs.lint.outputs.changed == 'true' }}
    name: Install Helm charts
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          ref: ${{ inputs.checkoutCommit }}
      - name: Install Kubernetes tools
        uses: yokawasa/action-setup-kube-tools@v0.8.2
        with:
          setup-tools: |
            helmv3
          helm: "3.10.3"
      - uses: actions/setup-python@v4
        with:
          python-version: "3.10"
      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.3.1
      - name: Create k3d cluster
        uses: nolar/setup-k3d-k3s@v1
        with:
          version: v1.21
      - name: Remove node taints
        run: |
          kubectl taint --all=true nodes node.cloudprovider.kubernetes.io/uninitialized- || true
      - name: Run chart-testing (install)
        run: ct install --config helm/ct.yaml
      # Install the chart using helm directly and test with create-account
      - name: Install chart
        run: |
          helm install --values helm/dendrite/ci/ct-postgres-sharedsecret-values.yaml dendrite helm/dendrite
      - name: Wait for Postgres and Dendrite to be up
        run: |
          kubectl wait --for=condition=ready --timeout=90s pod -l app.kubernetes.io/name=postgresql || kubectl get pods -A
          kubectl wait --for=condition=ready --timeout=90s pod -l app.kubernetes.io/name=dendrite || kubectl get pods -A
          kubectl get pods -A
          kubectl get services
          kubectl get ingress
      - name: Run create account
        run: |
          podName=$(kubectl get pods -l app.kubernetes.io/name=dendrite -o name)
          kubectl exec "${podName}" -- /usr/bin/create-account -username alice -password somerandompassword
--- a/.github/workflows/schedules.yaml
+++ b/.github/workflows/schedules.yaml
@ -0,0 +1,75 @@
 name: Scheduled
 on:
  schedule:
    - cron: '0 0 * * *'  # every day at midnight
  workflow_dispatch:
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  # run Sytest in different variations
  sytest:
    timeout-minutes: 60
    name: "Sytest (${{ matrix.label }})"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - label: SQLite
          - label: SQLite, full HTTP APIs
            api: full-http
          - label: PostgreSQL
            postgres: postgres
          - label: PostgreSQL, full HTTP APIs
            postgres: postgres
            api: full-http
    container:
      image: matrixdotorg/sytest-dendrite:latest
      volumes:
        - ${{ github.workspace }}:/src
        - /root/.cache/go-build:/github/home/.cache/go-build
        - /root/.cache/go-mod:/gopath/pkg/mod
      env:
        POSTGRES: ${{ matrix.postgres && 1}}
        API: ${{ matrix.api && 1 }}
        SYTEST_BRANCH: ${{ github.head_ref }}
        RACE_DETECTION: 1
    steps:
      - uses: actions/checkout@v3
      - uses: actions/cache@v3
        with:
          path: |
            ~/.cache/go-build
            /gopath/pkg/mod
          key: ${{ runner.os }}-go-sytest-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-sytest-
      - name: Run Sytest
        run: /bootstrap.sh dendrite
        working-directory: /src
      - name: Summarise results.tap
        if: ${{ always() }}
        run: /sytest/scripts/tap_to_gha.pl /logs/results.tap
      - name: Sytest List Maintenance
        if: ${{ always() }}
        run: /src/show-expected-fail-tests.sh /logs/results.tap /src/sytest-whitelist /src/sytest-blacklist
        continue-on-error: true # not fatal
      - name: Are We Synapse Yet?
        if: ${{ always() }}
        run: /src/are-we-synapse-yet.py /logs/results.tap -v
        continue-on-error: true # not fatal
      - name: Upload Sytest logs
        uses: actions/upload-artifact@v2
        if: ${{ always() }}
        with:
          name: Sytest Logs - ${{ job.status }} - (Dendrite, ${{ join(matrix.*, ', ') }})
          path: |
            /logs/results.tap
            /logs/**/*.log*
--- a/CHANGES.md
+++ b/CHANGES.md
@ -1,5 +1,114 @@
 # Changelog
 ## Dendrite 0.10.8 (2022-11-29)
 ### Features
 * The built-in NATS Server has been updated to version 2.9.8
 * A number of under-the-hood changes have been merged for future virtual hosting support in Dendrite (running multiple domain names on the same Dendrite deployment)
 ### Fixes
 * Event auth handling of invites has been refactored, which should fix some edge cases being handled incorrectly
 * Fix a bug when returning an empty protocol list, which could cause Element to display "The homeserver may be too old to support third party networks" when opening the public room directory
 * The sync API will no longer filter out the user's own membership when using lazy-loading
 * Dendrite will now correctly detect JetStream consumers being deleted, stopping the consumer goroutine as needed
 * A panic in the federation API where the server list could go out of bounds has been fixed
 * Blacklisted servers will now be excluded when querying joined servers, which improves CPU usage and performs less unnecessary outbound requests
 * A database writer will now be used to assign state key NIDs when requesting NIDs that may not exist yet
 * Dendrite will now correctly move local aliases for an upgraded room when the room is upgraded remotely
 * Dendrite will now correctly move account data for an upgraded room when the room is upgraded remotely
 * Missing state key NIDs will now be allocated on request rather than returning an error
 * Guest access is now correctly denied on a number of endpoints
 * Presence information will now be correctly sent for new private chats
 * A number of unspecced fields have been removed from outbound `/send` transactions
 ## Dendrite 0.10.7 (2022-11-04)
 ### Features
 * Dendrite will now use a native SQLite port when building with `CGO_ENABLED=0`
 * A number of `thirdparty` endpoints have been added, improving support for appservices
 ### Fixes
 * The `"state"` section of the `/sync` response is no longer limited, so state events should not be dropped unexpectedly
 * The deduplication of the `"timeline"` and `"state"` sections in `/sync` is now performed after applying history visibility, so state events should not be dropped unexpectedly
 * The `prev_batch` token returned by `/sync` is now calculated after applying history visibility, so that the pagination boundaries are correct
 * The room summary membership counts in `/sync` should now be calculated properly in more cases
 * A false membership leave event should no longer be sent down `/sync` as a result of retiring an accepted invite (contributed by [tak-hntlabs](https://github.com/tak-hntlabs))
 * Presence updates are now only sent to other servers for which the user shares rooms
 * A bug which could cause a panic when converting events into the `ClientEvent` format has been fixed
 ## Dendrite 0.10.6 (2022-11-01)
 ### Features
 * History visibility checks have been optimised, which should speed up response times on a variety of endpoints (including `/sync`, `/messages`, `/context` and others) and reduce database load
 * The built-in NATS Server has been updated to version 2.9.4
 * Some other minor dependencies have been updated
 ### Fixes
 * A panic has been fixed in the sync API PDU stream which could cause requests to fail
 * The `/members` response now contains the `room_id` field, which may fix some E2EE problems with clients using the JS SDK (contributed by [ashkitten](https://github.com/ashkitten))
 * The auth difference calculation in state resolution v2 has been tweaked for clarity (and moved into gomatrixserverlib with the rest of the state resolution code)
 ## Dendrite 0.10.5 (2022-10-31)
 ### Features
 * It is now possible to use hCaptcha instead of reCAPTCHA for protecting registration
 * A new `auto_join_rooms` configuration option has been added for automatically joining new users to a set of rooms
 * A new `/_dendrite/admin/downloadState/{serverName}/{roomID}` endpoint has been added, which allows a server administrator to attempt to repair a room with broken room state by downloading a state snapshot from another federated server in the room
 ### Fixes
 * Querying cross-signing keys for users should now be considerably faster
 * A bug in state resolution where some events were not correctly selected for third-party invites has been fixed
 * A bug in state resolution which could result in `not in room` event rejections has been fixed
 * When accepting a DM invite, it should now be possible to see messages that were sent before the invite was accepted
 * Claiming remote E2EE one-time keys has been refactored and should be more reliable now
 * Various fixes have been made to the `/members` endpoint, which may help with E2EE reliability and clients rendering memberships
 * A race condition in the federation API destination queues has been fixed when associating queued events with remote server destinations
 * A bug in the sync API where too many events were selected resulting in high CPU usage has been fixed
 * Configuring the avatar URL for the Server Notices user should work correctly now
 ## Dendrite 0.10.4 (2022-10-21)
 ### Features
 * Various tables belonging to the user API will be renamed so that they are namespaced with the `userapi_` prefix
  * Note that, after upgrading to this version, you should not revert to an older version of Dendrite as the database changes **will not** be reverted automatically
 * The backoff and retry behaviour in the federation API has been refactored and improved
 ### Fixes
 * Private read receipt support is now advertised in the client `/versions` endpoint
 * Private read receipts will now clear notification counts properly
 * A bug where a false `leave` membership transition was inserted into the timeline after accepting an invite has been fixed
 * Some panics caused by concurrent map writes in the key server have been fixed
 * The sync API now calculates membership transitions from state deltas more accurately
 * Transaction IDs are now scoped to endpoints, which should fix some bugs where transaction ID reuse could cause nonsensical cached responses from some endpoints
 * The length of the `type`, `sender`, `state_key` and `room_id` fields in events are now verified by number of bytes rather than codepoints after a spec clarification, reverting a change made in Dendrite 0.9.6
 ## Dendrite 0.10.3 (2022-10-14)
 ### Features
 * Event relations are now tracked and support for the `/room/{roomID}/relations/...` client API endpoints have been added
 * Support has been added for private read receipts
 * The built-in NATS Server has been updated to version 2.9.3
 ### Fixes
 * The `unread_notifications` are now always populated in joined room responses
 * The `/get_missing_events` federation API endpoint should now work correctly for rooms with `joined` and `invited` visibility settings, returning redacted events for events that other servers are not allowed to see
 * The `/event` client API endpoint now applies history visibility correctly
 * Read markers should now be updated much more reliably
 * A rare bug in the sync API which could cause some `join` memberships to be incorrectly overwritten by other memberships when working out which rooms to populate has been fixed
 * The federation API now correctly updates the joined hosts table during a state rewrite
 ## Dendrite 0.10.2 (2022-10-07)
 ### Features
--- a/66
+++ b/66
@ -0,0 +1,66 @@
 #syntax=docker/dockerfile:1.2
 #
 # base installs required dependencies and runs go mod download to cache dependencies
 #
 FROM --platform=${BUILDPLATFORM} docker.io/golang:1.19-alpine AS base
 RUN apk --update --no-cache add bash build-base curl
 #
 # build creates all needed binaries
 #
 FROM --platform=${BUILDPLATFORM} base AS build
 WORKDIR /src
 ARG TARGETOS
 ARG TARGETARCH
 ARG FLAGS
 RUN --mount=target=. \
    --mount=type=cache,target=/root/.cache/go-build \
    --mount=type=cache,target=/go/pkg/mod \
    USERARCH=`go env GOARCH` \
    GOARCH="$TARGETARCH" \
    GOOS="linux" \
    CGO_ENABLED=$([ "$TARGETARCH" = "$USERARCH" ] && echo "1" || echo "0") \
    go build -v -ldflags="${FLAGS}" -trimpath -o /out/ ./cmd/...
 #
 # The dendrite base image
 #
 FROM alpine:latest AS dendrite-base
 RUN apk --update --no-cache add curl
 LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
 LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 LABEL org.opencontainers.image.documentation="https://matrix-org.github.io/dendrite/"
 LABEL org.opencontainers.image.vendor="The Matrix.org Foundation C.I.C."
 #
 # Builds the polylith image and only contains the polylith binary
 #
 FROM dendrite-base AS polylith
 LABEL org.opencontainers.image.title="Dendrite (Polylith)"
 COPY --from=build /out/dendrite-polylith-multi /usr/bin/
 VOLUME /etc/dendrite
 WORKDIR /etc/dendrite
 ENTRYPOINT ["/usr/bin/dendrite-polylith-multi"]
 #
 # Builds the monolith image and contains all required binaries
 #
 FROM dendrite-base AS monolith
 LABEL org.opencontainers.image.title="Dendrite (Monolith)"
 COPY --from=build /out/create-account /usr/bin/create-account
 COPY --from=build /out/generate-config /usr/bin/generate-config
 COPY --from=build /out/generate-keys /usr/bin/generate-keys
 COPY --from=build /out/dendrite-monolith-server /usr/bin/dendrite-monolith-server
 VOLUME /etc/dendrite
 WORKDIR /etc/dendrite
 ENTRYPOINT ["/usr/bin/dendrite-monolith-server"]
 EXPOSE 8008 8448
--- a/appservice/api/query.go
+++ b/appservice/api/query.go
@ -19,11 +19,13 @@ package api
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 )
 // AppServiceInternalAPI is used to query user and room alias data from application
@ -41,6 +43,10 @@ type AppServiceInternalAPI interface {
 		req *UserIDExistsRequest,
 		resp *UserIDExistsResponse,
 	) error
 	Locations(ctx context.Context, req *LocationRequest, resp *LocationResponse) error
 	User(ctx context.Context, request *UserRequest, response *UserResponse) error
 	Protocols(ctx context.Context, req *ProtocolRequest, resp *ProtocolResponse) error
 }
 // RoomAliasExistsRequest is a request to an application service
@ -77,6 +83,73 @@ type UserIDExistsResponse struct {
 	UserIDExists bool `json:"exists"`
 }
 const (
 	ASProtocolPath = "/_matrix/app/unstable/thirdparty/protocol/"
 	ASUserPath     = "/_matrix/app/unstable/thirdparty/user"
 	ASLocationPath = "/_matrix/app/unstable/thirdparty/location"
 )
 type ProtocolRequest struct {
 	Protocol string `json:"protocol,omitempty"`
 }
 type ProtocolResponse struct {
 	Protocols map[string]ASProtocolResponse `json:"protocols"`
 	Exists    bool                          `json:"exists"`
 }
 type ASProtocolResponse struct {
 	FieldTypes     map[string]FieldType `json:"field_types,omitempty"` // NOTSPEC: field_types is required by the spec
 	Icon           string               `json:"icon"`
 	Instances      []ProtocolInstance   `json:"instances"`
 	LocationFields []string             `json:"location_fields"`
 	UserFields     []string             `json:"user_fields"`
 }
 type FieldType struct {
 	Placeholder string `json:"placeholder"`
 	Regexp      string `json:"regexp"`
 }
 type ProtocolInstance struct {
 	Description string          `json:"desc"`
 	Icon        string          `json:"icon,omitempty"`
 	NetworkID   string          `json:"network_id,omitempty"` // NOTSPEC: network_id is required by the spec
 	Fields      json.RawMessage `json:"fields,omitempty"`     // NOTSPEC: fields is required by the spec
 }
 type UserRequest struct {
 	Protocol string `json:"protocol"`
 	Params   string `json:"params"`
 }
 type UserResponse struct {
 	Users  []ASUserResponse `json:"users,omitempty"`
 	Exists bool             `json:"exists,omitempty"`
 }
 type ASUserResponse struct {
 	Protocol string          `json:"protocol"`
 	UserID   string          `json:"userid"`
 	Fields   json.RawMessage `json:"fields"`
 }
 type LocationRequest struct {
 	Protocol string `json:"protocol"`
 	Params   string `json:"params"`
 }
 type LocationResponse struct {
 	Locations []ASLocationResponse `json:"locations,omitempty"`
 	Exists    bool                 `json:"exists,omitempty"`
 }
 type ASLocationResponse struct {
 	Alias    string          `json:"alias"`
 	Protocol string          `json:"protocol"`
 	Fields   json.RawMessage `json:"fields"`
 }
 // RetrieveUserProfile is a wrapper that queries both the local database and
 // application services for a given user's profile
 // TODO: Remove this, it's called from federationapi and clientapi but is a pure function
--- a/appservice/appservice.go
+++ b/appservice/appservice.go
@ -18,11 +18,14 @@ import (
 	"context"
 	"crypto/tls"
 	"net/http"
 	"sync"
 	"time"
 	"github.com/gorilla/mux"
 	"github.com/sirupsen/logrus"
 	"github.com/matrix-org/gomatrixserverlib"
 	appserviceAPI "github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/appservice/consumers"
 	"github.com/matrix-org/dendrite/appservice/inthttp"
@ -34,8 +37,8 @@ import (
 )
 // AddInternalRoutes registers HTTP handlers for internal API calls
-func AddInternalRoutes(router *mux.Router, queryAPI appserviceAPI.AppServiceInternalAPI) {
+func AddInternalRoutes(router *mux.Router, queryAPI appserviceAPI.AppServiceInternalAPI, enableMetrics bool) {
-	inthttp.AddRoutes(queryAPI, router)
+	inthttp.AddRoutes(queryAPI, router, enableMetrics)
 }
 // NewInternalAPI returns a concerete implementation of the internal API. Callers
@ -58,8 +61,10 @@ func NewInternalAPI(
 	// Create appserivce query API with an HTTP client that will be used for all
 	// outbound and inbound requests (inbound only for the internal API)
 	appserviceQueryAPI := &query.AppServiceQueryAPI{
-		HTTPClient: client,
+		HTTPClient:    client,
-		Cfg:        &base.Cfg.AppServiceAPI,
+		Cfg:           &base.Cfg.AppServiceAPI,
 		ProtocolCache: map[string]appserviceAPI.ASProtocolResponse{},
 		CacheMu:       sync.Mutex{},
 	}
 	if len(base.Cfg.Derived.ApplicationServices) == 0 {
@ -71,7 +76,7 @@ func NewInternalAPI(
 	// events to be sent out.
 	for _, appservice := range base.Cfg.Derived.ApplicationServices {
 		// Create bot account for this AS if it doesn't already exist
-		if err := generateAppServiceAccount(userAPI, appservice); err != nil {
+		if err := generateAppServiceAccount(userAPI, appservice, base.Cfg.Global.ServerName); err != nil {
 			logrus.WithFields(logrus.Fields{
 				"appservice": appservice.ID,
 			}).WithError(err).Panicf("failed to generate bot account for appservice")
@ -98,11 +103,13 @@ func NewInternalAPI(
 func generateAppServiceAccount(
 	userAPI userapi.AppserviceUserAPI,
 	as config.ApplicationService,
 	serverName gomatrixserverlib.ServerName,
 ) error {
 	var accRes userapi.PerformAccountCreationResponse
 	err := userAPI.PerformAccountCreation(context.Background(), &userapi.PerformAccountCreationRequest{
 		AccountType:  userapi.AccountTypeAppService,
 		Localpart:    as.SenderLocalpart,
 		ServerName:   serverName,
 		AppServiceID: as.ID,
 		OnConflict:   userapi.ConflictUpdate,
 	}, &accRes)
@ -112,6 +119,7 @@ func generateAppServiceAccount(
 	var devRes userapi.PerformDeviceCreationResponse
 	err = userAPI.PerformDeviceCreation(context.Background(), &userapi.PerformDeviceCreationRequest{
 		Localpart:          as.SenderLocalpart,
 		ServerName:         serverName,
 		AccessToken:        as.ASToken,
 		DeviceID:           &as.SenderLocalpart,
 		DeviceDisplayName:  &as.SenderLocalpart,
--- a/appservice/appservice_test.go
+++ b/appservice/appservice_test.go
@ -0,0 +1,223 @@
 package appservice_test
 import (
 	"context"
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"regexp"
 	"strings"
 	"testing"
 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/appservice"
 	"github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/appservice/inthttp"
 	"github.com/matrix-org/dendrite/internal/httputil"
 	"github.com/matrix-org/dendrite/roomserver"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/userapi"
 	"github.com/matrix-org/dendrite/test/testrig"
 )
 func TestAppserviceInternalAPI(t *testing.T) {
 	// Set expected results
 	existingProtocol := "irc"
 	wantLocationResponse := []api.ASLocationResponse{{Protocol: existingProtocol, Fields: []byte("{}")}}
 	wantUserResponse := []api.ASUserResponse{{Protocol: existingProtocol, Fields: []byte("{}")}}
 	wantProtocolResponse := api.ASProtocolResponse{Instances: []api.ProtocolInstance{{Fields: []byte("{}")}}}
 	wantProtocolResult := map[string]api.ASProtocolResponse{
 		existingProtocol: wantProtocolResponse,
 	}
 	// create a dummy AS url, handling some cases
 	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		switch {
 		case strings.Contains(r.URL.Path, "location"):
 			// Check if we've got an existing protocol, if so, return a proper response.
 			if r.URL.Path[len(r.URL.Path)-len(existingProtocol):] == existingProtocol {
 				if err := json.NewEncoder(w).Encode(wantLocationResponse); err != nil {
 					t.Fatalf("failed to encode response: %s", err)
 				}
 				return
 			}
 			if err := json.NewEncoder(w).Encode([]api.ASLocationResponse{}); err != nil {
 				t.Fatalf("failed to encode response: %s", err)
 			}
 			return
 		case strings.Contains(r.URL.Path, "user"):
 			if r.URL.Path[len(r.URL.Path)-len(existingProtocol):] == existingProtocol {
 				if err := json.NewEncoder(w).Encode(wantUserResponse); err != nil {
 					t.Fatalf("failed to encode response: %s", err)
 				}
 				return
 			}
 			if err := json.NewEncoder(w).Encode([]api.UserResponse{}); err != nil {
 				t.Fatalf("failed to encode response: %s", err)
 			}
 			return
 		case strings.Contains(r.URL.Path, "protocol"):
 			if r.URL.Path[len(r.URL.Path)-len(existingProtocol):] == existingProtocol {
 				if err := json.NewEncoder(w).Encode(wantProtocolResponse); err != nil {
 					t.Fatalf("failed to encode response: %s", err)
 				}
 				return
 			}
 			if err := json.NewEncoder(w).Encode(nil); err != nil {
 				t.Fatalf("failed to encode response: %s", err)
 			}
 			return
 		default:
 			t.Logf("hit location: %s", r.URL.Path)
 		}
 	}))
 	// The test cases to run
 	runCases := func(t *testing.T, testAPI api.AppServiceInternalAPI) {
 		t.Run("UserIDExists", func(t *testing.T) {
 			testUserIDExists(t, testAPI, "@as-testing:test", true)
 			testUserIDExists(t, testAPI, "@as1-testing:test", false)
 		})
 		t.Run("AliasExists", func(t *testing.T) {
 			testAliasExists(t, testAPI, "@asroom-testing:test", true)
 			testAliasExists(t, testAPI, "@asroom1-testing:test", false)
 		})
 		t.Run("Locations", func(t *testing.T) {
 			testLocations(t, testAPI, existingProtocol, wantLocationResponse)
 			testLocations(t, testAPI, "abc", nil)
 		})
 		t.Run("User", func(t *testing.T) {
 			testUser(t, testAPI, existingProtocol, wantUserResponse)
 			testUser(t, testAPI, "abc", nil)
 		})
 		t.Run("Protocols", func(t *testing.T) {
 			testProtocol(t, testAPI, existingProtocol, wantProtocolResult)
 			testProtocol(t, testAPI, existingProtocol, wantProtocolResult) // tests the cache
 			testProtocol(t, testAPI, "", wantProtocolResult)               // tests getting all protocols
 			testProtocol(t, testAPI, "abc", nil)
 		})
 	}
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
 		base, closeBase := testrig.CreateBaseDendrite(t, dbType)
 		defer closeBase()
 		// Create a dummy application service
 		base.Cfg.AppServiceAPI.Derived.ApplicationServices = []config.ApplicationService{
 			{
 				ID:              "someID",
 				URL:             srv.URL,
 				ASToken:         "",
 				HSToken:         "",
 				SenderLocalpart: "senderLocalPart",
 				NamespaceMap: map[string][]config.ApplicationServiceNamespace{
 					"users":   {{RegexpObject: regexp.MustCompile("as-.*")}},
 					"aliases": {{RegexpObject: regexp.MustCompile("asroom-.*")}},
 				},
 				Protocols: []string{existingProtocol},
 			},
 		}
 		// Create required internal APIs
 		rsAPI := roomserver.NewInternalAPI(base)
 		usrAPI := userapi.NewInternalAPI(base, &base.Cfg.UserAPI, nil, nil, rsAPI, nil)
 		asAPI := appservice.NewInternalAPI(base, usrAPI, rsAPI)
 		// Finally execute the tests
 		t.Run("HTTP API", func(t *testing.T) {
 			router := mux.NewRouter().PathPrefix(httputil.InternalPathPrefix).Subrouter()
 			appservice.AddInternalRoutes(router, asAPI, base.EnableMetrics)
 			apiURL, cancel := test.ListenAndServe(t, router, false)
 			defer cancel()
 			asHTTPApi, err := inthttp.NewAppserviceClient(apiURL, &http.Client{})
 			if err != nil {
 				t.Fatalf("failed to create HTTP client: %s", err)
 			}
 			runCases(t, asHTTPApi)
 		})
 		t.Run("Monolith", func(t *testing.T) {
 			runCases(t, asAPI)
 		})
 	})
 }
 func testUserIDExists(t *testing.T, asAPI api.AppServiceInternalAPI, userID string, wantExists bool) {
 	ctx := context.Background()
 	userResp := &api.UserIDExistsResponse{}
 	if err := asAPI.UserIDExists(ctx, &api.UserIDExistsRequest{
 		UserID: userID,
 	}, userResp); err != nil {
 		t.Errorf("failed to get userID: %s", err)
 	}
 	if userResp.UserIDExists != wantExists {
 		t.Errorf("unexpected result for UserIDExists(%s): %v, expected %v", userID, userResp.UserIDExists, wantExists)
 	}
 }
 func testAliasExists(t *testing.T, asAPI api.AppServiceInternalAPI, alias string, wantExists bool) {
 	ctx := context.Background()
 	aliasResp := &api.RoomAliasExistsResponse{}
 	if err := asAPI.RoomAliasExists(ctx, &api.RoomAliasExistsRequest{
 		Alias: alias,
 	}, aliasResp); err != nil {
 		t.Errorf("failed to get alias: %s", err)
 	}
 	if aliasResp.AliasExists != wantExists {
 		t.Errorf("unexpected result for RoomAliasExists(%s): %v, expected %v", alias, aliasResp.AliasExists, wantExists)
 	}
 }
 func testLocations(t *testing.T, asAPI api.AppServiceInternalAPI, proto string, wantResult []api.ASLocationResponse) {
 	ctx := context.Background()
 	locationResp := &api.LocationResponse{}
 	if err := asAPI.Locations(ctx, &api.LocationRequest{
 		Protocol: proto,
 	}, locationResp); err != nil {
 		t.Errorf("failed to get locations: %s", err)
 	}
 	if !reflect.DeepEqual(locationResp.Locations, wantResult) {
 		t.Errorf("unexpected result for Locations(%s): %+v, expected %+v", proto, locationResp.Locations, wantResult)
 	}
 }
 func testUser(t *testing.T, asAPI api.AppServiceInternalAPI, proto string, wantResult []api.ASUserResponse) {
 	ctx := context.Background()
 	userResp := &api.UserResponse{}
 	if err := asAPI.User(ctx, &api.UserRequest{
 		Protocol: proto,
 	}, userResp); err != nil {
 		t.Errorf("failed to get user: %s", err)
 	}
 	if !reflect.DeepEqual(userResp.Users, wantResult) {
 		t.Errorf("unexpected result for User(%s): %+v, expected %+v", proto, userResp.Users, wantResult)
 	}
 }
 func testProtocol(t *testing.T, asAPI api.AppServiceInternalAPI, proto string, wantResult map[string]api.ASProtocolResponse) {
 	ctx := context.Background()
 	protoResp := &api.ProtocolResponse{}
 	if err := asAPI.Protocols(ctx, &api.ProtocolRequest{
 		Protocol: proto,
 	}, protoResp); err != nil {
 		t.Errorf("failed to get Protocols: %s", err)
 	}
 	if !reflect.DeepEqual(protoResp.Protocols, wantResult) {
 		t.Errorf("unexpected result for Protocols(%s): %+v, expected %+v", proto, protoResp.Protocols[proto], wantResult)
 	}
 }
--- a/appservice/inthttp/client.go
+++ b/appservice/inthttp/client.go
@ -13,6 +13,9 @@ import (
 const (
 	AppServiceRoomAliasExistsPath = "/appservice/RoomAliasExists"
 	AppServiceUserIDExistsPath    = "/appservice/UserIDExists"
 	AppServiceLocationsPath       = "/appservice/locations"
 	AppServiceUserPath            = "/appservice/users"
 	AppServiceProtocolsPath       = "/appservice/protocols"
 )
 // httpAppServiceQueryAPI contains the URL to an appservice query API and a
@ -58,3 +61,24 @@ func (h *httpAppServiceQueryAPI) UserIDExists(
 		h.httpClient, ctx, request, response,
 	)
 }
 func (h *httpAppServiceQueryAPI) Locations(ctx context.Context, request *api.LocationRequest, response *api.LocationResponse) error {
 	return httputil.CallInternalRPCAPI(
 		"ASLocation", h.appserviceURL+AppServiceLocationsPath,
 		h.httpClient, ctx, request, response,
 	)
 }
 func (h *httpAppServiceQueryAPI) User(ctx context.Context, request *api.UserRequest, response *api.UserResponse) error {
 	return httputil.CallInternalRPCAPI(
 		"ASUser", h.appserviceURL+AppServiceUserPath,
 		h.httpClient, ctx, request, response,
 	)
 }
 func (h *httpAppServiceQueryAPI) Protocols(ctx context.Context, request *api.ProtocolRequest, response *api.ProtocolResponse) error {
 	return httputil.CallInternalRPCAPI(
 		"ASProtocols", h.appserviceURL+AppServiceProtocolsPath,
 		h.httpClient, ctx, request, response,
 	)
 }
--- a/appservice/inthttp/server.go
+++ b/appservice/inthttp/server.go
@ -2,19 +2,35 @@ package inthttp
 import (
 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/internal/httputil"
 )
 // AddRoutes adds the AppServiceQueryAPI handlers to the http.ServeMux.
-func AddRoutes(a api.AppServiceInternalAPI, internalAPIMux *mux.Router) {
+func AddRoutes(a api.AppServiceInternalAPI, internalAPIMux *mux.Router, enableMetrics bool) {
 	internalAPIMux.Handle(
 		AppServiceRoomAliasExistsPath,
-		httputil.MakeInternalRPCAPI("AppserviceRoomAliasExists", a.RoomAliasExists),
+		httputil.MakeInternalRPCAPI("AppserviceRoomAliasExists", enableMetrics, a.RoomAliasExists),
 	)
 	internalAPIMux.Handle(
 		AppServiceUserIDExistsPath,
-		httputil.MakeInternalRPCAPI("AppserviceUserIDExists", a.UserIDExists),
+		httputil.MakeInternalRPCAPI("AppserviceUserIDExists", enableMetrics, a.UserIDExists),
 	)
 	internalAPIMux.Handle(
 		AppServiceProtocolsPath,
 		httputil.MakeInternalRPCAPI("AppserviceProtocols", enableMetrics, a.Protocols),
 	)
 	internalAPIMux.Handle(
 		AppServiceLocationsPath,
 		httputil.MakeInternalRPCAPI("AppserviceLocations", enableMetrics, a.Locations),
 	)
 	internalAPIMux.Handle(
 		AppServiceUserPath,
 		httputil.MakeInternalRPCAPI("AppserviceUser", enableMetrics, a.User),
 	)
 }
--- a/appservice/query/query.go
+++ b/appservice/query/query.go
@ -18,13 +18,18 @@ package query
 import (
 	"context"
 	"encoding/json"
 	"io"
 	"net/http"
 	"net/url"
 	"strings"
 	"sync"
 	"github.com/opentracing/opentracing-go"
 	log "github.com/sirupsen/logrus"
 	"github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/setup/config"
 	opentracing "github.com/opentracing/opentracing-go"
 	log "github.com/sirupsen/logrus"
 )
 const roomAliasExistsPath = "/rooms/"
@ -32,8 +37,10 @@ const userIDExistsPath = "/users/"
 // AppServiceQueryAPI is an implementation of api.AppServiceQueryAPI
 type AppServiceQueryAPI struct {
-	HTTPClient *http.Client
+	HTTPClient    *http.Client
-	Cfg        *config.AppServiceAPI
+	Cfg           *config.AppServiceAPI
 	ProtocolCache map[string]api.ASProtocolResponse
 	CacheMu       sync.Mutex
 }
 // RoomAliasExists performs a request to '/room/{roomAlias}' on all known
@ -165,3 +172,178 @@ func (a *AppServiceQueryAPI) UserIDExists(
 	response.UserIDExists = false
 	return nil
 }
 type thirdpartyResponses interface {
 	api.ASProtocolResponse | []api.ASUserResponse | []api.ASLocationResponse
 }
 func requestDo[T thirdpartyResponses](client *http.Client, url string, response *T) (err error) {
 	origURL := url
 	// try v1 and unstable appservice endpoints
 	for _, version := range []string{"v1", "unstable"} {
 		var resp *http.Response
 		var body []byte
 		asURL := strings.Replace(origURL, "unstable", version, 1)
 		resp, err = client.Get(asURL)
 		if err != nil {
 			continue
 		}
 		defer resp.Body.Close() // nolint: errcheck
 		body, err = io.ReadAll(resp.Body)
 		if err != nil {
 			continue
 		}
 		return json.Unmarshal(body, &response)
 	}
 	return err
 }
 func (a *AppServiceQueryAPI) Locations(
 	ctx context.Context,
 	req *api.LocationRequest,
 	resp *api.LocationResponse,
 ) error {
 	params, err := url.ParseQuery(req.Params)
 	if err != nil {
 		return err
 	}
 	for _, as := range a.Cfg.Derived.ApplicationServices {
 		var asLocations []api.ASLocationResponse
 		params.Set("access_token", as.HSToken)
 		url := as.URL + api.ASLocationPath
 		if req.Protocol != "" {
 			url += "/" + req.Protocol
 		}
 		if err := requestDo[[]api.ASLocationResponse](a.HTTPClient, url+"?"+params.Encode(), &asLocations); err != nil {
 			log.WithError(err).Error("unable to get 'locations' from application service")
 			continue
 		}
 		resp.Locations = append(resp.Locations, asLocations...)
 	}
 	if len(resp.Locations) == 0 {
 		resp.Exists = false
 		return nil
 	}
 	resp.Exists = true
 	return nil
 }
 func (a *AppServiceQueryAPI) User(
 	ctx context.Context,
 	req *api.UserRequest,
 	resp *api.UserResponse,
 ) error {
 	params, err := url.ParseQuery(req.Params)
 	if err != nil {
 		return err
 	}
 	for _, as := range a.Cfg.Derived.ApplicationServices {
 		var asUsers []api.ASUserResponse
 		params.Set("access_token", as.HSToken)
 		url := as.URL + api.ASUserPath
 		if req.Protocol != "" {
 			url += "/" + req.Protocol
 		}
 		if err := requestDo[[]api.ASUserResponse](a.HTTPClient, url+"?"+params.Encode(), &asUsers); err != nil {
 			log.WithError(err).Error("unable to get 'user' from application service")
 			continue
 		}
 		resp.Users = append(resp.Users, asUsers...)
 	}
 	if len(resp.Users) == 0 {
 		resp.Exists = false
 		return nil
 	}
 	resp.Exists = true
 	return nil
 }
 func (a *AppServiceQueryAPI) Protocols(
 	ctx context.Context,
 	req *api.ProtocolRequest,
 	resp *api.ProtocolResponse,
 ) error {
 	// get a single protocol response
 	if req.Protocol != "" {
 		a.CacheMu.Lock()
 		defer a.CacheMu.Unlock()
 		if proto, ok := a.ProtocolCache[req.Protocol]; ok {
 			resp.Exists = true
 			resp.Protocols = map[string]api.ASProtocolResponse{
 				req.Protocol: proto,
 			}
 			return nil
 		}
 		response := api.ASProtocolResponse{}
 		for _, as := range a.Cfg.Derived.ApplicationServices {
 			var proto api.ASProtocolResponse
 			if err := requestDo[api.ASProtocolResponse](a.HTTPClient, as.URL+api.ASProtocolPath+req.Protocol, &proto); err != nil {
 				log.WithError(err).Error("unable to get 'protocol' from application service")
 				continue
 			}
 			if len(response.Instances) != 0 {
 				response.Instances = append(response.Instances, proto.Instances...)
 			} else {
 				response = proto
 			}
 		}
 		if len(response.Instances) == 0 {
 			resp.Exists = false
 			return nil
 		}
 		resp.Exists = true
 		resp.Protocols = map[string]api.ASProtocolResponse{
 			req.Protocol: response,
 		}
 		a.ProtocolCache[req.Protocol] = response
 		return nil
 	}
 	response := make(map[string]api.ASProtocolResponse, len(a.Cfg.Derived.ApplicationServices))
 	for _, as := range a.Cfg.Derived.ApplicationServices {
 		for _, p := range as.Protocols {
 			var proto api.ASProtocolResponse
 			if err := requestDo[api.ASProtocolResponse](a.HTTPClient, as.URL+api.ASProtocolPath+p, &proto); err != nil {
 				log.WithError(err).Error("unable to get 'protocol' from application service")
 				continue
 			}
 			existing, ok := response[p]
 			if !ok {
 				response[p] = proto
 				continue
 			}
 			existing.Instances = append(existing.Instances, proto.Instances...)
 			response[p] = existing
 		}
 	}
 	if len(response) == 0 {
 		resp.Exists = false
 		return nil
 	}
 	a.CacheMu.Lock()
 	defer a.CacheMu.Unlock()
 	a.ProtocolCache = response
 	resp.Exists = true
 	resp.Protocols = response
 	return nil
 }
--- a/are-we-synapse-yet.list
+++ b/are-we-synapse-yet.list
@ -643,7 +643,7 @@ fed Inbound federation redacts events from erased users
 fme Outbound federation can request missing events 
 fme Inbound federation can return missing events for world_readable visibility 
 fme Inbound federation can return missing events for shared visibility 
-fme Inbound federation can return missing events for invite visibility 
+fme Inbound federation can return missing events for invited visibility
 fme Inbound federation can return missing events for joined visibility 
 fme outliers whose auth_events are in a different room are correctly rejected 
 fbk Outbound federation can backfill events 
--- a/build/dendritejs-pinecone/jsServer.go
+++ b/build/dendritejs-pinecone/jsServer.go
--- a/build/dendritejs-pinecone/main.go
+++ b/build/dendritejs-pinecone/main.go
@ -180,14 +180,14 @@ func startup() {
 	base := base.NewBaseDendrite(cfg, "Monolith")
 	defer base.Close() // nolint: errcheck
 	rsAPI := roomserver.NewInternalAPI(base)
 	federation := conn.CreateFederationClient(base, pSessions)
-	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation)
+	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation, rsAPI)
 	serverKeyAPI := &signing.YggdrasilKeys{}
 	keyRing := serverKeyAPI.KeyRing()
 	rsAPI := roomserver.NewInternalAPI(base)
 	userAPI := userapi.NewInternalAPI(base, &cfg.UserAPI, nil, keyAPI, rsAPI, base.PushGatewayHTTPClient())
 	keyAPI.SetUserAPI(userAPI)
--- a/build/dendritejs-pinecone/main_noop.go
+++ b/build/dendritejs-pinecone/main_noop.go
--- a/build/dendritejs-pinecone/main_test.go
+++ b/build/dendritejs-pinecone/main_test.go
--- a/build/docker/Dockerfile.demo-pinecone
+++ b/build/docker/Dockerfile.demo-pinecone
@ -1,5 +1,10 @@
 FROM docker.io/golang:1.19-alpine AS base
 #
 # Needs to be separate from the main Dockerfile for OpenShift,
 # as --target is not supported there.
 #
 RUN apk --update --no-cache add bash build-base
 WORKDIR /build
@ -12,6 +17,7 @@ RUN go build -trimpath -o bin/ ./cmd/create-account
 RUN go build -trimpath -o bin/ ./cmd/generate-keys
 FROM alpine:latest
 RUN apk --update --no-cache add curl
 LABEL org.opencontainers.image.title="Dendrite (Pinecone demo)"
 LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
 LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
--- a/build/docker/Dockerfile.demo-yggdrasil
+++ b/build/docker/Dockerfile.demo-yggdrasil
@ -1,5 +1,10 @@
 FROM docker.io/golang:1.19-alpine AS base
 #
 # Needs to be separate from the main Dockerfile for OpenShift,
 # as --target is not supported there.
 #
 RUN apk --update --no-cache add bash build-base
 WORKDIR /build
@ -7,12 +12,12 @@ WORKDIR /build
 COPY . /build
 RUN mkdir -p bin
-RUN go build -trimpath -o bin/ ./cmd/dendrite-monolith-server
+RUN go build -trimpath -o bin/ ./cmd/dendrite-demo-yggdrasil
 RUN go build -trimpath -o bin/ ./cmd/create-account
 RUN go build -trimpath -o bin/ ./cmd/generate-keys
 FROM alpine:latest
-LABEL org.opencontainers.image.title="Dendrite (Monolith)"
+LABEL org.opencontainers.image.title="Dendrite (Yggdrasil demo)"
 LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
 LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
@ -22,4 +27,4 @@ COPY --from=base /build/bin/* /usr/bin/
 VOLUME /etc/dendrite
 WORKDIR /etc/dendrite
-ENTRYPOINT ["/usr/bin/dendrite-monolith-server"]
+ENTRYPOINT ["/usr/bin/dendrite-demo-yggdrasil"]
--- a/build/docker/Dockerfile.polylith
+++ b/build/docker/Dockerfile.polylith
@ -1,25 +0,0 @@
 FROM docker.io/golang:1.19-alpine AS base
 RUN apk --update --no-cache add bash build-base
 WORKDIR /build
 COPY . /build
 RUN mkdir -p bin
 RUN go build -trimpath -o bin/ ./cmd/dendrite-polylith-multi
 RUN go build -trimpath -o bin/ ./cmd/create-account
 RUN go build -trimpath -o bin/ ./cmd/generate-keys
 FROM alpine:latest
 LABEL org.opencontainers.image.title="Dendrite (Polylith)"
 LABEL org.opencontainers.image.description="Next-generation Matrix homeserver written in Go"
 LABEL org.opencontainers.image.source="https://github.com/matrix-org/dendrite"
 LABEL org.opencontainers.image.licenses="Apache-2.0"
 COPY --from=base /build/bin/* /usr/bin/
 VOLUME /etc/dendrite
 WORKDIR /etc/dendrite
 ENTRYPOINT ["/usr/bin/dendrite-polylith-multi"]
--- a/build/docker/README.md
+++ b/build/docker/README.md
@ -9,15 +9,20 @@ They can be found on Docker Hub:
 ## Dockerfiles
-The `Dockerfile` builds the base image which contains all of the Dendrite
+The `Dockerfile` is a multistage file which can build all four Dendrite
-components. The `Dockerfile.component` file takes the given component, as
+images depending on the supplied `--target`. From the root of the Dendrite
-specified with `--buildarg component=` from the base image and produce
+repository, run:
-smaller component-specific images, which are substantially smaller and do
+
-not contain the Go toolchain etc.
+```
 docker build . --target monolith -t matrixdotorg/dendrite-monolith
 docker build . --target polylith -t matrixdotorg/dendrite-monolith
 docker build . --target demo-pinecone -t matrixdotorg/dendrite-demo-pinecone
 docker build . --target demo-yggdrasil -t matrixdotorg/dendrite-demo-yggdrasil
 ```
 ## Compose files
-There are three sample `docker-compose` files:
+There are two sample `docker-compose` files:
 - `docker-compose.monolith.yml` which runs a monolith Dendrite deployment
 - `docker-compose.polylith.yml` which runs a polylith Dendrite deployment
--- a/build/docker/images-build.sh
+++ b/build/docker/images-build.sh
@ -6,5 +6,7 @@ TAG=${1:-latest}
 echo "Building tag '${TAG}'"
-docker build -t matrixdotorg/dendrite-monolith:${TAG}  -f build/docker/Dockerfile.monolith .
+docker build . --target monolith -t matrixdotorg/dendrite-monolith:${TAG}
-docker build -t matrixdotorg/dendrite-polylith:${TAG}  -f build/docker/Dockerfile.polylith .
+docker build . --target polylith -t matrixdotorg/dendrite-monolith:${TAG}
 docker build . --target demo-pinecone -t matrixdotorg/dendrite-demo-pinecone:${TAG}
 docker build . --target demo-yggdrasil -t matrixdotorg/dendrite-demo-yggdrasil:${TAG}
--- a/build/gobind-pinecone/monolith.go
+++ b/build/gobind-pinecone/monolith.go
@ -40,6 +40,7 @@ import (
 	"github.com/matrix-org/dendrite/cmd/dendrite-demo-pinecone/users"
 	"github.com/matrix-org/dendrite/cmd/dendrite-demo-yggdrasil/signing"
 	"github.com/matrix-org/dendrite/federationapi"
 	"github.com/matrix-org/dendrite/federationapi/api"
 	"github.com/matrix-org/dendrite/internal/httputil"
 	"github.com/matrix-org/dendrite/keyserver"
 	"github.com/matrix-org/dendrite/roomserver"
@ -58,6 +59,7 @@ import (
 	pineconeConnections "github.com/matrix-org/pinecone/connections"
 	pineconeMulticast "github.com/matrix-org/pinecone/multicast"
 	pineconeRouter "github.com/matrix-org/pinecone/router"
 	pineconeEvents "github.com/matrix-org/pinecone/router/events"
 	pineconeSessions "github.com/matrix-org/pinecone/sessions"
 	"github.com/matrix-org/pinecone/types"
@ -101,18 +103,46 @@ func (m *DendriteMonolith) SessionCount() int {
 	return len(m.PineconeQUIC.Protocol("matrix").Sessions())
 }
-func (m *DendriteMonolith) RegisterNetworkInterface(name string, index int, mtu int, up bool, broadcast bool, loopback bool, pointToPoint bool, multicast bool, addrs string) {
+type InterfaceInfo struct {
-	m.PineconeMulticast.RegisterInterface(pineconeMulticast.InterfaceInfo{
+	Name         string
-		Name:         name,
+	Index        int
-		Index:        index,
+	Mtu          int
-		Mtu:          mtu,
+	Up           bool
-		Up:           up,
+	Broadcast    bool
-		Broadcast:    broadcast,
+	Loopback     bool
-		Loopback:     loopback,
+	PointToPoint bool
-		PointToPoint: pointToPoint,
+	Multicast    bool
-		Multicast:    multicast,
+	Addrs        string
-		Addrs:        addrs,
+}
-	})
+
 type InterfaceRetriever interface {
 	CacheCurrentInterfaces() int
 	GetCachedInterface(index int) *InterfaceInfo
 }
 func (m *DendriteMonolith) RegisterNetworkCallback(intfCallback InterfaceRetriever) {
 	callback := func() []pineconeMulticast.InterfaceInfo {
 		count := intfCallback.CacheCurrentInterfaces()
 		intfs := []pineconeMulticast.InterfaceInfo{}
 		for i := 0; i < count; i++ {
 			iface := intfCallback.GetCachedInterface(i)
 			if iface != nil {
 				intfs = append(intfs, pineconeMulticast.InterfaceInfo{
 					Name:         iface.Name,
 					Index:        iface.Index,
 					Mtu:          iface.Mtu,
 					Up:           iface.Up,
 					Broadcast:    iface.Broadcast,
 					Loopback:     iface.Loopback,
 					PointToPoint: iface.PointToPoint,
 					Multicast:    iface.Multicast,
 					Addrs:        iface.Addrs,
 				})
 			}
 		}
 		return intfs
 	}
 	m.PineconeMulticast.RegisterNetworkCallback(callback)
 }
 func (m *DendriteMonolith) SetMulticastEnabled(enabled bool) {
@ -267,7 +297,12 @@ func (m *DendriteMonolith) Start() {
 	m.logger.SetOutput(BindLogger{})
 	logrus.SetOutput(BindLogger{})
 	pineconeEventChannel := make(chan pineconeEvents.Event)
 	m.PineconeRouter = pineconeRouter.NewRouter(logrus.WithField("pinecone", "router"), sk)
 	m.PineconeRouter.EnableHopLimiting()
 	m.PineconeRouter.EnableWakeupBroadcasts()
 	m.PineconeRouter.Subscribe(pineconeEventChannel)
 	m.PineconeQUIC = pineconeSessions.NewSessions(logrus.WithField("pinecone", "sessions"), m.PineconeRouter, []string{"matrix"})
 	m.PineconeMulticast = pineconeMulticast.NewMulticast(logrus.WithField("pinecone", "multicast"), m.PineconeRouter)
 	m.PineconeManager = pineconeConnections.NewConnectionManager(m.PineconeRouter, nil)
@ -301,6 +336,7 @@ func (m *DendriteMonolith) Start() {
 	}
 	base := base.NewBaseDendrite(cfg, "Monolith")
 	base.ConfigureAdminEndpoints()
 	defer base.Close() // nolint: errcheck
 	federation := conn.CreateFederationClient(base, m.PineconeQUIC)
@ -314,7 +350,7 @@ func (m *DendriteMonolith) Start() {
 		base, federation, rsAPI, base.Caches, keyRing, true,
 	)
-	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI)
+	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI, rsAPI)
 	m.userAPI = userapi.NewInternalAPI(base, &cfg.UserAPI, cfg.Derived.ApplicationServices, keyAPI, rsAPI, base.PushGatewayHTTPClient())
 	keyAPI.SetUserAPI(m.userAPI)
@ -347,6 +383,8 @@ func (m *DendriteMonolith) Start() {
 	httpRouter.PathPrefix(httputil.InternalPathPrefix).Handler(base.InternalAPIMux)
 	httpRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(base.PublicClientAPIMux)
 	httpRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(base.PublicMediaAPIMux)
 	httpRouter.PathPrefix(httputil.DendriteAdminPathPrefix).Handler(base.DendriteAdminMux)
 	httpRouter.PathPrefix(httputil.SynapseAdminPathPrefix).Handler(base.SynapseAdminMux)
 	httpRouter.HandleFunc("/pinecone", m.PineconeRouter.ManholeHandler)
 	pMux := mux.NewRouter().SkipClean(true).UseEncodedPath()
@ -395,6 +433,34 @@ func (m *DendriteMonolith) Start() {
 			m.logger.Fatal(err)
 		}
 	}()
 	go func(ch <-chan pineconeEvents.Event) {
 		eLog := logrus.WithField("pinecone", "events")
 		for event := range ch {
 			switch e := event.(type) {
 			case pineconeEvents.PeerAdded:
 			case pineconeEvents.PeerRemoved:
 			case pineconeEvents.TreeParentUpdate:
 			case pineconeEvents.SnakeDescUpdate:
 			case pineconeEvents.TreeRootAnnUpdate:
 			case pineconeEvents.SnakeEntryAdded:
 			case pineconeEvents.SnakeEntryRemoved:
 			case pineconeEvents.BroadcastReceived:
 				eLog.Info("Broadcast received from: ", e.PeerID)
 				req := &api.PerformWakeupServersRequest{
 					ServerNames: []gomatrixserverlib.ServerName{gomatrixserverlib.ServerName(e.PeerID)},
 				}
 				res := &api.PerformWakeupServersResponse{}
 				if err := fsAPI.PerformWakeupServers(base.Context(), req, res); err != nil {
 					logrus.WithError(err).Error("Failed to wakeup destination", e.PeerID)
 				}
 			case pineconeEvents.BandwidthReport:
 			default:
 			}
 		}
 	}(pineconeEventChannel)
 }
 func (m *DendriteMonolith) Stop() {
--- a/build/gobind-yggdrasil/monolith.go
+++ b/build/gobind-yggdrasil/monolith.go
@ -150,6 +150,7 @@ func (m *DendriteMonolith) Start() {
 	}
 	base := base.NewBaseDendrite(cfg, "Monolith")
 	base.ConfigureAdminEndpoints()
 	m.processContext = base.ProcessContext
 	defer base.Close() // nolint: errcheck
@ -164,7 +165,7 @@ func (m *DendriteMonolith) Start() {
 		base, federation, rsAPI, base.Caches, keyRing, true,
 	)
-	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation)
+	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation, rsAPI)
 	userAPI := userapi.NewInternalAPI(base, &cfg.UserAPI, cfg.Derived.ApplicationServices, keyAPI, rsAPI, base.PushGatewayHTTPClient())
 	keyAPI.SetUserAPI(userAPI)
@ -196,6 +197,8 @@ func (m *DendriteMonolith) Start() {
 	httpRouter.PathPrefix(httputil.InternalPathPrefix).Handler(base.InternalAPIMux)
 	httpRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(base.PublicClientAPIMux)
 	httpRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(base.PublicMediaAPIMux)
 	httpRouter.PathPrefix(httputil.DendriteAdminPathPrefix).Handler(base.DendriteAdminMux)
 	httpRouter.PathPrefix(httputil.SynapseAdminPathPrefix).Handler(base.SynapseAdminMux)
 	yggRouter := mux.NewRouter()
 	yggRouter.PathPrefix(httputil.PublicFederationPathPrefix).Handler(base.PublicFederationAPIMux)
--- a/build/scripts/Complement.Dockerfile
+++ b/build/scripts/Complement.Dockerfile
@ -10,18 +10,22 @@ RUN mkdir /dendrite
 # Utilise Docker caching when downloading dependencies, this stops us needlessly
 # downloading dependencies every time.
 ARG CGO
 RUN --mount=target=. \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /dendrite ./cmd/generate-config && \
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/generate-config && \
-    go build -o /dendrite ./cmd/generate-keys && \
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/generate-keys && \
-    go build -o /dendrite ./cmd/dendrite-monolith-server
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/dendrite-monolith-server && \
    CGO_ENABLED=${CGO} go test -c -cover -covermode=atomic -o /dendrite/dendrite-monolith-server-cover -coverpkg "github.com/matrix-org/..." ./cmd/dendrite-monolith-server && \
    cp build/scripts/complement-cmd.sh /complement-cmd.sh
 WORKDIR /dendrite
 RUN ./generate-keys --private-key matrix_key.pem
 ENV SERVER_NAME=localhost
 ENV API=0
 ENV COVER=0
 EXPOSE 8008 8448
 # At runtime, generate TLS cert based on the CA now mounted at /ca
@ -29,4 +33,4 @@ EXPOSE 8008 8448
 CMD ./generate-keys -keysize 1024 --server $SERVER_NAME --tls-cert server.crt --tls-key server.key --tls-authority-cert /complement/ca/ca.crt --tls-authority-key /complement/ca/ca.key && \
    ./generate-config -server $SERVER_NAME --ci > dendrite.yaml && \
    cp /complement/ca/ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates && \
-    exec ./dendrite-monolith-server --really-enable-open-registration --tls-cert server.crt --tls-key server.key --config dendrite.yaml -api=${API:-0}
+    exec /complement-cmd.sh
--- a/build/scripts/ComplementLocal.Dockerfile
+++ b/build/scripts/ComplementLocal.Dockerfile
@ -12,18 +12,20 @@ FROM golang:1.18-stretch
 RUN apt-get update && apt-get install -y sqlite3
 ENV SERVER_NAME=localhost
 ENV COVER=0
 EXPOSE 8008 8448
 WORKDIR /runtime
 # This script compiles Dendrite for us.
 RUN echo '\
    #!/bin/bash -eux \n\
-    if test -f "/runtime/dendrite-monolith-server"; then \n\
+    if test -f "/runtime/dendrite-monolith-server" && test -f "/runtime/dendrite-monolith-server-cover"; then \n\
    echo "Skipping compilation; binaries exist" \n\
    exit 0 \n\
    fi \n\
    cd /dendrite \n\
    go build -v -o /runtime /dendrite/cmd/dendrite-monolith-server \n\
    go test -c -cover -covermode=atomic -o /runtime/dendrite-monolith-server-cover -coverpkg "github.com/matrix-org/..." /dendrite/cmd/dendrite-monolith-server \n\
    ' > compile.sh && chmod +x compile.sh
 # This script runs Dendrite for us. Must be run in the /runtime directory.
@ -33,6 +35,7 @@ RUN echo '\
    ./generate-keys -keysize 1024 --server $SERVER_NAME --tls-cert server.crt --tls-key server.key --tls-authority-cert /complement/ca/ca.crt --tls-authority-key /complement/ca/ca.key \n\
    ./generate-config -server $SERVER_NAME --ci > dendrite.yaml \n\
    cp /complement/ca/ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates \n\
    [ ${COVER} -eq 1 ] && exec ./dendrite-monolith-server-cover --test.coverprofile=integrationcover.log --really-enable-open-registration --tls-cert server.crt --tls-key server.key --config dendrite.yaml \n\
    exec ./dendrite-monolith-server --really-enable-open-registration --tls-cert server.crt --tls-key server.key --config dendrite.yaml \n\
    ' > run.sh && chmod +x run.sh
--- a/build/scripts/ComplementPostgres.Dockerfile
+++ b/build/scripts/ComplementPostgres.Dockerfile
@ -28,18 +28,22 @@ RUN mkdir /dendrite
 # Utilise Docker caching when downloading dependencies, this stops us needlessly
 # downloading dependencies every time.
 ARG CGO
 RUN --mount=target=. \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
-    go build -o /dendrite ./cmd/generate-config && \
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/generate-config && \
-    go build -o /dendrite ./cmd/generate-keys && \
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/generate-keys && \
-    go build -o /dendrite ./cmd/dendrite-monolith-server
+    CGO_ENABLED=${CGO} go build -o /dendrite ./cmd/dendrite-monolith-server && \
    CGO_ENABLED=${CGO} go test -c -cover -covermode=atomic -o /dendrite/dendrite-monolith-server-cover -coverpkg "github.com/matrix-org/..." ./cmd/dendrite-monolith-server && \
    cp build/scripts/complement-cmd.sh /complement-cmd.sh
 WORKDIR /dendrite
 RUN ./generate-keys --private-key matrix_key.pem
 ENV SERVER_NAME=localhost
 ENV API=0
 ENV COVER=0
 EXPOSE 8008 8448
@ -50,4 +54,4 @@ CMD /build/run_postgres.sh && ./generate-keys --keysize 1024 --server $SERVER_NA
    # Bump max_open_conns up here in the global database config
    sed -i 's/max_open_conns:.*$/max_open_conns: 1990/g' dendrite.yaml && \
    cp /complement/ca/ca.crt /usr/local/share/ca-certificates/ && update-ca-certificates && \
-    exec ./dendrite-monolith-server --really-enable-open-registration --tls-cert server.crt --tls-key server.key --config dendrite.yaml -api=${API:-0}
+    exec /complement-cmd.sh
--- a/build/scripts/complement-cmd.sh
+++ b/build/scripts/complement-cmd.sh
@ -0,0 +1,22 @@
 #!/bin/bash -e
 # This script is intended to be used inside a docker container for Complement
 if [[ "${COVER}" -eq 1 ]]; then
  echo "Running with coverage"
  exec /dendrite/dendrite-monolith-server-cover \
    --really-enable-open-registration \
    --tls-cert server.crt \
    --tls-key server.key \
    --config dendrite.yaml \
    -api=${API:-0} \
    --test.coverprofile=integrationcover.log
 else
  echo "Not running with coverage"
  exec /dendrite/dendrite-monolith-server \
    --really-enable-open-registration \
    --tls-cert server.crt \
    --tls-key server.key \
    --config dendrite.yaml \
    -api=${API:-0}
 fi
--- a/clientapi/admin_test.go
+++ b/clientapi/admin_test.go
@ -0,0 +1,134 @@
 package clientapi
 import (
 	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/keyserver"
 	"github.com/matrix-org/dendrite/roomserver"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 	"github.com/tidwall/gjson"
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/test/testrig"
 	"github.com/matrix-org/dendrite/userapi"
 	uapi "github.com/matrix-org/dendrite/userapi/api"
 )
 func TestAdminResetPassword(t *testing.T) {
 	aliceAdmin := test.NewUser(t, test.WithAccountType(uapi.AccountTypeAdmin))
 	bob := test.NewUser(t, test.WithAccountType(uapi.AccountTypeUser))
 	vhUser := &test.User{ID: "@vhuser:vh1"}
 	ctx := context.Background()
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
 		base, baseClose := testrig.CreateBaseDendrite(t, dbType)
 		defer baseClose()
 		// add a vhost
 		base.Cfg.Global.VirtualHosts = append(base.Cfg.Global.VirtualHosts, &config.VirtualHost{
 			SigningIdentity: gomatrixserverlib.SigningIdentity{ServerName: "vh1"},
 		})
 		rsAPI := roomserver.NewInternalAPI(base)
 		// Needed for changing the password/login
 		keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, nil, rsAPI)
 		userAPI := userapi.NewInternalAPI(base, &base.Cfg.UserAPI, nil, keyAPI, rsAPI, nil)
 		keyAPI.SetUserAPI(userAPI)
 		// We mostly need the userAPI for this test, so nil for other APIs/caches etc.
 		AddPublicRoutes(base, nil, nil, nil, nil, nil, userAPI, nil, nil, nil)
 		// Create the users in the userapi and login
 		accessTokens := map[*test.User]string{
 			aliceAdmin: "",
 			bob:        "",
 			vhUser:     "",
 		}
 		for u := range accessTokens {
 			localpart, serverName, _ := gomatrixserverlib.SplitID('@', u.ID)
 			userRes := &uapi.PerformAccountCreationResponse{}
 			password := util.RandomString(8)
 			if err := userAPI.PerformAccountCreation(ctx, &uapi.PerformAccountCreationRequest{
 				AccountType: u.AccountType,
 				Localpart:   localpart,
 				ServerName:  serverName,
 				Password:    password,
 			}, userRes); err != nil {
 				t.Errorf("failed to create account: %s", err)
 			}
 			req := test.NewRequest(t, http.MethodPost, "/_matrix/client/v3/login", test.WithJSONBody(t, map[string]interface{}{
 				"type": authtypes.LoginTypePassword,
 				"identifier": map[string]interface{}{
 					"type": "m.id.user",
 					"user": u.ID,
 				},
 				"password": password,
 			}))
 			rec := httptest.NewRecorder()
 			base.PublicClientAPIMux.ServeHTTP(rec, req)
 			if rec.Code != http.StatusOK {
 				t.Fatalf("failed to login: %s", rec.Body.String())
 			}
 			accessTokens[u] = gjson.GetBytes(rec.Body.Bytes(), "access_token").String()
 		}
 		testCases := []struct {
 			name           string
 			requestingUser *test.User
 			userID         string
 			requestOpt     test.HTTPRequestOpt
 			wantOK         bool
 			withHeader     bool
 		}{
 			{name: "Missing auth", requestingUser: bob, wantOK: false, userID: bob.ID},
 			{name: "Bob is denied access", requestingUser: bob, wantOK: false, withHeader: true, userID: bob.ID},
 			{name: "Alice is allowed access", requestingUser: aliceAdmin, wantOK: true, withHeader: true, userID: bob.ID, requestOpt: test.WithJSONBody(t, map[string]interface{}{
 				"password": util.RandomString(8),
 			})},
 			{name: "missing userID does not call function", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: ""}, // this 404s
 			{name: "rejects empty password", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: bob.ID, requestOpt: test.WithJSONBody(t, map[string]interface{}{
 				"password": "",
 			})},
 			{name: "rejects unknown server name", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: "@doesnotexist:localhost", requestOpt: test.WithJSONBody(t, map[string]interface{}{})},
 			{name: "rejects unknown user", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: "@doesnotexist:test", requestOpt: test.WithJSONBody(t, map[string]interface{}{})},
 			{name: "allows changing password for different vhost", requestingUser: aliceAdmin, wantOK: true, withHeader: true, userID: vhUser.ID, requestOpt: test.WithJSONBody(t, map[string]interface{}{
 				"password": util.RandomString(8),
 			})},
 			{name: "rejects existing user, missing body", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: bob.ID},
 			{name: "rejects invalid userID", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: "!notauserid:test", requestOpt: test.WithJSONBody(t, map[string]interface{}{})},
 			{name: "rejects invalid json", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: bob.ID, requestOpt: test.WithJSONBody(t, `{invalidJSON}`)},
 			{name: "rejects too weak password", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: bob.ID, requestOpt: test.WithJSONBody(t, map[string]interface{}{
 				"password": util.RandomString(6),
 			})},
 			{name: "rejects too long password", requestingUser: aliceAdmin, wantOK: false, withHeader: true, userID: bob.ID, requestOpt: test.WithJSONBody(t, map[string]interface{}{
 				"password": util.RandomString(513),
 			})},
 		}
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				req := test.NewRequest(t, http.MethodPost, "/_dendrite/admin/resetPassword/"+tc.userID)
 				if tc.requestOpt != nil {
 					req = test.NewRequest(t, http.MethodPost, "/_dendrite/admin/resetPassword/"+tc.userID, tc.requestOpt)
 				}
 				if tc.withHeader {
 					req.Header.Set("Authorization", "Bearer "+accessTokens[tc.requestingUser])
 				}
 				rec := httptest.NewRecorder()
 				base.DendriteAdminMux.ServeHTTP(rec, req)
 				t.Logf("%s", rec.Body.String())
 				if tc.wantOK && rec.Code != http.StatusOK {
 					t.Fatalf("expected http status %d, got %d: %s", http.StatusOK, rec.Code, rec.Body.String())
 				}
 			})
 		}
 	})
 }
--- a/clientapi/auth/login_test.go
+++ b/clientapi/auth/login_test.go
@ -24,6 +24,7 @@ import (
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/setup/config"
 	uapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 )
@ -66,7 +67,9 @@ func TestLoginFromJSONReader(t *testing.T) {
 			var userAPI fakeUserInternalAPI
 			cfg := &config.ClientAPI{
 				Matrix: &config.Global{
-					ServerName: serverName,
+					SigningIdentity: gomatrixserverlib.SigningIdentity{
 						ServerName: serverName,
 					},
 				},
 			}
 			login, cleanup, err := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
@ -144,7 +147,9 @@ func TestBadLoginFromJSONReader(t *testing.T) {
 			var userAPI fakeUserInternalAPI
 			cfg := &config.ClientAPI{
 				Matrix: &config.Global{
-					ServerName: serverName,
+					SigningIdentity: gomatrixserverlib.SigningIdentity{
 						ServerName: serverName,
 					},
 				},
 			}
 			_, cleanup, errRes := LoginFromJSONReader(ctx, strings.NewReader(tst.Body), &userAPI, &userAPI, cfg)
--- a/clientapi/auth/password.go
+++ b/clientapi/auth/password.go
@ -61,39 +61,56 @@ func (t *LoginTypePassword) LoginFromJSON(ctx context.Context, reqBytes []byte)
 func (t *LoginTypePassword) Login(ctx context.Context, req interface{}) (*Login, *util.JSONResponse) {
 	r := req.(*PasswordRequest)
-	username := strings.ToLower(r.Username())
+	username := r.Username()
 	if username == "" {
 		return nil, &util.JSONResponse{
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.BadJSON("A username must be supplied."),
 		}
 	}
-	localpart, err := userutil.ParseUsernameParam(username, &t.Config.Matrix.ServerName)
+	if len(r.Password) == 0 {
 		return nil, &util.JSONResponse{
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.BadJSON("A password must be supplied."),
 		}
 	}
 	localpart, domain, err := userutil.ParseUsernameParam(username, t.Config.Matrix)
 	if err != nil {
 		return nil, &util.JSONResponse{
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.InvalidUsername(err.Error()),
 		}
 	}
 	if !t.Config.Matrix.IsLocalServerName(domain) {
 		return nil, &util.JSONResponse{
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.InvalidUsername("The server name is not known."),
 		}
 	}
 	// Squash username to all lowercase letters
 	res := &api.QueryAccountByPasswordResponse{}
-	err = t.GetAccountByPassword(ctx, &api.QueryAccountByPasswordRequest{Localpart: strings.ToLower(localpart), PlaintextPassword: r.Password}, res)
+	err = t.GetAccountByPassword(ctx, &api.QueryAccountByPasswordRequest{
 		Localpart:         strings.ToLower(localpart),
 		ServerName:        domain,
 		PlaintextPassword: r.Password,
 	}, res)
 	if err != nil {
 		return nil, &util.JSONResponse{
 			Code: http.StatusInternalServerError,
-			JSON: jsonerror.Unknown("unable to fetch account by password"),
+			JSON: jsonerror.Unknown("Unable to fetch account by password."),
 		}
 	}
 	if !res.Exists {
 		err = t.GetAccountByPassword(ctx, &api.QueryAccountByPasswordRequest{
 			Localpart:         localpart,
 			ServerName:        domain,
 			PlaintextPassword: r.Password,
 		}, res)
 		if err != nil {
 			return nil, &util.JSONResponse{
 				Code: http.StatusInternalServerError,
-				JSON: jsonerror.Unknown("unable to fetch account by password"),
+				JSON: jsonerror.Unknown("Unable to fetch account by password."),
 			}
 		}
 		// Technically we could tell them if the user does not exist by checking if err == sql.ErrNoRows
--- a/clientapi/auth/user_interactive_test.go
+++ b/clientapi/auth/user_interactive_test.go
@ -47,7 +47,9 @@ func (d *fakeAccountDatabase) QueryAccountByPassword(ctx context.Context, req *a
 func setup() *UserInteractive {
 	cfg := &config.ClientAPI{
 		Matrix: &config.Global{
-			ServerName: serverName,
+			SigningIdentity: gomatrixserverlib.SigningIdentity{
 				ServerName: serverName,
 			},
 		},
 	}
 	return NewUserInteractive(&fakeAccountDatabase{}, cfg)
--- a/clientapi/clientapi.go
+++ b/clientapi/clientapi.go
@ -15,6 +15,8 @@
 package clientapi
 import (
 	"github.com/matrix-org/gomatrixserverlib"
 	appserviceAPI "github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/clientapi/api"
 	"github.com/matrix-org/dendrite/clientapi/producers"
@ -26,7 +28,6 @@ import (
 	"github.com/matrix-org/dendrite/setup/base"
 	"github.com/matrix-org/dendrite/setup/jetstream"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 )
 // AddPublicRoutes sets up and registers HTTP handlers for the ClientAPI component.
@ -57,10 +58,7 @@ func AddPublicRoutes(
 	}
 	routing.Setup(
-		base.PublicClientAPIMux,
+		base,
 		base.PublicWellKnownAPIMux,
 		base.SynapseAdminMux,
 		base.DendriteAdminMux,
 		cfg, rsAPI, asAPI,
 		userAPI, userDirectoryProvider, federation,
 		syncProducer, transactionsCache, fsAPI, keyAPI,
--- a/clientapi/routing/account_data.go
+++ b/clientapi/routing/account_data.go
@ -154,33 +154,31 @@ func SaveReadMarker(
 		return *resErr
 	}
-	if r.FullyRead == "" {
+	if r.FullyRead != "" {
-		return util.JSONResponse{
+		data, err := json.Marshal(fullyReadEvent{EventID: r.FullyRead})
-			Code: http.StatusBadRequest,
+		if err != nil {
-			JSON: jsonerror.BadJSON("Missing m.fully_read mandatory field"),
+			return jsonerror.InternalServerError()
 		}
 		dataReq := api.InputAccountDataRequest{
 			UserID:      device.UserID,
 			DataType:    "m.fully_read",
 			RoomID:      roomID,
 			AccountData: data,
 		}
 		dataRes := api.InputAccountDataResponse{}
 		if err := userAPI.InputAccountData(req.Context(), &dataReq, &dataRes); err != nil {
 			util.GetLogger(req.Context()).WithError(err).Error("userAPI.InputAccountData failed")
 			return util.ErrorResponse(err)
 		}
 	}
-	data, err := json.Marshal(fullyReadEvent{EventID: r.FullyRead})
+	// Handle the read receipts that may be included in the read marker.
 	if err != nil {
 		return jsonerror.InternalServerError()
 	}
 	dataReq := api.InputAccountDataRequest{
 		UserID:      device.UserID,
 		DataType:    "m.fully_read",
 		RoomID:      roomID,
 		AccountData: data,
 	}
 	dataRes := api.InputAccountDataResponse{}
 	if err := userAPI.InputAccountData(req.Context(), &dataReq, &dataRes); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("userAPI.InputAccountData failed")
 		return util.ErrorResponse(err)
 	}
 	// Handle the read receipt that may be included in the read marker
 	if r.Read != "" {
-		return SetReceipt(req, syncProducer, device, roomID, "m.read", r.Read)
+		return SetReceipt(req, userAPI, syncProducer, device, roomID, "m.read", r.Read)
 	}
 	if r.ReadPrivate != "" {
 		return SetReceipt(req, userAPI, syncProducer, device, roomID, "m.read.private", r.ReadPrivate)
 	}
 	return util.JSONResponse{
--- a/clientapi/routing/admin.go
+++ b/clientapi/routing/admin.go
@ -7,6 +7,7 @@ import (
 	"time"
 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 	"github.com/nats-io/nats.go"
@ -70,7 +71,7 @@ func AdminEvacuateUser(req *http.Request, cfg *config.ClientAPI, device *userapi
 	if err != nil {
 		return util.MessageResponse(http.StatusBadRequest, err.Error())
 	}
-	if domain != cfg.Matrix.ServerName {
+	if !cfg.Matrix.IsLocalServerName(domain) {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.MissingArgument("User ID must belong to this server."),
@ -98,21 +99,45 @@ func AdminEvacuateUser(req *http.Request, cfg *config.ClientAPI, device *userapi
 }
 func AdminResetPassword(req *http.Request, cfg *config.ClientAPI, device *userapi.Device, userAPI userapi.ClientUserAPI) util.JSONResponse {
 	if req.Body == nil {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.Unknown("Missing request body"),
 		}
 	}
 	vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 	if err != nil {
 		return util.ErrorResponse(err)
 	}
-	localpart, ok := vars["localpart"]
+	var localpart string
-	if !ok {
+	userID := vars["userID"]
 	localpart, serverName, err := cfg.Matrix.SplitLocalID('@', userID)
 	if err != nil {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
-			JSON: jsonerror.MissingArgument("Expecting user localpart."),
+			JSON: jsonerror.InvalidArgumentValue(err.Error()),
 		}
 	}
 	accAvailableResp := &userapi.QueryAccountAvailabilityResponse{}
 	if err = userAPI.QueryAccountAvailability(req.Context(), &userapi.QueryAccountAvailabilityRequest{
 		Localpart:  localpart,
 		ServerName: serverName,
 	}, accAvailableResp); err != nil {
 		return util.JSONResponse{
 			Code: http.StatusInternalServerError,
 			JSON: jsonerror.InternalAPIError(req.Context(), err),
 		}
 	}
 	if accAvailableResp.Available {
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.Unknown("User does not exist"),
 		}
 	}
 	request := struct {
 		Password string `json:"password"`
 	}{}
-	if err := json.NewDecoder(req.Body).Decode(&request); err != nil {
+	if err = json.NewDecoder(req.Body).Decode(&request); err != nil {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.Unknown("Failed to decode request body: " + err.Error()),
@ -124,8 +149,14 @@ func AdminResetPassword(req *http.Request, cfg *config.ClientAPI, device *userap
 			JSON: jsonerror.MissingArgument("Expecting non-empty password."),
 		}
 	}
 	if err = internal.ValidatePassword(request.Password); err != nil {
 		return *internal.PasswordResponse(err)
 	}
 	updateReq := &userapi.PerformPasswordUpdateRequest{
 		Localpart:     localpart,
 		ServerName:    serverName,
 		Password:      request.Password,
 		LogoutDevices: true,
 	}
@ -169,7 +200,7 @@ func AdminMarkAsStale(req *http.Request, cfg *config.ClientAPI, keyAPI api.Clien
 	if err != nil {
 		return util.MessageResponse(http.StatusBadRequest, err.Error())
 	}
-	if domain == cfg.Matrix.ServerName {
+	if cfg.Matrix.IsLocalServerName(domain) {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidParam("Can not mark local device list as stale"),
@ -191,3 +222,43 @@ func AdminMarkAsStale(req *http.Request, cfg *config.ClientAPI, keyAPI api.Clien
 		JSON: struct{}{},
 	}
 }
 func AdminDownloadState(req *http.Request, cfg *config.ClientAPI, device *userapi.Device, rsAPI roomserverAPI.ClientRoomserverAPI) util.JSONResponse {
 	vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 	if err != nil {
 		return util.ErrorResponse(err)
 	}
 	roomID, ok := vars["roomID"]
 	if !ok {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.MissingArgument("Expecting room ID."),
 		}
 	}
 	serverName, ok := vars["serverName"]
 	if !ok {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.MissingArgument("Expecting remote server name."),
 		}
 	}
 	res := &roomserverAPI.PerformAdminDownloadStateResponse{}
 	if err := rsAPI.PerformAdminDownloadState(
 		req.Context(),
 		&roomserverAPI.PerformAdminDownloadStateRequest{
 			UserID:     device.UserID,
 			RoomID:     roomID,
 			ServerName: gomatrixserverlib.ServerName(serverName),
 		},
 		res,
 	); err != nil {
 		return jsonerror.InternalAPIError(req.Context(), err)
 	}
 	if err := res.Error; err != nil {
 		return err.JSONResponse()
 	}
 	return util.JSONResponse{
 		Code: 200,
 		JSON: map[string]interface{}{},
 	}
 }
--- a/clientapi/routing/auth_fallback.go
+++ b/clientapi/routing/auth_fallback.go
@ -15,11 +15,11 @@
 package routing
 import (
 	"fmt"
 	"html/template"
 	"net/http"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/util"
 )
@ -31,8 +31,7 @@ const recaptchaTemplate = `
 <title>Authentication</title>
 <meta name='viewport' content='width=device-width, initial-scale=1,
    user-scalable=no, minimum-scale=1.0, maximum-scale=1.0'>
-<script src="https://www.google.com/recaptcha/api.js"
+<script src="{{.apiJsUrl}}" async defer></script>
    async defer></script>
 <script src="//code.jquery.com/jquery-1.11.2.min.js"></script>
 <script>
 function captchaDone() {
@ -51,8 +50,8 @@ function captchaDone() {
        Please verify that you're not a robot.
        </p>
 		<input type="hidden" name="session" value="{{.session}}" />
-        <div class="g-recaptcha"
+        <div class="{{.sitekeyClass}}"
-            data-sitekey="{{.siteKey}}"
+            data-sitekey="{{.sitekey}}"
            data-callback="captchaDone">
        </div>
        <noscript>
@ -102,21 +101,38 @@ func serveTemplate(w http.ResponseWriter, templateHTML string, data map[string]s
 func AuthFallback(
 	w http.ResponseWriter, req *http.Request, authType string,
 	cfg *config.ClientAPI,
-) *util.JSONResponse {
+) {
-	sessionID := req.URL.Query().Get("session")
+	// We currently only support "m.login.recaptcha", so fail early if that's not requested
 	if authType == authtypes.LoginTypeRecaptcha {
 		if !cfg.RecaptchaEnabled {
 			writeHTTPMessage(w, req,
 				"Recaptcha login is disabled on this Homeserver",
 				http.StatusBadRequest,
 			)
 			return
 		}
 	} else {
 		writeHTTPMessage(w, req, fmt.Sprintf("Unknown authtype %q", authType), http.StatusNotImplemented)
 		return
 	}
 	sessionID := req.URL.Query().Get("session")
 	if sessionID == "" {
-		return writeHTTPMessage(w, req,
+		writeHTTPMessage(w, req,
 			"Session ID not provided",
 			http.StatusBadRequest,
 		)
 		return
 	}
 	serveRecaptcha := func() {
 		data := map[string]string{
-			"myUrl":   req.URL.String(),
+			"myUrl":        req.URL.String(),
-			"session": sessionID,
+			"session":      sessionID,
-			"siteKey": cfg.RecaptchaPublicKey,
+			"apiJsUrl":     cfg.RecaptchaApiJsUrl,
 			"sitekey":      cfg.RecaptchaPublicKey,
 			"sitekeyClass": cfg.RecaptchaSitekeyClass,
 			"formField":    cfg.RecaptchaFormField,
 		}
 		serveTemplate(w, recaptchaTemplate, data)
 	}
@ -128,70 +144,44 @@ func AuthFallback(
 	if req.Method == http.MethodGet {
 		// Handle Recaptcha
-		if authType == authtypes.LoginTypeRecaptcha {
+		serveRecaptcha()
-			if err := checkRecaptchaEnabled(cfg, w, req); err != nil {
+		return
 				return err
 			}
 			serveRecaptcha()
 			return nil
 		}
 		return &util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("Unknown auth stage type"),
 		}
 	} else if req.Method == http.MethodPost {
 		// Handle Recaptcha
-		if authType == authtypes.LoginTypeRecaptcha {
+		clientIP := req.RemoteAddr
-			if err := checkRecaptchaEnabled(cfg, w, req); err != nil {
+		err := req.ParseForm()
-				return err
+		if err != nil {
-			}
+			util.GetLogger(req.Context()).WithError(err).Error("req.ParseForm failed")
-
+			w.WriteHeader(http.StatusBadRequest)
-			clientIP := req.RemoteAddr
+			serveRecaptcha()
-			err := req.ParseForm()
+			return
 			if err != nil {
 				util.GetLogger(req.Context()).WithError(err).Error("req.ParseForm failed")
 				res := jsonerror.InternalServerError()
 				return &res
 			}
 			response := req.Form.Get("g-recaptcha-response")
 			if err := validateRecaptcha(cfg, response, clientIP); err != nil {
 				util.GetLogger(req.Context()).Error(err)
 				return err
 			}
 			// Success. Add recaptcha as a completed login flow
 			sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeRecaptcha)
 			serveSuccess()
 			return nil
 		}
-		return &util.JSONResponse{
+		response := req.Form.Get(cfg.RecaptchaFormField)
-			Code: http.StatusNotFound,
+		err = validateRecaptcha(cfg, response, clientIP)
-			JSON: jsonerror.NotFound("Unknown auth stage type"),
+		switch err {
 		case ErrMissingResponse:
 			w.WriteHeader(http.StatusBadRequest)
 			serveRecaptcha() // serve the initial page again, instead of nothing
 			return
 		case ErrInvalidCaptcha:
 			w.WriteHeader(http.StatusUnauthorized)
 			serveRecaptcha()
 			return
 		case nil:
 		default: // something else failed
 			util.GetLogger(req.Context()).WithError(err).Error("failed to validate recaptcha")
 			serveRecaptcha()
 			return
 		}
 	}
 	return &util.JSONResponse{
 		Code: http.StatusMethodNotAllowed,
 		JSON: jsonerror.NotFound("Bad method"),
 	}
 }
-// checkRecaptchaEnabled creates an error response if recaptcha is not usable on homeserver.
+		// Success. Add recaptcha as a completed login flow
-func checkRecaptchaEnabled(
+		sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypeRecaptcha)
-	cfg *config.ClientAPI,
+
-	w http.ResponseWriter,
+		serveSuccess()
-	req *http.Request,
+		return
 ) *util.JSONResponse {
 	if !cfg.RecaptchaEnabled {
 		return writeHTTPMessage(w, req,
 			"Recaptcha login is disabled on this Homeserver",
 			http.StatusBadRequest,
 		)
 	}
-	return nil
+	writeHTTPMessage(w, req, "Bad method", http.StatusMethodNotAllowed)
 }
 // writeHTTPMessage writes the given header and message to the HTTP response writer.
@ -199,13 +189,10 @@ func checkRecaptchaEnabled(
 func writeHTTPMessage(
 	w http.ResponseWriter, req *http.Request,
 	message string, header int,
-) *util.JSONResponse {
+) {
 	w.WriteHeader(header)
 	_, err := w.Write([]byte(message))
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("w.Write failed")
 		res := jsonerror.InternalServerError()
 		return &res
 	}
 	return nil
 }
--- a/clientapi/routing/auth_fallback_test.go
+++ b/clientapi/routing/auth_fallback_test.go
@ -0,0 +1,149 @@
 package routing
 import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/dendrite/test/testrig"
 )
 func Test_AuthFallback(t *testing.T) {
 	base, _, _ := testrig.Base(nil)
 	defer base.Close()
 	for _, useHCaptcha := range []bool{false, true} {
 		for _, recaptchaEnabled := range []bool{false, true} {
 			for _, wantErr := range []bool{false, true} {
 				t.Run(fmt.Sprintf("useHCaptcha(%v) - recaptchaEnabled(%v) - wantErr(%v)", useHCaptcha, recaptchaEnabled, wantErr), func(t *testing.T) {
 					// Set the defaults for each test
 					base.Cfg.ClientAPI.Defaults(config.DefaultOpts{Generate: true, Monolithic: true})
 					base.Cfg.ClientAPI.RecaptchaEnabled = recaptchaEnabled
 					base.Cfg.ClientAPI.RecaptchaPublicKey = "pub"
 					base.Cfg.ClientAPI.RecaptchaPrivateKey = "priv"
 					if useHCaptcha {
 						base.Cfg.ClientAPI.RecaptchaSiteVerifyAPI = "https://hcaptcha.com/siteverify"
 						base.Cfg.ClientAPI.RecaptchaApiJsUrl = "https://js.hcaptcha.com/1/api.js"
 						base.Cfg.ClientAPI.RecaptchaFormField = "h-captcha-response"
 						base.Cfg.ClientAPI.RecaptchaSitekeyClass = "h-captcha"
 					}
 					cfgErrs := &config.ConfigErrors{}
 					base.Cfg.ClientAPI.Verify(cfgErrs, true)
 					if len(*cfgErrs) > 0 {
 						t.Fatalf("(hCaptcha=%v) unexpected config errors: %s", useHCaptcha, cfgErrs.Error())
 					}
 					req := httptest.NewRequest(http.MethodGet, "/?session=1337", nil)
 					rec := httptest.NewRecorder()
 					AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 					if !recaptchaEnabled {
 						if rec.Code != http.StatusBadRequest {
 							t.Fatalf("unexpected response code: %d, want %d", rec.Code, http.StatusBadRequest)
 						}
 						if rec.Body.String() != "Recaptcha login is disabled on this Homeserver" {
 							t.Fatalf("unexpected response body: %s", rec.Body.String())
 						}
 					} else {
 						if !strings.Contains(rec.Body.String(), base.Cfg.ClientAPI.RecaptchaSitekeyClass) {
 							t.Fatalf("body does not contain %s: %s", base.Cfg.ClientAPI.RecaptchaSitekeyClass, rec.Body.String())
 						}
 					}
 					srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 						if wantErr {
 							_, _ = w.Write([]byte(`{"success":false}`))
 							return
 						}
 						_, _ = w.Write([]byte(`{"success":true}`))
 					}))
 					defer srv.Close() // nolint: errcheck
 					base.Cfg.ClientAPI.RecaptchaSiteVerifyAPI = srv.URL
 					// check the result after sending the captcha
 					req = httptest.NewRequest(http.MethodPost, "/?session=1337", nil)
 					req.Form = url.Values{}
 					req.Form.Add(base.Cfg.ClientAPI.RecaptchaFormField, "someRandomValue")
 					rec = httptest.NewRecorder()
 					AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 					if recaptchaEnabled {
 						if !wantErr {
 							if rec.Code != http.StatusOK {
 								t.Fatalf("unexpected response code: %d, want %d", rec.Code, http.StatusOK)
 							}
 							if rec.Body.String() != successTemplate {
 								t.Fatalf("unexpected response: %s, want %s", rec.Body.String(), successTemplate)
 							}
 						} else {
 							if rec.Code != http.StatusUnauthorized {
 								t.Fatalf("unexpected response code: %d, want %d", rec.Code, http.StatusUnauthorized)
 							}
 							wantString := "Authentication"
 							if !strings.Contains(rec.Body.String(), wantString) {
 								t.Fatalf("expected response to contain '%s', but didn't: %s", wantString, rec.Body.String())
 							}
 						}
 					} else {
 						if rec.Code != http.StatusBadRequest {
 							t.Fatalf("unexpected response code: %d, want %d", rec.Code, http.StatusBadRequest)
 						}
 						if rec.Body.String() != "Recaptcha login is disabled on this Homeserver" {
 							t.Fatalf("unexpected response: %s, want %s", rec.Body.String(), "successTemplate")
 						}
 					}
 				})
 			}
 		}
 	}
 	t.Run("unknown fallbacks are handled correctly", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodPost, "/?session=1337", nil)
 		rec := httptest.NewRecorder()
 		AuthFallback(rec, req, "DoesNotExist", &base.Cfg.ClientAPI)
 		if rec.Code != http.StatusNotImplemented {
 			t.Fatalf("unexpected http status: %d, want %d", rec.Code, http.StatusNotImplemented)
 		}
 	})
 	t.Run("unknown methods are handled correctly", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, "/?session=1337", nil)
 		rec := httptest.NewRecorder()
 		AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 		if rec.Code != http.StatusMethodNotAllowed {
 			t.Fatalf("unexpected http status: %d, want %d", rec.Code, http.StatusMethodNotAllowed)
 		}
 	})
 	t.Run("missing session parameter is handled correctly", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		rec := httptest.NewRecorder()
 		AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 		if rec.Code != http.StatusBadRequest {
 			t.Fatalf("unexpected http status: %d, want %d", rec.Code, http.StatusBadRequest)
 		}
 	})
 	t.Run("missing session parameter is handled correctly", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/", nil)
 		rec := httptest.NewRecorder()
 		AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 		if rec.Code != http.StatusBadRequest {
 			t.Fatalf("unexpected http status: %d, want %d", rec.Code, http.StatusBadRequest)
 		}
 	})
 	t.Run("missing 'response' is handled correctly", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodPost, "/?session=1337", nil)
 		rec := httptest.NewRecorder()
 		AuthFallback(rec, req, authtypes.LoginTypeRecaptcha, &base.Cfg.ClientAPI)
 		if rec.Code != http.StatusBadRequest {
 			t.Fatalf("unexpected http status: %d, want %d", rec.Code, http.StatusBadRequest)
 		}
 	})
 }
--- a/clientapi/routing/createroom.go
+++ b/clientapi/routing/createroom.go
@ -169,9 +169,21 @@ func createRoom(
 	asAPI appserviceAPI.AppServiceInternalAPI,
 	evTime time.Time,
 ) util.JSONResponse {
 	_, userDomain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(ctx).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	if !cfg.Matrix.IsLocalServerName(userDomain) {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden(fmt.Sprintf("User domain %q not configured locally", userDomain)),
 		}
 	}
 	// TODO (#267): Check room ID doesn't clash with an existing one, and we
 	//              probably shouldn't be using pseudo-random strings, maybe GUIDs?
-	roomID := fmt.Sprintf("!%s:%s", util.RandomString(16), cfg.Matrix.ServerName)
+	roomID := fmt.Sprintf("!%s:%s", util.RandomString(16), userDomain)
 	logger := util.GetLogger(ctx)
 	userID := device.UserID
@ -314,7 +326,7 @@ func createRoom(
 	var roomAlias string
 	if r.RoomAliasName != "" {
-		roomAlias = fmt.Sprintf("#%s:%s", r.RoomAliasName, cfg.Matrix.ServerName)
+		roomAlias = fmt.Sprintf("#%s:%s", r.RoomAliasName, userDomain)
 		// check it's free TODO: This races but is better than nothing
 		hasAliasReq := roomserverAPI.GetRoomIDForAliasRequest{
 			Alias:              roomAlias,
@ -436,7 +448,7 @@ func createRoom(
 			builder.PrevEvents = []gomatrixserverlib.EventReference{builtEvents[i-1].EventReference()}
 		}
 		var ev *gomatrixserverlib.Event
-		ev, err = buildEvent(&builder, &authEvents, cfg, evTime, roomVersion)
+		ev, err = buildEvent(&builder, userDomain, &authEvents, cfg, evTime, roomVersion)
 		if err != nil {
 			util.GetLogger(ctx).WithError(err).Error("buildEvent failed")
 			return jsonerror.InternalServerError()
@ -461,11 +473,11 @@ func createRoom(
 		inputs = append(inputs, roomserverAPI.InputRoomEvent{
 			Kind:         roomserverAPI.KindNew,
 			Event:        event,
-			Origin:       cfg.Matrix.ServerName,
+			Origin:       userDomain,
 			SendAsServer: roomserverAPI.DoNotSendToOtherServers,
 		})
 	}
-	if err = roomserverAPI.SendInputRoomEvents(ctx, rsAPI, inputs, false); err != nil {
+	if err = roomserverAPI.SendInputRoomEvents(ctx, rsAPI, device.UserDomain(), inputs, false); err != nil {
 		util.GetLogger(ctx).WithError(err).Error("roomserverAPI.SendInputRoomEvents failed")
 		return jsonerror.InternalServerError()
 	}
@ -548,7 +560,7 @@ func createRoom(
 				Event:           event,
 				InviteRoomState: inviteStrippedState,
 				RoomVersion:     event.RoomVersion,
-				SendAsServer:    string(cfg.Matrix.ServerName),
+				SendAsServer:    string(userDomain),
 			}, &inviteRes); err != nil {
 				util.GetLogger(ctx).WithError(err).Error("PerformInvite failed")
 				return util.JSONResponse{
@ -591,6 +603,7 @@ func createRoom(
 // buildEvent fills out auth_events for the builder then builds the event
 func buildEvent(
 	builder *gomatrixserverlib.EventBuilder,
 	serverName gomatrixserverlib.ServerName,
 	provider gomatrixserverlib.AuthEventProvider,
 	cfg *config.ClientAPI,
 	evTime time.Time,
@ -606,7 +619,7 @@ func buildEvent(
 	}
 	builder.AuthEvents = refs
 	event, err := builder.Build(
-		evTime, cfg.Matrix.ServerName, cfg.Matrix.KeyID,
+		evTime, serverName, cfg.Matrix.KeyID,
 		cfg.Matrix.PrivateKey, roomVersion,
 	)
 	if err != nil {
--- a/clientapi/routing/directory.go
+++ b/clientapi/routing/directory.go
@ -18,14 +18,15 @@ import (
 	"fmt"
 	"net/http"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	federationAPI "github.com/matrix-org/dendrite/federationapi/api"
 	roomserverAPI "github.com/matrix-org/dendrite/roomserver/api"
 	"github.com/matrix-org/dendrite/setup/config"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 )
 type roomDirectoryResponse struct {
@ -75,8 +76,8 @@ func DirectoryRoom(
 	if res.RoomID == "" {
 		// If we don't know it locally, do a federation query.
 		// But don't send the query to ourselves.
-		if domain != cfg.Matrix.ServerName {
+		if !cfg.Matrix.IsLocalServerName(domain) {
-			fedRes, fedErr := federation.LookupRoomAlias(req.Context(), domain, roomAlias)
+			fedRes, fedErr := federation.LookupRoomAlias(req.Context(), cfg.Matrix.ServerName, domain, roomAlias)
 			if fedErr != nil {
 				// TODO: Return 502 if the remote server errored.
 				// TODO: Return 504 if the remote server timed out.
@ -127,7 +128,7 @@ func SetLocalAlias(
 		}
 	}
-	if domain != cfg.Matrix.ServerName {
+	if !cfg.Matrix.IsLocalServerName(domain) {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("Alias must be on local homeserver"),
@ -318,3 +319,43 @@ func SetVisibility(
 		JSON: struct{}{},
 	}
 }
 func SetVisibilityAS(
 	req *http.Request, rsAPI roomserverAPI.ClientRoomserverAPI, dev *userapi.Device,
 	networkID, roomID string,
 ) util.JSONResponse {
 	if dev.AccountType != userapi.AccountTypeAppService {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("Only appservice may use this endpoint"),
 		}
 	}
 	var v roomVisibility
 	// If the method is delete, we simply mark the visibility as private
 	if req.Method == http.MethodDelete {
 		v.Visibility = "private"
 	} else {
 		if reqErr := httputil.UnmarshalJSONRequest(req, &v); reqErr != nil {
 			return *reqErr
 		}
 	}
 	var publishRes roomserverAPI.PerformPublishResponse
 	if err := rsAPI.PerformPublish(req.Context(), &roomserverAPI.PerformPublishRequest{
 		RoomID:       roomID,
 		Visibility:   v.Visibility,
 		NetworkID:    networkID,
 		AppserviceID: dev.AppserviceID,
 	}, &publishRes); err != nil {
 		return jsonerror.InternalAPIError(req.Context(), err)
 	}
 	if publishRes.Error != nil {
 		util.GetLogger(req.Context()).WithError(publishRes.Error).Error("PerformPublish failed")
 		return publishRes.Error.JSONResponse()
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: struct{}{},
 	}
 }
--- a/clientapi/routing/directory_public.go
+++ b/clientapi/routing/directory_public.go
@ -39,14 +39,17 @@ var (
 )
 type PublicRoomReq struct {
-	Since  string `json:"since,omitempty"`
+	Since              string `json:"since,omitempty"`
-	Limit  int16  `json:"limit,omitempty"`
+	Limit              int64  `json:"limit,omitempty"`
-	Filter filter `json:"filter,omitempty"`
+	Filter             filter `json:"filter,omitempty"`
-	Server string `json:"server,omitempty"`
+	Server             string `json:"server,omitempty"`
 	IncludeAllNetworks bool   `json:"include_all_networks,omitempty"`
 	NetworkID          string `json:"third_party_instance_id,omitempty"`
 }
 type filter struct {
-	SearchTerms string `json:"generic_search_term,omitempty"`
+	SearchTerms string   `json:"generic_search_term,omitempty"`
 	RoomTypes   []string `json:"room_types,omitempty"` // TODO: Implement filter on this
 }
 // GetPostPublicRooms implements GET and POST /publicRooms
@ -61,11 +64,17 @@ func GetPostPublicRooms(
 		return *fillErr
 	}
-	serverName := gomatrixserverlib.ServerName(request.Server)
+	if request.IncludeAllNetworks && request.NetworkID != "" {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidParam("include_all_networks and third_party_instance_id can not be used together"),
 		}
 	}
-	if serverName != "" && serverName != cfg.Matrix.ServerName {
+	serverName := gomatrixserverlib.ServerName(request.Server)
 	if serverName != "" && !cfg.Matrix.IsLocalServerName(serverName) {
 		res, err := federation.GetPublicRoomsFiltered(
-			req.Context(), serverName,
+			req.Context(), cfg.Matrix.ServerName, serverName,
 			int(request.Limit), request.Since,
 			request.Filter.SearchTerms, false,
 			"",
@ -98,7 +107,7 @@ func publicRooms(
 	response := gomatrixserverlib.RespPublicRooms{
 		Chunk: []gomatrixserverlib.PublicRoom{},
 	}
-	var limit int16
+	var limit int64
 	var offset int64
 	limit = request.Limit
 	if limit == 0 {
@ -115,7 +124,7 @@ func publicRooms(
 	var rooms []gomatrixserverlib.PublicRoom
 	if request.Since == "" {
-		rooms = refreshPublicRoomCache(ctx, rsAPI, extRoomsProvider)
+		rooms = refreshPublicRoomCache(ctx, rsAPI, extRoomsProvider, request)
 	} else {
 		rooms = getPublicRoomsFromCache()
 	}
@ -177,7 +186,7 @@ func fillPublicRoomsReq(httpReq *http.Request, request *PublicRoomReq) *util.JSO
 				JSON: jsonerror.BadJSON("limit param is not a number"),
 			}
 		}
-		request.Limit = int16(limit)
+		request.Limit = int64(limit)
 		request.Since = httpReq.FormValue("since")
 		request.Server = httpReq.FormValue("server")
 	} else {
@ -205,7 +214,7 @@ func fillPublicRoomsReq(httpReq *http.Request, request *PublicRoomReq) *util.JSO
 //	 limit=3&since=6  => G     (prev='3', next='')
 //
 //	A value of '-1' for prev/next indicates no position.
-func sliceInto(slice []gomatrixserverlib.PublicRoom, since int64, limit int16) (subset []gomatrixserverlib.PublicRoom, prev, next int) {
+func sliceInto(slice []gomatrixserverlib.PublicRoom, since int64, limit int64) (subset []gomatrixserverlib.PublicRoom, prev, next int) {
 	prev = -1
 	next = -1
@ -231,6 +240,7 @@ func sliceInto(slice []gomatrixserverlib.PublicRoom, since int64, limit int16) (
 func refreshPublicRoomCache(
 	ctx context.Context, rsAPI roomserverAPI.ClientRoomserverAPI, extRoomsProvider api.ExtraPublicRoomsProvider,
 	request PublicRoomReq,
 ) []gomatrixserverlib.PublicRoom {
 	cacheMu.Lock()
 	defer cacheMu.Unlock()
@ -239,8 +249,17 @@ func refreshPublicRoomCache(
 		extraRooms = extRoomsProvider.Rooms()
 	}
 	// TODO: this is only here to make Sytest happy, for now.
 	ns := strings.Split(request.NetworkID, "|")
 	if len(ns) == 2 {
 		request.NetworkID = ns[1]
 	}
 	var queryRes roomserverAPI.QueryPublishedRoomsResponse
-	err := rsAPI.QueryPublishedRooms(ctx, &roomserverAPI.QueryPublishedRoomsRequest{}, &queryRes)
+	err := rsAPI.QueryPublishedRooms(ctx, &roomserverAPI.QueryPublishedRoomsRequest{
 		NetworkID:          request.NetworkID,
 		IncludeAllNetworks: request.IncludeAllNetworks,
 	}, &queryRes)
 	if err != nil {
 		util.GetLogger(ctx).WithError(err).Error("QueryPublishedRooms failed")
 		return publicRoomsCache
--- a/clientapi/routing/directory_public_test.go
+++ b/clientapi/routing/directory_public_test.go
@ -17,7 +17,7 @@ func TestSliceInto(t *testing.T) {
 	slice := []gomatrixserverlib.PublicRoom{
 		pubRoom("a"), pubRoom("b"), pubRoom("c"), pubRoom("d"), pubRoom("e"), pubRoom("f"), pubRoom("g"),
 	}
-	limit := int16(3)
+	limit := int64(3)
 	testCases := []struct {
 		since      int64
 		wantPrev   int
--- a/clientapi/routing/getevent.go
+++ b/clientapi/routing/getevent.go
@ -1,138 +0,0 @@
 // Copyright 2019 Alex Chen
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package routing
 import (
 	"net/http"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/roomserver/api"
 	"github.com/matrix-org/dendrite/setup/config"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 )
 type getEventRequest struct {
 	req            *http.Request
 	device         *userapi.Device
 	roomID         string
 	eventID        string
 	cfg            *config.ClientAPI
 	requestedEvent *gomatrixserverlib.Event
 }
 // GetEvent implements GET /_matrix/client/r0/rooms/{roomId}/event/{eventId}
 // https://matrix.org/docs/spec/client_server/r0.4.0.html#get-matrix-client-r0-rooms-roomid-event-eventid
 func GetEvent(
 	req *http.Request,
 	device *userapi.Device,
 	roomID string,
 	eventID string,
 	cfg *config.ClientAPI,
 	rsAPI api.ClientRoomserverAPI,
 ) util.JSONResponse {
 	eventsReq := api.QueryEventsByIDRequest{
 		EventIDs: []string{eventID},
 	}
 	var eventsResp api.QueryEventsByIDResponse
 	err := rsAPI.QueryEventsByID(req.Context(), &eventsReq, &eventsResp)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("queryAPI.QueryEventsByID failed")
 		return jsonerror.InternalServerError()
 	}
 	if len(eventsResp.Events) == 0 {
 		// Event not found locally
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("The event was not found or you do not have permission to read this event"),
 		}
 	}
 	requestedEvent := eventsResp.Events[0].Event
 	r := getEventRequest{
 		req:            req,
 		device:         device,
 		roomID:         roomID,
 		eventID:        eventID,
 		cfg:            cfg,
 		requestedEvent: requestedEvent,
 	}
 	stateReq := api.QueryStateAfterEventsRequest{
 		RoomID:       r.requestedEvent.RoomID(),
 		PrevEventIDs: r.requestedEvent.PrevEventIDs(),
 		StateToFetch: []gomatrixserverlib.StateKeyTuple{{
 			EventType: gomatrixserverlib.MRoomMember,
 			StateKey:  device.UserID,
 		}},
 	}
 	var stateResp api.QueryStateAfterEventsResponse
 	if err := rsAPI.QueryStateAfterEvents(req.Context(), &stateReq, &stateResp); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("queryAPI.QueryStateAfterEvents failed")
 		return jsonerror.InternalServerError()
 	}
 	if !stateResp.RoomExists {
 		util.GetLogger(req.Context()).Errorf("Expected to find room for event %s but failed", r.requestedEvent.EventID())
 		return jsonerror.InternalServerError()
 	}
 	if !stateResp.PrevEventsExist {
 		// Missing some events locally; stateResp.StateEvents unavailable.
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("The event was not found or you do not have permission to read this event"),
 		}
 	}
 	var appService *config.ApplicationService
 	if device.AppserviceID != "" {
 		for _, as := range cfg.Derived.ApplicationServices {
 			if as.ID == device.AppserviceID {
 				appService = &as
 				break
 			}
 		}
 	}
 	for _, stateEvent := range stateResp.StateEvents {
 		if appService != nil {
 			if !appService.IsInterestedInUserID(*stateEvent.StateKey()) {
 				continue
 			}
 		} else if !stateEvent.StateKeyEquals(device.UserID) {
 			continue
 		}
 		membership, err := stateEvent.Membership()
 		if err != nil {
 			util.GetLogger(req.Context()).WithError(err).Error("stateEvent.Membership failed")
 			return jsonerror.InternalServerError()
 		}
 		if membership == gomatrixserverlib.Join {
 			return util.JSONResponse{
 				Code: http.StatusOK,
 				JSON: gomatrixserverlib.ToClientEvent(r.requestedEvent, gomatrixserverlib.FormatAll),
 			}
 		}
 	}
 	return util.JSONResponse{
 		Code: http.StatusNotFound,
 		JSON: jsonerror.NotFound("The event was not found or you do not have permission to read this event"),
 	}
 }
--- a/clientapi/routing/joined_rooms.go
+++ b/clientapi/routing/joined_rooms.go
@ -0,0 +1,52 @@
 // Copyright 2022 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package routing
 import (
 	"net/http"
 	"github.com/matrix-org/util"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/roomserver/api"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 )
 type getJoinedRoomsResponse struct {
 	JoinedRooms []string `json:"joined_rooms"`
 }
 func GetJoinedRooms(
 	req *http.Request,
 	device *userapi.Device,
 	rsAPI api.ClientRoomserverAPI,
 ) util.JSONResponse {
 	var res api.QueryRoomsForUserResponse
 	err := rsAPI.QueryRoomsForUser(req.Context(), &api.QueryRoomsForUserRequest{
 		UserID:         device.UserID,
 		WantMembership: "join",
 	}, &res)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("QueryRoomsForUser failed")
 		return jsonerror.InternalServerError()
 	}
 	if res.RoomIDs == nil {
 		res.RoomIDs = []string{}
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: getJoinedRoomsResponse{res.RoomIDs},
 	}
 }
--- a/clientapi/routing/joinroom.go
+++ b/clientapi/routing/joinroom.go
@ -37,6 +37,7 @@ func JoinRoomByIDOrAlias(
 	joinReq := roomserverAPI.PerformJoinRequest{
 		RoomIDOrAlias: roomIDOrAlias,
 		UserID:        device.UserID,
 		IsGuest:       device.AccountType == api.AccountTypeGuest,
 		Content:       map[string]interface{}{},
 	}
 	joinRes := roomserverAPI.PerformJoinResponse{}
@ -84,7 +85,14 @@ func JoinRoomByIDOrAlias(
 		if err := rsAPI.PerformJoin(req.Context(), &joinReq, &joinRes); err != nil {
 			done <- jsonerror.InternalAPIError(req.Context(), err)
 		} else if joinRes.Error != nil {
-			done <- joinRes.Error.JSONResponse()
+			if joinRes.Error.Code == roomserverAPI.PerformErrorNotAllowed && device.AccountType == api.AccountTypeGuest {
 				done <- util.JSONResponse{
 					Code: http.StatusForbidden,
 					JSON: jsonerror.GuestAccessForbidden(joinRes.Error.Msg),
 				}
 			} else {
 				done <- joinRes.Error.JSONResponse()
 			}
 		} else {
 			done <- util.JSONResponse{
 				Code: http.StatusOK,
--- a/clientapi/routing/joinroom_test.go
+++ b/clientapi/routing/joinroom_test.go
@ -0,0 +1,158 @@
 package routing
 import (
 	"bytes"
 	"context"
 	"net/http"
 	"testing"
 	"time"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/dendrite/appservice"
 	"github.com/matrix-org/dendrite/keyserver"
 	"github.com/matrix-org/dendrite/roomserver"
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/test/testrig"
 	"github.com/matrix-org/dendrite/userapi"
 	uapi "github.com/matrix-org/dendrite/userapi/api"
 )
 func TestJoinRoomByIDOrAlias(t *testing.T) {
 	alice := test.NewUser(t)
 	bob := test.NewUser(t)
 	charlie := test.NewUser(t, test.WithAccountType(uapi.AccountTypeGuest))
 	ctx := context.Background()
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
 		base, baseClose := testrig.CreateBaseDendrite(t, dbType)
 		defer baseClose()
 		rsAPI := roomserver.NewInternalAPI(base)
 		keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, nil, rsAPI)
 		userAPI := userapi.NewInternalAPI(base, &base.Cfg.UserAPI, nil, keyAPI, rsAPI, nil)
 		asAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
 		rsAPI.SetFederationAPI(nil, nil) // creates the rs.Inputer etc
 		// Create the users in the userapi
 		for _, u := range []*test.User{alice, bob, charlie} {
 			localpart, serverName, _ := gomatrixserverlib.SplitID('@', u.ID)
 			userRes := &uapi.PerformAccountCreationResponse{}
 			if err := userAPI.PerformAccountCreation(ctx, &uapi.PerformAccountCreationRequest{
 				AccountType: u.AccountType,
 				Localpart:   localpart,
 				ServerName:  serverName,
 				Password:    "someRandomPassword",
 			}, userRes); err != nil {
 				t.Errorf("failed to create account: %s", err)
 			}
 		}
 		aliceDev := &uapi.Device{UserID: alice.ID}
 		bobDev := &uapi.Device{UserID: bob.ID}
 		charlieDev := &uapi.Device{UserID: charlie.ID, AccountType: uapi.AccountTypeGuest}
 		// create a room with disabled guest access and invite Bob
 		resp := createRoom(ctx, createRoomRequest{
 			Name:          "testing",
 			IsDirect:      true,
 			Topic:         "testing",
 			Visibility:    "public",
 			Preset:        presetPublicChat,
 			RoomAliasName: "alias",
 			Invite:        []string{bob.ID},
 			GuestCanJoin:  false,
 		}, aliceDev, &base.Cfg.ClientAPI, userAPI, rsAPI, asAPI, time.Now())
 		crResp, ok := resp.JSON.(createRoomResponse)
 		if !ok {
 			t.Fatalf("response is not a createRoomResponse: %+v", resp)
 		}
 		// create a room with guest access enabled and invite Charlie
 		resp = createRoom(ctx, createRoomRequest{
 			Name:         "testing",
 			IsDirect:     true,
 			Topic:        "testing",
 			Visibility:   "public",
 			Preset:       presetPublicChat,
 			Invite:       []string{charlie.ID},
 			GuestCanJoin: true,
 		}, aliceDev, &base.Cfg.ClientAPI, userAPI, rsAPI, asAPI, time.Now())
 		crRespWithGuestAccess, ok := resp.JSON.(createRoomResponse)
 		if !ok {
 			t.Fatalf("response is not a createRoomResponse: %+v", resp)
 		}
 		// Dummy request
 		body := &bytes.Buffer{}
 		req, err := http.NewRequest(http.MethodPost, "/?server_name=test", body)
 		if err != nil {
 			t.Fatal(err)
 		}
 		testCases := []struct {
 			name        string
 			device      *uapi.Device
 			roomID      string
 			wantHTTP200 bool
 		}{
 			{
 				name:        "User can join successfully by alias",
 				device:      bobDev,
 				roomID:      crResp.RoomAlias,
 				wantHTTP200: true,
 			},
 			{
 				name:        "User can join successfully by roomID",
 				device:      bobDev,
 				roomID:      crResp.RoomID,
 				wantHTTP200: true,
 			},
 			{
 				name:   "join is forbidden if user is guest",
 				device: charlieDev,
 				roomID: crResp.RoomID,
 			},
 			{
 				name:   "room does not exist",
 				device: aliceDev,
 				roomID: "!doesnotexist:test",
 			},
 			{
 				name:   "user from different server",
 				device: &uapi.Device{UserID: "@wrong:server"},
 				roomID: crResp.RoomAlias,
 			},
 			{
 				name:   "user doesn't exist locally",
 				device: &uapi.Device{UserID: "@doesnotexist:test"},
 				roomID: crResp.RoomAlias,
 			},
 			{
 				name:   "invalid room ID",
 				device: aliceDev,
 				roomID: "invalidRoomID",
 			},
 			{
 				name:   "roomAlias does not exist",
 				device: aliceDev,
 				roomID: "#doesnotexist:test",
 			},
 			{
 				name:   "room with guest_access event",
 				device: charlieDev,
 				roomID: crRespWithGuestAccess.RoomID,
 			},
 		}
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				joinResp := JoinRoomByIDOrAlias(req, tc.device, rsAPI, userAPI, tc.roomID)
 				if tc.wantHTTP200 && !joinResp.Is2xx() {
 					t.Fatalf("expected join room to succeed, but didn't: %+v", joinResp)
 				}
 			})
 		}
 	})
 }
--- a/clientapi/routing/keys.go
+++ b/clientapi/routing/keys.go
@ -99,7 +99,11 @@ func (r *queryKeysRequest) GetTimeout() time.Duration {
 	if r.Timeout == 0 {
 		return 10 * time.Second
 	}
-	return time.Duration(r.Timeout) * time.Millisecond
+	timeout := time.Duration(r.Timeout) * time.Millisecond
 	if timeout > time.Second*20 {
 		timeout = time.Second * 20
 	}
 	return timeout
 }
 func QueryKeys(req *http.Request, keyAPI api.ClientKeyAPI, device *userapi.Device) util.JSONResponse {
--- a/clientapi/routing/login.go
+++ b/clientapi/routing/login.go
@ -23,15 +23,13 @@ import (
 	"github.com/matrix-org/dendrite/clientapi/userutil"
 	"github.com/matrix-org/dendrite/setup/config"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 )
 type loginResponse struct {
-	UserID      string                       `json:"user_id"`
+	UserID      string `json:"user_id"`
-	AccessToken string                       `json:"access_token"`
+	AccessToken string `json:"access_token"`
-	HomeServer  gomatrixserverlib.ServerName `json:"home_server"`
+	DeviceID    string `json:"device_id"`
 	DeviceID    string                       `json:"device_id"`
 }
 type flows struct {
@ -68,7 +66,7 @@ func Login(
 			return *authErr
 		}
 		// make a device/access token
-		authErr2 := completeAuth(req.Context(), cfg.Matrix.ServerName, userAPI, login, req.RemoteAddr, req.UserAgent())
+		authErr2 := completeAuth(req.Context(), cfg.Matrix, userAPI, login, req.RemoteAddr, req.UserAgent())
 		cleanup(req.Context(), &authErr2)
 		return authErr2
 	}
@ -79,7 +77,7 @@ func Login(
 }
 func completeAuth(
-	ctx context.Context, serverName gomatrixserverlib.ServerName, userAPI userapi.ClientUserAPI, login *auth.Login,
+	ctx context.Context, cfg *config.Global, userAPI userapi.ClientUserAPI, login *auth.Login,
 	ipAddr, userAgent string,
 ) util.JSONResponse {
 	token, err := auth.GenerateAccessToken()
@ -88,7 +86,7 @@ func completeAuth(
 		return jsonerror.InternalServerError()
 	}
-	localpart, err := userutil.ParseUsernameParam(login.Username(), &serverName)
+	localpart, serverName, err := userutil.ParseUsernameParam(login.Username(), cfg)
 	if err != nil {
 		util.GetLogger(ctx).WithError(err).Error("auth.ParseUsernameParam failed")
 		return jsonerror.InternalServerError()
@ -100,6 +98,7 @@ func completeAuth(
 		DeviceID:          login.DeviceID,
 		AccessToken:       token,
 		Localpart:         localpart,
 		ServerName:        serverName,
 		IPAddr:            ipAddr,
 		UserAgent:         userAgent,
 	}, &performRes)
@ -115,7 +114,6 @@ func completeAuth(
 		JSON: loginResponse{
 			UserID:      performRes.Device.UserID,
 			AccessToken: performRes.Device.AccessToken,
 			HomeServer:  serverName,
 			DeviceID:    performRes.Device.ID,
 		},
 	}
--- a/clientapi/routing/membership.go
+++ b/clientapi/routing/membership.go
@ -105,12 +105,14 @@ func sendMembership(ctx context.Context, profileAPI userapi.ClientUserAPI, devic
 		return jsonerror.InternalServerError()
 	}
 	serverName := device.UserDomain()
 	if err = roomserverAPI.SendEvents(
 		ctx, rsAPI,
 		roomserverAPI.KindNew,
 		[]*gomatrixserverlib.HeaderedEvent{event.Event.Headered(roomVer)},
-		cfg.Matrix.ServerName,
+		device.UserDomain(),
-		cfg.Matrix.ServerName,
+		serverName,
 		serverName,
 		nil,
 		false,
 	); err != nil {
@ -271,7 +273,7 @@ func sendInvite(
 		Event:           event,
 		InviteRoomState: nil, // ask the roomserver to draw up invite room state for us
 		RoomVersion:     event.RoomVersion,
-		SendAsServer:    string(cfg.Matrix.ServerName),
+		SendAsServer:    string(device.UserDomain()),
 	}, &inviteRes); err != nil {
 		util.GetLogger(ctx).WithError(err).Error("PerformInvite failed")
 		return util.JSONResponse{
@ -321,7 +323,12 @@ func buildMembershipEvent(
 		return nil, err
 	}
-	return eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, evTime, rsAPI, nil)
+	identity, err := cfg.Matrix.SigningIdentityFor(device.UserDomain())
 	if err != nil {
 		return nil, err
 	}
 	return eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, identity, evTime, rsAPI, nil)
 }
 // loadProfile lookups the profile of a given user from the database and returns
@ -341,7 +348,7 @@ func loadProfile(
 	}
 	var profile *authtypes.Profile
-	if serverName == cfg.Matrix.ServerName {
+	if cfg.Matrix.IsLocalServerName(serverName) {
 		profile, err = appserviceAPI.RetrieveUserProfile(ctx, userID, asAPI, profileAPI)
 	} else {
 		profile = &authtypes.Profile{}
--- a/clientapi/routing/notification.go
+++ b/clientapi/routing/notification.go
@ -40,16 +40,17 @@ func GetNotifications(
 	}
 	var queryRes userapi.QueryNotificationsResponse
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	err = userAPI.QueryNotifications(req.Context(), &userapi.QueryNotificationsRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
-		From:      req.URL.Query().Get("from"),
+		ServerName: domain,
-		Limit:     int(limit),
+		From:       req.URL.Query().Get("from"),
-		Only:      req.URL.Query().Get("only"),
+		Limit:      int(limit),
 		Only:       req.URL.Query().Get("only"),
 	}, &queryRes)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("QueryNotifications failed")
--- a/clientapi/routing/openid.go
+++ b/clientapi/routing/openid.go
@ -63,7 +63,7 @@ func CreateOpenIDToken(
 		JSON: openIDTokenResponse{
 			AccessToken:      response.Token.Token,
 			TokenType:        "Bearer",
-			MatrixServerName: string(cfg.Matrix.ServerName),
+			MatrixServerName: string(device.UserDomain()),
 			ExpiresIn:        response.Token.ExpiresAtMS / 1000, // convert ms to s
 		},
 	}
--- a/clientapi/routing/password.go
+++ b/clientapi/routing/password.go
@ -7,6 +7,7 @@ import (
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
@ -81,12 +82,12 @@ func Password(
 	sessions.addCompletedSessionStage(sessionID, authtypes.LoginTypePassword)
 	// Check the new password strength.
-	if resErr = validatePassword(r.NewPassword); resErr != nil {
+	if err := internal.ValidatePassword(r.NewPassword); err != nil {
-		return *resErr
+		return *internal.PasswordResponse(err)
 	}
 	// Get the local part.
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
@ -94,8 +95,9 @@ func Password(
 	// Ask the user API to perform the password change.
 	passwordReq := &api.PerformPasswordUpdateRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
-		Password:  r.NewPassword,
+		ServerName: domain,
 		Password:   r.NewPassword,
 	}
 	passwordRes := &api.PerformPasswordUpdateResponse{}
 	if err := userAPI.PerformPasswordUpdate(req.Context(), passwordReq, passwordRes); err != nil {
@ -122,8 +124,9 @@ func Password(
 		}
 		pushersReq := &api.PerformPusherDeletionRequest{
-			Localpart: localpart,
+			Localpart:  localpart,
-			SessionID: device.SessionID,
+			ServerName: domain,
 			SessionID:  device.SessionID,
 		}
 		if err := userAPI.PerformPusherDeletion(req.Context(), pushersReq, &struct{}{}); err != nil {
 			util.GetLogger(req.Context()).WithError(err).Error("PerformPusherDeletion failed")
--- a/clientapi/routing/profile.go
+++ b/clientapi/routing/profile.go
@ -19,6 +19,8 @@ import (
 	"net/http"
 	"time"
 	"github.com/matrix-org/gomatrixserverlib"
 	appserviceAPI "github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
@ -27,7 +29,6 @@ import (
 	"github.com/matrix-org/dendrite/roomserver/api"
 	"github.com/matrix-org/dendrite/setup/config"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/gomatrix"
 	"github.com/matrix-org/util"
@ -112,12 +113,19 @@ func SetAvatarURL(
 		}
 	}
-	localpart, _, err := gomatrixserverlib.SplitID('@', userID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', userID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	if !cfg.Matrix.IsLocalServerName(domain) {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
 		}
 	}
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
@ -126,63 +134,26 @@ func SetAvatarURL(
 		}
 	}
 	res := &userapi.QueryProfileResponse{}
 	err = profileAPI.QueryProfile(req.Context(), &userapi.QueryProfileRequest{
 		UserID: userID,
 	}, res)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("profileAPI.QueryProfile failed")
 		return jsonerror.InternalServerError()
 	}
 	oldProfile := &authtypes.Profile{
 		Localpart:   localpart,
 		DisplayName: res.DisplayName,
 		AvatarURL:   res.AvatarURL,
 	}
 	setRes := &userapi.PerformSetAvatarURLResponse{}
 	if err = profileAPI.SetAvatarURL(req.Context(), &userapi.PerformSetAvatarURLRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
-		AvatarURL: r.AvatarURL,
+		ServerName: domain,
 		AvatarURL:  r.AvatarURL,
 	}, setRes); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("profileAPI.SetAvatarURL failed")
 		return jsonerror.InternalServerError()
 	}
-
+	// No need to build new membership events, since nothing changed
-	var roomsRes api.QueryRoomsForUserResponse
+	if !setRes.Changed {
 	err = rsAPI.QueryRoomsForUser(req.Context(), &api.QueryRoomsForUserRequest{
 		UserID:         device.UserID,
 		WantMembership: "join",
 	}, &roomsRes)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("QueryRoomsForUser failed")
 		return jsonerror.InternalServerError()
 	}
 	newProfile := authtypes.Profile{
 		Localpart:   localpart,
 		DisplayName: oldProfile.DisplayName,
 		AvatarURL:   r.AvatarURL,
 	}
 	events, err := buildMembershipEvents(
 		req.Context(), roomsRes.RoomIDs, newProfile, userID, cfg, evTime, rsAPI,
 	)
 	switch e := err.(type) {
 	case nil:
 	case gomatrixserverlib.BadJSONError:
 		return util.JSONResponse{
-			Code: http.StatusBadRequest,
+			Code: http.StatusOK,
-			JSON: jsonerror.BadJSON(e.Error()),
+			JSON: struct{}{},
 		}
 	default:
 		util.GetLogger(req.Context()).WithError(err).Error("buildMembershipEvents failed")
 		return jsonerror.InternalServerError()
 	}
-	if err := api.SendEvents(req.Context(), rsAPI, api.KindNew, events, cfg.Matrix.ServerName, cfg.Matrix.ServerName, nil, true); err != nil {
+	response, err := updateProfile(req.Context(), rsAPI, device, setRes.Profile, userID, cfg, evTime)
-		util.GetLogger(req.Context()).WithError(err).Error("SendEvents failed")
+	if err != nil {
-		return jsonerror.InternalServerError()
+		return response
 	}
 	return util.JSONResponse{
@ -241,12 +212,19 @@ func SetDisplayName(
 		}
 	}
-	localpart, _, err := gomatrixserverlib.SplitID('@', userID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', userID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	if !cfg.Matrix.IsLocalServerName(domain) {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
 			JSON: jsonerror.Forbidden("userID does not belong to a locally configured domain"),
 		}
 	}
 	evTime, err := httputil.ParseTSParam(req)
 	if err != nil {
 		return util.JSONResponse{
@ -255,47 +233,58 @@ func SetDisplayName(
 		}
 	}
-	pRes := &userapi.QueryProfileResponse{}
+	profileRes := &userapi.PerformUpdateDisplayNameResponse{}
 	err = profileAPI.QueryProfile(req.Context(), &userapi.QueryProfileRequest{
 		UserID: userID,
 	}, pRes)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("profileAPI.QueryProfile failed")
 		return jsonerror.InternalServerError()
 	}
 	oldProfile := &authtypes.Profile{
 		Localpart:   localpart,
 		DisplayName: pRes.DisplayName,
 		AvatarURL:   pRes.AvatarURL,
 	}
 	err = profileAPI.SetDisplayName(req.Context(), &userapi.PerformUpdateDisplayNameRequest{
 		Localpart:   localpart,
 		ServerName:  domain,
 		DisplayName: r.DisplayName,
-	}, &struct{}{})
+	}, profileRes)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("profileAPI.SetDisplayName failed")
 		return jsonerror.InternalServerError()
 	}
 	// No need to build new membership events, since nothing changed
 	if !profileRes.Changed {
 		return util.JSONResponse{
 			Code: http.StatusOK,
 			JSON: struct{}{},
 		}
 	}
 	response, err := updateProfile(req.Context(), rsAPI, device, profileRes.Profile, userID, cfg, evTime)
 	if err != nil {
 		return response
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: struct{}{},
 	}
 }
 func updateProfile(
 	ctx context.Context, rsAPI api.ClientRoomserverAPI, device *userapi.Device,
 	profile *authtypes.Profile,
 	userID string, cfg *config.ClientAPI, evTime time.Time,
 ) (util.JSONResponse, error) {
 	var res api.QueryRoomsForUserResponse
-	err = rsAPI.QueryRoomsForUser(req.Context(), &api.QueryRoomsForUserRequest{
+	err := rsAPI.QueryRoomsForUser(ctx, &api.QueryRoomsForUserRequest{
 		UserID:         device.UserID,
 		WantMembership: "join",
 	}, &res)
 	if err != nil {
-		util.GetLogger(req.Context()).WithError(err).Error("QueryRoomsForUser failed")
+		util.GetLogger(ctx).WithError(err).Error("QueryRoomsForUser failed")
-		return jsonerror.InternalServerError()
+		return jsonerror.InternalServerError(), err
 	}
-	newProfile := authtypes.Profile{
+	_, domain, err := gomatrixserverlib.SplitID('@', userID)
-		Localpart:   localpart,
+	if err != nil {
-		DisplayName: r.DisplayName,
+		util.GetLogger(ctx).WithError(err).Error("gomatrixserverlib.SplitID failed")
-		AvatarURL:   oldProfile.AvatarURL,
+		return jsonerror.InternalServerError(), err
 	}
 	events, err := buildMembershipEvents(
-		req.Context(), res.RoomIDs, newProfile, userID, cfg, evTime, rsAPI,
+		ctx, device, res.RoomIDs, *profile, userID, cfg, evTime, rsAPI,
 	)
 	switch e := err.(type) {
 	case nil:
@ -303,21 +292,17 @@ func SetDisplayName(
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.BadJSON(e.Error()),
-		}
+		}, e
 	default:
-		util.GetLogger(req.Context()).WithError(err).Error("buildMembershipEvents failed")
+		util.GetLogger(ctx).WithError(err).Error("buildMembershipEvents failed")
-		return jsonerror.InternalServerError()
+		return jsonerror.InternalServerError(), e
 	}
-	if err := api.SendEvents(req.Context(), rsAPI, api.KindNew, events, cfg.Matrix.ServerName, cfg.Matrix.ServerName, nil, true); err != nil {
+	if err := api.SendEvents(ctx, rsAPI, api.KindNew, events, device.UserDomain(), domain, domain, nil, true); err != nil {
-		util.GetLogger(req.Context()).WithError(err).Error("SendEvents failed")
+		util.GetLogger(ctx).WithError(err).Error("SendEvents failed")
-		return jsonerror.InternalServerError()
+		return jsonerror.InternalServerError(), err
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: struct{}{},
 	}
 	return util.JSONResponse{}, nil
 }
 // getProfile gets the full profile of a user by querying the database or a
@ -335,8 +320,8 @@ func getProfile(
 		return nil, err
 	}
-	if domain != cfg.Matrix.ServerName {
+	if !cfg.Matrix.IsLocalServerName(domain) {
-		profile, fedErr := federation.LookupProfile(ctx, domain, userID, "")
+		profile, fedErr := federation.LookupProfile(ctx, cfg.Matrix.ServerName, domain, userID, "")
 		if fedErr != nil {
 			if x, ok := fedErr.(gomatrix.HTTPError); ok {
 				if x.Code == http.StatusNotFound {
@ -364,6 +349,7 @@ func getProfile(
 func buildMembershipEvents(
 	ctx context.Context,
 	device *userapi.Device,
 	roomIDs []string,
 	newProfile authtypes.Profile, userID string, cfg *config.ClientAPI,
 	evTime time.Time, rsAPI api.ClientRoomserverAPI,
@ -395,7 +381,12 @@ func buildMembershipEvents(
 			return nil, err
 		}
-		event, err := eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, evTime, rsAPI, nil)
+		identity, err := cfg.Matrix.SigningIdentityFor(device.UserDomain())
 		if err != nil {
 			return nil, err
 		}
 		event, err := eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, identity, evTime, rsAPI, nil)
 		if err != nil {
 			return nil, err
 		}
--- a/clientapi/routing/pusher.go
+++ b/clientapi/routing/pusher.go
@ -31,13 +31,14 @@ func GetPushers(
 	userAPI userapi.ClientUserAPI,
 ) util.JSONResponse {
 	var queryRes userapi.QueryPushersResponse
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	err = userAPI.QueryPushers(req.Context(), &userapi.QueryPushersRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
 		ServerName: domain,
 	}, &queryRes)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("QueryPushers failed")
@ -59,7 +60,7 @@ func SetPusher(
 	req *http.Request, device *userapi.Device,
 	userAPI userapi.ClientUserAPI,
 ) util.JSONResponse {
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("SplitID failed")
 		return jsonerror.InternalServerError()
@ -93,6 +94,7 @@ func SetPusher(
 	}
 	body.Localpart = localpart
 	body.ServerName = domain
 	body.SessionID = device.SessionID
 	err = userAPI.PerformPusherSet(req.Context(), &body, &struct{}{})
 	if err != nil {
--- a/clientapi/routing/receipt.go
+++ b/clientapi/routing/receipt.go
@ -15,19 +15,22 @@
 package routing
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/clientapi/producers"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/dendrite/userapi/api"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/util"
 	"github.com/sirupsen/logrus"
 )
-func SetReceipt(req *http.Request, syncProducer *producers.SyncAPIProducer, device *userapi.Device, roomID, receiptType, eventID string) util.JSONResponse {
+func SetReceipt(req *http.Request, userAPI api.ClientUserAPI, syncProducer *producers.SyncAPIProducer, device *userapi.Device, roomID, receiptType, eventID string) util.JSONResponse {
 	timestamp := gomatrixserverlib.AsTimestamp(time.Now())
 	logrus.WithFields(logrus.Fields{
 		"roomID":      roomID,
@ -37,13 +40,32 @@ func SetReceipt(req *http.Request, syncProducer *producers.SyncAPIProducer, devi
 		"timestamp":   timestamp,
 	}).Debug("Setting receipt")
-	// currently only m.read is accepted
+	switch receiptType {
-	if receiptType != "m.read" {
+	case "m.read", "m.read.private":
-		return util.MessageResponse(400, fmt.Sprintf("receipt type must be m.read not '%s'", receiptType))
+		if err := syncProducer.SendReceipt(req.Context(), device.UserID, roomID, eventID, receiptType, timestamp); err != nil {
-	}
+			return util.ErrorResponse(err)
 		}
-	if err := syncProducer.SendReceipt(req.Context(), device.UserID, roomID, eventID, receiptType, timestamp); err != nil {
+	case "m.fully_read":
-		return util.ErrorResponse(err)
+		data, err := json.Marshal(fullyReadEvent{EventID: eventID})
 		if err != nil {
 			return jsonerror.InternalServerError()
 		}
 		dataReq := api.InputAccountDataRequest{
 			UserID:      device.UserID,
 			DataType:    "m.fully_read",
 			RoomID:      roomID,
 			AccountData: data,
 		}
 		dataRes := api.InputAccountDataResponse{}
 		if err := userAPI.InputAccountData(req.Context(), &dataReq, &dataRes); err != nil {
 			util.GetLogger(req.Context()).WithError(err).Error("userAPI.InputAccountData failed")
 			return util.ErrorResponse(err)
 		}
 	default:
 		return util.MessageResponse(400, fmt.Sprintf("Receipt type '%s' not known", receiptType))
 	}
 	return util.JSONResponse{
--- a/clientapi/routing/redaction.go
+++ b/clientapi/routing/redaction.go
@ -19,6 +19,9 @@ import (
 	"net/http"
 	"time"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/internal/eventutil"
@ -26,8 +29,6 @@ import (
 	roomserverAPI "github.com/matrix-org/dendrite/roomserver/api"
 	"github.com/matrix-org/dendrite/setup/config"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 )
 type redactionContent struct {
@ -51,7 +52,7 @@ func SendRedaction(
 	if txnID != nil {
 		// Try to fetch response from transactionsCache
-		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID); ok {
+		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID, req.URL); ok {
 			return *res
 		}
 	}
@ -122,15 +123,21 @@ func SendRedaction(
 		return jsonerror.InternalServerError()
 	}
 	identity, err := cfg.Matrix.SigningIdentityFor(device.UserDomain())
 	if err != nil {
 		return jsonerror.InternalServerError()
 	}
 	var queryRes roomserverAPI.QueryLatestEventsAndStateResponse
-	e, err := eventutil.QueryAndBuildEvent(req.Context(), &builder, cfg.Matrix, time.Now(), rsAPI, &queryRes)
+	e, err := eventutil.QueryAndBuildEvent(req.Context(), &builder, cfg.Matrix, identity, time.Now(), rsAPI, &queryRes)
 	if err == eventutil.ErrRoomNoExists {
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("Room does not exist"),
 		}
 	}
-	if err = roomserverAPI.SendEvents(context.Background(), rsAPI, roomserverAPI.KindNew, []*gomatrixserverlib.HeaderedEvent{e}, cfg.Matrix.ServerName, cfg.Matrix.ServerName, nil, false); err != nil {
+	domain := device.UserDomain()
 	if err = roomserverAPI.SendEvents(context.Background(), rsAPI, roomserverAPI.KindNew, []*gomatrixserverlib.HeaderedEvent{e}, device.UserDomain(), domain, domain, nil, false); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Errorf("failed to SendEvents")
 		return jsonerror.InternalServerError()
 	}
@ -144,7 +151,7 @@ func SendRedaction(
 	// Add response to transactionsCache
 	if txnID != nil {
-		txnCache.AddTransaction(device.AccessToken, *txnID, &res)
+		txnCache.AddTransaction(device.AccessToken, *txnID, req.URL, &res)
 	}
 	return res
--- a/clientapi/routing/register.go
+++ b/clientapi/routing/register.go
@ -18,17 +18,19 @@ package routing
 import (
 	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"net/url"
 	"regexp"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/tidwall/gjson"
 	"github.com/matrix-org/dendrite/internal/eventutil"
@ -58,12 +60,7 @@ var (
 	)
 )
-const (
+const sessionIDLength = 24
 	minPasswordLength = 8   // http://matrix.org/docs/spec/client_server/r0.2.0.html#password-based
 	maxPasswordLength = 512 // https://github.com/matrix-org/synapse/blob/v0.20.0/synapse/rest/client/v2_alpha/register.py#L161
 	maxUsernameLength = 254 // http://matrix.org/speculator/spec/HEAD/intro.html#user-identifiers TODO account for domain
 	sessionIDLength   = 24
 )
 // sessionsDict keeps track of completed auth stages for each session.
 // It shouldn't be passed by value because it contains a mutex.
@ -198,8 +195,7 @@ func (d *sessionsDict) getDeviceToDelete(sessionID string) (string, bool) {
 }
 var (
-	sessions           = newSessionsDict()
+	sessions = newSessionsDict()
 	validUsernameRegex = regexp.MustCompile(`^[0-9a-z_\-=./]+$`)
 )
 // registerRequest represents the submitted registration request.
@ -210,9 +206,10 @@ var (
 // previous parameters with the ones supplied. This mean you cannot "build up" request params.
 type registerRequest struct {
 	// registration parameters
-	Password string `json:"password"`
+	Password   string                       `json:"password"`
-	Username string `json:"username"`
+	Username   string                       `json:"username"`
-	Admin    bool   `json:"admin"`
+	ServerName gomatrixserverlib.ServerName `json:"-"`
 	Admin      bool                         `json:"admin"`
 	// user-interactive auth params
 	Auth authDict `json:"auth"`
@ -261,10 +258,9 @@ func newUserInteractiveResponse(
 // http://matrix.org/speculator/spec/HEAD/client_server/unstable.html#post-matrix-client-unstable-register
 type registerResponse struct {
-	UserID      string                       `json:"user_id"`
+	UserID      string `json:"user_id"`
-	AccessToken string                       `json:"access_token,omitempty"`
+	AccessToken string `json:"access_token,omitempty"`
-	HomeServer  gomatrixserverlib.ServerName `json:"home_server"`
+	DeviceID    string `json:"device_id,omitempty"`
 	DeviceID    string                       `json:"device_id,omitempty"`
 }
 // recaptchaResponse represents the HTTP response from a Google Recaptcha server
@ -275,95 +271,38 @@ type recaptchaResponse struct {
 	ErrorCodes  []int     `json:"error-codes"`
 }
-// validateUsername returns an error response if the username is invalid
+var (
-func validateUsername(localpart string, domain gomatrixserverlib.ServerName) *util.JSONResponse {
+	ErrInvalidCaptcha  = errors.New("invalid captcha response")
-	// https://github.com/matrix-org/synapse/blob/v0.20.0/synapse/rest/client/v2_alpha/register.py#L161
+	ErrMissingResponse = errors.New("captcha response is required")
-	if id := fmt.Sprintf("@%s:%s", localpart, domain); len(id) > maxUsernameLength {
+	ErrCaptchaDisabled = errors.New("captcha registration is disabled")
-		return &util.JSONResponse{
+)
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.BadJSON(fmt.Sprintf("%q exceeds the maximum length of %d characters", id, maxUsernameLength)),
 		}
 	} else if !validUsernameRegex.MatchString(localpart) {
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidUsername("Username can only contain characters a-z, 0-9, or '_-./='"),
 		}
 	} else if localpart[0] == '_' { // Regex checks its not a zero length string
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidUsername("Username cannot start with a '_'"),
 		}
 	}
 	return nil
 }
 // validateApplicationServiceUsername returns an error response if the username is invalid for an application service
 func validateApplicationServiceUsername(localpart string, domain gomatrixserverlib.ServerName) *util.JSONResponse {
 	if id := fmt.Sprintf("@%s:%s", localpart, domain); len(id) > maxUsernameLength {
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.BadJSON(fmt.Sprintf("%q exceeds the maximum length of %d characters", id, maxUsernameLength)),
 		}
 	} else if !validUsernameRegex.MatchString(localpart) {
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidUsername("Username can only contain characters a-z, 0-9, or '_-./='"),
 		}
 	}
 	return nil
 }
 // validatePassword returns an error response if the password is invalid
 func validatePassword(password string) *util.JSONResponse {
 	// https://github.com/matrix-org/synapse/blob/v0.20.0/synapse/rest/client/v2_alpha/register.py#L161
 	if len(password) > maxPasswordLength {
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.BadJSON(fmt.Sprintf("'password' >%d characters", maxPasswordLength)),
 		}
 	} else if len(password) > 0 && len(password) < minPasswordLength {
 		return &util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.WeakPassword(fmt.Sprintf("password too weak: min %d chars", minPasswordLength)),
 		}
 	}
 	return nil
 }
 // validateRecaptcha returns an error response if the captcha response is invalid
 func validateRecaptcha(
 	cfg *config.ClientAPI,
 	response string,
 	clientip string,
-) *util.JSONResponse {
+) error {
 	ip, _, _ := net.SplitHostPort(clientip)
 	if !cfg.RecaptchaEnabled {
-		return &util.JSONResponse{
+		return ErrCaptchaDisabled
 			Code: http.StatusConflict,
 			JSON: jsonerror.Unknown("Captcha registration is disabled"),
 		}
 	}
 	if response == "" {
-		return &util.JSONResponse{
+		return ErrMissingResponse
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.BadJSON("Captcha response is required"),
 		}
 	}
-	// Make a POST request to Google's API to check the captcha response
+	// Make a POST request to the captcha provider API to check the captcha response
 	resp, err := http.PostForm(cfg.RecaptchaSiteVerifyAPI,
 		url.Values{
 			"secret":   {cfg.RecaptchaPrivateKey},
 			"response": {response},
-			"remoteip": {clientip},
+			"remoteip": {ip},
 		},
 	)
 	if err != nil {
-		return &util.JSONResponse{
+		return err
 			Code: http.StatusInternalServerError,
 			JSON: jsonerror.BadJSON("Error in requesting validation of captcha response"),
 		}
 	}
 	// Close the request once we're finishing reading from it
@ -373,25 +312,16 @@ func validateRecaptcha(
 	var r recaptchaResponse
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
-		return &util.JSONResponse{
+		return err
 			Code: http.StatusGatewayTimeout,
 			JSON: jsonerror.Unknown("Error in contacting captcha server" + err.Error()),
 		}
 	}
 	err = json.Unmarshal(body, &r)
 	if err != nil {
-		return &util.JSONResponse{
+		return err
 			Code: http.StatusInternalServerError,
 			JSON: jsonerror.BadJSON("Error in unmarshaling captcha server's response: " + err.Error()),
 		}
 	}
 	// Check that we received a "success"
 	if !r.Success {
-		return &util.JSONResponse{
+		return ErrInvalidCaptcha
 			Code: http.StatusUnauthorized,
 			JSON: jsonerror.BadJSON("Invalid captcha response. Please try again."),
 		}
 	}
 	return nil
 }
@ -412,7 +342,7 @@ func UserIDIsWithinApplicationServiceNamespace(
 		return false
 	}
-	if domain != cfg.Matrix.ServerName {
+	if !cfg.Matrix.IsLocalServerName(domain) {
 		return false
 	}
@ -523,8 +453,8 @@ func validateApplicationService(
 	}
 	// Check username application service is trying to register is valid
-	if err := validateApplicationServiceUsername(username, cfg.Matrix.ServerName); err != nil {
+	if err := internal.ValidateApplicationServiceUsername(username, cfg.Matrix.ServerName); err != nil {
-		return "", err
+		return "", internal.UsernameResponse(err)
 	}
 	// No errors, registration valid
@ -548,6 +478,12 @@ func Register(
 	}
 	var r registerRequest
 	host := gomatrixserverlib.ServerName(req.Host)
 	if v := cfg.Matrix.VirtualHostForHTTPHost(host); v != nil {
 		r.ServerName = v.ServerName
 	} else {
 		r.ServerName = cfg.Matrix.ServerName
 	}
 	sessionID := gjson.GetBytes(reqBody, "auth.session").String()
 	if sessionID == "" {
 		// Generate a new, random session ID
@ -557,6 +493,7 @@ func Register(
 		// Some of these might end up being overwritten if the
 		// values are specified again in the request body.
 		r.Username = data.Username
 		r.ServerName = data.ServerName
 		r.Password = data.Password
 		r.DeviceID = data.DeviceID
 		r.InitialDisplayName = data.InitialDisplayName
@ -568,7 +505,6 @@ func Register(
 				JSON: response,
 			}
 		}
 	}
 	if resErr := httputil.UnmarshalJSON(reqBody, &r); resErr != nil {
 		return *resErr
@ -578,7 +514,7 @@ func Register(
 	}
 	// Don't allow numeric usernames less than MAX_INT64.
-	if _, err := strconv.ParseInt(r.Username, 10, 64); err == nil {
+	if _, err = strconv.ParseInt(r.Username, 10, 64); err == nil {
 		return util.JSONResponse{
 			Code: http.StatusBadRequest,
 			JSON: jsonerror.InvalidUsername("Numeric user IDs are reserved"),
@ -586,12 +522,15 @@ func Register(
 	}
 	// Auto generate a numeric username if r.Username is empty
 	if r.Username == "" {
-		res := &userapi.QueryNumericLocalpartResponse{}
+		nreq := &userapi.QueryNumericLocalpartRequest{
-		if err := userAPI.QueryNumericLocalpart(req.Context(), res); err != nil {
+			ServerName: r.ServerName,
 		}
 		nres := &userapi.QueryNumericLocalpartResponse{}
 		if err = userAPI.QueryNumericLocalpart(req.Context(), nreq, nres); err != nil {
 			util.GetLogger(req.Context()).WithError(err).Error("userAPI.QueryNumericLocalpart failed")
 			return jsonerror.InternalServerError()
 		}
-		r.Username = strconv.FormatInt(res.ID, 10)
+		r.Username = strconv.FormatInt(nres.ID, 10)
 	}
 	// Is this an appservice registration? It will be if the access
@ -604,8 +543,8 @@ func Register(
 	case r.Type == authtypes.LoginTypeApplicationService && accessTokenErr == nil:
 		// Spec-compliant case (the access_token is specified and the login type
 		// is correctly set, so it's an appservice registration)
-		if resErr := validateApplicationServiceUsername(r.Username, cfg.Matrix.ServerName); resErr != nil {
+		if err = internal.ValidateApplicationServiceUsername(r.Username, r.ServerName); err != nil {
-			return *resErr
+			return *internal.UsernameResponse(err)
 		}
 	case accessTokenErr == nil:
 		// Non-spec-compliant case (the access_token is specified but the login
@ -617,12 +556,12 @@ func Register(
 	default:
 		// Spec-compliant case (neither the access_token nor the login type are
 		// specified, so it's a normal user registration)
-		if resErr := validateUsername(r.Username, cfg.Matrix.ServerName); resErr != nil {
+		if err = internal.ValidateUsername(r.Username, r.ServerName); err != nil {
-			return *resErr
+			return *internal.UsernameResponse(err)
 		}
 	}
-	if resErr := validatePassword(r.Password); resErr != nil {
+	if err = internal.ValidatePassword(r.Password); err != nil {
-		return *resErr
+		return *internal.PasswordResponse(err)
 	}
 	logger := util.GetLogger(req.Context())
@ -641,16 +580,25 @@ func handleGuestRegistration(
 	cfg *config.ClientAPI,
 	userAPI userapi.ClientUserAPI,
 ) util.JSONResponse {
-	if cfg.RegistrationDisabled || cfg.GuestsDisabled {
+	registrationEnabled := !cfg.RegistrationDisabled
 	guestsEnabled := !cfg.GuestsDisabled
 	if v := cfg.Matrix.VirtualHost(r.ServerName); v != nil {
 		registrationEnabled, guestsEnabled = v.RegistrationAllowed()
 	}
 	if !registrationEnabled || !guestsEnabled {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
-			JSON: jsonerror.Forbidden("Guest registration is disabled"),
+			JSON: jsonerror.Forbidden(
 				fmt.Sprintf("Guest registration is disabled on %q", r.ServerName),
 			),
 		}
 	}
 	var res userapi.PerformAccountCreationResponse
 	err := userAPI.PerformAccountCreation(req.Context(), &userapi.PerformAccountCreationRequest{
 		AccountType: userapi.AccountTypeGuest,
 		ServerName:  r.ServerName,
 	}, &res)
 	if err != nil {
 		return util.JSONResponse{
@ -674,6 +622,7 @@ func handleGuestRegistration(
 	var devRes userapi.PerformDeviceCreationResponse
 	err = userAPI.PerformDeviceCreation(req.Context(), &userapi.PerformDeviceCreationRequest{
 		Localpart:         res.Account.Localpart,
 		ServerName:        res.Account.ServerName,
 		DeviceDisplayName: r.InitialDisplayName,
 		AccessToken:       token,
 		IPAddr:            req.RemoteAddr,
@ -690,7 +639,6 @@ func handleGuestRegistration(
 		JSON: registerResponse{
 			UserID:      devRes.Device.UserID,
 			AccessToken: devRes.Device.AccessToken,
 			HomeServer:  res.Account.ServerName,
 			DeviceID:    devRes.Device.ID,
 		},
 	}
@ -726,10 +674,16 @@ func handleRegistrationFlow(
 		)
 	}
-	if cfg.RegistrationDisabled && r.Auth.Type != authtypes.LoginTypeSharedSecret {
+	registrationEnabled := !cfg.RegistrationDisabled
 	if v := cfg.Matrix.VirtualHost(r.ServerName); v != nil {
 		registrationEnabled, _ = v.RegistrationAllowed()
 	}
 	if !registrationEnabled && r.Auth.Type != authtypes.LoginTypeSharedSecret {
 		return util.JSONResponse{
 			Code: http.StatusForbidden,
-			JSON: jsonerror.Forbidden("Registration is disabled"),
+			JSON: jsonerror.Forbidden(
 				fmt.Sprintf("Registration is disabled on %q", r.ServerName),
 			),
 		}
 	}
@ -748,9 +702,18 @@ func handleRegistrationFlow(
 	switch r.Auth.Type {
 	case authtypes.LoginTypeRecaptcha:
 		// Check given captcha response
-		resErr := validateRecaptcha(cfg, r.Auth.Response, req.RemoteAddr)
+		err := validateRecaptcha(cfg, r.Auth.Response, req.RemoteAddr)
-		if resErr != nil {
+		switch err {
-			return *resErr
+		case ErrCaptchaDisabled:
 			return util.JSONResponse{Code: http.StatusForbidden, JSON: jsonerror.Unknown(err.Error())}
 		case ErrMissingResponse:
 			return util.JSONResponse{Code: http.StatusBadRequest, JSON: jsonerror.BadJSON(err.Error())}
 		case ErrInvalidCaptcha:
 			return util.JSONResponse{Code: http.StatusUnauthorized, JSON: jsonerror.BadJSON(err.Error())}
 		case nil:
 		default:
 			util.GetLogger(req.Context()).WithError(err).Error("failed to validate recaptcha")
 			return util.JSONResponse{Code: http.StatusInternalServerError, JSON: jsonerror.InternalServerError()}
 		}
 		// Add Recaptcha to the list of completed registration stages
@ -817,8 +780,9 @@ func handleApplicationServiceRegistration(
 	// Don't need to worry about appending to registration stages as
 	// application service registration is entirely separate.
 	return completeRegistration(
-		req.Context(), userAPI, r.Username, "", appserviceID, req.RemoteAddr, req.UserAgent(), r.Auth.Session,
+		req.Context(), userAPI, r.Username, r.ServerName, "", appserviceID, req.RemoteAddr,
-		r.InhibitLogin, r.InitialDisplayName, r.DeviceID, userapi.AccountTypeAppService,
+		req.UserAgent(), r.Auth.Session, r.InhibitLogin, r.InitialDisplayName, r.DeviceID,
 		userapi.AccountTypeAppService,
 	)
 }
@ -836,8 +800,9 @@ func checkAndCompleteFlow(
 	if checkFlowCompleted(flow, cfg.Derived.Registration.Flows) {
 		// This flow was completed, registration can continue
 		return completeRegistration(
-			req.Context(), userAPI, r.Username, r.Password, "", req.RemoteAddr, req.UserAgent(), sessionID,
+			req.Context(), userAPI, r.Username, r.ServerName, r.Password, "", req.RemoteAddr,
-			r.InhibitLogin, r.InitialDisplayName, r.DeviceID, userapi.AccountTypeUser,
+			req.UserAgent(), sessionID, r.InhibitLogin, r.InitialDisplayName, r.DeviceID,
 			userapi.AccountTypeUser,
 		)
 	}
 	sessions.addParams(sessionID, r)
@ -859,7 +824,8 @@ func checkAndCompleteFlow(
 func completeRegistration(
 	ctx context.Context,
 	userAPI userapi.ClientUserAPI,
-	username, password, appserviceID, ipAddr, userAgent, sessionID string,
+	username string, serverName gomatrixserverlib.ServerName,
 	password, appserviceID, ipAddr, userAgent, sessionID string,
 	inhibitLogin eventutil.WeakBoolean,
 	displayName, deviceID *string,
 	accType userapi.AccountType,
@ -881,6 +847,7 @@ func completeRegistration(
 	err := userAPI.PerformAccountCreation(ctx, &userapi.PerformAccountCreationRequest{
 		AppServiceID: appserviceID,
 		Localpart:    username,
 		ServerName:   serverName,
 		Password:     password,
 		AccountType:  accType,
 		OnConflict:   userapi.ConflictAbort,
@ -907,8 +874,7 @@ func completeRegistration(
 		return util.JSONResponse{
 			Code: http.StatusOK,
 			JSON: registerResponse{
-				UserID:     userutil.MakeUserID(username, accRes.Account.ServerName),
+				UserID: userutil.MakeUserID(username, accRes.Account.ServerName),
 				HomeServer: accRes.Account.ServerName,
 			},
 		}
 	}
@ -924,6 +890,7 @@ func completeRegistration(
 	var devRes userapi.PerformDeviceCreationResponse
 	err = userAPI.PerformDeviceCreation(ctx, &userapi.PerformDeviceCreationRequest{
 		Localpart:         username,
 		ServerName:        serverName,
 		AccessToken:       token,
 		DeviceDisplayName: displayName,
 		DeviceID:          deviceID,
@ -940,7 +907,6 @@ func completeRegistration(
 	result := registerResponse{
 		UserID:      devRes.Device.UserID,
 		AccessToken: devRes.Device.AccessToken,
 		HomeServer:  accRes.Account.ServerName,
 		DeviceID:    devRes.Device.ID,
 	}
 	sessions.addCompletedRegistration(sessionID, result)
@ -1017,13 +983,31 @@ func RegisterAvailable(
 	// Squash username to all lowercase letters
 	username = strings.ToLower(username)
 	domain := cfg.Matrix.ServerName
 	host := gomatrixserverlib.ServerName(req.Host)
 	if v := cfg.Matrix.VirtualHostForHTTPHost(host); v != nil {
 		domain = v.ServerName
 	}
 	if u, l, err := cfg.Matrix.SplitLocalID('@', username); err == nil {
 		username, domain = u, l
 	}
 	for _, v := range cfg.Matrix.VirtualHosts {
 		if v.ServerName == domain && !v.AllowRegistration {
 			return util.JSONResponse{
 				Code: http.StatusForbidden,
 				JSON: jsonerror.Forbidden(
 					fmt.Sprintf("Registration is not allowed on %q", string(v.ServerName)),
 				),
 			}
 		}
 	}
-	if err := validateUsername(username, cfg.Matrix.ServerName); err != nil {
+	if err := internal.ValidateUsername(username, domain); err != nil {
-		return *err
+		return *internal.UsernameResponse(err)
 	}
 	// Check if this username is reserved by an application service
-	userID := userutil.MakeUserID(username, cfg.Matrix.ServerName)
+	userID := userutil.MakeUserID(username, domain)
 	for _, appservice := range cfg.Derived.ApplicationServices {
 		if appservice.OwnsNamespaceCoveringUserId(userID) {
 			return util.JSONResponse{
@ -1035,7 +1019,8 @@ func RegisterAvailable(
 	res := &userapi.QueryAccountAvailabilityResponse{}
 	err := registerAPI.QueryAccountAvailability(req.Context(), &userapi.QueryAccountAvailabilityRequest{
-		Localpart: username,
+		Localpart:  username,
 		ServerName: domain,
 	}, res)
 	if err != nil {
 		return util.JSONResponse{
@ -1080,11 +1065,11 @@ func handleSharedSecretRegistration(cfg *config.ClientAPI, userAPI userapi.Clien
 	// downcase capitals
 	ssrr.User = strings.ToLower(ssrr.User)
-	if resErr := validateUsername(ssrr.User, cfg.Matrix.ServerName); resErr != nil {
+	if err = internal.ValidateUsername(ssrr.User, cfg.Matrix.ServerName); err != nil {
-		return *resErr
+		return *internal.UsernameResponse(err)
 	}
-	if resErr := validatePassword(ssrr.Password); resErr != nil {
+	if err = internal.ValidatePassword(ssrr.Password); err != nil {
-		return *resErr
+		return *internal.PasswordResponse(err)
 	}
 	deviceID := "shared_secret_registration"
@ -1092,5 +1077,5 @@ func handleSharedSecretRegistration(cfg *config.ClientAPI, userAPI userapi.Clien
 	if ssrr.Admin {
 		accType = userapi.AccountTypeAdmin
 	}
-	return completeRegistration(req.Context(), userAPI, ssrr.User, ssrr.Password, "", req.RemoteAddr, req.UserAgent(), "", false, &ssrr.User, &deviceID, accType)
+	return completeRegistration(req.Context(), userAPI, ssrr.User, cfg.Matrix.ServerName, ssrr.Password, "", req.RemoteAddr, req.UserAgent(), "", false, &ssrr.User, &deviceID, accType)
 }
--- a/clientapi/routing/register_test.go
+++ b/clientapi/routing/register_test.go
@ -15,12 +15,27 @@
 package routing
 import (
 	"bytes"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"reflect"
 	"regexp"
 	"strings"
 	"testing"
 	"time"
 	"github.com/matrix-org/dendrite/clientapi/auth/authtypes"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/matrix-org/dendrite/keyserver"
 	"github.com/matrix-org/dendrite/roomserver"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/test/testrig"
 	"github.com/matrix-org/dendrite/userapi"
 	"github.com/matrix-org/util"
 )
 var (
@ -264,3 +279,294 @@ func TestSessionCleanUp(t *testing.T) {
 		}
 	})
 }
 func Test_register(t *testing.T) {
 	testCases := []struct {
 		name                 string
 		kind                 string
 		password             string
 		username             string
 		loginType            string
 		forceEmpty           bool
 		registrationDisabled bool
 		guestsDisabled       bool
 		enableRecaptcha      bool
 		captchaBody          string
 		wantResponse         util.JSONResponse
 	}{
 		{
 			name:           "disallow guests",
 			kind:           "guest",
 			guestsDisabled: true,
 			wantResponse: util.JSONResponse{
 				Code: http.StatusForbidden,
 				JSON: jsonerror.Forbidden(`Guest registration is disabled on "test"`),
 			},
 		},
 		{
 			name: "allow guests",
 			kind: "guest",
 		},
 		{
 			name:      "unknown login type",
 			loginType: "im.not.known",
 			wantResponse: util.JSONResponse{
 				Code: http.StatusNotImplemented,
 				JSON: jsonerror.Unknown("unknown/unimplemented auth type"),
 			},
 		},
 		{
 			name:                 "disabled registration",
 			registrationDisabled: true,
 			wantResponse: util.JSONResponse{
 				Code: http.StatusForbidden,
 				JSON: jsonerror.Forbidden(`Registration is disabled on "test"`),
 			},
 		},
 		{
 			name:       "successful registration, numeric ID",
 			username:   "",
 			password:   "someRandomPassword",
 			forceEmpty: true,
 		},
 		{
 			name:     "successful registration",
 			username: "success",
 		},
 		{
 			name:     "failing registration - user already exists",
 			username: "success",
 			wantResponse: util.JSONResponse{
 				Code: http.StatusBadRequest,
 				JSON: jsonerror.UserInUse("Desired user ID is already taken."),
 			},
 		},
 		{
 			name:     "successful registration uppercase username",
 			username: "LOWERCASED", // this is going to be lower-cased
 		},
 		{
 			name:         "invalid username",
 			username:     "#totalyNotValid",
 			wantResponse: *internal.UsernameResponse(internal.ErrUsernameInvalid),
 		},
 		{
 			name:     "numeric username is forbidden",
 			username: "1337",
 			wantResponse: util.JSONResponse{
 				Code: http.StatusBadRequest,
 				JSON: jsonerror.InvalidUsername("Numeric user IDs are reserved"),
 			},
 		},
 		{
 			name:      "disabled recaptcha login",
 			loginType: authtypes.LoginTypeRecaptcha,
 			wantResponse: util.JSONResponse{
 				Code: http.StatusForbidden,
 				JSON: jsonerror.Unknown(ErrCaptchaDisabled.Error()),
 			},
 		},
 		{
 			name:            "enabled recaptcha, no response defined",
 			enableRecaptcha: true,
 			loginType:       authtypes.LoginTypeRecaptcha,
 			wantResponse: util.JSONResponse{
 				Code: http.StatusBadRequest,
 				JSON: jsonerror.BadJSON(ErrMissingResponse.Error()),
 			},
 		},
 		{
 			name:            "invalid captcha response",
 			enableRecaptcha: true,
 			loginType:       authtypes.LoginTypeRecaptcha,
 			captchaBody:     `notvalid`,
 			wantResponse: util.JSONResponse{
 				Code: http.StatusUnauthorized,
 				JSON: jsonerror.BadJSON(ErrInvalidCaptcha.Error()),
 			},
 		},
 		{
 			name:            "valid captcha response",
 			enableRecaptcha: true,
 			loginType:       authtypes.LoginTypeRecaptcha,
 			captchaBody:     `success`,
 		},
 		{
 			name:            "captcha invalid from remote",
 			enableRecaptcha: true,
 			loginType:       authtypes.LoginTypeRecaptcha,
 			captchaBody:     `i should fail for other reasons`,
 			wantResponse:    util.JSONResponse{Code: http.StatusInternalServerError, JSON: jsonerror.InternalServerError()},
 		},
 	}
 	test.WithAllDatabases(t, func(t *testing.T, dbType test.DBType) {
 		base, baseClose := testrig.CreateBaseDendrite(t, dbType)
 		defer baseClose()
 		rsAPI := roomserver.NewInternalAPI(base)
 		keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, nil, rsAPI)
 		userAPI := userapi.NewInternalAPI(base, &base.Cfg.UserAPI, nil, keyAPI, rsAPI, nil)
 		keyAPI.SetUserAPI(userAPI)
 		for _, tc := range testCases {
 			t.Run(tc.name, func(t *testing.T) {
 				if tc.enableRecaptcha {
 					srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 						if err := r.ParseForm(); err != nil {
 							t.Fatal(err)
 						}
 						response := r.Form.Get("response")
 						// Respond with valid JSON or no JSON at all to test happy/error cases
 						switch response {
 						case "success":
 							json.NewEncoder(w).Encode(recaptchaResponse{Success: true})
 						case "notvalid":
 							json.NewEncoder(w).Encode(recaptchaResponse{Success: false})
 						default:
 						}
 					}))
 					defer srv.Close()
 					base.Cfg.ClientAPI.RecaptchaSiteVerifyAPI = srv.URL
 				}
 				if err := base.Cfg.Derive(); err != nil {
 					t.Fatalf("failed to derive config: %s", err)
 				}
 				base.Cfg.ClientAPI.RecaptchaEnabled = tc.enableRecaptcha
 				base.Cfg.ClientAPI.RegistrationDisabled = tc.registrationDisabled
 				base.Cfg.ClientAPI.GuestsDisabled = tc.guestsDisabled
 				if tc.kind == "" {
 					tc.kind = "user"
 				}
 				if tc.password == "" && !tc.forceEmpty {
 					tc.password = "someRandomPassword"
 				}
 				if tc.username == "" && !tc.forceEmpty {
 					tc.username = "valid"
 				}
 				if tc.loginType == "" {
 					tc.loginType = "m.login.dummy"
 				}
 				reg := registerRequest{
 					Password: tc.password,
 					Username: tc.username,
 				}
 				body := &bytes.Buffer{}
 				err := json.NewEncoder(body).Encode(reg)
 				if err != nil {
 					t.Fatal(err)
 				}
 				req := httptest.NewRequest(http.MethodPost, fmt.Sprintf("/?kind=%s", tc.kind), body)
 				resp := Register(req, userAPI, &base.Cfg.ClientAPI)
 				t.Logf("Resp: %+v", resp)
 				// The first request should return a userInteractiveResponse
 				switch r := resp.JSON.(type) {
 				case userInteractiveResponse:
 					// Check that the flows are the ones we configured
 					if !reflect.DeepEqual(r.Flows, base.Cfg.Derived.Registration.Flows) {
 						t.Fatalf("unexpected registration flows: %+v, want %+v", r.Flows, base.Cfg.Derived.Registration.Flows)
 					}
 				case *jsonerror.MatrixError:
 					if !reflect.DeepEqual(tc.wantResponse, resp) {
 						t.Fatalf("(%s), unexpected response: %+v, want: %+v", tc.name, resp, tc.wantResponse)
 					}
 					return
 				case registerResponse:
 					// this should only be possible on guest user registration, never for normal users
 					if tc.kind != "guest" {
 						t.Fatalf("got register response on first request: %+v", r)
 					}
 					// assert we've got a UserID, AccessToken and DeviceID
 					if r.UserID == "" {
 						t.Fatalf("missing userID in response")
 					}
 					if r.AccessToken == "" {
 						t.Fatalf("missing accessToken in response")
 					}
 					if r.DeviceID == "" {
 						t.Fatalf("missing deviceID in response")
 					}
 					return
 				default:
 					t.Logf("Got response: %T", resp.JSON)
 				}
 				// If we reached this, we should have received a UIA response
 				uia, ok := resp.JSON.(userInteractiveResponse)
 				if !ok {
 					t.Fatalf("did not receive a userInteractiveResponse: %T", resp.JSON)
 				}
 				t.Logf("%+v", uia)
 				// Register the user
 				reg.Auth = authDict{
 					Type:    authtypes.LoginType(tc.loginType),
 					Session: uia.Session,
 				}
 				if tc.captchaBody != "" {
 					reg.Auth.Response = tc.captchaBody
 				}
 				dummy := "dummy"
 				reg.DeviceID = &dummy
 				reg.InitialDisplayName = &dummy
 				reg.Type = authtypes.LoginType(tc.loginType)
 				err = json.NewEncoder(body).Encode(reg)
 				if err != nil {
 					t.Fatal(err)
 				}
 				req = httptest.NewRequest(http.MethodPost, "/", body)
 				resp = Register(req, userAPI, &base.Cfg.ClientAPI)
 				switch resp.JSON.(type) {
 				case *jsonerror.MatrixError:
 					if !reflect.DeepEqual(tc.wantResponse, resp) {
 						t.Fatalf("unexpected response: %+v, want: %+v", resp, tc.wantResponse)
 					}
 					return
 				case util.JSONResponse:
 					if !reflect.DeepEqual(tc.wantResponse, resp) {
 						t.Fatalf("unexpected response: %+v, want: %+v", resp, tc.wantResponse)
 					}
 					return
 				}
 				rr, ok := resp.JSON.(registerResponse)
 				if !ok {
 					t.Fatalf("expected a registerresponse, got %T", resp.JSON)
 				}
 				// validate the response
 				if tc.forceEmpty {
 					// when not supplying a username, one will be generated. Given this _SHOULD_ be
 					// the second user, set the username accordingly
 					reg.Username = "2"
 				}
 				wantUserID := strings.ToLower(fmt.Sprintf("@%s:%s", reg.Username, "test"))
 				if wantUserID != rr.UserID {
 					t.Fatalf("unexpected userID: %s, want %s", rr.UserID, wantUserID)
 				}
 				if rr.DeviceID != *reg.DeviceID {
 					t.Fatalf("unexpected deviceID: %s, want %s", rr.DeviceID, *reg.DeviceID)
 				}
 				if rr.AccessToken == "" {
 					t.Fatalf("missing accessToken in response")
 				}
 			})
 		}
 	})
 }
--- a/clientapi/routing/routing.go
+++ b/clientapi/routing/routing.go
@ -20,6 +20,7 @@ import (
 	"strings"
 	"github.com/gorilla/mux"
 	"github.com/matrix-org/dendrite/setup/base"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/util"
 	"github.com/nats-io/nats.go"
@ -49,7 +50,7 @@ import (
 // applied:
 // nolint: gocyclo
 func Setup(
-	publicAPIMux, wkMux, synapseAdminRouter, dendriteAdminRouter *mux.Router,
+	base *base.BaseDendrite,
 	cfg *config.ClientAPI,
 	rsAPI roomserverAPI.ClientRoomserverAPI,
 	asAPI appserviceAPI.AppServiceInternalAPI,
@ -63,13 +64,21 @@ func Setup(
 	extRoomsProvider api.ExtraPublicRoomsProvider,
 	mscCfg *config.MSCs, natsClient *nats.Conn,
 ) {
-	prometheus.MustRegister(amtRegUsers, sendEventDuration)
+	publicAPIMux := base.PublicClientAPIMux
 	wkMux := base.PublicWellKnownAPIMux
 	synapseAdminRouter := base.SynapseAdminMux
 	dendriteAdminRouter := base.DendriteAdminMux
 	if base.EnableMetrics {
 		prometheus.MustRegister(amtRegUsers, sendEventDuration)
 	}
 	rateLimits := httputil.NewRateLimits(&cfg.RateLimiting)
 	userInteractiveAuth := auth.NewUserInteractive(userAPI, cfg)
 	unstableFeatures := map[string]bool{
 		"org.matrix.e2e_cross_signing": true,
 		"org.matrix.msc2285.stable":    true,
 	}
 	for _, msc := range cfg.MSCs.MSCs {
 		unstableFeatures["org.matrix."+msc] = true
@ -156,12 +165,18 @@ func Setup(
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
-	dendriteAdminRouter.Handle("/admin/resetPassword/{localpart}",
+	dendriteAdminRouter.Handle("/admin/resetPassword/{userID}",
 		httputil.MakeAdminAPI("admin_reset_password", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return AdminResetPassword(req, cfg, device, userAPI)
 		}),
 	).Methods(http.MethodPost, http.MethodOptions)
 	dendriteAdminRouter.Handle("/admin/downloadState/{serverName}/{roomID}",
 		httputil.MakeAdminAPI("admin_download_state", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return AdminDownloadState(req, cfg, device, rsAPI)
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
 	dendriteAdminRouter.Handle("/admin/fulltext/reindex",
 		httputil.MakeAdminAPI("admin_fultext_reindex", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return AdminReindex(req, cfg, device, natsClient)
@ -177,7 +192,7 @@ func Setup(
 	// server notifications
 	if cfg.Matrix.ServerNotices.Enabled {
 		logrus.Info("Enabling server notices at /_synapse/admin/v1/send_server_notice")
-		serverNotificationSender, err := getSenderDevice(context.Background(), userAPI, cfg)
+		serverNotificationSender, err := getSenderDevice(context.Background(), rsAPI, userAPI, cfg)
 		if err != nil {
 			logrus.WithError(err).Fatal("unable to get account for sending sending server notices")
 		}
@ -245,7 +260,7 @@ func Setup(
 			return JoinRoomByIDOrAlias(
 				req, device, rsAPI, userAPI, vars["roomIDOrAlias"],
 			)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	if mscCfg.Enabled("msc2753") {
@ -267,7 +282,7 @@ func Setup(
 	v3mux.Handle("/joined_rooms",
 		httputil.MakeAuthAPI("joined_rooms", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return GetJoinedRooms(req, device, rsAPI)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/join",
 		httputil.MakeAuthAPI(gomatrixserverlib.Join, userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -281,7 +296,7 @@ func Setup(
 			return JoinRoomByIDOrAlias(
 				req, device, rsAPI, userAPI, vars["roomID"],
 			)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/leave",
 		httputil.MakeAuthAPI("membership", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -295,7 +310,7 @@ func Setup(
 			return LeaveRoomByID(
 				req, device, rsAPI, vars["roomID"],
 			)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/unpeek",
 		httputil.MakeAuthAPI("unpeek", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -354,7 +369,7 @@ func Setup(
 				return util.ErrorResponse(err)
 			}
 			return SendEvent(req, device, vars["roomID"], vars["eventType"], nil, nil, cfg, rsAPI, nil)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/send/{eventType}/{txnID}",
 		httputil.MakeAuthAPI("send_message", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -365,17 +380,8 @@ func Setup(
 			txnID := vars["txnID"]
 			return SendEvent(req, device, vars["roomID"], vars["eventType"], &txnID,
 				nil, cfg, rsAPI, transactionsCache)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/event/{eventID}",
 		httputil.MakeAuthAPI("rooms_get_event", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return GetEvent(req, device, vars["roomID"], vars["eventID"], cfg, rsAPI)
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/state", httputil.MakeAuthAPI("room_state", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 		vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
@ -383,7 +389,7 @@ func Setup(
 			return util.ErrorResponse(err)
 		}
 		return OnIncomingStateRequest(req.Context(), device, rsAPI, vars["roomID"])
-	})).Methods(http.MethodGet, http.MethodOptions)
+	}, httputil.WithAllowGuests())).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/aliases", httputil.MakeAuthAPI("aliases", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 		vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
@ -402,7 +408,7 @@ func Setup(
 		eventType := strings.TrimSuffix(vars["type"], "/")
 		eventFormat := req.URL.Query().Get("format") == "event"
 		return OnIncomingStateTypeRequest(req.Context(), device, rsAPI, vars["roomID"], eventType, "", eventFormat)
-	})).Methods(http.MethodGet, http.MethodOptions)
+	}, httputil.WithAllowGuests())).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/state/{type}/{stateKey}", httputil.MakeAuthAPI("room_state", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 		vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
@ -411,7 +417,7 @@ func Setup(
 		}
 		eventFormat := req.URL.Query().Get("format") == "event"
 		return OnIncomingStateTypeRequest(req.Context(), device, rsAPI, vars["roomID"], vars["type"], vars["stateKey"], eventFormat)
-	})).Methods(http.MethodGet, http.MethodOptions)
+	}, httputil.WithAllowGuests())).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/state/{eventType:[^/]+/?}",
 		httputil.MakeAuthAPI("send_message", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -422,7 +428,7 @@ func Setup(
 			emptyString := ""
 			eventType := strings.TrimSuffix(vars["eventType"], "/")
 			return SendEvent(req, device, vars["roomID"], eventType, nil, &emptyString, cfg, rsAPI, nil)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/state/{eventType}/{stateKey}",
@ -433,7 +439,7 @@ func Setup(
 			}
 			stateKey := vars["stateKey"]
 			return SendEvent(req, device, vars["roomID"], vars["eventType"], nil, &stateKey, cfg, rsAPI, nil)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/register", httputil.MakeExternalAPI("register", func(req *http.Request) util.JSONResponse {
@ -488,7 +494,7 @@ func Setup(
 			return GetVisibility(req, rsAPI, vars["roomID"])
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
-	// TODO: Add AS support
+
 	v3mux.Handle("/directory/list/room/{roomID}",
 		httputil.MakeAuthAPI("directory_list", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
@ -498,6 +504,27 @@ func Setup(
 			return SetVisibility(req, rsAPI, device, vars["roomID"])
 		}),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/directory/list/appservice/{networkID}/{roomID}",
 		httputil.MakeAuthAPI("directory_list", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return SetVisibilityAS(req, rsAPI, device, vars["networkID"], vars["roomID"])
 		}),
 	).Methods(http.MethodPut, http.MethodOptions)
 	// Undocumented endpoint
 	v3mux.Handle("/directory/list/appservice/{networkID}/{roomID}",
 		httputil.MakeAuthAPI("directory_list", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return SetVisibilityAS(req, rsAPI, device, vars["networkID"], vars["roomID"])
 		}),
 	).Methods(http.MethodDelete, http.MethodOptions)
 	v3mux.Handle("/publicRooms",
 		httputil.MakeExternalAPI("public_rooms", func(req *http.Request) util.JSONResponse {
 			return GetPostPublicRooms(req, rsAPI, extRoomsProvider, federation, cfg)
@ -556,7 +583,7 @@ func Setup(
 			}
 			txnID := vars["txnID"]
 			return SendToDevice(req, device, syncProducer, transactionsCache, vars["eventType"], &txnID)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	// This is only here because sytest refers to /unstable for this endpoint
@ -570,7 +597,7 @@ func Setup(
 			}
 			txnID := vars["txnID"]
 			return SendToDevice(req, device, syncProducer, transactionsCache, vars["eventType"], &txnID)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/account/whoami",
@ -579,7 +606,7 @@ func Setup(
 				return *r
 			}
 			return Whoami(req, device)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/account/password",
@ -612,9 +639,9 @@ func Setup(
 	).Methods(http.MethodGet, http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/auth/{authType}/fallback/web",
-		httputil.MakeHTMLAPI("auth_fallback", func(w http.ResponseWriter, req *http.Request) *util.JSONResponse {
+		httputil.MakeHTMLAPI("auth_fallback", base.EnableMetrics, func(w http.ResponseWriter, req *http.Request) {
 			vars := mux.Vars(req)
-			return AuthFallback(w, req, vars["authType"], cfg)
+			AuthFallback(w, req, vars["authType"], cfg)
 		}),
 	).Methods(http.MethodGet, http.MethodPost, http.MethodOptions)
@ -811,7 +838,7 @@ func Setup(
 				return util.ErrorResponse(err)
 			}
 			return SetDisplayName(req, userAPI, device, vars["userID"], cfg, rsAPI)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	// Browsers use the OPTIONS HTTP method to check if the CORS policy allows
 	// PUT requests, so we need to allow this method
@ -850,13 +877,51 @@ func Setup(
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/thirdparty/protocols",
-		httputil.MakeExternalAPI("thirdparty_protocols", func(req *http.Request) util.JSONResponse {
+		httputil.MakeAuthAPI("thirdparty_protocols", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
-			// TODO: Return the third party protcols
+			return Protocols(req, asAPI, device, "")
-			return util.JSONResponse{
+		}, httputil.WithAllowGuests()),
-				Code: http.StatusOK,
+	).Methods(http.MethodGet, http.MethodOptions)
-				JSON: struct{}{},
+
 	v3mux.Handle("/thirdparty/protocol/{protocolID}",
 		httputil.MakeAuthAPI("thirdparty_protocols", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
-		}),
+			return Protocols(req, asAPI, device, vars["protocolID"])
 		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/thirdparty/user/{protocolID}",
 		httputil.MakeAuthAPI("thirdparty_user", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return User(req, asAPI, device, vars["protocolID"], req.URL.Query())
 		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/thirdparty/user",
 		httputil.MakeAuthAPI("thirdparty_user", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return User(req, asAPI, device, "", req.URL.Query())
 		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/thirdparty/location/{protocolID}",
 		httputil.MakeAuthAPI("thirdparty_location", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return Location(req, asAPI, device, vars["protocolID"], req.URL.Query())
 		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/thirdparty/location",
 		httputil.MakeAuthAPI("thirdparty_location", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return Location(req, asAPI, device, "", req.URL.Query())
 		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/initialSync",
@ -958,26 +1023,6 @@ func Setup(
 		}),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/members",
 		httputil.MakeAuthAPI("rooms_members", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return GetMemberships(req, device, vars["roomID"], false, cfg, rsAPI)
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/joined_members",
 		httputil.MakeAuthAPI("rooms_members", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			vars, err := httputil.URLDecodeMapValues(mux.Vars(req))
 			if err != nil {
 				return util.ErrorResponse(err)
 			}
 			return GetMemberships(req, device, vars["roomID"], true, cfg, rsAPI)
 		}),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomID}/read_markers",
 		httputil.MakeAuthAPI("rooms_read_markers", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			if r := rateLimits.Limit(req, device); r != nil {
@ -1017,7 +1062,7 @@ func Setup(
 	v3mux.Handle("/devices",
 		httputil.MakeAuthAPI("get_devices", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return GetDevicesByLocalpart(req, userAPI, device)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/devices/{deviceID}",
@ -1027,7 +1072,7 @@ func Setup(
 				return util.ErrorResponse(err)
 			}
 			return GetDeviceByID(req, userAPI, device, vars["deviceID"])
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/devices/{deviceID}",
@ -1037,7 +1082,7 @@ func Setup(
 				return util.ErrorResponse(err)
 			}
 			return UpdateDeviceByID(req, userAPI, device, vars["deviceID"])
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPut, http.MethodOptions)
 	v3mux.Handle("/devices/{deviceID}",
@ -1079,21 +1124,21 @@ func Setup(
 	// Stub implementations for sytest
 	v3mux.Handle("/events",
-		httputil.MakeExternalAPI("events", func(req *http.Request) util.JSONResponse {
+		httputil.MakeAuthAPI("events", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return util.JSONResponse{Code: http.StatusOK, JSON: map[string]interface{}{
 				"chunk": []interface{}{},
 				"start": "",
 				"end":   "",
 			}}
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/initialSync",
-		httputil.MakeExternalAPI("initial_sync", func(req *http.Request) util.JSONResponse {
+		httputil.MakeAuthAPI("initial_sync", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return util.JSONResponse{Code: http.StatusOK, JSON: map[string]interface{}{
 				"end": "",
 			}}
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	v3mux.Handle("/user/{userId}/rooms/{roomId}/tags",
@ -1132,7 +1177,7 @@ func Setup(
 				return *r
 			}
 			return GetCapabilities(req, rsAPI)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodGet, http.MethodOptions)
 	// Key Backup Versions (Metadata)
@ -1313,7 +1358,7 @@ func Setup(
 	postDeviceSigningSignatures := httputil.MakeAuthAPI("post_device_signing_signatures", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 		return UploadCrossSigningDeviceSignatures(req, keyAPI, device)
-	})
+	}, httputil.WithAllowGuests())
 	v3mux.Handle("/keys/device_signing/upload", postDeviceSigningKeys).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/keys/signatures/upload", postDeviceSigningSignatures).Methods(http.MethodPost, http.MethodOptions)
@ -1325,22 +1370,22 @@ func Setup(
 	v3mux.Handle("/keys/upload/{deviceID}",
 		httputil.MakeAuthAPI("keys_upload", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return UploadKeys(req, keyAPI, device)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/keys/upload",
 		httputil.MakeAuthAPI("keys_upload", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return UploadKeys(req, keyAPI, device)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/keys/query",
 		httputil.MakeAuthAPI("keys_query", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return QueryKeys(req, keyAPI, device)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/keys/claim",
 		httputil.MakeAuthAPI("keys_claim", userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
 			return ClaimKeys(req, keyAPI)
-		}),
+		}, httputil.WithAllowGuests()),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/rooms/{roomId}/receipt/{receiptType}/{eventId}",
 		httputil.MakeAuthAPI(gomatrixserverlib.Join, userAPI, func(req *http.Request, device *userapi.Device) util.JSONResponse {
@ -1352,7 +1397,7 @@ func Setup(
 				return util.ErrorResponse(err)
 			}
-			return SetReceipt(req, syncProducer, device, vars["roomId"], vars["receiptType"], vars["eventId"])
+			return SetReceipt(req, userAPI, syncProducer, device, vars["roomId"], vars["receiptType"], vars["eventId"])
 		}),
 	).Methods(http.MethodPost, http.MethodOptions)
 	v3mux.Handle("/presence/{userId}/status",
--- a/clientapi/routing/sendevent.go
+++ b/clientapi/routing/sendevent.go
@ -86,7 +86,7 @@ func SendEvent(
 	if txnID != nil {
 		// Try to fetch response from transactionsCache
-		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID); ok {
+		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID, req.URL); ok {
 			return *res
 		}
 	}
@ -94,6 +94,7 @@ func SendEvent(
 	// create a mutex for the specific user in the specific room
 	// this avoids a situation where events that are received in quick succession are sent to the roomserver in a jumbled order
 	userID := device.UserID
 	domain := device.UserDomain()
 	mutex, _ := userRoomSendMutexes.LoadOrStore(roomID+userID, &sync.Mutex{})
 	mutex.(*sync.Mutex).Lock()
 	defer mutex.(*sync.Mutex).Unlock()
@ -185,8 +186,9 @@ func SendEvent(
 		[]*gomatrixserverlib.HeaderedEvent{
 			e.Headered(verRes.RoomVersion),
 		},
-		cfg.Matrix.ServerName,
+		device.UserDomain(),
-		cfg.Matrix.ServerName,
+		domain,
 		domain,
 		txnAndSessionID,
 		false,
 	); err != nil {
@ -206,7 +208,7 @@ func SendEvent(
 	}
 	// Add response to transactionsCache
 	if txnID != nil {
-		txnCache.AddTransaction(device.AccessToken, *txnID, &res)
+		txnCache.AddTransaction(device.AccessToken, *txnID, req.URL, &res)
 	}
 	// Take a note of how long it took to generate the event vs submit
@ -274,8 +276,14 @@ func generateSendEvent(
 		return nil, &resErr
 	}
 	identity, err := cfg.Matrix.SigningIdentityFor(device.UserDomain())
 	if err != nil {
 		resErr := jsonerror.InternalServerError()
 		return nil, &resErr
 	}
 	var queryRes api.QueryLatestEventsAndStateResponse
-	e, err := eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, evTime, rsAPI, &queryRes)
+	e, err := eventutil.QueryAndBuildEvent(ctx, &builder, cfg.Matrix, identity, evTime, rsAPI, &queryRes)
 	if err == eventutil.ErrRoomNoExists {
 		return nil, &util.JSONResponse{
 			Code: http.StatusNotFound,
--- a/clientapi/routing/sendtodevice.go
+++ b/clientapi/routing/sendtodevice.go
@ -16,12 +16,13 @@ import (
 	"encoding/json"
 	"net/http"
 	"github.com/matrix-org/util"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/clientapi/producers"
 	"github.com/matrix-org/dendrite/internal/transactions"
 	userapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/matrix-org/util"
 )
 // SendToDevice handles PUT /_matrix/client/r0/sendToDevice/{eventType}/{txnId}
@ -33,7 +34,7 @@ func SendToDevice(
 	eventType string, txnID *string,
 ) util.JSONResponse {
 	if txnID != nil {
-		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID); ok {
+		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID, req.URL); ok {
 			return *res
 		}
 	}
@ -63,7 +64,7 @@ func SendToDevice(
 	}
 	if txnID != nil {
-		txnCache.AddTransaction(device.AccessToken, *txnID, &res)
+		txnCache.AddTransaction(device.AccessToken, *txnID, req.URL, &res)
 	}
 	return res
--- a/clientapi/routing/server_notices.go
+++ b/clientapi/routing/server_notices.go
@ -21,7 +21,6 @@ import (
 	"net/http"
 	"time"
 	"github.com/matrix-org/dendrite/roomserver/version"
 	"github.com/matrix-org/gomatrix"
 	"github.com/matrix-org/gomatrixserverlib"
 	"github.com/matrix-org/gomatrixserverlib/tokens"
@ -29,6 +28,8 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/sirupsen/logrus"
 	"github.com/matrix-org/dendrite/roomserver/version"
 	appserviceAPI "github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/clientapi/httputil"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
@ -73,7 +74,7 @@ func SendServerNotice(
 	if txnID != nil {
 		// Try to fetch response from transactionsCache
-		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID); ok {
+		if res, ok := txnCache.FetchTransaction(device.AccessToken, *txnID, req.URL); ok {
 			return *res
 		}
 	}
@ -230,6 +231,7 @@ func SendServerNotice(
 		[]*gomatrixserverlib.HeaderedEvent{
 			e.Headered(roomVersion),
 		},
 		device.UserDomain(),
 		cfgClient.Matrix.ServerName,
 		cfgClient.Matrix.ServerName,
 		txnAndSessionID,
@ -251,7 +253,7 @@ func SendServerNotice(
 	}
 	// Add response to transactionsCache
 	if txnID != nil {
-		txnCache.AddTransaction(device.AccessToken, *txnID, &res)
+		txnCache.AddTransaction(device.AccessToken, *txnID, req.URL, &res)
 	}
 	// Take a note of how long it took to generate the event vs submit
@ -276,6 +278,7 @@ func (r sendServerNoticeRequest) valid() (ok bool) {
 // It returns an userapi.Device, which is used for building the event
 func getSenderDevice(
 	ctx context.Context,
 	rsAPI api.ClientRoomserverAPI,
 	userAPI userapi.ClientUserAPI,
 	cfg *config.ClientAPI,
 ) (*userapi.Device, error) {
@ -284,22 +287,41 @@ func getSenderDevice(
 	err := userAPI.PerformAccountCreation(ctx, &userapi.PerformAccountCreationRequest{
 		AccountType: userapi.AccountTypeUser,
 		Localpart:   cfg.Matrix.ServerNotices.LocalPart,
 		ServerName:  cfg.Matrix.ServerName,
 		OnConflict:  userapi.ConflictUpdate,
 	}, &accRes)
 	if err != nil {
 		return nil, err
 	}
-	// set the avatarurl for the user
+	// Set the avatarurl for the user
-	res := &userapi.PerformSetAvatarURLResponse{}
+	avatarRes := &userapi.PerformSetAvatarURLResponse{}
 	if err = userAPI.SetAvatarURL(ctx, &userapi.PerformSetAvatarURLRequest{
-		Localpart: cfg.Matrix.ServerNotices.LocalPart,
+		Localpart:  cfg.Matrix.ServerNotices.LocalPart,
-		AvatarURL: cfg.Matrix.ServerNotices.AvatarURL,
+		ServerName: cfg.Matrix.ServerName,
-	}, res); err != nil {
+		AvatarURL:  cfg.Matrix.ServerNotices.AvatarURL,
 	}, avatarRes); err != nil {
 		util.GetLogger(ctx).WithError(err).Error("userAPI.SetAvatarURL failed")
 		return nil, err
 	}
 	profile := avatarRes.Profile
 	// Set the displayname for the user
 	displayNameRes := &userapi.PerformUpdateDisplayNameResponse{}
 	if err = userAPI.SetDisplayName(ctx, &userapi.PerformUpdateDisplayNameRequest{
 		Localpart:   cfg.Matrix.ServerNotices.LocalPart,
 		ServerName:  cfg.Matrix.ServerName,
 		DisplayName: cfg.Matrix.ServerNotices.DisplayName,
 	}, displayNameRes); err != nil {
 		util.GetLogger(ctx).WithError(err).Error("userAPI.SetDisplayName failed")
 		return nil, err
 	}
 	if displayNameRes.Changed {
 		profile.DisplayName = cfg.Matrix.ServerNotices.DisplayName
 	}
 	// Check if we got existing devices
 	deviceRes := &userapi.QueryDevicesResponse{}
 	err = userAPI.QueryDevices(ctx, &userapi.QueryDevicesRequest{
@ -309,7 +331,15 @@ func getSenderDevice(
 		return nil, err
 	}
 	// We've got an existing account, return the first device of it
 	if len(deviceRes.Devices) > 0 {
 		// If there were changes to the profile, create a new membership event
 		if displayNameRes.Changed || avatarRes.Changed {
 			_, err = updateProfile(ctx, rsAPI, &deviceRes.Devices[0], profile, accRes.Account.UserID, cfg, time.Now())
 			if err != nil {
 				return nil, err
 			}
 		}
 		return &deviceRes.Devices[0], nil
 	}
@ -327,6 +357,7 @@ func getSenderDevice(
 	var devRes userapi.PerformDeviceCreationResponse
 	err = userAPI.PerformDeviceCreation(ctx, &userapi.PerformDeviceCreationRequest{
 		Localpart:          cfg.Matrix.ServerNotices.LocalPart,
 		ServerName:         cfg.Matrix.ServerName,
 		DeviceDisplayName:  &cfg.Matrix.ServerNotices.LocalPart,
 		AccessToken:        token,
 		NoDeviceListUpdate: true,
--- a/clientapi/routing/thirdparty.go
+++ b/clientapi/routing/thirdparty.go
@ -0,0 +1,112 @@
 // Copyright 2022 The Matrix.org Foundation C.I.C.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package routing
 import (
 	"net/http"
 	"net/url"
 	"github.com/matrix-org/util"
 	appserviceAPI "github.com/matrix-org/dendrite/appservice/api"
 	"github.com/matrix-org/dendrite/clientapi/jsonerror"
 	"github.com/matrix-org/dendrite/userapi/api"
 )
 // Protocols implements
 //
 //	GET /_matrix/client/v3/thirdparty/protocols/{protocol}
 //	GET /_matrix/client/v3/thirdparty/protocols
 func Protocols(req *http.Request, asAPI appserviceAPI.AppServiceInternalAPI, device *api.Device, protocol string) util.JSONResponse {
 	resp := &appserviceAPI.ProtocolResponse{}
 	if err := asAPI.Protocols(req.Context(), &appserviceAPI.ProtocolRequest{Protocol: protocol}, resp); err != nil {
 		return jsonerror.InternalServerError()
 	}
 	if !resp.Exists {
 		if protocol != "" {
 			return util.JSONResponse{
 				Code: http.StatusNotFound,
 				JSON: jsonerror.NotFound("The protocol is unknown."),
 			}
 		}
 		return util.JSONResponse{
 			Code: http.StatusOK,
 			JSON: struct{}{},
 		}
 	}
 	if protocol != "" {
 		return util.JSONResponse{
 			Code: http.StatusOK,
 			JSON: resp.Protocols[protocol],
 		}
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: resp.Protocols,
 	}
 }
 // User implements
 //
 //	GET /_matrix/client/v3/thirdparty/user
 //	GET /_matrix/client/v3/thirdparty/user/{protocol}
 func User(req *http.Request, asAPI appserviceAPI.AppServiceInternalAPI, device *api.Device, protocol string, params url.Values) util.JSONResponse {
 	resp := &appserviceAPI.UserResponse{}
 	params.Del("access_token")
 	if err := asAPI.User(req.Context(), &appserviceAPI.UserRequest{
 		Protocol: protocol,
 		Params:   params.Encode(),
 	}, resp); err != nil {
 		return jsonerror.InternalServerError()
 	}
 	if !resp.Exists {
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("The Matrix User ID was not found"),
 		}
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: resp.Users,
 	}
 }
 // Location implements
 //
 //	GET /_matrix/client/v3/thirdparty/location
 //	GET /_matrix/client/v3/thirdparty/location/{protocol}
 func Location(req *http.Request, asAPI appserviceAPI.AppServiceInternalAPI, device *api.Device, protocol string, params url.Values) util.JSONResponse {
 	resp := &appserviceAPI.LocationResponse{}
 	params.Del("access_token")
 	if err := asAPI.Locations(req.Context(), &appserviceAPI.LocationRequest{
 		Protocol: protocol,
 		Params:   params.Encode(),
 	}, resp); err != nil {
 		return jsonerror.InternalServerError()
 	}
 	if !resp.Exists {
 		return util.JSONResponse{
 			Code: http.StatusNotFound,
 			JSON: jsonerror.NotFound("No portal rooms were found."),
 		}
 	}
 	return util.JSONResponse{
 		Code: http.StatusOK,
 		JSON: resp.Locations,
 	}
 }
--- a/clientapi/routing/threepid.go
+++ b/clientapi/routing/threepid.go
@ -136,16 +136,17 @@ func CheckAndSave3PIDAssociation(
 	}
 	// Save the association in the database
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
 	}
 	if err = threePIDAPI.PerformSaveThreePIDAssociation(req.Context(), &api.PerformSaveThreePIDAssociationRequest{
-		ThreePID:  address,
+		ThreePID:   address,
-		Localpart: localpart,
+		Localpart:  localpart,
-		Medium:    medium,
+		ServerName: domain,
 		Medium:     medium,
 	}, &struct{}{}); err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("threePIDAPI.PerformSaveThreePIDAssociation failed")
 		return jsonerror.InternalServerError()
@ -161,7 +162,7 @@ func CheckAndSave3PIDAssociation(
 func GetAssociated3PIDs(
 	req *http.Request, threepidAPI api.ClientUserAPI, device *api.Device,
 ) util.JSONResponse {
-	localpart, _, err := gomatrixserverlib.SplitID('@', device.UserID)
+	localpart, domain, err := gomatrixserverlib.SplitID('@', device.UserID)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("gomatrixserverlib.SplitID failed")
 		return jsonerror.InternalServerError()
@ -169,7 +170,8 @@ func GetAssociated3PIDs(
 	res := &api.QueryThreePIDsForLocalpartResponse{}
 	err = threepidAPI.QueryThreePIDsForLocalpart(req.Context(), &api.QueryThreePIDsForLocalpartRequest{
-		Localpart: localpart,
+		Localpart:  localpart,
 		ServerName: domain,
 	}, res)
 	if err != nil {
 		util.GetLogger(req.Context()).WithError(err).Error("threepidAPI.QueryThreePIDsForLocalpart failed")
--- a/clientapi/routing/userdirectory.go
+++ b/clientapi/routing/userdirectory.go
@ -106,7 +106,7 @@ knownUsersLoop:
 				continue
 			}
 			// TODO: We should probably cache/store this
-			fedProfile, fedErr := federation.LookupProfile(ctx, serverName, userID, "")
+			fedProfile, fedErr := federation.LookupProfile(ctx, localServerName, serverName, userID, "")
 			if fedErr != nil {
 				if x, ok := fedErr.(gomatrix.HTTPError); ok {
 					if x.Code == http.StatusNotFound {
--- a/clientapi/threepid/invites.go
+++ b/clientapi/threepid/invites.go
@ -215,7 +215,7 @@ func queryIDServerStoreInvite(
 	}
 	var profile *authtypes.Profile
-	if serverName == cfg.Matrix.ServerName {
+	if cfg.Matrix.IsLocalServerName(serverName) {
 		res := &userapi.QueryProfileResponse{}
 		err = userAPI.QueryProfile(ctx, &userapi.QueryProfileRequest{UserID: device.UserID}, res)
 		if err != nil {
@ -359,8 +359,13 @@ func emit3PIDInviteEvent(
 		return err
 	}
 	identity, err := cfg.Matrix.SigningIdentityFor(device.UserDomain())
 	if err != nil {
 		return err
 	}
 	queryRes := api.QueryLatestEventsAndStateResponse{}
-	event, err := eventutil.QueryAndBuildEvent(ctx, builder, cfg.Matrix, evTime, rsAPI, &queryRes)
+	event, err := eventutil.QueryAndBuildEvent(ctx, builder, cfg.Matrix, identity, evTime, rsAPI, &queryRes)
 	if err != nil {
 		return err
 	}
@ -371,6 +376,7 @@ func emit3PIDInviteEvent(
 		[]*gomatrixserverlib.HeaderedEvent{
 			event.Headered(queryRes.RoomVersion),
 		},
 		device.UserDomain(),
 		cfg.Matrix.ServerName,
 		cfg.Matrix.ServerName,
 		nil,
--- a/clientapi/userutil/userutil.go
+++ b/clientapi/userutil/userutil.go
@ -17,6 +17,7 @@ import (
 	"fmt"
 	"strings"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/gomatrixserverlib"
 )
@ -24,23 +25,23 @@ import (
 // usernameParam can either be a user ID or just the localpart/username.
 // If serverName is passed, it is verified against the domain obtained from usernameParam (if present)
 // Returns error in case of invalid usernameParam.
-func ParseUsernameParam(usernameParam string, expectedServerName *gomatrixserverlib.ServerName) (string, error) {
+func ParseUsernameParam(usernameParam string, cfg *config.Global) (string, gomatrixserverlib.ServerName, error) {
 	localpart := usernameParam
 	if strings.HasPrefix(usernameParam, "@") {
 		lp, domain, err := gomatrixserverlib.SplitID('@', usernameParam)
 		if err != nil {
-			return "", errors.New("invalid username")
+			return "", "", errors.New("invalid username")
 		}
-		if expectedServerName != nil && domain != *expectedServerName {
+		if !cfg.IsLocalServerName(domain) {
-			return "", errors.New("user ID does not belong to this server")
+			return "", "", errors.New("user ID does not belong to this server")
 		}
-		localpart = lp
+		return lp, domain, nil
 	}
-	return localpart, nil
+	return localpart, cfg.ServerName, nil
 }
 // MakeUserID generates user ID from localpart & server name
--- a/clientapi/userutil/userutil_test.go
+++ b/clientapi/userutil/userutil_test.go
@ -15,6 +15,7 @@ package userutil
 import (
 	"testing"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/matrix-org/gomatrixserverlib"
 )
@ -28,7 +29,13 @@ var (
 // TestGoodUserID checks that correct localpart is returned for a valid user ID.
 func TestGoodUserID(t *testing.T) {
-	lp, err := ParseUsernameParam(goodUserID, &serverName)
+	cfg := &config.Global{
 		SigningIdentity: gomatrixserverlib.SigningIdentity{
 			ServerName: serverName,
 		},
 	}
 	lp, _, err := ParseUsernameParam(goodUserID, cfg)
 	if err != nil {
 		t.Error("User ID Parsing failed for ", goodUserID, " with error: ", err.Error())
@ -41,7 +48,13 @@ func TestGoodUserID(t *testing.T) {
 // TestWithLocalpartOnly checks that localpart is returned when usernameParam contains only localpart.
 func TestWithLocalpartOnly(t *testing.T) {
-	lp, err := ParseUsernameParam(localpart, &serverName)
+	cfg := &config.Global{
 		SigningIdentity: gomatrixserverlib.SigningIdentity{
 			ServerName: serverName,
 		},
 	}
 	lp, _, err := ParseUsernameParam(localpart, cfg)
 	if err != nil {
 		t.Error("User ID Parsing failed for ", localpart, " with error: ", err.Error())
@ -54,7 +67,13 @@ func TestWithLocalpartOnly(t *testing.T) {
 // TestIncorrectDomain checks for error when there's server name mismatch.
 func TestIncorrectDomain(t *testing.T) {
-	_, err := ParseUsernameParam(goodUserID, &invalidServerName)
+	cfg := &config.Global{
 		SigningIdentity: gomatrixserverlib.SigningIdentity{
 			ServerName: invalidServerName,
 		},
 	}
 	_, _, err := ParseUsernameParam(goodUserID, cfg)
 	if err == nil {
 		t.Error("Invalid Domain should return an error")
@ -63,7 +82,13 @@ func TestIncorrectDomain(t *testing.T) {
 // TestBadUserID checks that ParseUsernameParam fails for invalid user ID
 func TestBadUserID(t *testing.T) {
-	_, err := ParseUsernameParam(badUserID, &serverName)
+	cfg := &config.Global{
 		SigningIdentity: gomatrixserverlib.SigningIdentity{
 			ServerName: serverName,
 		},
 	}
 	_, _, err := ParseUsernameParam(badUserID, cfg)
 	if err == nil {
 		t.Error("Illegal User ID should return an error")
--- a/cmd/create-account/main.go
+++ b/cmd/create-account/main.go
@ -25,10 +25,10 @@ import (
 	"io"
 	"net/http"
 	"os"
 	"regexp"
 	"strings"
 	"time"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/tidwall/gjson"
 	"github.com/sirupsen/logrus"
@ -58,15 +58,14 @@ Arguments:
 `
 var (
-	username           = flag.String("username", "", "The username of the account to register (specify the localpart only, e.g. 'alice' for '@alice:domain.com')")
+	username      = flag.String("username", "", "The username of the account to register (specify the localpart only, e.g. 'alice' for '@alice:domain.com')")
-	password           = flag.String("password", "", "The password to associate with the account")
+	password      = flag.String("password", "", "The password to associate with the account")
-	pwdFile            = flag.String("passwordfile", "", "The file to use for the password (e.g. for automated account creation)")
+	pwdFile       = flag.String("passwordfile", "", "The file to use for the password (e.g. for automated account creation)")
-	pwdStdin           = flag.Bool("passwordstdin", false, "Reads the password from stdin")
+	pwdStdin      = flag.Bool("passwordstdin", false, "Reads the password from stdin")
-	isAdmin            = flag.Bool("admin", false, "Create an admin account")
+	isAdmin       = flag.Bool("admin", false, "Create an admin account")
-	resetPassword      = flag.Bool("reset-password", false, "Deprecated")
+	resetPassword = flag.Bool("reset-password", false, "Deprecated")
-	serverURL          = flag.String("url", "http://localhost:8008", "The URL to connect to.")
+	serverURL     = flag.String("url", "http://localhost:8008", "The URL to connect to.")
-	validUsernameRegex = regexp.MustCompile(`^[0-9a-z_\-=./]+$`)
+	timeout       = flag.Duration("timeout", time.Second*30, "Timeout for the http client when connecting to the server")
 	timeout            = flag.Duration("timeout", time.Second*30, "Timeout for the http client when connecting to the server")
 )
 var cl = http.Client{
@ -95,20 +94,21 @@ func main() {
 		os.Exit(1)
 	}
-	if !validUsernameRegex.MatchString(*username) {
+	if err := internal.ValidateUsername(*username, cfg.Global.ServerName); err != nil {
-		logrus.Warn("Username can only contain characters a-z, 0-9, or '_-./='")
+		logrus.WithError(err).Error("Specified username is invalid")
 		os.Exit(1)
 	}
 	if len(fmt.Sprintf("@%s:%s", *username, cfg.Global.ServerName)) > 255 {
 		logrus.Fatalf("Username can not be longer than 255 characters: %s", fmt.Sprintf("@%s:%s", *username, cfg.Global.ServerName))
 	}
 	pass, err := getPassword(*password, *pwdFile, *pwdStdin, os.Stdin)
 	if err != nil {
 		logrus.Fatalln(err)
 	}
 	if err = internal.ValidatePassword(pass); err != nil {
 		logrus.WithError(err).Error("Specified password is invalid")
 		os.Exit(1)
 	}
 	cl.Timeout = *timeout
 	accessToken, err := sharedSecretRegister(cfg.ClientAPI.RegistrationSharedSecret, *serverURL, *username, pass, *isAdmin)
@ -177,9 +177,12 @@ func sharedSecretRegister(sharedSecret, serverURL, localpart, password string, a
 	defer regResp.Body.Close() // nolint: errcheck
 	if regResp.StatusCode < 200 || regResp.StatusCode >= 300 {
 		body, _ = io.ReadAll(regResp.Body)
-		return "", fmt.Errorf(gjson.GetBytes(body, "error").Str)
+		return "", fmt.Errorf("got HTTP %d error from server: %s", regResp.StatusCode, string(body))
 	}
 	r, err := io.ReadAll(regResp.Body)
 	if err != nil {
 		return "", fmt.Errorf("failed to read response body (HTTP %d): %w", regResp.StatusCode, err)
 	}
 	r, _ := io.ReadAll(regResp.Body)
 	return gjson.GetBytes(r, "access_token").Str, nil
 }
--- a/cmd/dendrite-demo-pinecone/README.md
+++ b/cmd/dendrite-demo-pinecone/README.md
@ -0,0 +1,26 @@
 # Pinecone Demo
 This is the Dendrite Pinecone demo! It's easy to get started.
 To run the homeserver, start at the root of the Dendrite repository and run:
 ```
 go run ./cmd/dendrite-demo-pinecone
 ```
 To connect to the static Pinecone peer used by the mobile demos run:
 ```
 go run ./cmd/dendrite-demo-pinecone -peer wss://pinecone.matrix.org/public
 ```
 The following command line arguments are accepted:
 * `-peer tcp://a.b.c.d:e` to specify a static Pinecone peer to connect to - you will need to supply this if you do not have another Pinecone node on your network
 * `-port 12345` to specify a port to listen on for client connections
 Then point your favourite Matrix client to  the homeserver URL`http://localhost:8008` (or whichever `-port` you specified), create an account and log in.
 If your peering connection is operational then you should see a `Connected TCP:` line in the log output. If not then try a different peer.
 Once logged in, you should be able to open the room directory or join a room by its ID.
--- a/cmd/dendrite-demo-pinecone/conn/client.go
+++ b/cmd/dendrite-demo-pinecone/conn/client.go
@ -101,9 +101,7 @@ func CreateFederationClient(
 	base *base.BaseDendrite, s *pineconeSessions.Sessions,
 ) *gomatrixserverlib.FederationClient {
 	return gomatrixserverlib.NewFederationClient(
-		base.Cfg.Global.ServerName,
+		base.Cfg.Global.SigningIdentities(),
 		base.Cfg.Global.KeyID,
 		base.Cfg.Global.PrivateKey,
 		gomatrixserverlib.WithTransport(createTransport(s)),
 	)
 }
--- a/cmd/dendrite-demo-pinecone/main.go
+++ b/cmd/dendrite-demo-pinecone/main.go
@ -37,6 +37,7 @@ import (
 	"github.com/matrix-org/dendrite/cmd/dendrite-demo-pinecone/users"
 	"github.com/matrix-org/dendrite/cmd/dendrite-demo-yggdrasil/signing"
 	"github.com/matrix-org/dendrite/federationapi"
 	"github.com/matrix-org/dendrite/federationapi/api"
 	"github.com/matrix-org/dendrite/internal"
 	"github.com/matrix-org/dendrite/internal/httputil"
 	"github.com/matrix-org/dendrite/keyserver"
@ -51,11 +52,10 @@ import (
 	pineconeConnections "github.com/matrix-org/pinecone/connections"
 	pineconeMulticast "github.com/matrix-org/pinecone/multicast"
 	pineconeRouter "github.com/matrix-org/pinecone/router"
 	pineconeEvents "github.com/matrix-org/pinecone/router/events"
 	pineconeSessions "github.com/matrix-org/pinecone/sessions"
 	"github.com/sirupsen/logrus"
 	_ "github.com/mattn/go-sqlite3"
 )
 var (
@ -155,9 +155,15 @@ func main() {
 	cfg.Global.KeyID = gomatrixserverlib.KeyID(signing.KeyID)
 	base := base.NewBaseDendrite(cfg, "Monolith")
 	base.ConfigureAdminEndpoints()
 	defer base.Close() // nolint: errcheck
 	pineconeEventChannel := make(chan pineconeEvents.Event)
 	pRouter := pineconeRouter.NewRouter(logrus.WithField("pinecone", "router"), sk)
 	pRouter.EnableHopLimiting()
 	pRouter.EnableWakeupBroadcasts()
 	pRouter.Subscribe(pineconeEventChannel)
 	pQUIC := pineconeSessions.NewSessions(logrus.WithField("pinecone", "sessions"), pRouter, []string{"matrix"})
 	pMulticast := pineconeMulticast.NewMulticast(logrus.WithField("pinecone", "multicast"), pRouter)
 	pManager := pineconeConnections.NewConnectionManager(pRouter, nil)
@ -207,7 +213,7 @@ func main() {
 		base, federation, rsAPI, base.Caches, keyRing, true,
 	)
-	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI)
+	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI, rsComponent)
 	userAPI := userapi.NewInternalAPI(base, &cfg.UserAPI, nil, keyAPI, rsAPI, base.PushGatewayHTTPClient())
 	keyAPI.SetUserAPI(userAPI)
@ -243,6 +249,8 @@ func main() {
 	httpRouter.PathPrefix(httputil.InternalPathPrefix).Handler(base.InternalAPIMux)
 	httpRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(base.PublicClientAPIMux)
 	httpRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(base.PublicMediaAPIMux)
 	httpRouter.PathPrefix(httputil.DendriteAdminPathPrefix).Handler(base.DendriteAdminMux)
 	httpRouter.PathPrefix(httputil.SynapseAdminPathPrefix).Handler(base.SynapseAdminMux)
 	httpRouter.HandleFunc("/ws", func(w http.ResponseWriter, r *http.Request) {
 		c, err := wsUpgrader.Upgrade(w, r, nil)
 		if err != nil {
@ -295,5 +303,33 @@ func main() {
 		logrus.Fatal(http.ListenAndServe(httpBindAddr, httpRouter))
 	}()
 	go func(ch <-chan pineconeEvents.Event) {
 		eLog := logrus.WithField("pinecone", "events")
 		for event := range ch {
 			switch e := event.(type) {
 			case pineconeEvents.PeerAdded:
 			case pineconeEvents.PeerRemoved:
 			case pineconeEvents.TreeParentUpdate:
 			case pineconeEvents.SnakeDescUpdate:
 			case pineconeEvents.TreeRootAnnUpdate:
 			case pineconeEvents.SnakeEntryAdded:
 			case pineconeEvents.SnakeEntryRemoved:
 			case pineconeEvents.BroadcastReceived:
 				eLog.Info("Broadcast received from: ", e.PeerID)
 				req := &api.PerformWakeupServersRequest{
 					ServerNames: []gomatrixserverlib.ServerName{gomatrixserverlib.ServerName(e.PeerID)},
 				}
 				res := &api.PerformWakeupServersResponse{}
 				if err := fsAPI.PerformWakeupServers(base.Context(), req, res); err != nil {
 					logrus.WithError(err).Error("Failed to wakeup destination", e.PeerID)
 				}
 			case pineconeEvents.BandwidthReport:
 			default:
 			}
 		}
 	}(pineconeEventChannel)
 	base.WaitForShutdown()
 }
--- a/cmd/dendrite-demo-pinecone/rooms/rooms.go
+++ b/cmd/dendrite-demo-pinecone/rooms/rooms.go
@ -58,13 +58,17 @@ func (p *PineconeRoomProvider) Rooms() []gomatrixserverlib.PublicRoom {
 	for _, k := range p.r.Peers() {
 		list[gomatrixserverlib.ServerName(k.PublicKey)] = struct{}{}
 	}
-	return bulkFetchPublicRoomsFromServers(context.Background(), p.fedClient, list)
+	return bulkFetchPublicRoomsFromServers(
 		context.Background(), p.fedClient,
 		gomatrixserverlib.ServerName(p.r.PublicKey().String()), list,
 	)
 }
 // bulkFetchPublicRoomsFromServers fetches public rooms from the list of homeservers.
 // Returns a list of public rooms.
 func bulkFetchPublicRoomsFromServers(
 	ctx context.Context, fedClient *gomatrixserverlib.FederationClient,
 	origin gomatrixserverlib.ServerName,
 	homeservers map[gomatrixserverlib.ServerName]struct{},
 ) (publicRooms []gomatrixserverlib.PublicRoom) {
 	limit := 200
@ -82,7 +86,7 @@ func bulkFetchPublicRoomsFromServers(
 		go func(homeserverDomain gomatrixserverlib.ServerName) {
 			defer wg.Done()
 			util.GetLogger(reqctx).WithField("hs", homeserverDomain).Info("Querying HS for public rooms")
-			fres, err := fedClient.GetPublicRooms(reqctx, homeserverDomain, int(limit), "", false, "")
+			fres, err := fedClient.GetPublicRooms(reqctx, origin, homeserverDomain, int(limit), "", false, "")
 			if err != nil {
 				util.GetLogger(reqctx).WithError(err).WithField("hs", homeserverDomain).Warn(
 					"bulkFetchPublicRoomsFromServers: failed to query hs",
--- a/cmd/dendrite-demo-yggdrasil/main.go
+++ b/cmd/dendrite-demo-yggdrasil/main.go
@ -48,8 +48,6 @@ import (
 	"github.com/matrix-org/dendrite/test"
 	"github.com/matrix-org/dendrite/userapi"
 	"github.com/sirupsen/logrus"
 	_ "github.com/mattn/go-sqlite3"
 )
 var (
@ -146,6 +144,7 @@ func main() {
 	cfg.Global.KeyID = gomatrixserverlib.KeyID(signing.KeyID)
 	base := base.NewBaseDendrite(cfg, "Monolith")
 	base.ConfigureAdminEndpoints()
 	defer base.Close() // nolint: errcheck
 	ygg, err := yggconn.Setup(sk, *instanceName, ".", *instancePeer, *instanceListen)
@ -158,11 +157,12 @@ func main() {
 	serverKeyAPI := &signing.YggdrasilKeys{}
 	keyRing := serverKeyAPI.KeyRing()
 	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation)
 	rsComponent := roomserver.NewInternalAPI(
 		base,
 	)
 	keyAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, federation, rsComponent)
 	rsAPI := rsComponent
 	userAPI := userapi.NewInternalAPI(base, &cfg.UserAPI, nil, keyAPI, rsAPI, base.PushGatewayHTTPClient())
@ -200,6 +200,8 @@ func main() {
 	httpRouter.PathPrefix(httputil.InternalPathPrefix).Handler(base.InternalAPIMux)
 	httpRouter.PathPrefix(httputil.PublicClientPathPrefix).Handler(base.PublicClientAPIMux)
 	httpRouter.PathPrefix(httputil.PublicMediaPathPrefix).Handler(base.PublicMediaAPIMux)
 	httpRouter.PathPrefix(httputil.DendriteAdminPathPrefix).Handler(base.DendriteAdminMux)
 	httpRouter.PathPrefix(httputil.SynapseAdminPathPrefix).Handler(base.SynapseAdminMux)
 	embed.Embed(httpRouter, *instancePort, "Yggdrasil Demo")
 	yggRouter := mux.NewRouter().SkipClean(true).UseEncodedPath()
--- a/cmd/dendrite-demo-yggdrasil/yggconn/client.go
+++ b/cmd/dendrite-demo-yggdrasil/yggconn/client.go
@ -55,8 +55,7 @@ func (n *Node) CreateFederationClient(
 		},
 	)
 	return gomatrixserverlib.NewFederationClient(
-		base.Cfg.Global.ServerName, base.Cfg.Global.KeyID,
+		base.Cfg.Global.SigningIdentities(),
 		base.Cfg.Global.PrivateKey,
 		gomatrixserverlib.WithTransport(tr),
 	)
 }
--- a/cmd/dendrite-demo-yggdrasil/yggconn/node.go
+++ b/cmd/dendrite-demo-yggdrasil/yggconn/node.go
@ -20,6 +20,7 @@ import (
 	"encoding/hex"
 	"fmt"
 	"net"
 	"regexp"
 	"strings"
 	"github.com/matrix-org/gomatrixserverlib"
@ -27,9 +28,9 @@ import (
 	"github.com/sirupsen/logrus"
 	ironwoodtypes "github.com/Arceliar/ironwood/types"
-	yggdrasilconfig "github.com/yggdrasil-network/yggdrasil-go/src/config"
+	"github.com/yggdrasil-network/yggdrasil-go/src/core"
 	yggdrasilcore "github.com/yggdrasil-network/yggdrasil-go/src/core"
-	yggdrasildefaults "github.com/yggdrasil-network/yggdrasil-go/src/defaults"
+	"github.com/yggdrasil-network/yggdrasil-go/src/multicast"
 	yggdrasilmulticast "github.com/yggdrasil-network/yggdrasil-go/src/multicast"
 	gologme "github.com/gologme/log"
@ -37,7 +38,6 @@ import (
 type Node struct {
 	core      *yggdrasilcore.Core
 	config    *yggdrasilconfig.NodeConfig
 	multicast *yggdrasilmulticast.Multicast
 	log       *gologme.Logger
 	utpSocket *utp.Socket
@ -57,43 +57,52 @@ func (n *Node) DialerContext(ctx context.Context, _, address string) (net.Conn,
 func Setup(sk ed25519.PrivateKey, instanceName, storageDirectory, peerURI, listenURI string) (*Node, error) {
 	n := &Node{
-		core:      &yggdrasilcore.Core{},
+		log:      gologme.New(logrus.StandardLogger().Writer(), "", 0),
-		config:    yggdrasildefaults.GenerateConfig(),
+		incoming: make(chan net.Conn),
 		multicast: &yggdrasilmulticast.Multicast{},
 		log:       gologme.New(logrus.StandardLogger().Writer(), "", 0),
 		incoming:  make(chan net.Conn),
 	}
 	options := []yggdrasilcore.SetupOption{
 		yggdrasilcore.AdminListenAddress("none"),
 	}
 	if listenURI != "" {
 		options = append(options, yggdrasilcore.ListenAddress(listenURI))
 	}
 	if peerURI != "" {
 		for _, uri := range strings.Split(peerURI, ",") {
 			options = append(options, yggdrasilcore.Peer{
 				URI: uri,
 			})
 		}
 	}
 	var err error
 	if n.core, err = yggdrasilcore.New(sk, options...); err != nil {
 		panic(err)
 	}
 	n.log.EnableLevel("error")
 	n.log.EnableLevel("warn")
 	n.log.EnableLevel("info")
-	n.core.SetLogger(n.log)
+
-	if n.utpSocket, err = utp.NewSocketFromPacketConnNoClose(n.core); err != nil {
+	{
-		panic(err)
+		var err error
 		options := []yggdrasilcore.SetupOption{}
 		if listenURI != "" {
 			options = append(options, yggdrasilcore.ListenAddress(listenURI))
 		}
 		if peerURI != "" {
 			for _, uri := range strings.Split(peerURI, ",") {
 				options = append(options, yggdrasilcore.Peer{
 					URI: uri,
 				})
 			}
 		}
 		if n.core, err = core.New(sk[:], n.log, options...); err != nil {
 			panic(err)
 		}
 		n.core.SetLogger(n.log)
 		if n.utpSocket, err = utp.NewSocketFromPacketConnNoClose(n.core); err != nil {
 			panic(err)
 		}
 	}
-	if err = n.multicast.Init(n.core, n.config, n.log, nil); err != nil {
+
-		panic(err)
+	// Setup the multicast module.
-	}
+	{
-	if err = n.multicast.Start(); err != nil {
+		var err error
-		panic(err)
+		options := []multicast.SetupOption{
 			multicast.MulticastInterface{
 				Regex:    regexp.MustCompile(".*"),
 				Beacon:   true,
 				Listen:   true,
 				Port:     0,
 				Priority: 0,
 			},
 		}
 		if n.multicast, err = multicast.New(n.core, n.log, options...); err != nil {
 			panic(err)
 		}
 	}
 	n.log.Printf("Public key: %x", n.core.PublicKey())
@ -114,14 +123,7 @@ func (n *Node) DerivedServerName() string {
 }
 func (n *Node) PrivateKey() ed25519.PrivateKey {
-	sk := make(ed25519.PrivateKey, ed25519.PrivateKeySize)
+	return n.core.PrivateKey()
 	sb, err := hex.DecodeString(n.config.PrivateKey)
 	if err == nil {
 		copy(sk, sb[:])
 	} else {
 		panic(err)
 	}
 	return sk
 }
 func (n *Node) PublicKey() ed25519.PublicKey {
--- a/cmd/dendrite-demo-yggdrasil/yggrooms/yggrooms.go
+++ b/cmd/dendrite-demo-yggdrasil/yggrooms/yggrooms.go
@ -43,13 +43,18 @@ func NewYggdrasilRoomProvider(
 }
 func (p *YggdrasilRoomProvider) Rooms() []gomatrixserverlib.PublicRoom {
-	return bulkFetchPublicRoomsFromServers(context.Background(), p.fedClient, p.node.KnownNodes())
+	return bulkFetchPublicRoomsFromServers(
 		context.Background(), p.fedClient,
 		gomatrixserverlib.ServerName(p.node.DerivedServerName()),
 		p.node.KnownNodes(),
 	)
 }
 // bulkFetchPublicRoomsFromServers fetches public rooms from the list of homeservers.
 // Returns a list of public rooms.
 func bulkFetchPublicRoomsFromServers(
 	ctx context.Context, fedClient *gomatrixserverlib.FederationClient,
 	origin gomatrixserverlib.ServerName,
 	homeservers []gomatrixserverlib.ServerName,
 ) (publicRooms []gomatrixserverlib.PublicRoom) {
 	limit := 200
@ -66,7 +71,7 @@ func bulkFetchPublicRoomsFromServers(
 		go func(homeserverDomain gomatrixserverlib.ServerName) {
 			defer wg.Done()
 			util.GetLogger(ctx).WithField("hs", homeserverDomain).Info("Querying HS for public rooms")
-			fres, err := fedClient.GetPublicRooms(ctx, homeserverDomain, int(limit), "", false, "")
+			fres, err := fedClient.GetPublicRooms(ctx, origin, homeserverDomain, int(limit), "", false, "")
 			if err != nil {
 				util.GetLogger(ctx).WithError(err).WithField("hs", homeserverDomain).Warn(
 					"bulkFetchPublicRoomsFromServers: failed to query hs",
--- a/cmd/dendrite-monolith-server/main.go
+++ b/cmd/dendrite-monolith-server/main.go
@ -18,6 +18,8 @@ import (
 	"flag"
 	"os"
 	"github.com/sirupsen/logrus"
 	"github.com/matrix-org/dendrite/appservice"
 	"github.com/matrix-org/dendrite/federationapi"
 	"github.com/matrix-org/dendrite/keyserver"
@ -29,9 +31,6 @@ import (
 	"github.com/matrix-org/dendrite/setup/mscs"
 	"github.com/matrix-org/dendrite/userapi"
 	uapi "github.com/matrix-org/dendrite/userapi/api"
 	"github.com/sirupsen/logrus"
 	_ "github.com/mattn/go-sqlite3"
 )
 var (
@ -77,7 +76,7 @@ func main() {
 	// call functions directly on the impl unless running in HTTP mode
 	rsAPI := rsImpl
 	if base.UseHTTPAPIs {
-		roomserver.AddInternalRoutes(base.InternalAPIMux, rsImpl)
+		roomserver.AddInternalRoutes(base.InternalAPIMux, rsImpl, base.EnableMetrics)
 		rsAPI = base.RoomserverHTTPClient()
 	}
 	if traceInternal {
@ -91,15 +90,15 @@ func main() {
 	)
 	fsImplAPI := fsAPI
 	if base.UseHTTPAPIs {
-		federationapi.AddInternalRoutes(base.InternalAPIMux, fsAPI)
+		federationapi.AddInternalRoutes(base.InternalAPIMux, fsAPI, base.EnableMetrics)
 		fsAPI = base.FederationAPIHTTPClient()
 	}
 	keyRing := fsAPI.KeyRing()
-	keyImpl := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI)
+	keyImpl := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI, rsAPI)
 	keyAPI := keyImpl
 	if base.UseHTTPAPIs {
-		keyserver.AddInternalRoutes(base.InternalAPIMux, keyAPI)
+		keyserver.AddInternalRoutes(base.InternalAPIMux, keyAPI, base.EnableMetrics)
 		keyAPI = base.KeyServerHTTPClient()
 	}
@ -107,7 +106,7 @@ func main() {
 	userImpl := userapi.NewInternalAPI(base, &cfg.UserAPI, cfg.Derived.ApplicationServices, keyAPI, rsAPI, pgClient)
 	userAPI := userImpl
 	if base.UseHTTPAPIs {
-		userapi.AddInternalRoutes(base.InternalAPIMux, userAPI)
+		userapi.AddInternalRoutes(base.InternalAPIMux, userAPI, base.EnableMetrics)
 		userAPI = base.UserAPIClient()
 	}
 	if traceInternal {
@ -121,7 +120,7 @@ func main() {
 	// before the listeners are up.
 	asAPI := appservice.NewInternalAPI(base, userImpl, rsAPI)
 	if base.UseHTTPAPIs {
-		appservice.AddInternalRoutes(base.InternalAPIMux, asAPI)
+		appservice.AddInternalRoutes(base.InternalAPIMux, asAPI, base.EnableMetrics)
 		asAPI = base.AppserviceHTTPClient()
 	}
--- a/cmd/dendrite-polylith-multi/main.go
+++ b/cmd/dendrite-polylith-multi/main.go
@ -24,8 +24,6 @@ import (
 	"github.com/matrix-org/dendrite/setup/base"
 	"github.com/matrix-org/dendrite/setup/config"
 	"github.com/sirupsen/logrus"
 	_ "github.com/mattn/go-sqlite3"
 )
 type entrypoint func(base *base.BaseDendrite, cfg *config.Dendrite)
--- a/cmd/dendrite-polylith-multi/personalities/appservice.go
+++ b/cmd/dendrite-polylith-multi/personalities/appservice.go
@ -26,7 +26,7 @@ func Appservice(base *base.BaseDendrite, cfg *config.Dendrite) {
 	rsAPI := base.RoomserverHTTPClient()
 	intAPI := appservice.NewInternalAPI(base, userAPI, rsAPI)
-	appservice.AddInternalRoutes(base.InternalAPIMux, intAPI)
+	appservice.AddInternalRoutes(base.InternalAPIMux, intAPI, base.EnableMetrics)
 	base.SetupAndServeHTTP(
 		base.Cfg.AppServiceAPI.InternalAPI.Listen, // internal listener
--- a/cmd/dendrite-polylith-multi/personalities/federationapi.go
+++ b/cmd/dendrite-polylith-multi/personalities/federationapi.go
@ -34,7 +34,7 @@ func FederationAPI(base *basepkg.BaseDendrite, cfg *config.Dendrite) {
 		rsAPI, fsAPI, keyAPI, nil,
 	)
-	federationapi.AddInternalRoutes(base.InternalAPIMux, fsAPI)
+	federationapi.AddInternalRoutes(base.InternalAPIMux, fsAPI, base.EnableMetrics)
 	base.SetupAndServeHTTP(
 		base.Cfg.FederationAPI.InternalAPI.Listen,
--- a/cmd/dendrite-polylith-multi/personalities/keyserver.go
+++ b/cmd/dendrite-polylith-multi/personalities/keyserver.go
@ -22,10 +22,11 @@ import (
 func KeyServer(base *basepkg.BaseDendrite, cfg *config.Dendrite) {
 	fsAPI := base.FederationAPIHTTPClient()
-	intAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI)
+	rsAPI := base.RoomserverHTTPClient()
 	intAPI := keyserver.NewInternalAPI(base, &base.Cfg.KeyServer, fsAPI, rsAPI)
 	intAPI.SetUserAPI(base.UserAPIClient())
-	keyserver.AddInternalRoutes(base.InternalAPIMux, intAPI)
+	keyserver.AddInternalRoutes(base.InternalAPIMux, intAPI, base.EnableMetrics)
 	base.SetupAndServeHTTP(
 		base.Cfg.KeyServer.InternalAPI.Listen, // internal listener
--- a/cmd/dendrite-polylith-multi/personalities/roomserver.go
+++ b/cmd/dendrite-polylith-multi/personalities/roomserver.go
@ -26,7 +26,7 @@ func RoomServer(base *basepkg.BaseDendrite, cfg *config.Dendrite) {
 	rsAPI := roomserver.NewInternalAPI(base)
 	rsAPI.SetFederationAPI(fsAPI, fsAPI.KeyRing())
 	rsAPI.SetAppserviceAPI(asAPI)
-	roomserver.AddInternalRoutes(base.InternalAPIMux, rsAPI)
+	roomserver.AddInternalRoutes(base.InternalAPIMux, rsAPI, base.EnableMetrics)
 	base.SetupAndServeHTTP(
 		base.Cfg.RoomServer.InternalAPI.Listen, // internal listener
--- a/cmd/dendrite-polylith-multi/personalities/userapi.go
+++ b/cmd/dendrite-polylith-multi/personalities/userapi.go
@ -27,7 +27,7 @@ func UserAPI(base *basepkg.BaseDendrite, cfg *config.Dendrite) {
 		base.PushGatewayHTTPClient(),
 	)
-	userapi.AddInternalRoutes(base.InternalAPIMux, userAPI)
+	userapi.AddInternalRoutes(base.InternalAPIMux, userAPI, base.EnableMetrics)
 	base.SetupAndServeHTTP(
 		base.Cfg.UserAPI.InternalAPI.Listen, // internal listener
--- a/cmd/dendrite-upgrade-tests/main.go
+++ b/cmd/dendrite-upgrade-tests/main.go
@ -7,6 +7,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
 	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@ -38,6 +39,7 @@ var (
 	flagHead             = flag.String("head", "", "Location to a dendrite repository to treat as HEAD instead of Github")
 	flagDockerHost       = flag.String("docker-host", "localhost", "The hostname of the docker client. 'localhost' if running locally, 'host.docker.internal' if running in Docker.")
 	flagDirect           = flag.Bool("direct", false, "If a direct upgrade from the defined FROM version to TO should be done")
 	flagSqlite           = flag.Bool("sqlite", false, "Test SQLite instead of PostgreSQL")
 	alphaNumerics        = regexp.MustCompile("[^a-zA-Z0-9]+")
 )
@ -49,7 +51,7 @@ const HEAD = "HEAD"
 // due to the error:
 // When using COPY with more than one source file, the destination must be a directory and end with a /
 // We need to run a postgres anyway, so use the dockerfile associated with Complement instead.
-const Dockerfile = `FROM golang:1.18-stretch as build
+const DockerfilePostgreSQL = `FROM golang:1.18-stretch as build
 RUN apt-get update && apt-get install -y postgresql
 WORKDIR /build
@ -60,6 +62,7 @@ COPY . .
 RUN go build ./cmd/dendrite-monolith-server
 RUN go build ./cmd/generate-keys
 RUN go build ./cmd/generate-config
 RUN go build ./cmd/create-account
 RUN ./generate-config --ci > dendrite.yaml
 RUN ./generate-keys --private-key matrix_key.pem --tls-cert server.crt --tls-key server.key
@ -92,6 +95,43 @@ ENV SERVER_NAME=localhost
 EXPOSE 8008 8448
 CMD /build/run_dendrite.sh `
 const DockerfileSQLite = `FROM golang:1.18-stretch as build
 RUN apt-get update && apt-get install -y postgresql
 WORKDIR /build
 # Copy the build context to the repo as this is the right dendrite code. This is different to the
 # Complement Dockerfile which wgets a branch.
 COPY . .
 RUN go build ./cmd/dendrite-monolith-server
 RUN go build ./cmd/generate-keys
 RUN go build ./cmd/generate-config
 RUN go build ./cmd/create-account
 RUN ./generate-config --ci > dendrite.yaml
 RUN ./generate-keys --private-key matrix_key.pem --tls-cert server.crt --tls-key server.key
 # Make sure the SQLite databases are in a persistent location, we're already mapping
 # the postgresql folder so let's just use that for simplicity
 RUN sed -i "s%connection_string:.file:%connection_string: file:\/var\/lib\/postgresql\/9.6\/main\/%g" dendrite.yaml 
 # This entry script starts postgres, waits for it to be up then starts dendrite
 RUN echo '\
 sed -i "s/server_name: localhost/server_name: ${SERVER_NAME}/g" dendrite.yaml \n\
 PARAMS="--tls-cert server.crt --tls-key server.key --config dendrite.yaml" \n\
 ./dendrite-monolith-server --really-enable-open-registration ${PARAMS} || ./dendrite-monolith-server ${PARAMS} \n\
 ' > run_dendrite.sh && chmod +x run_dendrite.sh
 ENV SERVER_NAME=localhost
 EXPOSE 8008 8448
 CMD /build/run_dendrite.sh `
 func dockerfile() []byte {
 	if *flagSqlite {
 		return []byte(DockerfileSQLite)
 	}
 	return []byte(DockerfilePostgreSQL)
 }
 const dendriteUpgradeTestLabel = "dendrite_upgrade_test"
 // downloadArchive downloads an arbitrary github archive of the form:
@ -150,7 +190,7 @@ func buildDendrite(httpClient *http.Client, dockerClient *client.Client, tmpDir,
 	if branchOrTagName == HEAD && *flagHead != "" {
 		log.Printf("%s: Using %s as HEAD", branchOrTagName, *flagHead)
 		// add top level Dockerfile
-		err = os.WriteFile(path.Join(*flagHead, "Dockerfile"), []byte(Dockerfile), os.ModePerm)
+		err = os.WriteFile(path.Join(*flagHead, "Dockerfile"), dockerfile(), os.ModePerm)
 		if err != nil {
 			return "", fmt.Errorf("custom HEAD: failed to inject /Dockerfile: %w", err)
 		}
@ -166,7 +206,7 @@ func buildDendrite(httpClient *http.Client, dockerClient *client.Client, tmpDir,
 		// pull an archive, this contains a top-level directory which screws with the build context
 		// which we need to fix up post download
 		u := fmt.Sprintf("https://github.com/matrix-org/dendrite/archive/%s.tar.gz", branchOrTagName)
-		tarball, err = downloadArchive(httpClient, tmpDir, u, []byte(Dockerfile))
+		tarball, err = downloadArchive(httpClient, tmpDir, u, dockerfile())
 		if err != nil {
 			return "", fmt.Errorf("failed to download archive %s: %w", u, err)
 		}
@ -367,7 +407,8 @@ func runImage(dockerClient *client.Client, volumeName, version, imageID string)
 	// hit /versions to check it is up
 	var lastErr error
 	for i := 0; i < 500; i++ {
-		res, err := http.Get(versionsURL)
+		var res *http.Response
 		res, err = http.Get(versionsURL)
 		if err != nil {
 			lastErr = fmt.Errorf("GET %s => error: %s", versionsURL, err)
 			time.Sleep(50 * time.Millisecond)
@ -381,18 +422,22 @@ func runImage(dockerClient *client.Client, volumeName, version, imageID string)
 		lastErr = nil
 		break
 	}
-	if lastErr != nil {
+	logs, err := dockerClient.ContainerLogs(context.Background(), containerID, types.ContainerLogsOptions{
-		logs, err := dockerClient.ContainerLogs(context.Background(), containerID, types.ContainerLogsOptions{
+		ShowStdout: true,
-			ShowStdout: true,
+		ShowStderr: true,
-			ShowStderr: true,
+		Follow:     true,
-		})
+	})
-		// ignore errors when cannot get logs, it's just for debugging anyways
+	// ignore errors when cannot get logs, it's just for debugging anyways
-		if err == nil {
+	if err == nil {
-			logbody, err := io.ReadAll(logs)
+		go func() {
-			if err == nil {
+			for {
-				log.Printf("Container logs:\n\n%s\n\n", string(logbody))
+				if body, err := io.ReadAll(logs); err == nil && len(body) > 0 {
 					log.Printf("%s: %s", version, string(body))
 				} else {
 					return
 				}
 			}
-		}
+		}()
 	}
 	return baseURL, containerID, lastErr
 }
@ -416,6 +461,46 @@ func loadAndRunTests(dockerClient *client.Client, volumeName, v string, branchTo
 	if err = runTests(csAPIURL, v); err != nil {
 		return fmt.Errorf("failed to run tests on version %s: %s", v, err)
 	}
 	err = testCreateAccount(dockerClient, v, containerID)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // test that create-account is working
 func testCreateAccount(dockerClient *client.Client, v string, containerID string) error {
 	createUser := strings.ToLower("createaccountuser-" + v)
 	log.Printf("%s: Creating account %s with create-account\n", v, createUser)
 	respID, err := dockerClient.ContainerExecCreate(context.Background(), containerID, types.ExecConfig{
 		AttachStderr: true,
 		AttachStdout: true,
 		Cmd: []string{
 			"/build/create-account",
 			"-username", createUser,
 			"-password", "someRandomPassword",
 		},
 	})
 	if err != nil {
 		return fmt.Errorf("failed to ContainerExecCreate: %w", err)
 	}
 	response, err := dockerClient.ContainerExecAttach(context.Background(), respID.ID, types.ExecStartCheck{})
 	if err != nil {
 		return fmt.Errorf("failed to attach to container: %w", err)
 	}
 	defer response.Close()
 	data, err := ioutil.ReadAll(response.Reader)
 	if err != nil {
 		return err
 	}
 	if !bytes.Contains(data, []byte("AccessToken")) {
 		return fmt.Errorf("failed to create-account: %s", string(data))
 	}
 	return nil
 }
--- a/cmd/furl/main.go
+++ b/cmd/furl/main.go
@ -48,10 +48,15 @@ func main() {
 		panic("unexpected key block")
 	}
 	serverName := gomatrixserverlib.ServerName(*requestFrom)
 	client := gomatrixserverlib.NewFederationClient(
-		gomatrixserverlib.ServerName(*requestFrom),
+		[]*gomatrixserverlib.SigningIdentity{
-		gomatrixserverlib.KeyID(keyBlock.Headers["Key-ID"]),
+			{
-		privateKey,
+				ServerName: serverName,
 				KeyID:      gomatrixserverlib.KeyID(keyBlock.Headers["Key-ID"]),
 				PrivateKey: privateKey,
 			},
 		},
 	)
 	u, err := url.Parse(flag.Arg(0))
@ -79,6 +84,7 @@ func main() {
 	req := gomatrixserverlib.NewFederationRequest(
 		method,
 		serverName,
 		gomatrixserverlib.ServerName(u.Host),
 		u.RequestURI(),
 	)
--- a/dendrite-sample.monolith.yaml
+++ b/dendrite-sample.monolith.yaml
@ -179,7 +179,13 @@ client_api:
  recaptcha_public_key: ""
  recaptcha_private_key: ""
  recaptcha_bypass_secret: ""
-  recaptcha_siteverify_api: ""
+  
  # To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
  # recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
  # recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
  # recaptcha_form_field: "h-captcha-response"
  # recaptcha_sitekey_class: "h-captcha"
  # TURN server information that this homeserver should send to clients.
  turn:
@ -310,6 +316,14 @@ user_api:
  # The default lifetime is 3600000ms (60 minutes).
  # openid_token_lifetime_ms: 3600000
  # Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
  # By default, any room aliases included in this list will be created as a publicly joinable room
  # when the first user registers for the homeserver. If the room already exists,
  # make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
  # As Spaces are just rooms under the hood, Space aliases may also be used.
  auto_join_rooms:
  #  - "#main:matrix.org"
 # Configuration for Opentracing.
 # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
 # how this works and how to set it up.
--- a/dendrite-sample.polylith.yaml
+++ b/dendrite-sample.polylith.yaml
@ -175,7 +175,13 @@ client_api:
  recaptcha_public_key: ""
  recaptcha_private_key: ""
  recaptcha_bypass_secret: ""
-  recaptcha_siteverify_api: ""
+
  # To use hcaptcha.com instead of ReCAPTCHA, set the following parameters, otherwise just keep them empty.
  # recaptcha_siteverify_api: "https://hcaptcha.com/siteverify"
  # recaptcha_api_js_url: "https://js.hcaptcha.com/1/api.js"
  # recaptcha_form_field: "h-captcha-response"
  # recaptcha_sitekey_class: "h-captcha"
  # TURN server information that this homeserver should send to clients.
  turn:
@ -375,6 +381,14 @@ user_api:
  # The default lifetime is 3600000ms (60 minutes).
  # openid_token_lifetime_ms: 3600000
  # Users who register on this homeserver will automatically be joined to the rooms listed under "auto_join_rooms" option.
  # By default, any room aliases included in this list will be created as a publicly joinable room
  # when the first user registers for the homeserver. If the room already exists,
  # make certain it is a publicly joinable room, i.e. the join rule of the room must be set to 'public'.
  # As Spaces are just rooms under the hood, Space aliases may also be used.
  auto_join_rooms:
  #  - "#main:matrix.org"
 # Configuration for Opentracing.
 # See https://github.com/matrix-org/dendrite/tree/master/docs/tracing for information on
 # how this works and how to set it up.
--- a/docs/FAQ.md
+++ b/docs/FAQ.md
@ -91,7 +91,7 @@ Please use PostgreSQL wherever possible, especially if you are planning to run a
 ## Dendrite is using a lot of CPU
 Generally speaking, you should expect to see some CPU spikes, particularly if you are joining or participating in large rooms. However, constant/sustained high CPU usage is not expected - if you are experiencing that, please join `#dendrite-dev:matrix.org` and let us know what you were doing when the
-CPU usage shot up, or file a GitHub issue. If you can take a [CPU profile](PROFILING.md) then that would
+CPU usage shot up, or file a GitHub issue. If you can take a [CPU profile](development/PROFILING.md) then that would
 be a huge help too, as that will help us to understand where the CPU time is going.
 ## Dendrite is using a lot of RAM
@ -99,7 +99,7 @@ be a huge help too, as that will help us to understand where the CPU time is goi
 As above with CPU usage, some memory spikes are expected if Dendrite is doing particularly heavy work
 at a given instant. However, if it is using more RAM than you expect for a long time, that's probably
 not expected. Join `#dendrite-dev:matrix.org` and let us know what you were doing when the memory usage
-ballooned, or file a GitHub issue if you can. If you can take a [memory profile](PROFILING.md) then that
+ballooned, or file a GitHub issue if you can. If you can take a [memory profile](development/PROFILING.md) then that
 would be a huge help too, as that will help us to understand where the memory usage is happening.
 ## Dendrite is running out of PostgreSQL database connections
--- a/docs/Gemfile.lock
+++ b/docs/Gemfile.lock
@ -231,9 +231,9 @@ GEM
      jekyll-seo-tag (~> 2.1)
    minitest (5.15.0)
    multipart-post (2.1.1)
-    nokogiri (1.13.6-arm64-darwin)
+    nokogiri (1.13.10-arm64-darwin)
      racc (~> 1.4)
-    nokogiri (1.13.6-x86_64-linux)
+    nokogiri (1.13.10-x86_64-linux)
      racc (~> 1.4)
    octokit (4.22.0)
      faraday (>= 0.9)
@ -241,7 +241,7 @@ GEM
    pathutil (0.16.2)
      forwardable-extended (~> 2.6)
    public_suffix (4.0.7)
-    racc (1.6.0)
+    racc (1.6.1)
    rb-fsevent (0.11.1)
    rb-inotify (0.10.1)
      ffi (~> 1.0)
--- a/docs/administration/4_adminapi.md
+++ b/docs/administration/4_adminapi.md
@ -44,7 +44,9 @@ This endpoint will instruct Dendrite to part the given local `userID` in the URL
 all rooms which they are currently joined. A JSON body will be returned containing
 the room IDs of all affected rooms.
-## POST `/_dendrite/admin/resetPassword/{localpart}`
+## POST `/_dendrite/admin/resetPassword/{userID}`
 Reset the password of a local user.
 Request body format:
@ -54,9 +56,6 @@ Request body format:
 }
 ```
 Reset the password of a local user. The `localpart` is the username only, i.e. if
 the full user ID is `@alice:domain.com` then the local part is `alice`.
 ## GET `/_dendrite/admin/fulltext/reindex`
 This endpoint instructs Dendrite to reindex all searchable events (`m.room.message`, `m.room.topic` and `m.room.name`). An empty JSON body will be returned immediately.
--- a/docs/caddy/polylith/Caddyfile
+++ b/docs/caddy/polylith/Caddyfile
@ -1,66 +1,85 @@
-# Sample Caddyfile for using Caddy in front of Dendrite.
+# Sample Caddyfile for using Caddy in front of Dendrite
-#
+
 # Customize email address and domain names.
 # Optional settings commented out.
 #
 # BE SURE YOUR DOMAINS ARE POINTED AT YOUR SERVER FIRST.
 # Documentation: https://caddyserver.com/docs/
 #
 # Bonus tip: If your IP address changes, use Caddy's
 # dynamic DNS plugin to update your DNS records to
 # point to your new IP automatically:
 # https://github.com/mholt/caddy-dynamicdns
 #
 # Customize email address and domain names
 # Optional settings commented out
 #
 # BE SURE YOUR DOMAINS ARE POINTED AT YOUR SERVER FIRST
 # Documentation: <https://caddyserver.com/docs/>
 #
 # Bonus tip: If your IP address changes, use Caddy's
 # dynamic DNS plugin to update your DNS records to
 # point to your new IP automatically
 # <https://github.com/mholt/caddy-dynamicdns>
 #
 # Global options block
 {
-	# In case there is a problem with your certificates.
+ # In case there is a problem with your certificates.
-	# email example@example.com
+ # email example@example.com
-	# Turn off the admin endpoint if you don't need graceful config
+ # Turn off the admin endpoint if you don't need graceful config
-	# changes and/or are running untrusted code on your machine.
+ # changes and/or are running untrusted code on your machine.
-	# admin off
+ # admin off
-	# Enable this if your clients don't send ServerName in TLS handshakes.
+ # Enable this if your clients don't send ServerName in TLS handshakes.
-	# default_sni example.com
+ # default_sni example.com
-	# Enable debug mode for verbose logging.
+ # Enable debug mode for verbose logging.
-	# debug
+ # debug
-	# Use Let's Encrypt's staging endpoint for testing.
+ # Use Let's Encrypt's staging endpoint for testing.
-	# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
+ # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
-	# If you're port-forwarding HTTP/HTTPS ports from 80/443 to something
+ # If you're port-forwarding HTTP/HTTPS ports from 80/443 to something
-	# else, enable these and put the alternate port numbers here.
+ # else, enable these and put the alternate port numbers here.
-	# http_port  8080
+ # http_port  8080
-	# https_port 8443
+ # https_port 8443
 }
 # The server name of your matrix homeserver. This example shows
-# "well-known delegation" from the registered domain to a subdomain,
+
 # "well-known delegation" from the registered domain to a subdomain
 # which is only needed if your server_name doesn't match your Matrix
 # homeserver URL (i.e. you can show users a vanity domain that looks
 # nice and is easy to remember but still have your Matrix server on
-# its own subdomain or hosted service).
+
 # its own subdomain or hosted service)
 example.com {
-	header /.well-known/matrix/* Content-Type application/json
+ header /.well-known/matrix/*Content-Type application/json
-	header /.well-known/matrix/* Access-Control-Allow-Origin *
+ header /.well-known/matrix/* Access-Control-Allow-Origin *
-	respond /.well-known/matrix/server `{"m.server": "matrix.example.com:443"}`
+ respond /.well-known/matrix/server `{"m.server": "matrix.example.com:443"}`
-	respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://matrix.example.com"}}`
+ respond /.well-known/matrix/client `{"m.homeserver": {"base_url": "https://matrix.example.com"}}`
 }
-# The actual domain name whereby your Matrix server is accessed.
+# The actual domain name whereby your Matrix server is accessed
 matrix.example.com {
-	# Change the end of each reverse_proxy line to the correct
+ # Change the end of each reverse_proxy line to the correct
-	# address for your various services.
+ # address for your various services.
-	@sync_api {
+ @sync_api {
-		path_regexp /_matrix/client/.*?/(sync|user/.*?/filter/?.*|keys/changes|rooms/.*?/messages)$
+  path_regexp /_matrix/client/.*?/(sync|user/.*?/filter/?.*|keys/changes|rooms/.*?/(messages|.*?_?members|context/.*?|relations/.*?|event/.*?))$
-	}
+ }
-	reverse_proxy @sync_api sync_api:8073
+ reverse_proxy @sync_api sync_api:8073
-	reverse_proxy /_matrix/client* client_api:8071
+ reverse_proxy /_matrix/client* client_api:8071
-	reverse_proxy /_matrix/federation* federation_api:8071
+ reverse_proxy /_matrix/federation* federation_api:8071
-	reverse_proxy /_matrix/key* federation_api:8071
+ reverse_proxy /_matrix/key* federation_api:8071
-	reverse_proxy /_matrix/media* media_api:8071
+ reverse_proxy /_matrix/media* media_api:8071
 }
--- a/docs/development/CONTRIBUTING.md
+++ b/docs/development/CONTRIBUTING.md
@ -9,6 +9,28 @@ permalink: /development/contributing
 Everyone is welcome to contribute to Dendrite! We aim to make it as easy as
 possible to get started.
 ## Contribution types
 We are a small team maintaining a large project. As a result, we cannot merge every feature, even if it
 is bug-free and useful, because we then commit to maintaining it indefinitely. We will always accept:
 - bug fixes
 - security fixes (please responsibly disclose via security@matrix.org *before* creating pull requests)
 We will accept the following with caveats:
 - documentation fixes, provided they do not add additional instructions which can end up going out-of-date,
   e.g example configs, shell commands.
 - performance fixes, provided they do not add significantly more maintenance burden.
 - additional functionality on existing features, provided the functionality is small and maintainable.
 - additional functionality that, in its absence, would impact the ecosystem e.g spam and abuse mitigations
 - test-only changes, provided they help improve coverage or test tricky code.
 The following items are at risk of not being accepted:
 - Configuration or CLI changes, particularly ones which increase the overall configuration surface.
 The following items are unlikely to be accepted into a main Dendrite release for now:
 - New MSC implementations.
 - New features which are not in the specification.
 ## Sign off
 We require that everyone who contributes to the project signs off their contributions
@ -35,7 +57,7 @@ to do so for future contributions.
 ## Getting up and running
-See the [Installation](installation) section for information on how to build an
+See the [Installation](../installation) section for information on how to build an
 instance of Dendrite. You will likely need this in order to test your changes.
 ## Code style
@ -75,7 +97,20 @@ comment. Please avoid doing this if you can.
 We also have unit tests which we run via:
 ```bash
-go test --race ./...
+DENDRITE_TEST_SKIP_NODB=1 go test --race ./...
 ```
 This only runs SQLite database tests. If you wish to execute Postgres tests as well, you'll either need to 
 have Postgres installed locally (`createdb` will be used) or have a remote/containerized Postgres instance
 available.
 To configure the connection to a remote Postgres, you can use the following enviroment variables:
 ```bash
 POSTGRES_USER=postgres
 POSTGERS_PASSWORD=yourPostgresPassword
 POSTGRES_HOST=localhost
 POSTGRES_DB=postgres # the superuser database to use
 ```
 In general, we like submissions that come with tests. Anything that proves that the
@ -116,7 +151,7 @@ significant amount of CPU and RAM.
 Once the code builds, run [Sytest](https://github.com/matrix-org/sytest)
 according to the guide in
-[docs/sytest.md](https://github.com/matrix-org/dendrite/blob/main/docs/sytest.md#using-a-sytest-docker-image)
+[docs/development/sytest.md](https://github.com/matrix-org/dendrite/blob/main/docs/development/sytest.md#using-a-sytest-docker-image)
 so you can see whether something is being broken and whether there are newly
 passing tests.
--- a/docs/development/PROFILING.md
+++ b/docs/development/PROFILING.md
--- a/docs/development/coverage.md
+++ b/docs/development/coverage.md
--- a/docs/development/sytest.md
+++ b/docs/development/sytest.md
--- a/Show more
+++ b/Show more